def __init__(self):
HTTPDecoder.__init__(self,
name='joomla-cve-2015-8562',
description='detect and dissect malformed HTTP headers targeting Joomla',
filter='tcp and (port 80 or port 8080 or port 8000)',
filterfn=lambda ((sip, sp), (dip, dp)): sp in (
80, 8000, 8080) or dp in (80, 8000, 8080),
author='bg',
optiondict={
'raw_payload': {'action': 'store_true', 'help':'return the raw payload (do not attempt to decode chr encoding)'}
},
longdescription='''
Usage Examples:
---------------
decode -d joomla-cve-2015-8562 *.pcap
joomla-cve-2015-8562 2015-12-15 20:17:18 192.168.1.119:43865 <- 192.168.1.139:80 ** x-forwarded-for -> system('touch /tmp/2'); **
The module assumes the cmd payload is encoded using chr. To turn this off run:
decode -d joomla-cve-2015-8562 --joomla-cve-2015-8562_no_eval *.pcap
oomla-cve-2015-8562 2015-12-15 20:17:18 192.168.1.119:43865 <- 192.168.1.139:80 ** x-forwarded-for -> "eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(116).chr(111).chr(117).chr(99).chr(104).chr(32).chr(47).chr(116).chr(109).chr(112).chr(47).chr(50).chr(39).chr(41).chr(59)); **
'''
)
self.ioc = 'JFactory::getConfig();exit'
def preModule(self):
if self.content_filter:
self.content_filter = re.compile(self.content_filter)
if self.name_filter:
self.name_filter = re.compile(self.name_filter)
HTTPDecoder.preModule(self)
self.openfiles = {} # dict of httpfile objects, indexed by url
def __init__(self):
HTTPDecoder.__init__(self,
name='emdivi_c2',
description='deobfuscate Emdivi http c2',
filter='tcp and port 80',
author='bg',
)
def __init__(self):
HTTPDecoder.__init__(self,
name='rip-http',
description='rip files from HTTP traffic',
filter='tcp and port 80',
author='bg/twp',
optiondict={'append_conn': {'action': 'store_true', 'help': 'append sourceip-destip to filename'},
'append_ts': {'action': 'store_true', 'help': 'append timestamp to filename'},
'direction': {'help': 'cs=only capture client POST, sc=only capture server GET response'},
'outdir': {'help': 'directory to write output files (Default: current directory)', 'metavar': 'DIRECTORY', 'default': '.'},
'content_filter': {'help': 'regex MIME type filter for files to save'},
'name_filter': {'help': 'regex filename filter for files to save'}}
)
def __init__(self):
HTTPDecoder.__init__(self,
name='web',
description='Improved version of web that tracks server response',
filter='tcp and (port 80 or port 8080 or port 8000)',
filterfn=lambda ((sip,sp),(dip,dp)): sp in (80, 8000, 8080) or dp in (80, 8000, 8080),
author='bg,twp',
optiondict={
'maxurilen':{'type':'int','default':30,'help':'Truncate URLs longer than max len. Set to 0 for no truncating. (default: 30)'},
'md5':{'action':'store_true','help':'calculate MD5 for each response. Available in CSV output.'}
},
)
self.gunzip = False # Not interested in response body
def __init__(self):
HTTPDecoder.__init__(
self,
name="rip-http",
description="rip files from HTTP traffic",
filter="tcp and port 80",
author="bg/twp",
optiondict={
"append_conn": {"action": "store_true", "help": "append sourceip-destip to filename"},
"append_ts": {"action": "store_true", "help": "append timestamp to filename"},
"direction": {"help": "cs=only capture client POST, sc=only capture server GET response"},
"content_filter": {"help": "regex MIME type filter for files to save"},
"name_filter": {"help": "regex filename filter for files to save"},
},
)
def __init__(self):
HTTPDecoder.__init__(self,
name='httpdump',
description='Dump useful information about HTTP sessions',
filter='tcp and (port 80 or port 8080 or port 8000)',
filterfn=lambda ((sip,sp),(dip,dp)): sp in (80, 8000, 8080) or dp in (80, 8000, 8080),
author='amm',
optiondict={
'maxurilen':{'type':'int','default':30,'help':'Truncate URLs longer than max len. Set to 0 for no truncating. (default: 30)'},
'maxpost':{'type':'int','default':1000,'help':'Truncate POST body longer than max chars. Set to 0 for no truncating. (default: 1000)'},
'showcontent':{'action':'store_true','help':'Display response BODY.'},
'showhtml':{'action':'store_true','help':'Display response BODY only if HTML.'},
'urlfilter':{'type':'string','default':None,'help':'Filter to URLs matching this regex'},
},
)
self.output='colorout'
self.gunzip=False # Disable auto-gunzip as we want to indicate content that was compressed in the output
def preModule(self):
if self.content_filter:
self.content_filter = re.compile(self.content_filter)
if self.name_filter:
self.name_filter = re.compile(self.name_filter)
HTTPDecoder.preModule(self)
self.openfiles = {} # dict of httpfile objects, indexed by url
# Create output directory, if necessary
if not os.path.exists(self.outdir):
try:
os.makedirs(self.outdir)
except (IOError, OSError) as e:
self.error("Could not create directory '%s': %s" %
(self.outdir, e))
sys.exit(1)
def __init__(self):
HTTPDecoder.__init__(
self,
name='httpdump',
description='Dump useful information about HTTP sessions',
filter='tcp and (port 80 or port 8080 or port 8000)',
filterfn=lambda ((sip, sp), (dip, dp)): sp in
(80, 8000, 8080) or dp in (80, 8000, 8080),
author='amm',
optiondict={
'maxurilen': {
'type':
'int',
'default':
30,
'help':
'Truncate URLs longer than max len. Set to 0 for no truncating. (default: 30)'
},
'maxpost': {
'type':
'int',
'default':
1000,
'help':
'Truncate POST body longer than max chars. Set to 0 for no truncating. (default: 1000)'
},
'showcontent': {
'action': 'store_true',
'help': 'Display response BODY.'
