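def dotransform(request, response):
    """Flag hosts whose TCP segments carry a scan-style flag byte.

    Reads the pcap named by ``request.value`` and keeps every TCP segment
    whose flag byte is *exactly* one of the patterns in ``tcpflags``.  Each
    source IP with at least one such segment yields one ``WarningAlert``:
    the title names the flag pattern of the last (dport, pattern) pair
    recorded for that host and the link label carries the number of
    distinct (dport, pattern) pairs seen from it.

    Args:
        request: Canari transform request; ``request.value`` is a pcap path.
        response: Canari transform response the alerts are appended to.

    Returns:
        ``response`` with one ``WarningAlert`` per probing source IP.
    """
    pkts = rdpcap(request.value)
    # Exact flag bytes.  0x002 is a bare SYN; the original wrote ``02``,
    # a Python 2 octal literal with the same value that is a SyntaxError
    # under Python 3.  A bare SYN also opens every normal handshake, so a
    # SYN match is only a scan signal when many distinct ports are hit.
    tcpflags = {
        "SYN": 0x002,
        "FIN": 0x001,
        "XMAS": 0x029,
        "ACK": 0x010,
        "NULL": 0x000,
    }
    # Inverted once so each packet costs one lookup instead of a pass
    # over every pattern (the values are distinct, so the mapping is 1:1).
    flag_names = dict((value, key) for key, value in tcpflags.items())

    senders = []   # source IPs in first-seen order
    talkers = {}   # srcip -> ordered distinct (dport, flag name) pairs
    for p in pkts:
        # The original dereferenced getlayer(IP) without checking for it,
        # which raises on TCP-over-IPv6 frames.
        if not (p.haslayer(TCP) and p.haslayer(IP)):
            continue
        tcp = p.getlayer(TCP)
        flagset = flag_names.get(int(tcp.flags))
        if flagset is None:
            continue
        srcip = p.getlayer(IP).src
        talker = (tcp.dport, flagset)
        if srcip not in talkers:
            senders.append(srcip)
            talkers[srcip] = []
        if talker not in talkers[srcip]:
            talkers[srcip].append(talker)

    for src in senders:
        pairs = talkers[src]
        # Per-sender count.  The original initialised ``counter`` once
        # before the sender loop, so every host after the first also
        # carried the totals of the hosts reported before it.
        counter = len(pairs)
        flag = pairs[-1][1]
        e = WarningAlert(str(flag) + " scan from: " + str(src))
        e.linklabel = "# of connections: " + str(counter)
        e.linkcolor = 0xFF0000
        response += e
    return response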
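def dotransform(request, response):
    """Flag hosts sending scan-style TCP segments, one alert per source IP.

    Reads the pcap named by ``request.value`` and counts, per source IP,
    the TCP segments whose flag byte exactly equals one of the patterns in
    ``tcpflags``.  Each such host gets a ``WarningAlert`` titled with the
    pattern of its most recent matching segment; the link label carries
    the number of matching segments from that host.

    Args:
        request: Canari transform request; ``request.value`` is a pcap path.
        response: Canari transform response the alerts are appended to.

    Returns:
        ``response`` with one ``WarningAlert`` per matching source IP.
    """
    pkts = rdpcap(request.value)
    # Exact flag bytes; a bare SYN (0x002) also starts every normal
    # handshake, so SYN matches alone are a weak scan signal.
    tcpflags = {
        'SYN': 0x002,
        'FIN': 0x001,
        'XMAS': 0x029,
        'ACK': 0x010,
        'NULL': 0x000,
    }
    flag_names = dict((value, key) for key, value in tcpflags.items())

    senders = []   # source IPs in first-seen order
    con = {}       # srcip -> number of matching segments
    flagset = {}   # srcip -> flag name of that host's latest match
    for p in pkts:
        # Guard IP as well: getlayer(IP) is None for TCP over IPv6.
        if not (p.haslayer(TCP) and p.haslayer(IP)):
            continue
        name = flag_names.get(int(p.getlayer(TCP).flags))
        if name is None:
            continue
        srcip = p.getlayer(IP).src
        if srcip not in con:
            senders.append(srcip)
            con[srcip] = 0
        con[srcip] += 1
        flagset[srcip] = name

    # The original kept a single ``flagset`` string that every packet
    # overwrote, so all alerts were labelled with the flag of the very
    # last matching packet in the capture; it also tested ``sport not in
    # con`` against a list of IP strings (always true) and then appended
    # the IP, so ``con.count(x)`` was simply the per-host packet count
    # reproduced here.
    for x in senders:
        e = WarningAlert(str(flagset[x]) + ' scan from: ' + str(x))
        e.linklabel = '# of connections: ' + str(con[x])
        e.linkcolor = 0xFF0000
        response += e
    return response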
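def dotransform(request, response):
    """Report ICMP echo traffic whose payload is not a stock ping payload.

    Collects every ICMP echo request (type 8) and echo reply (type 0)
    carried over IPv4 from the pcap named by ``request.value``, writes them
    to ``suspicious-icmp.pcap`` under the folder given by the
    ``sniffMyPackets.outputfld`` field, and raises a ``WarningAlert`` when
    at least one echo packet has a ``Raw`` payload containing none of the
    fragments in ``icmp_payload``.

    Args:
        request: Canari transform request; ``request.value`` is a pcap path
            and ``request.fields['sniffMyPackets.outputfld']`` the output
            folder.
        response: Canari transform response.

    Returns:
        ``response`` with a ``WarningAlert`` pointing at the written pcap,
        or ``response`` plus a ``UIMessage`` when nothing looked odd.
    """
    import os

    pcap = request.value
    pkts = rdpcap(pcap)
    folder = request.fields['sniffMyPackets.outputfld']
    output_file = os.path.join(folder, 'suspicious-icmp.pcap')
    # Payload fragments a stock ping carries.  NOTE(review): '0123567'
    # looks like it could be a typo for a '01234567' digit run -- confirm
    # against a known-good capture before changing it.
    icmp_payload = ['0123567', 'abcdef']

    # Echo request and echo reply only.
    icmp_packets = [
        p for p in pkts
        if p.haslayer(IP) and p.haslayer(ICMP) and p[ICMP].type in (0, 8)
    ]

    # A payload is suspicious when it matches *none* of the fragments.
    # The original set the flag whenever *any* fragment was absent, so a
    # payload matching only 'abcdef' (or only the digits) was reported --
    # effectively every echo packet that carried a payload.
    suspicious = False
    for x in icmp_packets:
        if x.haslayer(Raw):
            load = str(x[Raw].load)
            if not any(s in load for s in icmp_payload):
                suspicious = True
                break

    # All collected echo packets are written, as before, so the analyst
    # can inspect the odd payload in context.
    wrpcap(output_file, icmp_packets)

    if suspicious:
        e = WarningAlert('Suspicious ICMP Payload')
        e.linklabel = 'Output ' + output_file
        e += Field('sniffMyPackets.outputfld', folder, displayname='Folder Location')
        e += Field('dumpfile', output_file, displayname='Output File', matchingrule='loose')
        e.linkcolor = 0xFF0000
        response += e
        return response
    return response + UIMessage('Nothing dodgy here')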
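def dotransform(request, response):
    """Report every transmitter of 802.11 deauthentication frames.

    Reads the pcap named by ``request.value`` and, for each frame carrying
    both ``Dot11`` and ``Dot11Deauth`` layers, counts frames per
    transmitter address (``Dot11.addr2``).  One ``WarningAlert`` is
    emitted per address, in first-seen order, with the frame count in the
    link label.

    Args:
        request: Canari transform request; ``request.value`` is a pcap path.
        response: Canari transform response the alerts are appended to.

    Returns:
        ``response`` with one ``WarningAlert`` per transmitter address.
    """
    pkts = rdpcap(request.value)
    station = []        # transmitter addresses in first-seen order
    deauth_count = {}   # addr2 -> number of deauth frames
    for p in pkts:
        if p.haslayer(Dot11) and p.haslayer(Dot11Deauth):
            addr = p.getlayer(Dot11).addr2
            if addr not in deauth_count:
                station.append(addr)
                deauth_count[addr] = 0
            deauth_count[addr] += 1

    # Counting while scanning replaces the original list.count() per
    # station, which re-walked the whole frame list for every address.
    for x in station:
        e = WarningAlert('Deauth Attack:' + str(x))
        e.linklabel = '# of pkts: ' + str(deauth_count[x])
        e.linkcolor = 0xFF0000
        response += e
    return response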
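def dotransform(request, response, min_answers=7):
    """Flag DNS answers with many resource records as possible fast flux.

    Scans the pcap named by ``request.value`` for packets carrying ``DNS``
    and ``DNSRR`` layers and records each distinct (rrname, ancount) pair
    whose answer count reaches ``min_answers``.  One ``WarningAlert`` is
    emitted per pair in first-seen order.

    Args:
        request: Canari transform request; ``request.value`` is a pcap path.
        response: Canari transform response the alerts are appended to.
        min_answers: Answer-record count at or above which a response is
            reported.  Defaults to the original hard-coded 7.

    Returns:
        ``response`` with one ``WarningAlert`` per flagged name.
    """
    pcap = request.value
    pkts = rdpcap(pcap)
    dnsHost = []   # distinct (rrname, ancount) pairs in first-seen order
    seen = set()   # membership mirror of dnsHost, O(1) instead of list scan
    for x in pkts:
        if not (x.haslayer(DNS) and x.haslayer(DNSRR)):
            continue
        ancount = x.getlayer(DNS).ancount
        # getlayer(DNSRR) yields the first answer record only.
        qname = x.getlayer(DNSRR).rrname
        if ancount >= min_answers:
            dnsrec = (qname, ancount)
            if dnsrec not in seen:
                seen.add(dnsrec)
                dnsHost.append(dnsrec)

    for dnsv, dnsc in dnsHost:
        e = WarningAlert('Fast Flux?: ' + dnsv)
        # The label reports the raw answer-record count; it does not
        # verify that the records hold distinct IP addresses.
        e.linklabel = 'Unique IPs:\n' + str(dnsc)
        e.linkcolor = 0xFF0000
        response += e
    return response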
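def dotransform(request, response):
    """Flag hosts whose TCP segments carry a scan-style flag byte.

    Every TCP-over-IPv4 segment in the pcap named by ``request.value``
    whose flag byte exactly equals one of the ``tcpflags`` patterns is
    recorded as a (dport, pattern) pair under its source IP.  Each source
    IP then gets one ``WarningAlert`` titled with the pattern of its last
    recorded pair; the link label carries the number of distinct pairs.

    Args:
        request: Canari transform request; ``request.value`` is a pcap path.
        response: Canari transform response the alerts are appended to.

    Returns:
        ``response`` with one ``WarningAlert`` per probing source IP.
    """
    pkts = rdpcap(request.value)
    # The original ``02`` was a Python 2 octal literal (value 2, i.e. a
    # bare SYN) and does not parse under Python 3; 0x002 is the same bit.
    # A bare SYN also opens every normal handshake, so SYN matches are only
    # meaningful when they fan out across many ports.
    tcpflags = {
        'SYN': 0x002,
        'FIN': 0x001,
        'XMAS': 0x029,
        'ACK': 0x010,
        'NULL': 0x000,
    }
    name_for_flags = dict((bits, name) for name, bits in tcpflags.items())

    order = []    # source IPs in first-seen order
    probes = {}   # srcip -> ordered distinct (dport, flag name) pairs
    for p in pkts:
        # Check IP too; getlayer(IP) is None for IPv6 and the original
        # would raise on ``.src``.
        if not (p.haslayer(TCP) and p.haslayer(IP)):
            continue
        tcp = p.getlayer(TCP)
        pattern = name_for_flags.get(int(tcp.flags))
        if pattern is None:
            continue
        srcip = p.getlayer(IP).src
        entries = probes.setdefault(srcip, [])
        if not entries:
            order.append(srcip)
        pair = (tcp.dport, pattern)
        if pair not in entries:
            entries.append(pair)

    for src in order:
        entries = probes[src]
        # Count per sender; the original's single ``counter`` was never
        # reset between senders and so grew with every host reported.
        flag = entries[-1][1]
        e = WarningAlert(str(flag) + ' scan from: ' + str(src))
        e.linklabel = '# of connections: ' + str(len(entries))
        e.linkcolor = 0xFF0000
        response += e
    return response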
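def dotransform(request, response):
    """Report client-to-server SMB conversations that connect to IPC$.

    Scans the pcap named by ``request.value`` for IPv4/TCP segments to
    port 445 whose ``Raw`` payload contains both the SMB1 Tree Connect
    AndX header fragment in ``success`` and the share name in
    ``null_share``.  Each distinct (src, dst) pair gets one
    ``WarningAlert``.

    Args:
        request: Canari transform request; ``request.value`` is a pcap path.
        response: Canari transform response the alerts are appended to.

    Returns:
        ``response`` with one ``WarningAlert`` per (src, dst) pair.
    """
    pkts = rdpcap(request.value)
    ips = []   # distinct (srcip, dstip) pairs in first-seen order
    # SMB1 header fragment: 'SMB' magic, command byte 'u' (0x75, Tree
    # Connect AndX) and a four-byte zero NT status.  The original literal
    # had escaped backslashes, so it was the 19-character text
    # "SMBu\\x00..." and could never occur in a payload.
    success = 'SMBu\x00\x00\x00\x00'
    null_share = 'IPC$'
    for p in pkts:
        # Guard IP as well: the original dereferenced getlayer(IP) even for
        # TCP over IPv6.
        if not (p.haslayer(IP) and p.haslayer(TCP) and p.haslayer(Raw)):
            continue
        if p.getlayer(TCP).dport != 445:
            continue
        raw = p.getlayer(Raw).load
        # Both fragments must be present.  The original wrote
        # ``success and null_share in raw``, which only tests the share
        # name because ``success`` is a non-empty string.
        # NOTE(review): a UTF-16LE share path interleaves NULs and will not
        # match the ASCII 'IPC$' -- confirm against real captures.
        if success in raw and null_share in raw:
            convo = (p.getlayer(IP).src, p.getlayer(IP).dst)
            if convo not in ips:
                ips.append(convo)

    for src, dst in ips:
        e = WarningAlert('Null Share:\n' + str(src) + '->' + str(dst))
        e.linklabel = str(null_share)
        e.linkcolor = 0xFF0000
        response += e
    return response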
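def dotransform(request, response, min_answers=7):
    """Flag DNS answers with many records or a zero TTL as possible fast flux.

    Scans the pcap named by ``request.value`` for packets carrying ``DNS``
    and ``DNSRR`` layers and records each distinct (rrname, ancount, ttl)
    triple where the answer count reaches ``min_answers`` or the first
    answer record's TTL is 0.  One ``WarningAlert`` with a ``dnsttl``
    field is emitted per triple in first-seen order.

    Args:
        request: Canari transform request; ``request.value`` is a pcap path.
        response: Canari transform response the alerts are appended to.
        min_answers: Answer-record count at or above which a response is
            reported.  Defaults to the original hard-coded 7.

    Returns:
        ``response`` with one ``WarningAlert`` per flagged triple.
    """
    pcap = request.value
    pkts = rdpcap(pcap)
    dnsHost = []   # distinct (rrname, ancount, ttl) in first-seen order
    seen = set()   # membership mirror of dnsHost, O(1) instead of list scan
    for x in pkts:
        if not (x.haslayer(DNS) and x.haslayer(DNSRR)):
            continue
        ancount = x.getlayer(DNS).ancount
        # getlayer(DNSRR) yields the first answer record only, so the
        # name and TTL below describe that record alone.
        first_rr = x.getlayer(DNSRR)
        qname = first_rr.rrname
        ttl = first_rr.ttl
        if ancount >= min_answers or ttl == 0:
            dnsrec = (qname, ancount, ttl)
            if dnsrec not in seen:
                seen.add(dnsrec)
                dnsHost.append(dnsrec)

    for dnsv, dnsc, rec_ttl in dnsHost:
        e = WarningAlert('Fast Flux?: ' + dnsv)
        # Raw answer-record count; distinctness of the addresses is not
        # checked.
        e.linklabel = 'Unique IPs: ' + str(dnsc)
        e += Field('dnsttl', rec_ttl, displayname='TTL')
        e.linkcolor = 0xFF0000
        response += e
    return response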
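def dotransform(request, response):
    """Report client-to-server SMB conversations that connect to IPC$.

    For every IPv4/TCP segment to port 445 with a ``Raw`` payload in the
    pcap named by ``request.value``, the payload must contain both the
    SMB1 Tree Connect AndX header fragment ``success`` and the share name
    ``null_share``; each distinct (src, dst) pair is reported once as a
    ``WarningAlert``.

    Args:
        request: Canari transform request; ``request.value`` is a pcap path.
        response: Canari transform response the alerts are appended to.

    Returns:
        ``response`` with one ``WarningAlert`` per (src, dst) pair.
    """
    pkts = rdpcap(request.value)
    ips = []   # distinct (srcip, dstip) pairs in first-seen order
    # 'SMB' magic, command 'u' (0x75 = Tree Connect AndX), zero NT status.
    # The original escaped the backslashes, producing the literal text
    # "SMBu\\x00\\x00\\x00\\x00" that no payload contains.
    success = 'SMBu\x00\x00\x00\x00'
    null_share = 'IPC$'

    def is_ipc_tree_connect(p):
        """True when *p* is a port-445 IPv4 segment carrying both fragments."""
        if not (p.haslayer(IP) and p.haslayer(TCP) and p.haslayer(Raw)):
            return False
        if p.getlayer(TCP).dport != 445:
            return False
        raw = p.getlayer(Raw).load
        # The original ``success and null_share in raw`` only tested the
        # share name (``success`` is a non-empty string, hence truthy).
        # NOTE(review): UTF-16LE share paths will not match ASCII 'IPC$'
        # -- confirm against real captures.
        return success in raw and null_share in raw

    for p in pkts:
        if is_ipc_tree_connect(p):
            ip = p.getlayer(IP)
            convo = (ip.src, ip.dst)
            if convo not in ips:
                ips.append(convo)

    for src, dst in ips:
        e = WarningAlert('Null Share:\n' + str(src) + '->' + str(dst))
        e.linklabel = str(null_share)
        e.linkcolor = 0xFF0000
        response += e
    return response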