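def dotransform(request, response):
    """Turn a stream pcap path into a pcapStream entity carrying a banner.

    The part of the file name after the folder prefix is read as
    ``<protocol>-<source>-<destination>.pcap``; those three parts form the
    entity banner.

    Args:
        request: Maltego request; ``request.value`` is the stream pcap path.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a pcapStream entity appended, or with a UIMessage
        when hashing fails or the name does not have the expected shape.
    """
    pcap = request.value
    usedb = config['working/usedb']
    if usedb > 0:
        # With a database the folder is taken from the indexed session,
        # looked up by the file's MD5 (element 2 of the find_session result).
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        folder = find_session(md5hash)[2]
    else:
        folder = config['working/directory']

    # Skip the folder plus 11 characters of prefix and drop the '.pcap'
    # extension, leaving 'protocol-source-destination'.
    name_start = len(folder) + 11
    parts = pcap[name_start:-5].split('-')
    if len(parts) < 3:
        # A name outside the naming scheme would otherwise raise IndexError.
        return response + UIMessage('Unexpected stream file name: %s' % pcap)
    banner = 'Protocol:%s\nSource:%s\nDestination:%s' % (parts[0], parts[1], parts[2])
    response += pcapStream(banner)
    return response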
def dotransform(request, response):
    """Return a pcapFile entity for every stream recorded against a pcap.

    ``request.value`` is the path of an indexed pcap; its ``PCAP ID`` is read
    from the INDEX collection and used to list the STREAMS documents.

    Args:
        request: Maltego request carrying the pcap path in ``request.value``.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` extended with one pcapFile per stream, or with a
        UIMessage explaining why nothing was returned.
    """
    pcap_path = request.value
    if config["working/usedb"] == 0:
        return response + UIMessage("No database support configured, check your config file")

    db = mongo_connect()
    try:
        # Resolve the pcap path to its session id via INDEX.
        index_query = {"PCAP Path": pcap_path}
        if db.INDEX.find(index_query).count() == 0:
            return response + UIMessage("PCAP not found, is the SessionID correct??")
        # The last matching document supplies the id.
        for record in db.INDEX.find(index_query, {"PCAP ID": 1, "_id": 0}):
            session_id = record["PCAP ID"]

        # One pcapFile entity per stream file of that session.
        stream_query = {"PCAP ID": session_id}
        if db.STREAMS.find(stream_query).count() == 0:
            return response + UIMessage("No streams found for that Session ID")
        for record in db.STREAMS.find(stream_query, {"File Name": 1, "_id": 0}):
            response += pcapFile(record["File Name"])
        return response
    except Exception as e:
        return response + UIMessage(str(e))
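def dotransform(request, response):
    """Upload an artifact zip to the web server and record it in FILES.

    ``request.value`` is the zip path, ``request.fields['folder']`` the
    directory it lives in and ``request.fields['sessionid']`` the PCAP ID the
    record is tagged with. A file whose name is already in FILES is not
    uploaded again.

    Args:
        request: Maltego request with the zip path and the fields above.
        response: Maltego response a UIMessage is added to.

    Returns:
        ``response`` plus a UIMessage describing the outcome (uploaded,
        already present, upload rejected, or the error that occurred).
    """
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')

    zip_path = request.value
    folder = request.fields['folder']
    pcap_id = request.fields['sessionid']

    # Build the web server variables
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)

    # Connect to the database so we can insert the record created below
    files_coll = mongo_connect()['FILES']
    now = time.strftime("%c")

    # Hash the zip file
    try:
        md5hash = md5_for_file(zip_path)
        sha1hash = sha1_for_file(zip_path)
    except Exception as e:
        return response + UIMessage(str(e))

    # The file name is the path with '<folder>/' stripped off; this assumes
    # the zip lives directly under 'folder' as the caller supplied it.
    filename = zip_path[len(folder) + 1:]
    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)

    # Check to see if the file is already uploaded
    if files_coll.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')

    data = {
        'Upload Time': now,
        'File Name': filename,
        'Folder': folder,
        'MD5 Hash': md5hash,
        'SHA1 Hash': sha1hash,
        'Download': download_url,
        'PCAP ID': pcap_id
    }

    try:
        # POST the file; the context manager closes the handle once the
        # request is sent instead of leaving it open until garbage collection.
        # NOTE: requests.post() has no timeout here, so an unresponsive
        # server blocks the transform.
        with open(zip_path, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            files_coll.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage('Whoops file upload didn\'t work.')
    except Exception as e:
        return response + UIMessage(str(e))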
def dotransform(request, response):
    """Return an IPv4Address entity for each endpoint of a stream file.

    ``request.value`` is a stream file name; every STREAMS document with that
    ``File Name`` contributes its packet source and destination IP, in that
    order and without de-duplication.

    Args:
        request: Maltego request carrying the stream file name.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with the IPv4Address entities, or with a UIMessage when
        the database is disabled, no stream matches or the query fails.
    """
    stream_file = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')

    db = mongo_connect()
    query = {"File Name": stream_file}
    addresses = []
    try:
        if db.STREAMS.find(query).count() > 0:
            projection = {"Packet.Source IP": 1, "Packet.Destination IP": 1, "_id": 0}
            for doc in db.STREAMS.find(query, projection):
                packet = doc['Packet']
                addresses.extend([packet['Source IP'], packet['Destination IP']])
        else:
            return response + UIMessage('This needs to be run from a TCP/UDP stream')
    except Exception as e:
        return response + UIMessage(str(e))

    for address in addresses:
        response += IPv4Address(address)
    return response
def dotransform(request, response):
    """Return a Website entity for each DNS query name recorded for a stream.

    ``request.value`` is a stream file name; its ``Stream ID`` is read from
    STREAMS and the DNS documents with that id supply the query names.

    Args:
        request: Maltego request carrying the stream file name.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one Website per DNS document, or with a UIMessage
        when the database is disabled, nothing matches or a query fails.
    """
    stream_file = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')

    db = mongo_connect()
    try:
        stream_query = {"File Name": stream_file}
        if db.STREAMS.find(stream_query).count() == 0:
            return response + UIMessage('This needs to be run from a TCP/UDP stream')
        # The last matching document supplies the stream id.
        for doc in db.STREAMS.find(stream_query, {"Stream ID": 1, "_id": 0}):
            stream_id = doc['Stream ID']

        dns_query = {"Stream ID": stream_id}
        if db.DNS.find(dns_query).count() == 0:
            return response + UIMessage('No DNS records found')
        for doc in db.DNS.find(dns_query, {"Request Details.Query Name": 1, "_id": 0}):
            response += Website(doc['Request Details']['Query Name'])
        return response
    except Exception as e:
        return response + UIMessage(str(e))
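def dotransform(request, response):
    """Return an IPv4Address entity for every host seen in a stream file.

    ``request.value`` is a stream file name; STREAMS documents whose
    ``File Name`` contains it are read and the source and destination IP of
    each packet record is emitted (duplicates included).

    Args:
        request: Maltego request carrying the stream file name.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with the IPv4Address entities, or with a UIMessage when
        the database is disabled, nothing matches or the query fails.
    """
    import re  # local: escapes the file name for the $regex query below

    filename = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')

    # Connect to the database so we can search for IP addresses.
    db = mongo_connect()
    try:
        hosts = []
        # The entity value is a file name, so match it literally: escaping
        # keeps regex metacharacters in the value from changing the query.
        cursor = db.STREAMS.find({'File Name': {'$regex': re.escape(filename)}})
        for doc in cursor:
            hosts.append(doc['Packet']['Source IP'])
            hosts.append(doc['Packet']['Destination IP'])
        # A pymongo cursor cannot be compared with 0 to test for results,
        # so emptiness is decided by what it actually yielded.
        if not hosts:
            return response + UIMessage(
                'No records found, please make sure the pcap stream file is indexed'
            )

        for host in hosts:
            response += IPv4Address(host)
        return response
    except Exception as e:
        return response + UIMessage(str(e))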
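def dotransform(request, response):
    """Return an IPv4Address entity for every host seen in a stream file.

    ``request.value`` is a stream file name; STREAMS documents whose
    ``File Name`` contains it are read and the source and destination IP of
    each packet record is emitted (duplicates included).

    Args:
        request: Maltego request carrying the stream file name.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with the IPv4Address entities, or with a UIMessage when
        the database is disabled, nothing matches or the query fails.
    """
    import re  # local: escapes the file name for the $regex query below

    filename = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')

    # Connect to the database so we can search for IP addresses.
    db = mongo_connect()
    try:
        hosts = []
        # The entity value is a file name, so match it literally: escaping
        # keeps regex metacharacters in the value from changing the query.
        cursor = db.STREAMS.find({'File Name': {'$regex': re.escape(filename)}})
        for doc in cursor:
            hosts.append(doc['Packet']['Source IP'])
            hosts.append(doc['Packet']['Destination IP'])
        # A pymongo cursor cannot be compared with 0 to test for results,
        # so emptiness is decided by what it actually yielded.
        if not hosts:
            return response + UIMessage('No records found, please make sure the pcap stream file is indexed')

        for host in hosts:
            response += IPv4Address(host)
        return response
    except Exception as e:
        return response + UIMessage(str(e))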
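def dotransform(request, response):
    """Return a Folder entity for the working directory of a session.

    ``request.value`` is a PCAP ID; the INDEX document with that id supplies
    the ``Working Directory``. The entity carries the id in a ``sessionid``
    field.

    Args:
        request: Maltego request carrying the PCAP ID in ``request.value``.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with the Folder entity, or with a UIMessage when the
        database is disabled, the lookup fails or no record exists.
    """
    pcap_id = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')

    # Connect to the database so we can read the index record
    index = mongo_connect()['INDEX']
    folder = None
    try:
        query = {'PCAP ID': pcap_id}
        if index.find(query).count() > 0:
            # The last matching document wins.
            for doc in index.find(query, {'Working Directory': 1, '_id': 0}):
                folder = doc['Working Directory']
    except Exception as e:
        return response + UIMessage(str(e))

    if folder is None:
        # An unknown id leaves no directory to build an entity from.
        return response + UIMessage('No index record found for PCAP ID %s' % pcap_id)

    e = Folder(folder)
    e += Field('sessionid', pcap_id, displayname='Session ID')
    response += e
    return response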
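def dotransform(request, response):
    """Turn a stream pcap path into a pcapStream entity carrying a banner.

    The part of the file name after the folder prefix is read as
    ``<protocol>-<source>-<destination>.pcap``; those three parts form the
    entity banner.

    Args:
        request: Maltego request; ``request.value`` is the stream pcap path.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a pcapStream entity appended, or with a UIMessage
        when hashing fails or the name does not have the expected shape.
    """
    pcap = request.value
    usedb = config['working/usedb']
    if usedb > 0:
        # With a database the folder is taken from the indexed session,
        # looked up by the file's MD5 (element 2 of the find_session result).
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        folder = find_session(md5hash)[2]
    else:
        folder = config['working/directory']

    # Skip the folder plus 11 characters of prefix and drop the '.pcap'
    # extension, leaving 'protocol-source-destination'.
    name_start = len(folder) + 11
    parts = pcap[name_start:-5].split('-')
    if len(parts) < 3:
        # A name outside the naming scheme would otherwise raise IndexError.
        return response + UIMessage('Unexpected stream file name: %s' % pcap)
    banner = 'Protocol:%s\nSource:%s\nDestination:%s' % (parts[0], parts[1], parts[2])
    response += pcapStream(banner)
    return response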
def dotransform(request, response):
    """Return an IPv4Address entity for each endpoint of a stream file.

    ``request.value`` is a stream file name; every STREAMS document with that
    ``File Name`` contributes its packet source and destination IP, in that
    order and without de-duplication.

    Args:
        request: Maltego request carrying the stream file name.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with the IPv4Address entities, or with a UIMessage when
        the database is disabled, no stream matches or the query fails.
    """
    stream_file = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')

    db = mongo_connect()
    query = {"File Name": stream_file}
    addresses = []
    try:
        if db.STREAMS.find(query).count() > 0:
            projection = {"Packet.Source IP": 1, "Packet.Destination IP": 1, "_id": 0}
            for doc in db.STREAMS.find(query, projection):
                packet = doc['Packet']
                addresses.extend([packet['Source IP'], packet['Destination IP']])
        else:
            return response + UIMessage(
                'This needs to be run from a TCP/UDP stream')
    except Exception as e:
        return response + UIMessage(str(e))

    for address in addresses:
        response += IPv4Address(address)
    return response
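def dotransform(request, response):
    """Emit a Domain entity for every registered domain queried in a pcap.

    Each DNS query packet in ``request.value`` is reduced to its registered
    domain (tldextract). With the database enabled one document per query
    is inserted into DNS, skipped when a document with the same timestamp
    already exists.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one Domain per distinct registered domain, or with
        a UIMessage when the pcap cannot be hashed or parsed.
    """
    # Store the pcap file as a variable
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the records created below
        db = mongo_connect()
        dns_coll = db['DNS']
        # Hash the pcap file
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        # Get the session and/or pcap id
        session = find_session(md5hash)
        pcap_id = session[0]
        session_id = session[1]

    try:
        domains = []
        for p in rdpcap(pcap):
            if not p.haslayer(DNSQR):
                continue
            timestamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
            qname = p[DNSQR].qname[:-1]  # drop the trailing dot
            domain = tldextract.extract(qname).registered_domain
            if usedb > 0:
                # NOTE: built from a dict literal, so key order is not preserved.
                record = OrderedDict({'PCAP ID': pcap_id, 'Stream ID': session_id,
                                      'Time Stamp': timestamp,
                                      'Type': 'Request',
                                      'IP': {'src': p[IP].src, 'dst': p[IP].dst, 'length': p[IP].len},
                                      'Request Details': {'Query Type': p[DNSQR].qtype, 'Query Name': qname, 'Domain': domain}})
                # The timestamp is the de-duplication key for re-runs
                if db.DNS.find({'Time Stamp': timestamp}).count() == 0:
                    dns_coll.insert(record)
            # De-duplicate on the registered domain, which is what is emitted
            if domain not in domains:
                domains.append(domain)

        for domain in domains:
            response += Domain(domain)
        return response

    except Exception as e:
        if usedb > 0:
            error_logging(str(e), 'DNS Requests')
        # Always hand a response back, even after the error has been logged
        return response + UIMessage(str(e))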
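def dotransform(request, response):
    """Upload an artifact zip to the web server and record it in FILES.

    ``request.value`` is the zip path, ``request.fields['folder']`` the
    directory it lives in and ``request.fields['sessionid']`` the PCAP ID the
    record is tagged with. A file whose name is already in FILES is not
    uploaded again.

    Args:
        request: Maltego request with the zip path and the fields above.
        response: Maltego response a UIMessage is added to.

    Returns:
        ``response`` plus a UIMessage describing the outcome (uploaded,
        already present, upload rejected, or the error that occurred).
    """
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')

    zip_path = request.value
    folder = request.fields['folder']
    pcap_id = request.fields['sessionid']

    # Build the web server variables
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)

    # Connect to the database so we can insert the record created below
    files_coll = mongo_connect()['FILES']
    now = time.strftime("%c")

    # Hash the zip file
    try:
        md5hash = md5_for_file(zip_path)
        sha1hash = sha1_for_file(zip_path)
    except Exception as e:
        return response + UIMessage(str(e))

    # The file name is the path with '<folder>/' stripped off; this assumes
    # the zip lives directly under 'folder' as the caller supplied it.
    filename = zip_path[len(folder) + 1:]
    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)

    # Check to see if the file is already uploaded
    if files_coll.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')

    data = {'Upload Time': now, 'File Name': filename, 'Folder': folder, 'MD5 Hash': md5hash, 'SHA1 Hash': sha1hash,
            'Download': download_url, 'PCAP ID': pcap_id}

    try:
        # POST the file; the context manager closes the handle once the
        # request is sent instead of leaving it open until garbage collection.
        # NOTE: requests.post() has no timeout here, so an unresponsive
        # server blocks the transform.
        with open(zip_path, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            files_coll.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage('Whoops file upload didn\'t work.')
    except Exception as e:
        return response + UIMessage(str(e))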
def dotransform(request, response):
    """Emit a Website entity for every distinct HTTP Host seen in a pcap.

    With the database enabled one HTTP document per request packet is
    inserted, skipped when a document with the same timestamp already
    exists.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one Website per distinct Host header, or with a
        UIMessage when the pcap cannot be hashed.
    """
    # Store the pcap file as a variable
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the records created below
        db = mongo_connect()
        http_coll = db['HTTP']
        # Hash the pcap file to find its session
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        pcap_id = find_session(md5hash)[0]

    # Find HTTP Requests
    hosts = []
    for p in rdpcap(pcap):
        if not p.haslayer(HTTPRequest):
            continue
        timestamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
        req = p[HTTPRequest]
        host = req.Host
        if usedb > 0:
            record = OrderedDict({'PCAP ID': pcap_id,
                                  'Time Stamp': timestamp,
                                  'Type': 'HTTP Request', 'IP': {'src': p[IP].src, 'dst': p[IP].dst},
                                  'HTTP': {'Method': req.Method, 'URI': req.Path,
                                           'Referer': req.Referer, 'Host': req.Host}})
            # Only insert when no record carries this timestamp yet
            if db.HTTP.find({'Time Stamp': timestamp}).count() == 0:
                http_coll.insert(record)
        if host not in hosts:
            hosts.append(host)

    for host in hosts:
        response += Website(host)
    return response
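def dotransform(request, response):
    """Emit an EmailAddress entity for each address in SMTP envelope commands.

    Raw TCP payloads in ``request.value`` that contain ``MAIL FROM:`` or
    ``RCPT TO:`` are scanned for ``<user@host>`` tokens. With the database
    enabled each address is stored in CREDS unless already present.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one EmailAddress per address found, or with a
        UIMessage when the pcap cannot be hashed or parsed.
    """
    pcap = request.value

    lookfor = ('MAIL FROM:', 'RCPT TO:')
    # Compiled once; the raw string keeps '\S' from being read as an escape.
    address_re = re.compile(r'<([\S.-]+@[\S-]+)>')
    pkts = rdpcap(pcap)
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        db = mongo_connect()
        creds = db['CREDS']
        # Hash the pcap file to find its session
        try:
            md5pcap = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        pcap_id = find_session(md5pcap)[0]

    addresses = []
    try:
        for p in pkts:
            if not (p.haslayer(TCP) and p.haslayer(Raw)):
                continue
            payload = p[Raw].load
            # Scan a payload once even when it carries both commands, so an
            # address is not collected twice from the same segment.
            if any(marker in payload for marker in lookfor):
                addresses.extend(m.group(1) for m in address_re.finditer(payload))
    except Exception as e:
        return response + UIMessage(str(e))

    for address in addresses:
        if usedb > 0:
            # Only insert addresses not already recorded
            if db.CREDS.find({'Record': address}).count() == 0:
                creds.insert({'PCAP ID': pcap_id, 'Type': 'Email Address', 'Record': address})
        response += EmailAddress(address)
    return response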
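def dotransform(request, response):
    """Emit an EmailAddress entity for each address in SMTP envelope commands.

    Raw TCP payloads in ``request.value`` that contain ``MAIL FROM:`` or
    ``RCPT TO:`` are scanned for ``<user@host>`` tokens. With the database
    enabled each address is stored in CREDS unless already present.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one EmailAddress per address found, or with a
        UIMessage when the pcap cannot be hashed or parsed.
    """
    pcap = request.value

    lookfor = ('MAIL FROM:', 'RCPT TO:')
    # Compiled once; the raw string keeps '\S' from being read as an escape.
    address_re = re.compile(r'<([\S.-]+@[\S-]+)>')
    pkts = rdpcap(pcap)
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        db = mongo_connect()
        creds = db['CREDS']
        # Hash the pcap file to find its session
        try:
            md5pcap = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        pcap_id = find_session(md5pcap)[0]

    addresses = []
    try:
        for p in pkts:
            if not (p.haslayer(TCP) and p.haslayer(Raw)):
                continue
            payload = p[Raw].load
            # Scan a payload once even when it carries both commands, so an
            # address is not collected twice from the same segment.
            if any(marker in payload for marker in lookfor):
                addresses.extend(m.group(1) for m in address_re.finditer(payload))
    except Exception as e:
        return response + UIMessage(str(e))

    for address in addresses:
        if usedb > 0:
            # Only insert addresses not already recorded
            if db.CREDS.find({'Record': address}).count() == 0:
                creds.insert({'PCAP ID': pcap_id, 'Type': 'Email Address', 'Record': address})
        response += EmailAddress(address)
    return response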
def dotransform(request, response):
    """Return a pcapFile entity for every stream recorded against a pcap.

    ``request.value`` is the path of an indexed pcap; its ``PCAP ID`` is read
    from the INDEX collection and used to list the STREAMS documents.

    Args:
        request: Maltego request carrying the pcap path in ``request.value``.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` extended with one pcapFile per stream, or with a
        UIMessage explaining why nothing was returned.
    """
    pcap_path = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')

    db = mongo_connect()
    try:
        # Resolve the pcap path to its session id via INDEX.
        index_query = {"PCAP Path": pcap_path}
        if db.INDEX.find(index_query).count() == 0:
            return response + UIMessage(
                'PCAP not found, is the SessionID correct??')
        # The last matching document supplies the id.
        for record in db.INDEX.find(index_query, {"PCAP ID": 1, "_id": 0}):
            session_id = record['PCAP ID']

        # One pcapFile entity per stream file of that session.
        stream_query = {"PCAP ID": session_id}
        if db.STREAMS.find(stream_query).count() == 0:
            return response + UIMessage('No streams found for that Session ID')
        for record in db.STREAMS.find(stream_query, {"File Name": 1, "_id": 0}):
            response += pcapFile(record['File Name'])
        return response
    except Exception as e:
        return response + UIMessage(str(e))
def dotransform(request, response):
    """Return a pcapFile entity for the pcap behind a session id.

    ``request.value`` is a PCAP ID; the first INDEX document with that id
    supplies the ``PCAP Path``.

    Args:
        request: Maltego request carrying the PCAP ID in ``request.value``.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a pcapFile entity, or with a UIMessage when the
        database is disabled, the id is unknown or the query fails.
    """
    session_id = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')

    db = mongo_connect()
    query = {"PCAP ID": session_id}
    try:
        if db.INDEX.find(query).count() == 0:
            return response + UIMessage('PCAP not found, is the SessionID correct??')
        # Only the first document is used; the loop returns on its first pass.
        for record in db.INDEX.find(query, {"_id": 0}):
            response += pcapFile(record['PCAP Path'])
            return response
    except Exception as e:
        return response + UIMessage(str(e))
def dotransform(request, response):
    """Emit a Credential entity for each SMTP credential found in a pcap.

    smtp_creds() extracts the credentials from ``request.value``; with the
    database enabled each one is stored in CREDS unless already recorded.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one Credential per finding, or with a UIMessage
        when nothing was found or the pcap could not be hashed.
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the records created below
        db = mongo_connect()
        creds = db['CREDS']
        # Hash the pcap file to find its session
        try:
            md5pcap = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        pcap_id = find_session(md5pcap)[0]

    found = smtp_creds(pcap)
    if len(found) == 0:
        return response + UIMessage('No SMTP Credentials found..sorry')
    for cred in found:
        if usedb > 0:
            record = {'PCAP ID': pcap_id, 'Type': 'Email Credential', 'Record': cred}
            # Only insert credentials not already recorded
            if db.CREDS.find({'Record': cred}).count() == 0:
                creds.insert(record)
        response += Credential(cred)
    return response
def dotransform(request, response):
    """Return a pcapFile entity for the pcap behind a session id.

    ``request.value`` is a PCAP ID; the first INDEX document with that id
    supplies the ``PCAP Path``.

    Args:
        request: Maltego request carrying the PCAP ID in ``request.value``.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a pcapFile entity, or with a UIMessage when the
        database is disabled, the id is unknown or the query fails.
    """
    session_id = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')

    db = mongo_connect()
    query = {"PCAP ID": session_id}
    try:
        if db.INDEX.find(query).count() == 0:
            return response + UIMessage(
                'PCAP not found, is the SessionID correct??')
        # Only the first document is used; the loop returns on its first pass.
        for record in db.INDEX.find(query, {"_id": 0}):
            response += pcapFile(record['PCAP Path'])
            return response
    except Exception as e:
        return response + UIMessage(str(e))
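def dotransform(request, response):
    """Return a VirusTotal entity linking to the report for an artifact hash.

    The MD5 in ``request.fields['sniffmypacketsv2.fhash']`` is looked up with
    vt_lookup_file(). With the database enabled the permalink and scan date
    are stored in MALWARE (once per hash), tagged with the PCAP ID recorded
    in ARTIFACTS for that hash.

    Args:
        request: Maltego request; ``request.value`` is the artifact file name.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a VirusTotal entity, or with a UIMessage when
        VirusTotal has no record for the hash.
    """
    filename = request.value
    md5hash = request.fields['sniffmypacketsv2.fhash']
    usedb = config['working/usedb']

    # The lookup does not need the database, so it runs unconditionally;
    # without it the entity below would have no link to carry.
    v = vt_lookup_file(md5hash)
    if v is None:
        return response + UIMessage('No record found in VirusTotal')
    link = v['permalink']
    scan = v['scan_date']

    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the record created below
        db = mongo_connect()
        malware = db['MALWARE']

        # Tag the record with the PCAP the artifact came from (last match
        # wins, empty when the hash is not in ARTIFACTS). ARTIFACTS records
        # are written under the key 'MD5 Hash'; keys are case-sensitive.
        pcap_id = ''
        for m in db.ARTIFACTS.find({'MD5 Hash': md5hash}, {"PCAP ID": 1, "_id": 0}):
            pcap_id = m['PCAP ID']

        data = {'PCAP ID': pcap_id, 'File Name': filename, 'Permalink': link, 'Scan Date': scan, 'MD5 Hash': md5hash}

        # Only insert when no record for this hash exists yet
        if db.MALWARE.find({'MD5 Hash': md5hash}).count() == 0:
            malware.insert(data)

    response += VirusTotal(link)
    return response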
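def dotransform(request, response):
    """Extract files carried in a pcap and emit an Artifact entity for each.

    Files are dissected into ``<folder>/artifacts``; with the database
    enabled the folder comes from the indexed session, otherwise a fresh
    subdirectory of ``working/directory`` is created. Each extracted file is
    hashed, typed and, with the database, recorded in ARTIFACTS unless the
    same hash and name are already present.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one Artifact per extracted file, or with a
        UIMessage when the pcap cannot be hashed or no working directory is
        configured.
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the records created below
        db = mongo_connect()
        artifacts = db['ARTIFACTS']
        # Hash the pcap file to find its session
        try:
            md5pcap = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        session = find_session(md5pcap)
        pcap_id = session[0]
        folder = session[2]
    else:
        workdir = config['working/directory'].strip('\'')
        if workdir == '':
            return response + UIMessage('No working directory set, check your config file')
        try:
            # Per-run subdirectory named from a random uuid fragment
            workdir = workdir + '/' + str(uuid.uuid4())[:12].replace('-', '')
            if not os.path.exists(workdir):
                os.makedirs(workdir)
            folder = workdir
        except Exception as e:
            # UIMessage takes text, so pass the message rather than the exception
            return response + UIMessage(str(e))

    folder = '%s/%s' % (folder, 'artifacts')

    if not os.path.exists(folder):
        os.makedirs(folder)

    dissector = Dissector()  # instance of dissector class
    dissector.change_dfolder(folder)
    dissector.dissect_pkts(pcap)
    list_files = glob.glob(folder + '/*')

    # Loop through the stored files and create the database/maltego objects
    for path in list_files:
        try:
            md5hash = md5_for_file(path)
            sha1hash = sha1_for_file(path)
            ftype = check_file(path)
            # glob returns '<folder>/<name>', so the name is the last component
            filename = os.path.basename(path)
            if usedb > 0:
                data = {'PCAP ID': pcap_id, 'Path': folder, 'File Name': filename, 'File Type': ftype, 'MD5 Hash': md5hash,
                        'SHA1 Hash': sha1hash}
                # Only insert when the same hash and name are not recorded yet
                if db.ARTIFACTS.find({'MD5 Hash': md5hash, "File Name": filename}).count() == 0:
                    artifacts.insert(data)

            # Create the Maltego entities
            a = Artifact(filename)
            a.ftype = ftype
            a.fhash = md5hash
            a += Field('path', folder, displayname='Path')
            response += a
        except Exception as e:
            # Best effort per file: report and carry on with the rest.
            print(str(e))

    return response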
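def dotransform(request, response):
    """Emit a Website entity for each TLS server name seen in a pcap.

    TCP payloads whose first byte is 0x16 (a TLS handshake record) are
    inspected: a Client Hello (handshake type 0x01) yields the server name,
    a Server Hello (0x02) the chosen cipher suite. With the database enabled
    one SSL document per packet is inserted, skipped when a document with
    the same timestamp already exists.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one Website per distinct server name, or with a
        UIMessage when the pcap cannot be hashed or parsed.
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # The connection and the session lookup get separate names: the
        # connection is needed again inside the packet loop.
        db = mongo_connect()
        ssl_coll = db['SSL']
        # Hash the pcap file to find its session
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        pcap_id = find_session(md5hash)[0]

    # Load the packets
    pkts = rdpcap(pcap)
    # Look for SSL packets and pull out the required information.
    servers = []
    try:
        for p in pkts:
            if not (p.haslayer(IP) and p.haslayer(TCP) and p.haslayer(Raw)):
                continue
            octets = hexstr(p[Raw].load).split(' ')
            # Need at least the record header and the handshake type byte
            if len(octets) < 6 or octets[0] != '16':
                continue
            timestamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
            stype = 'Handshake'
            if octets[5] == '01':
                htype = 'Client Hello'
                # Fixed offsets: the server name length is read at bytes
                # 131-132 and the name follows it. NOTE(review): this assumes
                # one particular Client Hello layout (session id, cipher and
                # extension lengths) — confirm against other clients.
                slen = int(''.join(octets[131:133]), 16)
                sname = binascii.unhexlify(''.join(octets[133:133 + slen]))
                if sname not in servers:
                    servers.append(sname)
                if usedb > 0:
                    data = {'PCAP ID': pcap_id, 'SSL Type': stype, 'Handshake Type': htype,
                            'Time Stamp': timestamp,
                            'Source IP': p[IP].src, 'Source Port': p[TCP].sport, 'Destination IP': p[IP].dst,
                            'Destination Port': p[TCP].dport, 'Server Name': sname}
                    # The timestamp is the de-duplication key
                    if db.SSL.find({'Time Stamp': timestamp}).count() == 0:
                        ssl_coll.insert(data)

            if octets[5] == '02':
                htype = 'Server Hello'
                # Two bytes at a fixed offset are taken as the cipher suite
                ctype = ''.join(octets[76:78])
                if usedb > 0:
                    data = {'PCAP ID': pcap_id, 'SSL Type': stype, 'Handshake Type': htype,
                            'Time Stamp': timestamp,
                            'Source IP': p[IP].src, 'Source Port': p[TCP].sport, 'Destination IP': p[IP].dst,
                            'Destination Port': p[TCP].dport, 'Cipher Suite': ctype}
                    if db.SSL.find({'Time Stamp': timestamp}).count() == 0:
                        ssl_coll.insert(data)
    except Exception as e:
        return response + UIMessage(str(e))

    # Return Maltego entities based on the SSL server name
    for sname in servers:
        response += Website(sname)
    return response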
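def dotransform(request, response):
    """GeoIP every TCP/UDP endpoint in a pcap and return a GeoMap entity.

    The PCAP ID is resolved from the file's MD5 via INDEX, falling back to
    STREAMS. Each (protocol, address, port) endpoint is looked up with
    lookup_geo() and stored in GEOIP unless that address/port pair is
    already present. The entity links to the map page for the PCAP ID.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a GeoMap entity, or with a UIMessage when the
        database is disabled, the pcap cannot be hashed or it is not indexed.
    """
    # Store the pcap file as a variable
    pcap = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database in use, so this is pointless!!!')

    # Connect to the database so we can insert the records created below
    db = mongo_connect()
    geoip = db['GEOIP']

    # Hash the pcap file
    try:
        md5hash = md5_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    # Get the PCAP ID for the pcap file: INDEX first, then STREAMS (last
    # matching document wins).
    pcap_id = None
    try:
        hash_query = {"MD5 Hash": md5hash}
        if db.INDEX.find(hash_query).count() > 0:
            for doc in db.INDEX.find(hash_query, {"PCAP ID": 1, "_id": 0}):
                pcap_id = doc['PCAP ID']
        elif db.STREAMS.find(hash_query).count() > 0:
            for doc in db.STREAMS.find(hash_query, {"PCAP ID": 1, "_id": 0}):
                pcap_id = doc['PCAP ID']
        else:
            return response + UIMessage('No PCAP ID, you need to index the pcap file')
    except Exception as e:
        return response + UIMessage(str(e))
    if pcap_id is None:
        # A positive count with an empty cursor would otherwise leave the id
        # unset and break the inserts below.
        return response + UIMessage('No PCAP ID, you need to index the pcap file')

    # Load the pcap file and collect the conversation endpoints. A source
    # endpoint is added once; a destination endpoint is toggled (removed
    # when already present, added otherwise).
    convo = []
    for p in rdpcap(pcap):
        if not p.haslayer(IP):
            continue
        for layer, proto in ((TCP, 'TCP'), (UDP, 'UDP')):
            if not p.haslayer(layer):
                continue
            src_end = proto, p[IP].src, p[layer].sport
            dst_end = proto, p[IP].dst, p[layer].dport
            if src_end not in convo:
                convo.append(src_end)
            if dst_end in convo:
                convo.remove(dst_end)
            else:
                convo.append(dst_end)

    # Run each IP through a GeoIP lookup and build a document to insert into the database
    for proto, src, sport in convo:
        geo = lookup_geo(src)
        if geo is None:
            continue
        # NOTE: built from a dict literal, so key order is not preserved.
        record = OrderedDict({'PCAP ID': pcap_id, 'Protocol': proto, 'src': src, 'src port': sport, 'src geo': geo})
        # The de-duplication key does not include the PCAP ID, so an
        # endpoint already stored for another pcap is not recorded again.
        if db.GEOIP.find({'src': src, 'src port': sport}).count() == 0:
            geoip.insert(record)

    # Build the URL for the returned Maltego entity
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    response += GeoMap('http://%s:%s/pcap/%s/map' % (url, port, pcap_id))
    return response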
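def dotransform(request, response):
    """Store every packet of a pcap (or carved stream file) in the database.

    Two collections are written: ``PACKETS`` receives the fully dissected
    packets produced by ``find_layers`` and ``PACKETSUMMARY`` receives a
    compact per-packet record used by the web views.  Records are keyed on
    the packet timestamp so that re-running the transform does not insert
    duplicates.  A ``pcapStream`` entity pointing at the packets page is
    returned.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entity is appended to.

    Returns:
        The response with a ``pcapStream`` entity, or a ``UIMessage`` when
        the database is disabled, the file cannot be hashed or the pcap has
        not been indexed yet.
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('You have chosen not to use a database')

    d = mongo_connect()
    c = d['PACKETS']
    y = d['PACKETSUMMARY']
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')

    # Hash the pcap file
    try:
        md5pcap = md5_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    def convert_encoding(data, encoding='utf-8'):
        """Recursively byte-encode unicode strings in nested dicts/lists."""
        if isinstance(data, dict):
            return dict((convert_encoding(key), convert_encoding(value))
                        for key, value in data.iteritems())
        elif isinstance(data, list):
            return [convert_encoding(element) for element in data]
        elif isinstance(data, unicode):
            return data.encode(encoding, errors='replace')
        else:
            return data

    # Get the PCAP ID for the pcap file: a whole pcap lives in INDEX, a
    # stream file carved from it lives in STREAMS.
    pcap_id = None
    streamid = None
    try:
        s = d.INDEX.find({"MD5 Hash": md5pcap}).count()
        if s == 0:
            t = d.STREAMS.find({"MD5 Hash": md5pcap}).count()
            if t > 0:
                r = d.STREAMS.find({"MD5 Hash": md5pcap}, {"PCAP ID": 1, "Stream ID": 1, "_id": 0})
                for i in r:
                    pcap_id = i['PCAP ID']
                    streamid = i['Stream ID']
            else:
                return response + UIMessage('No PCAP ID, you need to index the pcap file')
        if s > 0:
            r = d.INDEX.find({"MD5 Hash": md5pcap}, {"PCAP ID": 1, "_id": 0})
            for i in r:
                pcap_id = i['PCAP ID']
                # A whole pcap has no stream of its own: its PCAP ID doubles
                # as the stream id in the URLs built below.
                streamid = i['PCAP ID']
    except Exception as e:
        return response + UIMessage(str(e))
    if pcap_id is None or streamid is None:
        # count() reported a record but the cursor yielded nothing; bail out
        # instead of building URLs from unbound names.
        return response + UIMessage('No PCAP ID, you need to index the pcap file')

    stream_url = 'http://%s:%s/pcap/%s/packets' % (url, port, streamid)
    pkts = loadpackets(pcap)

    # Dump the full packets into the database for later use.
    x = find_layers(pkts, pcap, pcap_id, streamid)
    try:
        for s in x:
            tstamp = s['Buffer']['timestamp']
            # The timestamp is the de-duplication key for PACKETS records.
            q = d.PACKETS.find({"Buffer.timestamp": tstamp}).count()
            if q == 0:
                v = OrderedDict(json.loads(json.dumps(convert_encoding(s), encoding='latin-1', ensure_ascii=False)))
                c.insert(v)
    except Exception as e:
        error_logging(str(e), 'Packets')

    # Build the packet summary so we can make pretty pages.
    count = 1
    packet = OrderedDict()
    try:
        for p in pkts:
            tstamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
            p_header = {"PCAP ID": pcap_id, "Buffer": {"timestamp": tstamp, "packetnumber": count, "pcapfile": pcap,
                                                       "packet_length": p.len, "StreamID": streamid}}
            packet.update(p_header)
            if p.haslayer(IP):
                p_ip = {"IP": {"ip_src": p[IP].src, "ip_dst": p[IP].dst, "ip_ttl": p[IP].ttl}}
                packet.update(p_ip)
            # Walk the layer stack by index; getlayer() yields None past the end.
            layers = []
            counter = 0
            while True:
                layer = p.getlayer(counter)
                if layer is None:
                    break
                # HTTP layers are deliberately left out of the summary.
                if layer.name != 'HTTP':
                    layers.append(layer.name)
                counter += 1
            packet.update({"Layers": layers})
            view_url = 'http://%s:%s/pcap/%s/%s/packets/%s' % (url, port, pcap_id, streamid, count)
            packet.update({"View": view_url})
            # Same de-duplication key as above, on the summary collection.
            t = d.PACKETSUMMARY.find({"Buffer.timestamp": tstamp}).count()
            if t == 0:
                y.insert(packet)
            count += 1
            packet.clear()
    except Exception as e:
        error_logging(str(e), 'PacketSummary')

    # Return the Maltego Entity
    a = pcapStream(stream_url)
    response += a
    return response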
コード例 #25
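def dotransform(request, response):
    """Upload a file to the web server and record it in ``FILES``.

    The file is looked up by MD5 first in ``INDEX`` (whole pcaps) and then
    in ``STREAMS`` (carved stream files) to recover its PCAP ID and folder.
    It is then POSTed to the ``_uploads`` endpoint of the configured web
    server and, when the server answers 200, a ``FILES`` record holding the
    hashes and download URL is inserted.

    Args:
        request: Maltego request; ``request.value`` is the path of the file.
        response: Maltego response a ``UIMessage`` is appended to.

    Returns:
        The response plus a ``UIMessage`` describing the outcome.
    """
    usedb = config['working/usedb']
    # Without a database there is nothing to record the upload against.
    if usedb == 0:
        return response + UIMessage(
            'No database support configured, check your config file')
    zip_path = request.value
    # Build the web server variables
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)

    # Connect to the database so we can insert the record created below
    x = mongo_connect()
    c = x['FILES']

    now = time.strftime("%c")

    # Hash the file
    try:
        md5hash = md5_for_file(zip_path)
        sha1hash = sha1_for_file(zip_path)
    except Exception as e:
        return response + UIMessage(str(e))

    # Get the PCAP ID and folder for the file
    folder = None
    pcap_id = None
    try:
        s = x.INDEX.find({"MD5 Hash": md5hash}).count()
        if s == 0:
            t = x.STREAMS.find({"MD5 Hash": md5hash}).count()
            if t > 0:
                r = x.STREAMS.find({"MD5 Hash": md5hash}, {
                    "Folder": 1,
                    "PCAP ID": 1,
                    "_id": 0
                })
                for i in r:
                    folder = i['Folder']
                    pcap_id = i['PCAP ID']
            else:
                return response + UIMessage(
                    'No PCAP ID, you need to index the pcap file')
        else:
            r = x.INDEX.find({"MD5 Hash": md5hash}, {
                "Working Directory": 1,
                "PCAP ID": 1,
                "_id": 0
            })
            for i in r:
                folder = i['Working Directory']
                pcap_id = i['PCAP ID']
    except Exception as e:
        return response + UIMessage(str(e))
    if pcap_id is None:
        # count() reported a record but the cursor yielded nothing.
        return response + UIMessage(
            'No PCAP ID, you need to index the pcap file')

    # The download URL is built from the bare file name, colons removed.
    filename = zip_path.split('/')[-1].replace(':', '')
    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)

    # Check to see if the file is already uploaded
    if c.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')

    data = {
        'Upload Time': now,
        'File Name': filename,
        'Folder': folder,
        'MD5 Hash': md5hash,
        'SHA1 Hash': sha1hash,
        'Download': download_url,
        'PCAP ID': pcap_id
    }

    try:
        # POST the file; the handle is closed once the request has completed.
        with open(zip_path, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            c.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage('Whoops file upload didn\'t work.')
    except Exception as e:
        return response + UIMessage(str(e))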
コード例 #26
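def dotransform(request, response):
    """Upload a file to the web server and record it in ``FILES``.

    The file is looked up by MD5 first in ``INDEX`` (whole pcaps) and then
    in ``STREAMS`` (carved stream files) to recover its PCAP ID and folder.
    It is then POSTed to the ``_uploads`` endpoint of the configured web
    server and, when the server answers 200, a ``FILES`` record holding the
    hashes and download URL is inserted.

    Args:
        request: Maltego request; ``request.value`` is the path of the file.
        response: Maltego response a ``UIMessage`` is appended to.

    Returns:
        The response plus a ``UIMessage`` describing the outcome.
    """
    usedb = config['working/usedb']
    # Without a database there is nothing to record the upload against.
    if usedb == 0:
        return response + UIMessage('No database support configured, check your config file')
    zip_path = request.value
    # Build the web server variables
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)

    # Connect to the database so we can insert the record created below
    x = mongo_connect()
    c = x['FILES']

    now = time.strftime("%c")

    # Hash the file
    try:
        md5hash = md5_for_file(zip_path)
        sha1hash = sha1_for_file(zip_path)
    except Exception as e:
        return response + UIMessage(str(e))

    # Get the PCAP ID and folder for the file
    folder = None
    pcap_id = None
    try:
        s = x.INDEX.find({"MD5 Hash": md5hash}).count()
        if s == 0:
            t = x.STREAMS.find({"MD5 Hash": md5hash}).count()
            if t > 0:
                r = x.STREAMS.find({"MD5 Hash": md5hash}, {"Folder": 1, "PCAP ID": 1, "_id": 0})
                for i in r:
                    folder = i['Folder']
                    pcap_id = i['PCAP ID']
            else:
                return response + UIMessage('No PCAP ID, you need to index the pcap file')
        else:
            r = x.INDEX.find({"MD5 Hash": md5hash}, {"Working Directory": 1, "PCAP ID": 1, "_id": 0})
            for i in r:
                folder = i['Working Directory']
                pcap_id = i['PCAP ID']
    except Exception as e:
        return response + UIMessage(str(e))
    if pcap_id is None:
        # count() reported a record but the cursor yielded nothing.
        return response + UIMessage('No PCAP ID, you need to index the pcap file')

    # The download URL is built from the bare file name, colons removed.
    filename = zip_path.split('/')[-1].replace(':', '')
    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)

    # Check to see if the file is already uploaded
    if c.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')

    data = {'Upload Time': now, 'File Name': filename, 'Folder': folder, 'MD5 Hash': md5hash, 'SHA1 Hash': sha1hash,
            'Download': download_url, 'PCAP ID': pcap_id}

    try:
        # POST the file; the handle is closed once the request has completed.
        with open(zip_path, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            c.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage('Whoops file upload didn\'t work.')
    except Exception as e:
        return response + UIMessage(str(e))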
コード例 #27
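def dotransform(request, response):
    """Carve file artifacts out of a pcap and return them as entities.

    Files are extracted by the ``Dissector`` into an ``artifacts`` sub-folder
    of the session folder (taken from the database when it is enabled,
    otherwise a freshly created random folder under ``working/directory``).
    Each carved file is hashed, typed with ``check_file``, recorded in the
    ``ARTIFACTS`` collection when the database is enabled, and returned as
    an ``Artifact`` entity carrying its path.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are appended to.

    Returns:
        The response with one ``Artifact`` per carved file, or a
        ``UIMessage`` when the session folder cannot be determined.
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the record created below
        d = mongo_connect()
        c = d['ARTIFACTS']
        # Hash the pcap file
        try:
            md5pcap = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        x = find_session(md5pcap)
        pcap_id = x[0]
        folder = x[2]
    else:
        w = config['working/directory'].strip('\'')
        try:
            if w == '':
                return response + UIMessage(
                    'No working directory set, check your config file')
            # Fresh random sub-folder name for this run.
            w = w + '/' + str(uuid.uuid4())[:12].replace('-', '')
            if not os.path.exists(w):
                os.makedirs(w)
            folder = w
        except Exception as e:
            return response + UIMessage(str(e))

    folder = '%s/%s' % (folder, 'artifacts')

    if not os.path.exists(folder):
        os.makedirs(folder)

    dissector = Dissector()  # instance of dissector class
    dissector.change_dfolder(folder)
    dissector.dissect_pkts(pcap)
    list_files = glob.glob(folder + '/*')

    # Loop through the stored files and create the database/maltego objects
    for g in list_files:
        try:
            md5hash = md5_for_file(g)
            sha1hash = sha1_for_file(g)
            ftype = check_file(g)
            # glob() returned "<folder>/<name>"; keep just the name.
            filename = g[len(folder) + 1:]
            if usedb > 0:
                data = {
                    'PCAP ID': pcap_id,
                    'Path': folder,
                    'File Name': filename,
                    'File Type': ftype,
                    'MD5 Hash': md5hash,
                    'SHA1 Hash': sha1hash
                }
                # Hash plus name is the de-duplication key for ARTIFACTS.
                t = d.ARTIFACTS.find({
                    'MD5 Hash': md5hash,
                    "File Name": filename
                }).count()
                if t == 0:
                    c.insert(data)

            # Create the Maltego entities
            a = Artifact(filename)
            a.ftype = ftype
            a.fhash = md5hash
            a += Field('path', folder, displayname='Path')
            response += a
        except Exception as e:
            # One unreadable artifact must not abort the whole transform.
            print(str(e))

    return response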
コード例 #28
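def dotransform(request, response):
    """Upload a carved artifact to the web server and record it in ``FILES``.

    The artifact's path is rebuilt from the entity's ``path`` field and its
    name, it is looked up by MD5 in ``ARTIFACTS`` to recover the PCAP ID and
    file type, POSTed to the ``_uploads`` endpoint, and on a 200 reply a
    ``FILES`` record is inserted.

    Args:
        request: Maltego request; ``request.value`` is the artifact file
            name and ``request.fields['path']`` its folder.
        response: Maltego response a ``UIMessage`` is appended to.

    Returns:
        The response plus a ``UIMessage`` describing the outcome.
    """
    filename = request.value
    folder = request.fields['path']
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('No database support configured, check your config file')

    # Build the web server variables
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)

    # Connect to the database so we can insert the record created below
    x = mongo_connect()
    c = x['FILES']

    now = time.strftime("%c")
    # NOTE(review): both components come from the Maltego entity, not from
    # this transform, and are joined into a path that is read below —
    # confirm upstream that they always point inside the working directory.
    artifact_path = '%s/%s' % (folder, filename)

    # Hash the artifact
    try:
        md5hash = md5_for_file(artifact_path)
        sha1hash = sha1_for_file(artifact_path)
    except Exception as e:
        return response + UIMessage(str(e))

    # Get the PCAP ID and file type for the artifact
    pcap_id = None
    ftype = None
    try:
        s = x.ARTIFACTS.find({"MD5 Hash": md5hash}).count()
        if s > 0:
            r = x.ARTIFACTS.find({"MD5 Hash": md5hash}, {"File Type": 1, "PCAP ID": 1, "_id": 0})
            for i in r:
                pcap_id = i['PCAP ID']
                ftype = i['File Type']
        else:
            return response + UIMessage('No PCAP ID, you need to index the pcap file')
    except Exception as e:
        return response + UIMessage(str(e))
    if pcap_id is None:
        # count() reported a record but the cursor yielded nothing.
        return response + UIMessage('No PCAP ID, you need to index the pcap file')

    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)

    # Check to see if the file is already uploaded
    if c.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')

    data = {'Upload Time': now, 'File Name': filename, 'Folder': folder, 'MD5 Hash': md5hash, 'SHA1 Hash': sha1hash,
            'Download': download_url, 'PCAP ID': pcap_id, 'File Type': ftype}

    try:
        # POST the file; the handle is closed once the request has completed.
        with open(artifact_path, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            c.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage(str(r.status_code))
    except Exception as e:
        return response + UIMessage(str(e))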
コード例 #29
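def dotransform(request, response):
    """Return the registered domains queried in the DNS requests of a pcap.

    Every packet carrying a ``DNSQR`` layer is reduced to the registered
    domain of its query name (``tldextract``).  With the database enabled
    each request is also stored in the ``DNS`` collection, keyed on its
    timestamp so re-runs do not insert duplicates.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the ``Domain`` entities are appended to.

    Returns:
        The response with one ``Domain`` per distinct registered domain.  On
        error the failure is logged (database enabled) or returned as a
        ``UIMessage``.
    """
    # Store the pcap file as a variable
    pcap = request.value
    usedb = config['working/usedb']
    pcap_id = None
    session_id = None
    conn = None
    dns_coll = None
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the record created below
        conn = mongo_connect()
        dns_coll = conn['DNS']
        # Hash the pcap file
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        # Get the session and/or pcap id
        session = find_session(md5hash)
        pcap_id = session[0]
        session_id = session[1]

    try:
        pkts = rdpcap(pcap)
        dns_requests = []
        for p in pkts:
            if not p.haslayer(DNSQR):
                continue
            timestamp = datetime.datetime.fromtimestamp(
                p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
            # Drop the final character of the query name (its trailing dot).
            qname = p[DNSQR].qname[:-1]
            domain = tldextract.extract(qname).registered_domain
            if usedb > 0:
                dns = OrderedDict({
                    'PCAP ID': pcap_id,
                    'Stream ID': session_id,
                    'Time Stamp': timestamp,
                    'Type': 'Request',
                    'IP': {
                        'src': p[IP].src,
                        'dst': p[IP].dst,
                        'length': p[IP].len
                    },
                    'Request Details': {
                        'Query Type': p[DNSQR].qtype,
                        'Query Name': qname,
                        'Domain': domain
                    }
                })
                # Timestamp is the de-duplication key for DNS records.
                if conn.DNS.find({'Time Stamp': timestamp}).count() == 0:
                    dns_coll.insert(dns)
            # De-duplicate on the registered domain — that is what the list
            # holds and what is returned; names with no registered domain
            # would only produce an empty entity.
            if domain and domain not in dns_requests:
                dns_requests.append(domain)

        for name in dns_requests:
            response += Domain(name)
        return response

    except Exception as e:
        if usedb > 0:
            error_logging(str(e), 'DNS Requests')
            return response
        return response + UIMessage(str(e))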
コード例 #30
def dotransform(request, response):
    """Return the HTTP request hosts seen in a pcap as ``Website`` entities.

    With the database enabled every ``HTTPRequest`` packet is also stored in
    the ``HTTP`` collection (method, path, referer and host), keyed on its
    timestamp so re-runs do not insert duplicates.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are appended to.

    Returns:
        The response with one ``Website`` per distinct Host header, or a
        ``UIMessage`` when the pcap cannot be hashed.
    """
    pcap = request.value
    usedb = config['working/usedb']
    if usedb > 0:
        conn = mongo_connect()
        http_coll = conn['HTTP']
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        pcap_id = find_session(md5hash)[0]

    hosts = []
    for p in rdpcap(pcap):
        if not p.haslayer(HTTPRequest):
            continue
        timestamp = datetime.datetime.fromtimestamp(
            p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
        req = p[HTTPRequest]
        host = req.Host
        if usedb > 0:
            record = OrderedDict({
                'PCAP ID': pcap_id,
                'Time Stamp': timestamp,
                'Type': 'HTTP Request',
                'IP': {
                    'src': p[IP].src,
                    'dst': p[IP].dst
                },
                'HTTP': {
                    'Method': req.Method,
                    'URI': req.Path,
                    'Referer': req.Referer,
                    'Host': req.Host
                }
            })
            # Timestamp is the de-duplication key for HTTP records.
            if conn.HTTP.find({'Time Stamp': timestamp}).count() == 0:
                http_coll.insert(record)
        if host not in hosts:
            hosts.append(host)

    for host in hosts:
        response += Website(host)
    return response
コード例 #31
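def dotransform(request, response):
    """Index a pcap file in the ``INDEX`` collection and return its Session ID.

    The file must exist and be in classic pcap format (``check_pcap`` must
    not report ``BAD``).  If a record with the same MD5 already exists its
    Session ID is returned straight away; otherwise the user is prompted for
    comments, a working directory named after a fresh PCAP ID is created and
    an ``INDEX`` record with hashes, size, packet count and time span is
    inserted.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entity is appended to.

    Returns:
        The response with a ``SessionID`` entity carrying the pcap path, or a
        ``UIMessage`` describing why indexing stopped.
    """
    # pcap file pulled from Maltego
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('You have chosen not to use a database')

    # Connect to the database so we can insert the record created below
    x = mongo_connect()
    c = x['INDEX']

    # Check the file exists first (so we don't add crap to the database);
    # the handle is closed immediately, opening it is only the existence test.
    try:
        with open(pcap):
            pass
    except IOError:
        return response + UIMessage('The file doesn\'t exist')

    # Check the pcap file is in the correct format (not pcap-ng)
    try:
        f_format = check_pcap(pcap)
        if 'BAD' in f_format:
            return response + UIMessage(
                'File format is pcap-ng, not supported by sniffMyPackets, please convert.'
            )
    except Exception as e:
        return response + UIMessage(str(e))

    # Hash the pcap file
    try:
        md5hash = md5_for_file(pcap)
        sha1hash = sha1_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    # Get the file size
    try:
        filesize = check_size(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    # Check the pcap file doesn't exist in the database already (based on MD5 hash)
    try:
        s = x.INDEX.find({"MD5 Hash": md5hash}).count()
        if s > 0:
            r = x.INDEX.find({"MD5 Hash": md5hash}, {"PCAP ID": 1, "_id": 0})
            for i in r:
                e = SessionID(i['PCAP ID'])
                e += Field('sniffmypacketsv2.pcapfile',
                           pcap,
                           displayname='PCAP File')
                response += e
                return response
    except Exception as e:
        return response + UIMessage(str(e))

    # Popup message box for entering comments about the pcap file
    msg = 'Enter Comments'
    title = 'Comments'
    field_names = ["Comments"]
    field_values = multenterbox(msg, title, field_names)
    if not field_values:
        # Nothing came back from the dialog (presumably cancelled); do not
        # index with an unset comment.
        return response + UIMessage('No comments entered, pcap not indexed')

    # General variables used to build the index
    comments = field_values[0]
    now = time.strftime("%c")
    pcap_id = str(uuid.uuid4())[:12].replace('-', '')

    # Get a count of packets available
    try:
        pkcount = packet_count(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    # Get the start/end time of packets
    try:
        pcap_time = get_time(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    # Check for working directory, if it doesn't exist create it.
    w = config['working/directory'].strip('\'')
    try:
        if w == '':
            return response + UIMessage(
                'No working directory set, check your config file')
        w = w + '/' + pcap_id
        if not os.path.exists(w):
            os.makedirs(w)
    except Exception as e:
        return response + UIMessage(str(e))

    # Build a dictionary object to upload into the database
    index = OrderedDict({
        'PCAP ID': pcap_id,
        'PCAP Path': pcap,
        'Working Directory': w,
        'Upload Time': now,
        'Comments': comments,
        'MD5 Hash': md5hash,
        'SHA1 Hash': sha1hash,
        'Packet Count': pkcount,
        'First Packet': pcap_time[0],
        'Last Packet': pcap_time[1],
        'File Size': filesize
    })

    # Insert record into the database
    c.insert(index)

    # Return the entity with Session ID into Maltego
    r = SessionID(pcap_id)
    r += Field('sniffmypacketsv2.pcapfile', pcap, displayname='PCAP File')
    response += r
    return response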
コード例 #32
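def dotransform(request, response):
    """Split a pcap into TCP/UDP stream files and return them as entities.

    The streams are written by ``create_streams`` into the session folder
    (from the database when enabled, otherwise a fresh random folder under
    ``working/directory``).  With the database enabled every stream file is
    hashed, counted, timed and recorded in the ``STREAMS`` collection under
    a new 8-character Stream ID; existing records (same file name) are left
    alone.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are appended to.

    Returns:
        The response with one ``pcapFile`` per stream file, or a
        ``UIMessage`` on the first failure.
    """
    pcap = request.value
    folder = ''
    usedb = config['working/usedb']
    pcap_id = None
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the record created below
        x = mongo_connect()
        c = x['STREAMS']
        # Hash the pcap file and look up its session
        try:
            md5hash = md5_for_file(pcap)
            d = find_session(md5hash)
            pcap_id = d[0]
            folder = d[2]
        except Exception as e:
            return response + UIMessage(str(e))
    else:
        w = config['working/directory'].strip('\'')
        try:
            if w == '':
                return response + UIMessage('No working directory set, check your config file')
            # Fresh random sub-folder name for this run.
            w = w + '/' + str(uuid.uuid4())[:12].replace('-', '')
            if not os.path.exists(w):
                os.makedirs(w)
            folder = w
        except Exception as e:
            return response + UIMessage(str(e))

    # Create TCP/UDP stream files
    s = create_streams(pcap, folder)
    if usedb > 0:
        for i in s:
            # Create StreamID
            streamid = str(uuid.uuid4())[:8]
            # Packet count, start/end time and hashes of the stream file
            try:
                pkcount = packet_count(i)
                pcap_time = get_time(i)
                md5hash = md5_for_file(i)
                sha1hash = sha1_for_file(i)
            except Exception as e:
                return response + UIMessage(str(e))

            # Pull out the details of the packets: strip the folder prefix
            # and the 5-character extension, then split on '-' and ':'.
            # The remainder appears to encode protocol, source ip/port and
            # destination ip/port.
            raw = i[len(folder) + 1:-5]
            pkt = raw.replace('-', ' ').replace(':', ' ').split()
            if len(pkt) < 5:
                return response + UIMessage('Unexpected stream file name: %s' % i)

            # Create the dictionary object to insert into database
            data = OrderedDict({'PCAP ID': pcap_id, 'Stream ID': streamid, 'Folder': folder, 'Packet Count': pkcount,
                                'File Name': i, 'First Packet': pcap_time[0], 'Last Packet': pcap_time[1],
                                'MD5 Hash': md5hash, 'SHA1 Hash': sha1hash,
                                'Packet': {'Protocol': pkt[0], 'Source IP': pkt[1], 'Source Port': pkt[2],
                                           'Destination IP': pkt[3], 'Destination Port': pkt[4]}})

            # Check to see if the record exists (file name is the key)
            try:
                if x.STREAMS.find({"File Name": i}).count() == 0:
                    c.insert(data)
            except Exception as e:
                return response + UIMessage(str(e))

    # Create Maltego entities for each pcap file
    for p in s:
        response += pcapFile(p)
    return response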
コード例 #33
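def dotransform(request, response):
    """Extract the MIME parts of a captured e-mail message as files.

    The artifact is located through the ``ARTIFACTS`` collection (database
    enabled) or the entity's ``path`` field.  The text after the first
    ``DATA`` marker is written to ``email-messages/msgdata.msg`` under that
    folder, parsed with the ``email`` package, and every non-multipart part
    is written out next to it.  Each file written is returned as an
    ``EmailAttachment`` entity.

    Args:
        request: Maltego request; ``request.value`` is the artifact file
            name, ``request.fields['path']`` its folder when no database is
            used.
        response: Maltego response the entities are appended to.

    Returns:
        The response with one ``EmailAttachment`` per written file, or a
        ``UIMessage`` when the artifact cannot be found in the database.
    """
    f = request.value
    usedb = config['working/usedb']
    folder = None
    # Check to see if we are using the database or not
    if usedb > 0:
        d = mongo_connect()
        # Look the artifact up by file name to recover its folder
        try:
            s = d.ARTIFACTS.find({"File Name": f}).count()
            if s > 0:
                r = d.ARTIFACTS.find({"File Name": f}, {"Path": 1, "_id": 0})
                for i in r:
                    folder = i['Path']
            else:
                return response + UIMessage('File not found!!')
        except Exception as e:
            return response + UIMessage(str(e))
        if folder is None:
            # count() reported a record but the cursor yielded nothing.
            return response + UIMessage('File not found!!')
    else:
        folder = request.fields['path']

    msgdata = []
    lookfor = 'DATA'
    msg_path = '%s/%s' % (folder, f)

    # Split the original file on the DATA marker and keep the second part,
    # i.e. the message that follows the SMTP header exchange.
    with open(msg_path, mode='r') as msgfile:
        reader = msgfile.read()
        for i, part in enumerate(reader.split(lookfor)):
            if i == 1:
                msgdata.append(part.strip())

    save_files = []
    newfolder = '%s/email-messages' % folder

    for item in msgdata:
        # Create the output folder once; the extraction below must run
        # whether or not it already existed.
        if not os.path.exists(newfolder):
            os.makedirs(newfolder)
        filename = newfolder + '/' + 'msgdata.msg'
        with open(filename, 'w') as fb:
            fb.write('%s\n' % item)
        if filename not in save_files:
            save_files.append(filename)

        with open(filename) as fp:
            msg = email.message_from_file(fp)

        counter = 1
        for part in msg.walk():
            if part.get_content_maintype() == 'multipart':
                continue
            # The part name comes from the captured message; reduce it to a
            # bare basename so it cannot name a path outside newfolder.
            filename = part.get_filename()
            if filename:
                filename = os.path.basename(filename)
            if not filename:
                ext = mimetypes.guess_extension(part.get_content_type())
                if not ext:
                    ext = '.bin'
                filename = 'part-%03d%s' % (counter, ext)
            counter += 1

            payload = part.get_payload(decode=True)
            if payload is None:
                continue
            savefile = newfolder + '/' + filename
            with open(savefile, 'wb') as fp:
                fp.write(payload)
            if savefile not in save_files:
                save_files.append(savefile)

    # Create the Maltego entity
    for s in save_files:
        response += EmailAttachment(s)
    return response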
コード例 #34
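def dotransform(request, response):
    """Split a pcap into TCP/UDP stream files and return them as entities.

    The streams are written by ``create_streams`` into the session folder
    (from the database when enabled, otherwise a fresh random folder under
    ``working/directory``).  With the database enabled every stream file is
    hashed, counted, timed and recorded in the ``STREAMS`` collection under
    a new 8-character Stream ID; existing records (same file name) are left
    alone.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are appended to.

    Returns:
        The response with one ``pcapFile`` per stream file, or a
        ``UIMessage`` on the first failure.
    """
    pcap = request.value
    folder = ''
    usedb = config['working/usedb']
    pcap_id = None
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the record created below
        x = mongo_connect()
        c = x['STREAMS']
        # Hash the pcap file and look up its session
        try:
            md5hash = md5_for_file(pcap)
            d = find_session(md5hash)
            pcap_id = d[0]
            folder = d[2]
        except Exception as e:
            return response + UIMessage(str(e))
    else:
        w = config['working/directory'].strip('\'')
        try:
            if w == '':
                return response + UIMessage(
                    'No working directory set, check your config file')
            # Fresh random sub-folder name for this run.
            w = w + '/' + str(uuid.uuid4())[:12].replace('-', '')
            if not os.path.exists(w):
                os.makedirs(w)
            folder = w
        except Exception as e:
            return response + UIMessage(str(e))

    # Create TCP/UDP stream files
    s = create_streams(pcap, folder)
    if usedb > 0:
        for i in s:
            # Create StreamID
            streamid = str(uuid.uuid4())[:8]
            # Packet count, start/end time and hashes of the stream file
            try:
                pkcount = packet_count(i)
                pcap_time = get_time(i)
                md5hash = md5_for_file(i)
                sha1hash = sha1_for_file(i)
            except Exception as e:
                return response + UIMessage(str(e))

            # Pull out the details of the packets: strip the folder prefix
            # and the 5-character extension, then split on '-' and ':'.
            # The remainder appears to encode protocol, source ip/port and
            # destination ip/port.
            raw = i[len(folder) + 1:-5]
            pkt = raw.replace('-', ' ').replace(':', ' ').split()
            if len(pkt) < 5:
                return response + UIMessage('Unexpected stream file name: %s' % i)

            # Create the dictionary object to insert into database
            data = OrderedDict({
                'PCAP ID': pcap_id,
                'Stream ID': streamid,
                'Folder': folder,
                'Packet Count': pkcount,
                'File Name': i,
                'First Packet': pcap_time[0],
                'Last Packet': pcap_time[1],
                'MD5 Hash': md5hash,
                'SHA1 Hash': sha1hash,
                'Packet': {
                    'Protocol': pkt[0],
                    'Source IP': pkt[1],
                    'Source Port': pkt[2],
                    'Destination IP': pkt[3],
                    'Destination Port': pkt[4]
                }
            })

            # Check to see if the record exists (file name is the key)
            try:
                if x.STREAMS.find({"File Name": i}).count() == 0:
                    c.insert(data)
            except Exception as e:
                return response + UIMessage(str(e))

    # Create Maltego entities for each pcap file
    for p in s:
        response += pcapFile(p)
    return response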
コード例 #35
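def _track_conversation(convo, proto, p, layer):
    """Record the (proto, ip, port) endpoints of packet *p* in *convo*.

    Args:
        convo: list of ``(proto, ip, port)`` tuples gathered so far; mutated
            in place. It stays a list so insertion order (and therefore the
            order records are written to the database) is preserved.
        proto: protocol label stored with each endpoint ('TCP' or 'UDP').
        p: scapy packet that has both an IP layer and *layer*.
        layer: scapy transport layer class (TCP or UDP) supplying sport/dport.
    """
    src = proto, p[IP].src, p[layer].sport
    dst = proto, p[IP].dst, p[layer].dport
    if src not in convo:
        convo.append(src)
    # The destination toggles: if it was already recorded it is removed again.
    # This reproduces the original logic; its intent is not documented in the
    # file (collapsing a two-way conversation to one side?) - TODO confirm.
    if dst in convo:
        convo.remove(dst)
    else:
        convo.append(dst)


def dotransform(request, response):
    """GeoIP the endpoints of every TCP/UDP conversation in a pcap file.

    The pcap's Session ID is found by MD5 hash, each endpoint's GeoIP result
    is stored in the GEOIP collection, and a GeoMap entity pointing at the web
    server's map view for that session is returned to Maltego.

    Args:
        request: Maltego transform request; ``request.value`` is the pcap path.
        response: Maltego transform response the result entity is appended to.

    Returns:
        *response* with a ``GeoMap`` entity added, or with a ``UIMessage``
        explaining why the transform stopped early.
    """
    # Store the pcap file as a variable
    pcap = request.value
    usedb = config['working/usedb']
    # Without the database there is nowhere to store results or serve the map
    if usedb == 0:
        return response + UIMessage(
            'No database in use, so this is pointless!!!')

    # Connect to the database so we can insert the records created below
    x = mongo_connect()
    c = x['GEOIP']

    # Hash the pcap file; the hash is the key used to find its Session ID
    try:
        md5hash = md5_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    # Get the PCAP ID for the pcap file: INDEX first, then STREAMS (whose
    # records also carry a 'PCAP ID'). pcap_id starts as None so a lookup that
    # matches but yields no rows is reported below instead of raising
    # NameError further down.
    pcap_id = None
    try:
        if x.INDEX.find({"MD5 Hash": md5hash}).count() > 0:
            rows = x.INDEX.find({"MD5 Hash": md5hash}, {"PCAP ID": 1, "_id": 0})
        elif x.STREAMS.find({"MD5 Hash": md5hash}).count() > 0:
            rows = x.STREAMS.find({"MD5 Hash": md5hash}, {
                "PCAP ID": 1,
                "_id": 0
            })
        else:
            return response + UIMessage(
                'No PCAP ID, you need to index the pcap file')
        for row in rows:
            pcap_id = row['PCAP ID']
    except Exception as e:
        return response + UIMessage(str(e))
    if pcap_id is None:
        return response + UIMessage(
            'No PCAP ID, you need to index the pcap file')

    # Load the pcap file and collect the endpoints of each conversation. The
    # capture is untrusted input parsed by scapy, so a file it cannot read is
    # reported to the user rather than allowed to crash the transform.
    try:
        pkts = rdpcap(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    convo = []
    for p in pkts:
        # Separate ifs on purpose: a packet carrying both layers is recorded
        # under both protocols, as before.
        if p.haslayer(IP) and p.haslayer(TCP):
            _track_conversation(convo, 'TCP', p, TCP)
        if p.haslayer(IP) and p.haslayer(UDP):
            _track_conversation(convo, 'UDP', p, UDP)

    # Run each endpoint through a GeoIP lookup and store what it returns.
    # Addresses and ports come from the capture and are stored as plain
    # document values; they are never used to build a query operator.
    for proto, src, sport in convo:
        location = lookup_geo(src)
        if location is None:
            continue
        # A list of pairs (not a dict literal) is what gives OrderedDict a
        # fixed key order on every Python version.
        geo = OrderedDict([
            ('PCAP ID', pcap_id),
            ('Protocol', proto),
            ('src', src),
            ('src port', sport),
            ('src geo', location),
        ])
        # NOTE(review): this duplicate check is not scoped by PCAP ID, so an
        # endpoint already recorded for another capture is skipped here too.
        if x.GEOIP.find({'src': src, 'src port': sport}).count() == 0:
            c.insert(geo)

    # Build the URL for the returned Maltego entity
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    map_url = 'http://%s:%s/pcap/%s/map' % (url, port, pcap_id)
    response += GeoMap(map_url)
    return response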
コード例 #36
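def dotransform(request, response):
    """Index a pcap file in the INDEX collection and return its Session ID.

    The file is checked for existence and format, hashed, sized and counted.
    If a record with the same MD5 hash already exists its Session ID is
    returned instead of creating a duplicate; otherwise the user is prompted
    for comments, a per-session working directory is created and a new index
    record is inserted.

    Args:
        request: Maltego transform request; ``request.value`` is the pcap path.
        response: Maltego transform response the result entity is appended to.

    Returns:
        *response* with a ``SessionID`` entity (carrying the pcap path in the
        ``sniffmypacketsv2.pcapfile`` field), or with a ``UIMessage``
        explaining why indexing stopped.
    """
    # pcap file pulled from Maltego
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('You have chosen not to use a database')

    # Connect to the database so we can insert the record created below
    x = mongo_connect()
    c = x['INDEX']

    # Check the file exists first (so we don't add crap to the database).
    # The handle is released again straight away instead of being leaked.
    try:
        with open(pcap):
            pass
    except IOError:
        return response + UIMessage('The file doesn\'t exist')

    # Check the pcap file is in the correct format (not pcap-ng)
    try:
        f_format = check_pcap(pcap)
        if 'BAD' in f_format:
            return response + UIMessage('File format is pcap-ng, not supported by sniffMyPackets, please convert.')
    except Exception as e:
        return response + UIMessage(str(e))

    # Hash the pcap file and get its size
    try:
        md5hash = md5_for_file(pcap)
        sha1hash = sha1_for_file(pcap)
        filesize = check_size(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    # Check the pcap file doesn't exist in the database already (based on MD5
    # hash); if it does, hand back the existing Session ID instead
    try:
        if x.INDEX.find({"MD5 Hash": md5hash}).count() > 0:
            rows = x.INDEX.find({"MD5 Hash": md5hash}, {"PCAP ID": 1, "_id": 0})
            for row in rows:
                existing = SessionID(row['PCAP ID'])
                existing += Field('sniffmypacketsv2.pcapfile', pcap, displayname='PCAP File')
                response += existing
                return response
    except Exception as e:
        return response + UIMessage(str(e))

    # Popup message box for entering comments about the pcap file. The dialog
    # returns None when it is cancelled; indexing that would raise TypeError.
    field_values = multenterbox('Enter Comments', 'Comments', ["Comments"])
    if not field_values:
        return response + UIMessage('No comments entered, pcap file not indexed')

    # General variables used to build the index
    comments = field_values[0]
    now = time.strftime("%c")
    pcap_id = str(uuid.uuid4())[:12].replace('-', '')

    # Get a count of packets and the first/last packet times
    try:
        pkcount = packet_count(pcap)
        pcap_time = get_time(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    # Check for working directory, if it doesn't exist create it. The path is
    # built by plain concatenation on purpose: other transforms in this file
    # slice stream file names relative to len(folder), so the stored layout
    # must stay exactly '<dir>/<pcap_id>'.
    w = config['working/directory'].strip('\'')
    if w == '':
        return response + UIMessage('No working directory set, check your config file')
    w = w + '/' + pcap_id
    try:
        if not os.path.exists(w):
            os.makedirs(w)
    except Exception as e:
        # str(e): every other UIMessage in this transform is given text
        return response + UIMessage(str(e))

    # Build a dictionary object to upload into the database. A list of pairs
    # (not a dict literal) is what gives OrderedDict a fixed key order on
    # every Python version.
    index = OrderedDict([
        ('PCAP ID', pcap_id),
        ('PCAP Path', pcap),
        ('Working Directory', w),
        ('Upload Time', now),
        ('Comments', comments),
        ('MD5 Hash', md5hash),
        ('SHA1 Hash', sha1hash),
        ('Packet Count', pkcount),
        ('First Packet', pcap_time[0]),
        ('Last Packet', pcap_time[1]),
        ('File Size', filesize),
    ])

    # Insert record into the database
    try:
        c.insert(index)
    except Exception as e:
        return response + UIMessage(str(e))

    # Return the entity with Session ID into Maltego
    r = SessionID(pcap_id)
    r += Field('sniffmypacketsv2.pcapfile', pcap, displayname='PCAP File')
    response += r
    return response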