},
'showhtml': {
'action': 'store_true',
'help': 'Display response BODY only if HTML.'
},
'urlfilter': {
'type': 'string',
'default': None,
'help': 'Filter to URLs matching this regex'
},
},
)
self.out = colorout.ColorOutput()
# Disable auto-gunzip as we want to indicate content that was
# compressed in the output
self.gunzip = False
def __init__(self):
HTTPDecoder.__init__(self,
name='ms15-034',
description='detect attempts to enumerate MS15-034 vulnerable IIS servers',
longdescription='''
Proof-of-concept code to detect attempts to enumerate MS15-034 vulnerable
IIS servers and/or cause a denial of service. Each event will generate an
alert that prints out the HTTP Request method and the range value contained
with the HTTP stream.
Usage:
decode -d ms15-034 -q *.pcap
decode -d ms15-034 -i <interface> -q
''',
filter='tcp and (port 80 or port 8080 or port 8000)',
filterfn=lambda ((sip, sp), (dip, dp)): sp in (
80, 8000, 8080) or dp in (80, 8000, 8080),
author='bg',
)
def __init__(self):
HTTPDecoder.__init__(
self,
name='ms15-034',
description=
'detect attempts to enumerate MS15-034 vulnerable IIS servers',
longdescription='''
Proof-of-concept code to detect attempts to enumerate MS15-034 vulnerable
IIS servers and/or cause a denial of service. Each event will generate an
alert that prints out the HTTP Request method and the range value contained
with the HTTP stream.
Usage:
decode -d ms15-034 -q *.pcap
decode -d ms15-034 -i <interface> -q
''',
filter='tcp and (port 80 or port 8080 or port 8000)',
filterfn=lambda ((sip, sp), (dip, dp)): sp in
(80, 8000, 8080) or dp in (80, 8000, 8080),
author='bg',
)
def __init__(self):
HTTPDecoder.__init__(self,
name='flash-detect',
description='Detects successful Flash file download.',
filter='tcp and (port 80 or port 8080 or port 8000)',
filterfn=lambda ((sip, sp), (dip, dp)): sp in (
80, 8000, 8080) or dp in (80, 8000, 8080),
optiondict={
'dump': {'action': 'store_true', 'help': '''\
Dump the flash file to a file based off its name, md5sum (if specified), or
its URI. The file is dumped to the local directory "flashout". The file
extension is ".flash" to prevent accidental execution.'''
},
'md5sum': {'type': 'int', 'default': 0, 'help': '''\
Calculate and print the md5sum of the file. There are three options:
0: (default) No md5sum calculations or labeling
1: Calculate md5sum; Print out md5sum in alert; Name all dumped files by
their md5sum (must be used with 'dump' option)
2: Calculate md5sum; Print out md5sum in alert; If found, a file's explicitly
listed save name (found in 'content-disposition' HTTP header) will be used
for file dump name instead of md5sum.
Any other numbers will be ignored and the default action will be used.'''
}
},
longdescription='''\
flash-detect identifies HTTP requests where the server response contains a Flash
file. Many exploit kits utilize Flash to deliver exploits to potentially vulnerable
browsers. If a flash file is successfully downloaded, an alert will occur stating
the full URL of the downloaded file, its content-type, and (optionally) its md5sum.
