def __init__(self):
    """Initialise the psexec-over-SMB decoder and its session bookkeeping.

    Three lookup tables are created before the base SMB decoder is set up,
    then the decoder is registered with its name, BPF filter, port-based
    filter function and command-line options.  The decoder runs in legacy
    mode and writes through a colorout.ColorOutput instance.
    """
    # uid -> login domain\name (string)
    self.uidname = {}
    # fid handle -> psexec object
    self.fidhandles = {}
    # psexec objects keyed by conn+PID (see the sessIndex function).
    # FID won't work as an index because each stream has its own.
    self.psexecobjs = {}

    smb_ports = (445, 139)

    def on_smb_port(addrs):
        # addrs is ((sip, sp), (dip, dp)); accept if either endpoint
        # uses an SMB port.
        return addrs[0][1] in smb_ports or addrs[1][1] in smb_ports

    options = {
        'alertsonly': {
            'action': 'store_true',
            'help': 'only dump alerts, not content'
        },
        'htmlalert': {
            'action': 'store_true',
            'help': 'include html as named value in alerts'
        },
        'time': {
            'action': 'store_true',
            'help': 'display command/response timestamps'
        }
    }

    SMBDecoder.__init__(
        self,
        name='psexec',
        description='Extract command/response information from psexec over smb',
        filter='tcp and (port 445 or port 139)',
        filterfn=on_smb_port,
        author='amm',
        optiondict=options)
    self.legacy = True
    self.out = colorout.ColorOutput()
def __init__(self):
    """Register the stream2dump decoder with dshell's TCP decoder base.

    Passes the decoder name, short and long usage text, an empty BPF
    filter and the hex/time/encoding/outfiles options to
    dshell.TCPDecoder.__init__, then attaches a colorout.ColorOutput
    instance as the output sink.
    """
    # NOTE(review): the usage text below still refers to a 'followstream'
    # decoder and '--followstream_*' option names while this decoder is
    # registered as 'stream2dump'; confirm the documented option prefix
    # matches what the option parser actually exposes.
    usage = """
Generates color-coded Screen/HTML output similar to Wireshark Follow Stream.

Output by default uses the "colorout" output class.  This will send TTY
color-formatted text to stdout (the screen) if available.  If output is
directed to a file (-o or --outfile), the output will be in HTML format.

Note that the default bpf filter is to view all tcp traffic.  The decoder
can also process UDP traffic, or it can be limited to specific streams
with --bpf/--ebpf.

Useful options:

  --followstream_hex  -- generates output in hex mode
  --followstream_time -- includes timestamp for each blob/transmission

Example:

  decode -d followstream --ebpf 'port 80' mypcap.pcap --followstream_time
  decode -d followstream --ebpf 'port 80' mypcap.pcap -o file.html --followstream_time
"""

    options = {
        'hex': {
            'action': 'store_true',
            'help': 'two-column hex/ascii output'
        },
        'time': {
            'action': 'store_true',
            'help': 'include timestamp for each blob'
        },
        'encoding': {
            'type': 'string',
            'help': 'attempt to interpret text as encoded with specified schema'
        },
        'outfiles': {
            'type': 'string',
            'help': 'output files'
        },
    }

    dshell.TCPDecoder.__init__(
        self,
        name='stream2dump',
        description='Generates color-coded Screen/HTML output similar to Wireshark Follow Stream',
        longdescription=usage,
        filter="",
        author='amm',
        optiondict=options)
    self.out = colorout.ColorOutput()
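def __init__(self):
    """Register the httpdump decoder with the HTTP decoder base.

    Sets the decoder name, description, BPF filter, a port-based filter
    function and the maxurilen/maxpost/showcontent/showhtml/urlfilter
    options, attaches a colorout.ColorOutput sink and disables automatic
    gunzip so compressed content can be marked as such in the output.

    The port filter is written in index form rather than as a
    tuple-parameter lambda: tuple parameter unpacking is Python 2-only
    syntax (PEP 3113), and the index form matches the filterfn style used
    by the psexec decoder.
    """
    http_ports = (80, 8000, 8080)

    def on_http_port(addrs):
        # addrs is ((sip, sp), (dip, dp)); accept if either endpoint
        # uses one of the HTTP ports.
        return addrs[0][1] in http_ports or addrs[1][1] in http_ports

    options = {
        'maxurilen': {
            'type': 'int',
            'default': 30,
            'help': 'Truncate URLs longer than max len. Set to 0 for no truncating. (default: 30)'
        },
        'maxpost': {
            'type': 'int',
            'default': 1000,
            'help': 'Truncate POST body longer than max chars. Set to 0 for no truncating. (default: 1000)'
        },
        'showcontent': {
            'action': 'store_true',
            'help': 'Display response BODY.'
        },
        'showhtml': {
            'action': 'store_true',
            'help': 'Display response BODY only if HTML.'
        },
        # NOTE(review): urlfilter is an operator-supplied regex; it is
        # compiled and applied outside this block.
        'urlfilter': {
            'type': 'string',
            'default': None,
            'help': 'Filter to URLs matching this regex'
        },
    }

    HTTPDecoder.__init__(
        self,
        name='httpdump',
        description='Dump useful information about HTTP sessions',
        filter='tcp and (port 80 or port 8080 or port 8000)',
        filterfn=on_http_port,
        author='amm',
        optiondict=options,
    )
    self.out = colorout.ColorOutput()
    # Disable auto-gunzip as we want to indicate content that was
    # compressed in the output
    self.gunzip = False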
def alert(self):
    """Raise the alert for this psexec session through the parent decoder.

    Collects the session's host, PID, user, open/close times and the
    client->server / server->client counters into a dictionary, optionally
    adds an HTML rendering of the session when the parent decoder was run
    with htmlalert, merges the connection's info() and stamps the alert
    with the session open time before handing a one-line summary plus the
    dictionary to self.parent.alert().
    """
    fields = ('hostname', 'pid', 'username', 'opentime', 'closetime',
              'csCount', 'scCount', 'csBytes', 'scBytes')
    details = {name: getattr(self, name) for name in fields}

    if self.parent.htmlalert:
        # NOTE(review): the HTML dump embeds captured command/response
        # bytes; confirm ColorOutput escapes them before the alert is
        # rendered in a browser.
        html_out = colorout.ColorOutput(htmlgenerator=True, title="psexec")
        self.write(html_out)
        html_out.close()
        details['html'] = html_out.htmldump()

    details.update(self.conn.info())
    # Set after the conn.info() merge so the session open time is the
    # alert timestamp even if the connection reports its own 'ts'.
    details['ts'] = self.opentime

    summary = "Host: %s, PID: %s, CS: %d, SC: %d, User: %s" % (
        self.hostname, self.pid, self.csBytes, self.scBytes, self.username)
    self.parent.alert(summary, details)
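def __init__(self):
    """Register the peht (Penetration/Exploit/Hijacking Tool) HTTP decoder.

    Sets the decoder name, usage text, BPF filter, a port-based filter
    function and the showcontent option on the HTTP decoder base, attaches
    a colorout.ColorOutput sink and initialises the per-request and
    per-response attributes this decoder fills in to None.

    The port filter is written in index form rather than as a
    tuple-parameter lambda: tuple parameter unpacking is Python 2-only
    syntax (PEP 3113), and the index form matches the filterfn style used
    by the psexec decoder.
    """
    usage = """
The Penetration/Exploit/Hijacking Tool detector will identify the tool used
to scan or exploit a server using the User agent, URI or HTTP content.

General usage:
    decode -d peht <pcap>

Detailed usage:
    decode -d peht --peht_showcontent <pcap>

Output:
    Request Timestamp (UTC): 2017-07-16 02:41:47.238549
    Penetration/Exploit/Hijacking Tool: Open Vulnerability Assessment System
    User-Agent: Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)
    Request Method: GET
    URI: /scripts/session/login.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Not Found
    Response Status: 404
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23

Detailed Output:
    Request Timestamp (UTC): 2017-07-16 02:41:47.238549
    Penetration/Exploit/Hijacking Tool: Arbitrary Remote Code Execution/injection
    User-Agent: Wget(linux)
    Request Method: POST
    URI: /command.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%6B%65%72%20%3E%20%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%6B%65%72%2E%74%78%74

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Found
    Response Status: 302
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="https://example.com/command.php">here</a>.</p>
    </body></html>
"""

    http_ports = (80, 81, 8000, 8080)

    def on_http_port(addrs):
        # addrs is ((sip, sp), (dip, dp)); accept if either endpoint
        # uses one of the HTTP ports.
        return addrs[0][1] in http_ports or addrs[1][1] in http_ports

    options = {
        'showcontent': {
            'action': 'store_true',
            'default': False,
            'help': 'Display the request and response body content.'
        }
    }

    HTTPDecoder.__init__(
        self,
        name='peht',
        description='Penetration/Exploit/Hijacking Tool detector',
        longdescription=usage,
        filter='tcp and (port 80 or port 81 or port 8080 or port 8000)',
        filterfn=on_http_port,
        author='mm',
        optiondict=options)
    self.out = colorout.ColorOutput()

    # Per-message state, filled in elsewhere by the decoder.
    # NOTE(review): these live on the decoder instance, not on a session
    # object, so they are shared across every connection this decoder
    # handles; presumably reset for each request/response -- confirm.
    self.direction = None
    # request side
    self.request_ioc = None
    self.request_method = None
    self.request_user_agent = None
    self.request_host = None
    self.request_rangestr = None
    self.request_body = None
    self.request_referer = None
    # response side
    self.response_content_type = None
    self.response_body = None
    self.response_contentencoding = None
    self.response_status = None
    self.response_contentlength = None
    self.response_reason = None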