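def __init__(self):
    """Register the joomla-cve-2015-8562 decoder with its HTTP filter and options.

    The ``raw_payload`` option turns off chr() decoding of the captured
    header payload.  The usage text previously advertised a non-existent
    ``_no_eval`` flag; it now names the option that is actually declared.
    """
    web_ports = (80, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='joomla-cve-2015-8562',
        description='detect and dissect malformed HTTP headers targeting Joomla',
        filter='tcp and (port 80 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        author='bg',
        optiondict={
            'raw_payload': {
                'action': 'store_true',
                'help': 'return the raw payload (do not attempt to decode chr encoding)',
            },
        },
        longdescription='''
Usage Examples:
---------------
decode -d joomla-cve-2015-8562 *.pcap

joomla-cve-2015-8562 2015-12-15 20:17:18   192.168.1.119:43865 <-   192.168.1.139:80    ** x-forwarded-for -> system('touch /tmp/2'); **

The module assumes the cmd payload is encoded using chr.  To turn this off run:

decode -d joomla-cve-2015-8562 --joomla-cve-2015-8562_raw_payload *.pcap

joomla-cve-2015-8562 2015-12-15 20:17:18   192.168.1.119:43865 <-   192.168.1.139:80    ** x-forwarded-for -> "eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(116).chr(111).chr(117).chr(99).chr(104).chr(32).chr(47).chr(116).chr(109).chr(112).chr(47).chr(50).chr(39).chr(41).chr(59)); **
''',
    )
    # Indicator substring; presumably matched against header values by the
    # HTTP handler defined outside this block -- confirm against the handler.
    self.ioc = 'JFactory::getConfig();exit'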
def preModule(self):
    """Compile the optional MIME-type and filename regex filters, run the base
    decoder setup, and create the per-URL table of open files."""
    for attr in ('content_filter', 'name_filter'):
        pattern = getattr(self, attr)
        if pattern:
            setattr(self, attr, re.compile(pattern))
    HTTPDecoder.preModule(self)
    # httpfile objects keyed by url
    self.openfiles = {}
def __init__(self):
    """Register the emdivi_c2 decoder on plain HTTP (tcp/80)."""
    params = dict(
        name='emdivi_c2',
        description='deobfuscate Emdivi http c2',
        filter='tcp and port 80',
        author='bg',
    )
    HTTPDecoder.__init__(self, **params)
def __init__(self):
    """Register the rip-http decoder (file carving from HTTP on tcp/80).

    Options control output naming (``append_conn``, ``append_ts``), which
    direction to capture (``direction``), the output directory (``outdir``)
    and regex filters on MIME type and filename.
    """
    options = {}
    options['append_conn'] = {
        'action': 'store_true',
        'help': 'append sourceip-destip to filename',
    }
    options['append_ts'] = {
        'action': 'store_true',
        'help': 'append timestamp to filename',
    }
    options['direction'] = {
        'help': 'cs=only capture client POST, sc=only capture server GET response',
    }
    options['outdir'] = {
        'help': 'directory to write output files (Default: current directory)',
        'metavar': 'DIRECTORY',
        'default': '.',
    }
    options['content_filter'] = {
        'help': 'regex MIME type filter for files to save',
    }
    options['name_filter'] = {
        'help': 'regex filename filter for files to save',
    }
    HTTPDecoder.__init__(
        self,
        name='rip-http',
        description='rip files from HTTP traffic',
        filter='tcp and port 80',
        author='bg/twp',
        optiondict=options,
    )
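def __init__(self):
    """Register the 'web' decoder: per-transaction HTTP summaries with optional MD5.

    Exposes ``maxurilen`` (URL truncation length) and ``md5`` (digest of each
    response, available in CSV output).
    """
    web_ports = (80, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='web',
        description='Improved version of web that tracks server response',
        filter='tcp and (port 80 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        author='bg,twp',
        optiondict={
            'maxurilen': {
                'type': 'int',
                'default': 30,
                'help': 'Truncate URLs longer than max len. Set to 0 for no truncating. (default: 30)',
            },
            'md5': {
                'action': 'store_true',
                'help': 'calculate MD5 for each response. Available in CSV output.',
            },
        },
    )
    self.gunzip = False  # Not interested in response body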
def __init__(self):
    """Register the rip-http decoder (file carving from HTTP on tcp/80).

    Options: ``append_conn`` / ``append_ts`` alter output filenames,
    ``direction`` restricts which side is captured, and ``content_filter`` /
    ``name_filter`` are regexes applied to MIME type and filename.
    """
    flag = lambda text: {"action": "store_true", "help": text}
    options = {
        "append_conn": flag("append sourceip-destip to filename"),
        "append_ts": flag("append timestamp to filename"),
        "direction": {"help": "cs=only capture client POST, sc=only capture server GET response"},
        "content_filter": {"help": "regex MIME type filter for files to save"},
        "name_filter": {"help": "regex filename filter for files to save"},
    }
    HTTPDecoder.__init__(
        self,
        name="rip-http",
        description="rip files from HTTP traffic",
        filter="tcp and port 80",
        author="bg/twp",
        optiondict=options,
    )
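def __init__(self):
    """Register the httpdump decoder, which prints HTTP session details.

    Options: ``maxurilen`` and ``maxpost`` truncate long URLs / POST bodies,
    ``showcontent`` / ``showhtml`` control response body display, and
    ``urlfilter`` is a regex restricting which URLs are reported.
    """
    web_ports = (80, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='httpdump',
        description='Dump useful information about HTTP sessions',
        filter='tcp and (port 80 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        author='amm',
        optiondict={
            'maxurilen': {
                'type': 'int',
                'default': 30,
                'help': 'Truncate URLs longer than max len. Set to 0 for no truncating. (default: 30)',
            },
            'maxpost': {
                'type': 'int',
                'default': 1000,
                'help': 'Truncate POST body longer than max chars. Set to 0 for no truncating. (default: 1000)',
            },
            'showcontent': {
                'action': 'store_true',
                'help': 'Display response BODY.',
            },
            'showhtml': {
                'action': 'store_true',
                'help': 'Display response BODY only if HTML.',
            },
            'urlfilter': {
                'type': 'string',
                'default': None,
                'help': 'Filter to URLs matching this regex',
            },
        },
    )
    # Output module selected by name; presumably resolved by the framework
    # outside this block -- confirm.
    self.output = 'colorout'
    # Disable auto-gunzip as we want to indicate content that was compressed
    # in the output
    self.gunzip = False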
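def preModule(self):
    """Compile the user-supplied regex filters, run base setup and ensure the
    output directory exists.

    An invalid regex or an output directory that cannot be created is reported
    through ``self.error`` and terminates the run with exit status 1, instead
    of an unhandled traceback.  Creating the directory unconditionally and
    then checking ``isdir`` avoids the exists()/makedirs() race.
    """
    for attr in ('content_filter', 'name_filter'):
        pattern = getattr(self, attr)
        if not pattern:
            continue
        try:
            setattr(self, attr, re.compile(pattern))
        except re.error as e:
            self.error("Invalid regex for %s '%s': %s" % (attr, pattern, e))
            sys.exit(1)
    HTTPDecoder.preModule(self)
    self.openfiles = {}  # dict of httpfile objects, indexed by url
    # Create output directory, if necessary.  A failure is only fatal when the
    # path is still not a directory afterwards (a concurrent creator, or a
    # pre-existing directory, is fine; a pre-existing regular file is not).
    try:
        os.makedirs(self.outdir)
    except (IOError, OSError) as e:
        if not os.path.isdir(self.outdir):
            self.error("Could not create directory '%s': %s" % (self.outdir, e))
            sys.exit(1)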
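def __init__(self):
    """Register the httpdump decoder, which prints HTTP session details.

    Options: ``maxurilen`` and ``maxpost`` truncate long URLs / POST bodies,
    ``showcontent`` / ``showhtml`` control response body display, and
    ``urlfilter`` is a regex restricting which URLs are reported.
    """
    web_ports = (80, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='httpdump',
        description='Dump useful information about HTTP sessions',
        filter='tcp and (port 80 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        author='amm',
        optiondict={
            'maxurilen': {
                'type': 'int',
                'default': 30,
                'help': 'Truncate URLs longer than max len. Set to 0 for no truncating. (default: 30)',
            },
            'maxpost': {
                'type': 'int',
                'default': 1000,
                'help': 'Truncate POST body longer than max chars. Set to 0 for no truncating. (default: 1000)',
            },
            'showcontent': {
                'action': 'store_true',
                'help': 'Display response BODY.',
            },
            'showhtml': {
                'action': 'store_true',
                'help': 'Display response BODY only if HTML.',
            },
            'urlfilter': {
                'type': 'string',
                'default': None,
                'help': 'Filter to URLs matching this regex',
            },
        },
    )
    self.out = colorout.ColorOutput()
    # Disable auto-gunzip as we want to indicate content that was
    # compressed in the output
    self.gunzip = False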
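def __init__(self):
    """Register the ms15-034 decoder (IIS Range-header enumeration/DoS detection)."""
    web_ports = (80, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='ms15-034',
        description='detect attempts to enumerate MS15-034 vulnerable IIS servers',
        longdescription='''
Proof-of-concept code to detect attempts to enumerate MS15-034 vulnerable IIS
servers and/or cause a denial of service.  Each event will generate an alert
that prints out the HTTP Request method and the range value contained with
the HTTP stream.

Usage: decode -d ms15-034 -q *.pcap
       decode -d ms15-034 -i <interface> -q
''',
        filter='tcp and (port 80 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        author='bg',
    )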
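def __init__(self):
    """Register the ms15-034 decoder (IIS Range-header enumeration/DoS detection)."""
    web_ports = (80, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='ms15-034',
        description='detect attempts to enumerate MS15-034 vulnerable IIS servers',
        longdescription='''
Proof-of-concept code to detect attempts to enumerate MS15-034 vulnerable IIS
servers and/or cause a denial of service.  Each event will generate an alert
that prints out the HTTP Request method and the range value contained with
the HTTP stream.

Usage: decode -d ms15-034 -q *.pcap
       decode -d ms15-034 -i <interface> -q
''',
        filter='tcp and (port 80 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        author='bg',
    )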
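def __init__(self):
    """Register the flash-detect decoder (alerts on successful Flash downloads).

    Options: ``dump`` writes each detected file to ``flashout/`` with a
    ``.flash`` extension; ``md5sum`` (0/1/2) controls digest calculation and
    how dumped files are named.  The decoder is chainable.
    """
    web_ports = (80, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='flash-detect',
        description='Detects successful Flash file download.',
        filter='tcp and (port 80 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        optiondict={
            'dump': {
                'action': 'store_true',
                'help': '''\
Dump the flash file to a file based off its name, md5sum (if specified), or its
URI. The file is dumped to the local directory "flashout". The file extension
is ".flash" to prevent accidental execution.''',
            },
            'md5sum': {
                'type': 'int',
                'default': 0,
                'help': '''\
Calculate and print the md5sum of the file. There are three options:
  0: (default) No md5sum calculations or labeling
  1: Calculate md5sum; Print out md5sum in alert; Name all dumped files by
     their md5sum (must be used with 'dump' option)
  2: Calculate md5sum; Print out md5sum in alert; If found, a file's
     explicitly listed save name (found in 'content-disposition' HTTP header)
     will be used for file dump name instead of md5sum.
Any other numbers will be ignored and the default action will be used.''',
            },
        },
        longdescription='''\
flash-detect identifies HTTP requests where the server response contains a
Flash file. Many exploit kits utilize Flash to deliver exploits to potentially
vulnerable browsers.

If a flash file is successfully downloaded, an alert will occur stating the
full URL of the downloaded file, its content-type, and (optionally) its md5sum.

Usage Examples:
===============
Search all pcap files for Flash file downloads, and upon detection, calculate
and print alerts containing the md5sum to screen:

    decode -d flash-detect --flash-detect_md5sum=1 *.pcap

If you wanted to save every detected Flash file to a local directory
"./flashout/" with its md5sum as the file name:

    decode -d flash-detect --flash-detect_md5sum=1 --flash-detect_dump *.pcap

The output directory can be changed by modifying the `__OUTDIR` variable.

An example of a real pcap file, taken from
http://malware-traffic-analysis.net/2014/12/12/index.html:

    decode -d flash-detect --flash-detect_md5sum=1 2014-12-12-Nuclear-EK-traffic.pcap

The following text should be displayed in the output, and the md5sum can be
checked on a site like virustotal:

    ** yquesrerman.ga/AwoVG1ADAw4OUhlVDlRTBQoHRUJTXVYOUVYaAwtGXFRVVFxXVwBOVRtA (application/octet-stream) md5sum: 9b3ad66a2a61e8760602d98b537b7734 **

Implementation Logic
====================
1. Check if the HTTP response status is 200 OK
2. Test the content-type of the HTTP response for the follwing strings:
    'application/x-shockwave-flash'
    'application/octet-stream'
    'application/vnd.adobe.flash-movie'
3. Test filedownload following known Flash magic byte substrings:
    'CWS'
    'ZWS'
    'FWS'

Note: Encoded or obfuscated flash files will *not* be detected.

Chainable
=========
flash-detect is chainable. If a connection contains an HTTP response with a
successful Flash file download, then the entire connection (in the case of a
connectionHandler), and the request, response, requesttime, and responsetime
(in the case of an HTTPHandler) is/are passed to the subDecoders for
additional processing. Undetected or non-Flash files are dropped.
''',
        author='ekilmer',
    )
    # Detected transactions are handed on to subDecoders (see longdescription).
    self.chainable = True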
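def __init__(self):
    """Register the peht decoder (Penetration/Exploit/Hijacking Tool detector).

    Listens on tcp/80, 81, 8000 and 8080; ``showcontent`` adds the request
    and response bodies to the output.  The per-transaction attributes
    initialised to ``None`` below are filled in by the HTTP handler defined
    outside this block.
    """
    web_ports = (80, 81, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='peht',
        description='Penetration/Exploit/Hijacking Tool detector',
        longdescription="""
The Penetration/Exploit/Hijacking Tool detector will identify the tool used to
scan or exploit a server using the User agent, URI or HTTP content.

General usage:
    decode -d peht <pcap>

Detailed usage:
    decode -d peht --peht_showcontent <pcap>

Output:
    Request Timestamp (UTC): 2017-07-16 02:41:47.238549
    Penetration/Exploit/Hijacking Tool: Open Vulnerability Assessment System
    User-Agent: Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)
    Request Method: GET
    URI: /scripts/session/login.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Not Found
    Response Status: 404
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23

Detailed Output:
    Request Timestamp (UTC): 2017-07-16 02:41:47.238549
    Penetration/Exploit/Hijacking Tool: Arbitrary Remote Code Execution/injection
    User-Agent: Wget(linux)
    Request Method: POST
    URI: /command.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%6B%65%72%20%3E%20%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%6B%65%72%2E%74%78%74

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Found
    Response Status: 302
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="https://example.com/command.php">here</a>.</p>
    </body></html>
""",
        filter='tcp and (port 80 or port 81 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        author='mm',
        optiondict={
            'showcontent': {
                'action': 'store_true',
                'default': False,
                'help': 'Display the request and response body content.',
            },
        },
    )
    self.out = colorout.ColorOutput()
    # Per-transaction state; presumably reset for every request/response pair
    # by the handler -- confirm against the handler.
    self.direction = None
    self.request_ioc = None
    self.request_method = None
    self.request_user_agent = None
    self.request_host = None
    self.request_rangestr = None
    self.request_body = None
    self.request_referer = None
    self.response_content_type = None
    self.response_body = None
    self.response_contentencoding = None
    self.response_status = None
    self.response_contentlength = None
    self.response_reason = None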
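def __init__(self):
    """Register the peht decoder (Penetration/Exploit/Hijacking Tool detector).

    Listens on tcp/80, 81, 8000 and 8080; ``showcontent`` adds the request
    and response bodies to the output.  The per-transaction attributes
    initialised to ``None`` below are filled in by the HTTP handler defined
    outside this block.
    """
    web_ports = (80, 81, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='peht',
        description='Penetration/Exploit/Hijacking Tool detector',
        longdescription="""
The Penetration/Exploit/Hijacking Tool detector will identify the tool used to
scan or exploit a server using the User agent, URI or HTTP content.

General usage:
    decode -d peht <pcap>

Detailed usage:
    decode -d peht --peht_showcontent <pcap>

Output:
    Request Timestamp (UTC): 2017-07-16 02:41:47.238549
    Penetration/Exploit/Hijacking Tool: Open Vulnerability Assessment System
    User-Agent: Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)
    Request Method: GET
    URI: /scripts/session/login.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Not Found
    Response Status: 404
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23

Detailed Output:
    Request Timestamp (UTC): 2017-07-16 02:41:47.238549
    Penetration/Exploit/Hijacking Tool: Arbitrary Remote Code Execution/injection
    User-Agent: Wget(linux)
    Request Method: POST
    URI: /command.php
    Source IP: 1.2.3.4 - Source port: 666 - MAC: 50:b4:02:39:24:56
    Host requested: example.com

    cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%6B%65%72%20%3E%20%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%6B%65%72%2E%74%78%74

    Response Timestamp (UTC): 2017-07-16 02:41:48.238549
    Response Reason: Found
    Response Status: 302
    Destination IP: 192.168.1.1 - Destination port: 80 - MAC: a4:42:ab:56:b6:23

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="https://example.com/command.php">here</a>.</p>
    </body></html>
""",
        filter='tcp and (port 80 or port 81 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        author='mm',
        optiondict={
            'showcontent': {
                'action': 'store_true',
                'default': False,
                'help': 'Display the request and response body content.',
            },
        },
    )
    self.out = colorout.ColorOutput()
    # Per-transaction state; presumably reset for every request/response pair
    # by the handler -- confirm against the handler.
    self.direction = None
    self.request_ioc = None
    self.request_method = None
    self.request_user_agent = None
    self.request_host = None
    self.request_rangestr = None
    self.request_body = None
    self.request_referer = None
    self.response_content_type = None
    self.response_body = None
    self.response_contentencoding = None
    self.response_status = None
    self.response_contentlength = None
    self.response_reason = None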
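def __init__(self):
    """Register the flash-detect decoder (alerts on successful Flash downloads).

    Options: ``dump`` writes each detected file to ``flashout/`` with a
    ``.flash`` extension; ``md5sum`` (0/1/2) controls digest calculation and
    how dumped files are named.  The decoder is chainable.
    """
    web_ports = (80, 8000, 8080)
    HTTPDecoder.__init__(
        self,
        name='flash-detect',
        description='Detects successful Flash file download.',
        filter='tcp and (port 80 or port 8080 or port 8000)',
        # filterfn receives ((sip, sport), (dip, dport)).  Indexing replaces
        # the Python-2-only tuple parameter unpacking (PEP 3113) while
        # selecting exactly the same connections.
        filterfn=lambda addr: addr[0][1] in web_ports or addr[1][1] in web_ports,
        optiondict={
            'dump': {
                'action': 'store_true',
                'help': '''\
Dump the flash file to a file based off its name, md5sum (if specified), or its
URI. The file is dumped to the local directory "flashout". The file extension
is ".flash" to prevent accidental execution.''',
            },
            'md5sum': {
                'type': 'int',
                'default': 0,
                'help': '''\
Calculate and print the md5sum of the file. There are three options:
  0: (default) No md5sum calculations or labeling
  1: Calculate md5sum; Print out md5sum in alert; Name all dumped files by
     their md5sum (must be used with 'dump' option)
  2: Calculate md5sum; Print out md5sum in alert; If found, a file's
     explicitly listed save name (found in 'content-disposition' HTTP header)
     will be used for file dump name instead of md5sum.
Any other numbers will be ignored and the default action will be used.''',
            },
        },
        longdescription='''\
flash-detect identifies HTTP requests where the server response contains a
Flash file. Many exploit kits utilize Flash to deliver exploits to potentially
vulnerable browsers.

If a flash file is successfully downloaded, an alert will occur stating the
full URL of the downloaded file, its content-type, and (optionally) its md5sum.

Usage Examples:
===============
Search all pcap files for Flash file downloads, and upon detection, calculate
and print alerts containing the md5sum to screen:

    decode -d flash-detect --flash-detect_md5sum=1 *.pcap

If you wanted to save every detected Flash file to a local directory
"./flashout/" with its md5sum as the file name:

    decode -d flash-detect --flash-detect_md5sum=1 --flash-detect_dump *.pcap

The output directory can be changed by modifying the `__OUTDIR` variable.

An example of a real pcap file, taken from
http://malware-traffic-analysis.net/2014/12/12/index.html:

    decode -d flash-detect --flash-detect_md5sum=1 2014-12-12-Nuclear-EK-traffic.pcap

The following text should be displayed in the output, and the md5sum can be
checked on a site like virustotal:

    ** yquesrerman.ga/AwoVG1ADAw4OUhlVDlRTBQoHRUJTXVYOUVYaAwtGXFRVVFxXVwBOVRtA (application/octet-stream) md5sum: 9b3ad66a2a61e8760602d98b537b7734 **

Implementation Logic
====================
1. Check if the HTTP response status is 200 OK
2. Test the content-type of the HTTP response for the follwing strings:
    'application/x-shockwave-flash'
    'application/octet-stream'
    'application/vnd.adobe.flash-movie'
3. Test filedownload following known Flash magic byte substrings:
    'CWS'
    'ZWS'
    'FWS'

Note: Encoded or obfuscated flash files will *not* be detected.

Chainable
=========
flash-detect is chainable. If a connection contains an HTTP response with a
successful Flash file download, then the entire connection (in the case of a
connectionHandler), and the request, response, requesttime, and responsetime
(in the case of an HTTPHandler) is/are passed to the subDecoders for
additional processing. Undetected or non-Flash files are dropped.
''',
        author='ekilmer',
    )
    # Detected transactions are handed on to subDecoders (see longdescription).
    self.chainable = True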