Usage Examples:
===============
Search all pcap files for Flash file downloads, and upon detection, calculate
and print alerts containing the md5sum to screen:
decode -d flash-detect --flash-detect_md5sum=1 *.pcap
If you wanted to save every detected Flash file to a local directory
"./flashout/" with its md5sum as the file name:
decode -d flash-detect --flash-detect_md5sum=1 --flash-detect_dump *.pcap
The output directory can be changed by modifying the `__OUTDIR` variable.
An example of a real pcap file, taken from
http://malware-traffic-analysis.net/2014/12/12/index.html:
decode -d flash-detect --flash-detect_md5sum=1 2014-12-12-Nuclear-EK-traffic.pcap
The following text should be displayed in the output, and the md5sum
can be checked on a site like virustotal:
** yquesrerman.ga/AwoVG1ADAw4OUhlVDlRTBQoHRUJTXVYOUVYaAwtGXFRVVFxXVwBOVRtA (application/octet-stream) md5sum: 9b3ad66a2a61e8760602d98b537b7734 **
Implementation Logic
====================
1. Check if the HTTP response status is 200 OK
2. Test the content-type of the HTTP response for the follwing strings:
'application/x-shockwave-flash'
'application/octet-stream'
'application/vnd.adobe.flash-movie'
3. Test filedownload following known Flash magic byte substrings:
'CWS'
'ZWS'
'FWS'
Note: Encoded or obfuscated flash files will *not* be detected.
Chainable
flash-detect is chainable. If a connection contains an HTTP response with a
successful Flash file download, then the entire connection (in the case of a
connectionHandler), and the request, response, requesttime, and responsetime
(in the case of an HTTPHandler) is/are passed to the subDecoders for additional
processing. Undetected or non-Flash files are dropped.
''',
author='ekilmer',
)
self.chainable = True
def __init__(self):
HTTPDecoder.__init__(
self,
name='peht',
description='Penetration/Exploit/Hijacking Tool detector',
longdescription="""
The Penetration/Exploit/Hijacking Tool detector will identify the tool used to scan or exploit a server using the
User agent, URI or HTTP content.
General usage:
decode -d peht <pcap>
Detailed usage:
decode -d peht --peht_showcontent <pcap>
Output:
Request Timestamp (UTC): 2017-07-16 02:41:47.238549
Penetration/Exploit/Hijacking Tool: Open Vulnerability Assessment System
User-Agent: Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)
Request Method: GET
URI: /scripts/session/login.php
Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
Host requested: example.com
Response Timestamp (UTC): 2017-07-16 02:41:48.238549
Response Reason: Not Found
Response Status: 404
Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23
Detailed Output:
Request Timestamp (UTC): 2017-07-16 02:41:47.238549
Penetration/Exploit/Hijacking Tool: Arbitrary Remote Code Execution/injection
User-Agent: Wget(linux)
Request Method: POST
URI: /command.php
Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
Host requested: example.com
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%6B%65%72%20%3E%20%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%6B%65%72%2E%74%78%74
Response Timestamp (UTC): 2017-07-16 02:41:48.238549
Response Reason: Found
Response Status: 302
Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://example.com/command.php">here</a>.</p>
</body></html>
""",
filter='tcp and (port 80 or port 81 or port 8080 or port 8000)',
filterfn=lambda ((sip, sp), (dip, dp)): sp in
(80, 81, 8000, 8080) or dp in (80, 81, 8000, 8080),
author='mm',
optiondict={
'showcontent': {
'action': 'store_true',
'default': False,
'help': 'Display the request and response body content.'
}
})
self.out = colorout.ColorOutput()
self.direction = None
self.request_ioc = None
self.request_method = None
self.request_user_agent = None
self.request_host = None
self.request_rangestr = None
self.request_body = None
self.request_referer = None
self.response_content_type = None
self.response_body = None
self.response_contentencoding = None
self.response_status = None
self.response_contentlength = None
self.response_reason = None
def __init__(self):
HTTPDecoder.__init__(self,
name='peht',
description='Penetration/Exploit/Hijacking Tool detector',
longdescription="""
The Penetration/Exploit/Hijacking Tool detector will identify the tool used to scan or exploit a server using the
User agent, URI or HTTP content.
