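    def __init__(self):
        """Register the joomla-cve-2015-8562 decoder with the HTTPDecoder base.

        Listens on the common HTTP ports, declares the ``raw_payload`` option
        (skip the chr() decoding of the command payload) and records the
        indicator string kept in ``self.ioc``.
        """
        http_ports = (80, 8000, 8080)

        def on_http_port(addrs):
            # addrs is ((sip, sp), (dip, dp)); keep flows with either side on an HTTP port.
            (_, sport), (_, dport) = addrs
            return sport in http_ports or dport in http_ports

        # The usage text below names the option as the CLI exposes it
        # (--<decoder name>_<option>), matching the 'raw_payload' entry in optiondict.
        HTTPDecoder.__init__(self,
                             name='joomla-cve-2015-8562',
                             description='detect and dissect malformed HTTP headers targeting Joomla',
                             filter='tcp and (port 80 or port 8080 or port 8000)',
                             filterfn=on_http_port,
                             author='bg',
                             optiondict={
                                 'raw_payload': {'action': 'store_true', 'help': 'return the raw payload (do not attempt to decode chr encoding)'}
                             },
                             longdescription='''
Usage Examples:
---------------

  decode -d joomla-cve-2015-8562 *.pcap
joomla-cve-2015-8562 2015-12-15 20:17:18    192.168.1.119:43865 <-    192.168.1.139:80    ** x-forwarded-for -> system('touch /tmp/2'); **

 The module assumes the cmd payload is encoded using chr.  To turn this off run:

  decode -d joomla-cve-2015-8562 --joomla-cve-2015-8562_raw_payload *.pcap
joomla-cve-2015-8562 2015-12-15 20:17:18    192.168.1.119:43865 <-    192.168.1.139:80    ** x-forwarded-for -> "eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(116).chr(111).chr(117).chr(99).chr(104).chr(32).chr(47).chr(116).chr(109).chr(112).chr(47).chr(50).chr(39).chr(41).chr(59)); **
'''
                             )

        # Indicator string for the CVE-2015-8562 payload; where it is matched
        # (presumably the request headers, per the example output) is outside
        # this method — confirm against the handler.
        self.ioc = 'JFactory::getConfig();exit'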
 def preModule(self):
     """Compile the optional regex filters, then initialise per-run state.

     ``content_filter`` and ``name_filter`` are option strings (or falsy) at
     this point; each one that is set is replaced with its compiled pattern.
     """
     for option in ('content_filter', 'name_filter'):
         pattern = getattr(self, option)
         if pattern:
             setattr(self, option, re.compile(pattern))
     HTTPDecoder.preModule(self)
     # httpfile objects for in-progress transfers, keyed by url
     self.openfiles = {}
 def __init__(self):
     """Register the emdivi_c2 decoder (HTTP on TCP port 80) with the HTTPDecoder base."""
     decoder_info = dict(
         name='emdivi_c2',
         description='deobfuscate Emdivi http c2',
         filter='tcp and port 80',
         author='bg',
     )
     HTTPDecoder.__init__(self, **decoder_info)
 def __init__(self):
     """Register the rip-http decoder with the HTTPDecoder base.

     Declares the file-saving options: ``append_conn``, ``append_ts``,
     ``direction``, ``outdir`` (defaults to the current directory),
     ``content_filter`` and ``name_filter``.
     """
     options = {
         'append_conn': {
             'action': 'store_true',
             'help': 'append sourceip-destip to filename',
         },
         'append_ts': {
             'action': 'store_true',
             'help': 'append timestamp to filename',
         },
         'direction': {
             'help': 'cs=only capture client POST, sc=only capture server GET response',
         },
         'outdir': {
             'help': 'directory to write output files (Default: current directory)',
             'metavar': 'DIRECTORY',
             'default': '.',
         },
         'content_filter': {
             'help': 'regex MIME type filter for files to save',
         },
         'name_filter': {
             'help': 'regex filename filter for files to save',
         },
     }
     HTTPDecoder.__init__(
         self,
         name='rip-http',
         description='rip files from HTTP traffic',
         filter='tcp and port 80',
         author='bg/twp',
         optiondict=options,
     )
 def __init__(self):
     """Register the ``web`` decoder with the HTTPDecoder base.

     Listens on the common HTTP ports, declares the ``maxurilen`` and ``md5``
     options and turns off response-body gunzip, which this decoder does not
     use.
     """
     http_ports = (80, 8000, 8080)

     def on_http_port(addrs):
         # addrs is ((sip, sp), (dip, dp)); keep flows with either side on an HTTP port.
         (_, sport), (_, dport) = addrs
         return sport in http_ports or dport in http_ports

     options = {
         'maxurilen': {
             'type': 'int',
             'default': 30,
             'help': 'Truncate URLs longer than max len.  Set to 0 for no truncating. (default: 30)',
         },
         'md5': {
             'action': 'store_true',
             'help': 'calculate MD5 for each response. Available in CSV output.',
         },
     }
     HTTPDecoder.__init__(
         self,
         name='web',
         description='Improved version of web that tracks server response',
         filter='tcp and (port 80 or port 8080 or port 8000)',
         filterfn=on_http_port,
         author='bg,twp',
         optiondict=options,
     )
     # Response bodies are not inspected, so skip decompressing them.
     self.gunzip = False
 def __init__(self):
     """Register the rip-http decoder with the HTTPDecoder base.

     Declares the file-saving options ``append_conn``, ``append_ts``,
     ``direction``, ``content_filter`` and ``name_filter``.
     """
     flag = {'action': 'store_true'}
     options = {
         'append_conn': dict(flag, help='append sourceip-destip to filename'),
         'append_ts': dict(flag, help='append timestamp to filename'),
         'direction': {'help': 'cs=only capture client POST, sc=only capture server GET response'},
         'content_filter': {'help': 'regex MIME type filter for files to save'},
         'name_filter': {'help': 'regex filename filter for files to save'},
     }
     HTTPDecoder.__init__(
         self,
         name='rip-http',
         description='rip files from HTTP traffic',
         filter='tcp and port 80',
         author='bg/twp',
         optiondict=options,
     )
 def __init__(self):
     """Register the httpdump decoder with the HTTPDecoder base.

     Listens on the common HTTP ports and declares the ``maxurilen``,
     ``maxpost``, ``showcontent``, ``showhtml`` and ``urlfilter`` options.
     Output goes through 'colorout' and auto-gunzip is disabled so compressed
     content can be indicated as such in the output.
     """
     http_ports = (80, 8000, 8080)

     def on_http_port(addrs):
         # addrs is ((sip, sp), (dip, dp)); keep flows with either side on an HTTP port.
         (_, sport), (_, dport) = addrs
         return sport in http_ports or dport in http_ports

     options = {
         'maxurilen': {
             'type': 'int',
             'default': 30,
             'help': 'Truncate URLs longer than max len.  Set to 0 for no truncating. (default: 30)',
         },
         'maxpost': {
             'type': 'int',
             'default': 1000,
             'help': 'Truncate POST body longer than max chars.  Set to 0 for no truncating. (default: 1000)',
         },
         'showcontent': {
             'action': 'store_true',
             'help': 'Display response BODY.',
         },
         'showhtml': {
             'action': 'store_true',
             'help': 'Display response BODY only if HTML.',
         },
         'urlfilter': {
             'type': 'string',
             'default': None,
             'help': 'Filter to URLs matching this regex',
         },
     }
     HTTPDecoder.__init__(
         self,
         name='httpdump',
         description='Dump useful information about HTTP sessions',
         filter='tcp and (port 80 or port 8080 or port 8000)',
         filterfn=on_http_port,
         author='amm',
         optiondict=options,
     )
     self.output = 'colorout'
     # Keep bodies compressed so the output can flag content that arrived gzipped.
     self.gunzip = False
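    def preModule(self):
        """Compile the user-supplied filters and prepare the output directory.

        ``content_filter`` and ``name_filter`` arrive as option strings (or
        falsy); each one that is set is replaced by its compiled regex. The
        output directory is created when it does not yet exist; if it cannot
        be created the failure is reported through ``self.error`` and the run
        is aborted with exit status 1.
        """
        for option in ('content_filter', 'name_filter'):
            pattern = getattr(self, option)
            if pattern:
                setattr(self, option, re.compile(pattern))
        HTTPDecoder.preModule(self)

        self.openfiles = {}  # dict of httpfile objects, indexed by url

        # Create output directory, if necessary.  Checking isdir (not exists)
        # means a path that is present but is not a directory is reported here
        # rather than surfacing later as a write failure; the isdir re-check in
        # the handler tolerates the directory appearing between the test and
        # makedirs (e.g. a concurrent run), which would otherwise be a spurious
        # fatal error.
        # NOTE(review): output filenames are derived elsewhere in this decoder;
        # confirm they are sanitised before being joined under outdir.
        if not os.path.isdir(self.outdir):
            try:
                os.makedirs(self.outdir)
            except (IOError, OSError) as e:
                if not os.path.isdir(self.outdir):
                    self.error("Could not create directory '%s': %s" %
                               (self.outdir, e))
                    sys.exit(1)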
 def __init__(self):
     """Register the httpdump decoder with the HTTPDecoder base.

     Listens on the common HTTP ports and declares the ``maxurilen``,
     ``maxpost``, ``showcontent``, ``showhtml`` and ``urlfilter`` options.
     Sets up a ColorOutput writer and disables auto-gunzip so compressed
     content can be indicated as such in the output.
     """
     http_ports = (80, 8000, 8080)

     def on_http_port(addrs):
         # addrs is ((sip, sp), (dip, dp)); keep flows with either side on an HTTP port.
         (_, sport), (_, dport) = addrs
         return sport in http_ports or dport in http_ports

     int_option = lambda default, help_text: {'type': 'int', 'default': default, 'help': help_text}
     flag_option = lambda help_text: {'action': 'store_true', 'help': help_text}
     options = {
         'maxurilen': int_option(
             30, 'Truncate URLs longer than max len.  Set to 0 for no truncating. (default: 30)'),
         'maxpost': int_option(
             1000, 'Truncate POST body longer than max chars.  Set to 0 for no truncating. (default: 1000)'),
         'showcontent': flag_option('Display response BODY.'),
         'showhtml': flag_option('Display response BODY only if HTML.'),
         'urlfilter': {
             'type': 'string',
             'default': None,
             'help': 'Filter to URLs matching this regex',
         },
     }
     HTTPDecoder.__init__(
         self,
         name='httpdump',
         description='Dump useful information about HTTP sessions',
         filter='tcp and (port 80 or port 8080 or port 8000)',
         filterfn=on_http_port,
         author='amm',
         optiondict=options,
     )
     self.out = colorout.ColorOutput()
     # Keep bodies compressed so the output can flag content that arrived gzipped.
     self.gunzip = False
    def __init__(self):
        """Register the ms15-034 detector with the HTTPDecoder base.

        Listens on the common HTTP ports; the long description documents the
        alert contents and command-line usage.
        """
        http_ports = (80, 8000, 8080)

        def on_http_port(addrs):
            # addrs is ((sip, sp), (dip, dp)); keep flows with either side on an HTTP port.
            (_, sport), (_, dport) = addrs
            return sport in http_ports or dport in http_ports

        usage = '''
Proof-of-concept code to detect attempts to enumerate MS15-034 vulnerable
IIS servers and/or cause a denial of service.  Each event will generate an
alert that prints out the HTTP Request method and the range value contained
with the HTTP stream.

Usage: 
decode -d ms15-034 -q *.pcap
decode -d ms15-034 -i <interface> -q
'''
        HTTPDecoder.__init__(
            self,
            name='ms15-034',
            description='detect attempts to enumerate MS15-034 vulnerable IIS servers',
            longdescription=usage,
            filter='tcp and (port 80 or port 8080 or port 8000)',
            filterfn=on_http_port,
            author='bg',
        )
    def __init__(self):
        """Register the ms15-034 detector with the HTTPDecoder base.

        Listens on the common HTTP ports; the long description documents the
        alert contents and command-line usage.
        """
        http_ports = (80, 8000, 8080)

        def on_http_port(addrs):
            # addrs is ((sip, sp), (dip, dp)); keep flows with either side on an HTTP port.
            (_, sport), (_, dport) = addrs
            return sport in http_ports or dport in http_ports

        decoder_info = dict(
            name='ms15-034',
            description='detect attempts to enumerate MS15-034 vulnerable IIS servers',
            longdescription='''
Proof-of-concept code to detect attempts to enumerate MS15-034 vulnerable
IIS servers and/or cause a denial of service.  Each event will generate an
alert that prints out the HTTP Request method and the range value contained
with the HTTP stream.

Usage: 
decode -d ms15-034 -q *.pcap
decode -d ms15-034 -i <interface> -q
''',
            filter='tcp and (port 80 or port 8080 or port 8000)',
            filterfn=on_http_port,
            author='bg',
        )
        HTTPDecoder.__init__(self, **decoder_info)
    def __init__(self):
        """Register the flash-detect decoder with the HTTPDecoder base.

        Listens on the common HTTP ports, declares the ``dump`` and ``md5sum``
        options and marks the decoder chainable so detected transfers can be
        handed on to subDecoders (see the long description).
        """
        http_ports = (80, 8000, 8080)

        def on_http_port(addrs):
            # addrs is ((sip, sp), (dip, dp)); keep flows with either side on an HTTP port.
            (_, sport), (_, dport) = addrs
            return sport in http_ports or dport in http_ports

        dump_help = '''\
Dump the flash file to a file based off its name, md5sum (if specified), or
its URI. The file is dumped to the local directory "flashout". The file
extension is ".flash" to prevent accidental execution.'''
        md5sum_help = '''\
Calculate and print the md5sum of the file. There are three options:
  0: (default) No md5sum calculations or labeling

  1: Calculate md5sum; Print out md5sum in alert; Name all dumped files by
their md5sum (must be used with 'dump' option)

  2: Calculate md5sum; Print out md5sum in alert; If found, a file's explicitly
listed save name (found in 'content-disposition' HTTP header) will be used
for file dump name instead of md5sum.

Any other numbers will be ignored and the default action will be used.'''
        options = {
            'dump': {'action': 'store_true', 'help': dump_help},
            'md5sum': {'type': 'int', 'default': 0, 'help': md5sum_help},
        }
        HTTPDecoder.__init__(
            self,
            name='flash-detect',
            description='Detects successful Flash file download.',
            filter='tcp and (port 80 or port 8080 or port 8000)',
            filterfn=on_http_port,
            optiondict=options,
            longdescription='''\
flash-detect identifies HTTP requests where the server response contains a Flash
file.  Many exploit kits utilize Flash to deliver exploits to potentially vulnerable
browsers.  If a flash file is successfully downloaded, an alert will occur stating
the full URL of the downloaded file, its content-type, and (optionally) its md5sum.

Usage Examples:
===============
  Search all pcap files for Flash file downloads, and upon detection, calculate
  and print alerts containing the md5sum to screen:

    decode -d flash-detect --flash-detect_md5sum=1 *.pcap

  If you wanted to save every detected Flash file to a local directory
  "./flashout/" with its md5sum as the file name:

    decode -d flash-detect --flash-detect_md5sum=1 --flash-detect_dump *.pcap
  The output directory can be changed by modifying the `__OUTDIR` variable.

  An example of a real pcap file, taken from
  http://malware-traffic-analysis.net/2014/12/12/index.html:
    decode -d flash-detect --flash-detect_md5sum=1 2014-12-12-Nuclear-EK-traffic.pcap

        The following text should be displayed in the output, and the md5sum
        can be checked on a site like virustotal:
** yquesrerman.ga/AwoVG1ADAw4OUhlVDlRTBQoHRUJTXVYOUVYaAwtGXFRVVFxXVwBOVRtA (application/octet-stream) md5sum: 9b3ad66a2a61e8760602d98b537b7734 **

Implementation Logic
====================

1.  Check if the HTTP response status is 200 OK

2.  Test the content-type of the HTTP response for the follwing strings:
          'application/x-shockwave-flash'
          'application/octet-stream'
          'application/vnd.adobe.flash-movie'

3.  Test filedownload following known Flash magic byte substrings:
         'CWS'
         'ZWS'
         'FWS'

Note: Encoded or obfuscated flash files will *not* be detected.

Chainable

flash-detect is chainable. If a connection contains an HTTP response with a
successful Flash file download, then the entire connection (in the case of a
connectionHandler), and the request, response, requesttime, and responsetime
(in the case of an HTTPHandler) is/are passed to the subDecoders for additional
processing. Undetected or non-Flash files are dropped.
''',
            author='ekilmer',
        )
        # Detected Flash transfers are passed on to subDecoders.
        self.chainable = True
    def __init__(self):
        """Register the peht (Penetration/Exploit/Hijacking Tool) detector.

        Listens on TCP ports 80, 81, 8000 and 8080, declares the
        ``showcontent`` option, sets up a ColorOutput writer and resets the
        request/response bookkeeping attributes to None; they are populated
        elsewhere in the decoder.
        """
        http_ports = (80, 81, 8000, 8080)

        def on_http_port(addrs):
            # addrs is ((sip, sp), (dip, dp)); keep flows with either side on a monitored port.
            (_, sport), (_, dport) = addrs
            return sport in http_ports or dport in http_ports

        HTTPDecoder.__init__(
            self,
            name='peht',
            description='Penetration/Exploit/Hijacking Tool detector',
            longdescription="""
The Penetration/Exploit/Hijacking Tool detector will identify the tool used to scan or exploit a server using the
User agent, URI or HTTP content.

General usage:
    decode -d peht <pcap> 

Detailed usage:
    decode -d peht --peht_showcontent <pcap> 

Output:

    Request Timestamp (UTC): 2017-07-16 02:41:47.238549 
    Penetration/Exploit/Hijacking Tool: Open Vulnerability Assessment System
    User-Agent: Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)
    Request Method: GET
    URI: /scripts/session/login.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Not Found
    Response Status: 404
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23


    Detailed Output:

    Request Timestamp (UTC): 2017-07-16 02:41:47.238549 
    Penetration/Exploit/Hijacking Tool: Arbitrary Remote Code Execution/injection
    User-Agent: Wget(linux)
    Request Method: POST
    URI: /command.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%6B%65%72%20%3E%20%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%6B%65%72%2E%74%78%74

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Found
    Response Status: 302
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="https://example.com/command.php">here</a>.</p>
    </body></html>

""",
            filter='tcp and (port 80 or port 81 or port 8080 or port 8000)',
            filterfn=on_http_port,
            author='mm',
            optiondict={
                'showcontent': {
                    'action': 'store_true',
                    'default': False,
                    'help': 'Display the request and response body content.',
                },
            },
        )

        self.out = colorout.ColorOutput()
        # Per-transaction details start unset; presumably the request/response
        # handlers fill them in (outside this method).
        for attr in (
            'direction',
            'request_ioc',
            'request_method',
            'request_user_agent',
            'request_host',
            'request_rangestr',
            'request_body',
            'request_referer',
            'response_content_type',
            'response_body',
            'response_contentencoding',
            'response_status',
            'response_contentlength',
            'response_reason',
        ):
            setattr(self, attr, None)
    def __init__(self):
        """Register the peht (Penetration/Exploit/Hijacking Tool) detector.

        Listens on TCP ports 80, 81, 8000 and 8080, declares the
        ``showcontent`` option, sets up a ColorOutput writer and resets the
        request/response bookkeeping attributes to None; they are populated
        elsewhere in the decoder.
        """
        monitored_ports = (80, 81, 8000, 8080)

        def either_side_monitored(addrs):
            # addrs is ((sip, sp), (dip, dp)); true when source or destination port is monitored.
            (_, sport), (_, dport) = addrs
            return sport in monitored_ports or dport in monitored_ports

        decoder_info = dict(
            name='peht',
            description='Penetration/Exploit/Hijacking Tool detector',
            longdescription="""
The Penetration/Exploit/Hijacking Tool detector will identify the tool used to scan or exploit a server using the
User agent, URI or HTTP content.

General usage:
    decode -d peht <pcap> 

Detailed usage:
    decode -d peht --peht_showcontent <pcap> 

Output:

    Request Timestamp (UTC): 2017-07-16 02:41:47.238549 
    Penetration/Exploit/Hijacking Tool: Open Vulnerability Assessment System
    User-Agent: Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)
    Request Method: GET
    URI: /scripts/session/login.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Not Found
    Response Status: 404
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23


    Detailed Output:

    Request Timestamp (UTC): 2017-07-16 02:41:47.238549 
    Penetration/Exploit/Hijacking Tool: Arbitrary Remote Code Execution/injection
    User-Agent: Wget(linux)
    Request Method: POST
    URI: /command.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%6B%65%72%20%3E%20%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%6B%65%72%2E%74%78%74

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Found
    Response Status: 302
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="https://example.com/command.php">here</a>.</p>
    </body></html>

""",
            filter='tcp and (port 80 or port 81 or port 8080 or port 8000)',
            filterfn=either_side_monitored,
            author='mm',
            optiondict={
                'showcontent': {
                    'action': 'store_true',
                    'default': False,
                    'help': 'Display the request and response body content.',
                },
            },
        )
        HTTPDecoder.__init__(self, **decoder_info)

        self.out = colorout.ColorOutput()
        # Per-transaction details start unset; presumably the request/response
        # handlers fill them in (outside this method).
        request_fields = ('ioc', 'method', 'user_agent', 'host', 'rangestr', 'body', 'referer')
        response_fields = ('content_type', 'body', 'contentencoding', 'status', 'contentlength', 'reason')
        self.direction = None
        for field in request_fields:
            setattr(self, 'request_' + field, None)
        for field in response_fields:
            setattr(self, 'response_' + field, None)
 def preModule(self):
     """Turn the filter option strings into compiled patterns and reset state.

     ``content_filter`` and ``name_filter`` that are unset (falsy) are left
     as they are; any other value is replaced by its compiled regex.
     """
     def compiled(pattern):
         return re.compile(pattern) if pattern else pattern

     self.content_filter = compiled(self.content_filter)
     self.name_filter = compiled(self.name_filter)
     HTTPDecoder.preModule(self)
     self.openfiles = {}  # in-progress httpfile objects, keyed by url
    def __init__(self):
        """Register the flash-detect decoder with the HTTPDecoder base.

        Listens on the common HTTP ports, declares the ``dump`` and ``md5sum``
        options and marks the decoder chainable so detected transfers can be
        handed on to subDecoders (see the long description).
        """
        http_ports = (80, 8000, 8080)

        def on_http_port(addrs):
            # addrs is ((sip, sp), (dip, dp)); keep flows with either side on an HTTP port.
            (_, sport), (_, dport) = addrs
            return sport in http_ports or dport in http_ports

        options = {
            'dump': {
                'action': 'store_true',
                'help': '''\
Dump the flash file to a file based off its name, md5sum (if specified), or
its URI. The file is dumped to the local directory "flashout". The file
extension is ".flash" to prevent accidental execution.''',
            },
            'md5sum': {
                'type': 'int',
                'default': 0,
                'help': '''\
Calculate and print the md5sum of the file. There are three options:
  0: (default) No md5sum calculations or labeling

  1: Calculate md5sum; Print out md5sum in alert; Name all dumped files by
their md5sum (must be used with 'dump' option)

  2: Calculate md5sum; Print out md5sum in alert; If found, a file's explicitly
listed save name (found in 'content-disposition' HTTP header) will be used
for file dump name instead of md5sum.

Any other numbers will be ignored and the default action will be used.''',
            },
        }
        overview = '''\
flash-detect identifies HTTP requests where the server response contains a Flash
file.  Many exploit kits utilize Flash to deliver exploits to potentially vulnerable
browsers.  If a flash file is successfully downloaded, an alert will occur stating
the full URL of the downloaded file, its content-type, and (optionally) its md5sum.

Usage Examples:
===============
  Search all pcap files for Flash file downloads, and upon detection, calculate
  and print alerts containing the md5sum to screen:

    decode -d flash-detect --flash-detect_md5sum=1 *.pcap

  If you wanted to save every detected Flash file to a local directory
  "./flashout/" with its md5sum as the file name:

    decode -d flash-detect --flash-detect_md5sum=1 --flash-detect_dump *.pcap
  The output directory can be changed by modifying the `__OUTDIR` variable.

  An example of a real pcap file, taken from
  http://malware-traffic-analysis.net/2014/12/12/index.html:
    decode -d flash-detect --flash-detect_md5sum=1 2014-12-12-Nuclear-EK-traffic.pcap

        The following text should be displayed in the output, and the md5sum
        can be checked on a site like virustotal:
** yquesrerman.ga/AwoVG1ADAw4OUhlVDlRTBQoHRUJTXVYOUVYaAwtGXFRVVFxXVwBOVRtA (application/octet-stream) md5sum: 9b3ad66a2a61e8760602d98b537b7734 **

Implementation Logic
====================

1.  Check if the HTTP response status is 200 OK

2.  Test the content-type of the HTTP response for the follwing strings:
          'application/x-shockwave-flash'
          'application/octet-stream'
          'application/vnd.adobe.flash-movie'

3.  Test filedownload following known Flash magic byte substrings:
         'CWS'
         'ZWS'
         'FWS'

Note: Encoded or obfuscated flash files will *not* be detected.

Chainable

flash-detect is chainable. If a connection contains an HTTP response with a
successful Flash file download, then the entire connection (in the case of a
connectionHandler), and the request, response, requesttime, and responsetime
(in the case of an HTTPHandler) is/are passed to the subDecoders for additional
processing. Undetected or non-Flash files are dropped.
'''
        HTTPDecoder.__init__(
            self,
            name='flash-detect',
            description='Detects successful Flash file download.',
            filter='tcp and (port 80 or port 8080 or port 8000)',
            filterfn=on_http_port,
            optiondict=options,
            longdescription=overview,
            author='ekilmer',
        )
        # Detected Flash transfers are passed on to subDecoders.
        self.chainable = True