General usage:
decode -d peht <pcap>
Detailed usage:
decode -d peht --peht_showcontent <pcap>
Output:
Request Timestamp (UTC): 2017-07-16 02:41:47.238549
Penetration/Exploit/Hijacking Tool: Open Vulnerability Assessment System
User-Agent: Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)
Request Method: GET
URI: /scripts/session/login.php
Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
Host requested: example.com
Response Timestamp (UTC): 2017-07-16 02:41:48.238549
Response Reason: Not Found
Response Status: 404
Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23
Detailed Output:
Request Timestamp (UTC): 2017-07-16 02:41:47.238549
Penetration/Exploit/Hijacking Tool: Arbitrary Remote Code Execution/injection
User-Agent: Wget(linux)
Request Method: POST
URI: /command.php
Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
Host requested: example.com
cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%6B%65%72%20%3E%20%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%6B%65%72%2E%74%78%74
Response Timestamp (UTC): 2017-07-16 02:41:48.238549
Response Reason: Found
Response Status: 302
Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://example.com/command.php">here</a>.</p>
</body></html>
""",
filter='tcp and (port 80 or port 81 or port 8080 or port 8000)',
filterfn=lambda ((sip, sp), (dip, dp)): sp in (
80, 81, 8000, 8080) or dp in (80, 81, 8000, 8080),
author='mm',
optiondict={
'showcontent': {'action': 'store_true', 'default': False, 'help': 'Display the request and response body content.'}
}
)
self.out = colorout.ColorOutput()
self.direction = None
self.request_ioc = None
self.request_method = None
self.request_user_agent = None
self.request_host = None
self.request_rangestr = None
self.request_body = None
self.request_referer = None
self.response_content_type = None
self.response_body = None
self.response_contentencoding = None
self.response_status = None
self.response_contentlength = None
self.response_reason = None
def preModule(self):
if self.content_filter:
self.content_filter = re.compile(self.content_filter)
if self.name_filter: self.name_filter = re.compile(self.name_filter)
HTTPDecoder.preModule(self)
self.openfiles = {} # dict of httpfile objects, indexed by url
def __init__(self):
HTTPDecoder.__init__(
self,
name='flash-detect',
description='Detects successful Flash file download.',
filter='tcp and (port 80 or port 8080 or port 8000)',
filterfn=lambda ((sip, sp), (dip, dp)): sp in
(80, 8000, 8080) or dp in (80, 8000, 8080),
optiondict={
'dump': {
'action':
'store_true',
'help':
'''\
Dump the flash file to a file based off its name, md5sum (if specified), or
its URI. The file is dumped to the local directory "flashout". The file
extension is ".flash" to prevent accidental execution.'''
},
'md5sum': {
'type':
'int',
'default':
0,
'help':
'''\
Calculate and print the md5sum of the file. There are three options:
0: (default) No md5sum calculations or labeling
1: Calculate md5sum; Print out md5sum in alert; Name all dumped files by
their md5sum (must be used with 'dump' option)
2: Calculate md5sum; Print out md5sum in alert; If found, a file's explicitly
listed save name (found in 'content-disposition' HTTP header) will be used
for file dump name instead of md5sum.
Any other numbers will be ignored and the default action will be used.'''
}
},
longdescription='''\
flash-detect identifies HTTP requests where the server response contains a Flash
file. Many exploit kits utilize Flash to deliver exploits to potentially vulnerable
browsers. If a flash file is successfully downloaded, an alert will occur stating
the full URL of the downloaded file, its content-type, and (optionally) its md5sum.
Usage Examples:
===============
Search all pcap files for Flash file downloads, and upon detection, calculate
and print alerts containing the md5sum to screen:
decode -d flash-detect --flash-detect_md5sum=1 *.pcap
If you wanted to save every detected Flash file to a local directory
"./flashout/" with its md5sum as the file name:
decode -d flash-detect --flash-detect_md5sum=1 --flash-detect_dump *.pcap
The output directory can be changed by modifying the `__OUTDIR` variable.
An example of a real pcap file, taken from
http://malware-traffic-analysis.net/2014/12/12/index.html:
decode -d flash-detect --flash-detect_md5sum=1 2014-12-12-Nuclear-EK-traffic.pcap
The following text should be displayed in the output, and the md5sum
can be checked on a site like virustotal:
** yquesrerman.ga/AwoVG1ADAw4OUhlVDlRTBQoHRUJTXVYOUVYaAwtGXFRVVFxXVwBOVRtA (application/octet-stream) md5sum: 9b3ad66a2a61e8760602d98b537b7734 **
Implementation Logic
====================
1. Check if the HTTP response status is 200 OK
2. Test the content-type of the HTTP response for the follwing strings:
'application/x-shockwave-flash'
'application/octet-stream'
'application/vnd.adobe.flash-movie'
3. Test filedownload following known Flash magic byte substrings:
'CWS'
'ZWS'
'FWS'
Note: Encoded or obfuscated flash files will *not* be detected.
Chainable
flash-detect is chainable. If a connection contains an HTTP response with a
successful Flash file download, then the entire connection (in the case of a
connectionHandler), and the request, response, requesttime, and responsetime
(in the case of an HTTPHandler) is/are passed to the subDecoders for additional
processing. Undetected or non-Flash files are dropped.
''',
author='ekilmer',
)
self.chainable = True
