xettercap 1.5.7xerob
- checksums.yaml +7 -0
- data/bin/xettercap +61 -0
- data/lib/bettercap/banner +2 -0
- data/lib/bettercap/context.rb +259 -0
- data/lib/bettercap/discovery/agents/arp.rb +37 -0
- data/lib/bettercap/discovery/agents/base.rb +73 -0
- data/lib/bettercap/discovery/agents/icmp.rb +44 -0
- data/lib/bettercap/discovery/agents/udp.rb +30 -0
- data/lib/bettercap/discovery/thread.rb +128 -0
- data/lib/bettercap/error.rb +16 -0
- data/lib/bettercap/firewalls/base.rb +103 -0
- data/lib/bettercap/firewalls/bsd.rb +74 -0
- data/lib/bettercap/firewalls/linux.rb +65 -0
- data/lib/bettercap/firewalls/redirection.rb +42 -0
- data/lib/bettercap/loader.rb +27 -0
- data/lib/bettercap/logger.rb +131 -0
- data/lib/bettercap/memory.rb +56 -0
- data/lib/bettercap/monkey/celluloid/actor.rb +23 -0
- data/lib/bettercap/monkey/celluloid/io/udp_socket.rb +26 -0
- data/lib/bettercap/monkey/em-proxy/proxy.rb +23 -0
- data/lib/bettercap/monkey/openssl/server.rb +35 -0
- data/lib/bettercap/monkey/packetfu/pcap.rb +51 -0
- data/lib/bettercap/monkey/packetfu/utils.rb +210 -0
- data/lib/bettercap/monkey/system.rb +25 -0
- data/lib/bettercap/network/arp_reader.rb +91 -0
- data/lib/bettercap/network/hw-prefixes +21326 -0
- data/lib/bettercap/network/network.rb +102 -0
- data/lib/bettercap/network/packet_queue.rb +129 -0
- data/lib/bettercap/network/protos/base.rb +154 -0
- data/lib/bettercap/network/protos/dhcp.rb +227 -0
- data/lib/bettercap/network/protos/mysql.rb +40 -0
- data/lib/bettercap/network/protos/ntlm.rb +97 -0
- data/lib/bettercap/network/protos/snmp.rb +49 -0
- data/lib/bettercap/network/protos/teamviewer.rb +119 -0
- data/lib/bettercap/network/servers/dnsd.rb +152 -0
- data/lib/bettercap/network/servers/httpd.rb +55 -0
- data/lib/bettercap/network/services +2182 -0
- data/lib/bettercap/network/target.rb +168 -0
- data/lib/bettercap/network/validator.rb +96 -0
- data/lib/bettercap/options/core_options.rb +197 -0
- data/lib/bettercap/options/options.rb +165 -0
- data/lib/bettercap/options/proxy_options.rb +314 -0
- data/lib/bettercap/options/server_options.rb +73 -0
- data/lib/bettercap/options/sniff_options.rb +90 -0
- data/lib/bettercap/options/spoof_options.rb +71 -0
- data/lib/bettercap/pluggable.rb +37 -0
- data/lib/bettercap/proxy/http/module.rb +105 -0
- data/lib/bettercap/proxy/http/modules/injectcss.rb +79 -0
- data/lib/bettercap/proxy/http/modules/injecthtml.rb +80 -0
- data/lib/bettercap/proxy/http/modules/injectjs.rb +79 -0
- data/lib/bettercap/proxy/http/proxy.rb +184 -0
- data/lib/bettercap/proxy/http/request.rb +192 -0
- data/lib/bettercap/proxy/http/response.rb +226 -0
- data/lib/bettercap/proxy/http/ssl/authority.rb +182 -0
- data/lib/bettercap/proxy/http/ssl/bettercap-ca.pem +49 -0
- data/lib/bettercap/proxy/http/ssl/server.rb +63 -0
- data/lib/bettercap/proxy/http/sslstrip/cookiemonitor.rb +67 -0
- data/lib/bettercap/proxy/http/sslstrip/lock.ico +0 -0
- data/lib/bettercap/proxy/http/sslstrip/strip.rb +325 -0
- data/lib/bettercap/proxy/http/streamer.rb +225 -0
- data/lib/bettercap/proxy/stream_logger.rb +181 -0
- data/lib/bettercap/proxy/tcp/module.rb +75 -0
- data/lib/bettercap/proxy/tcp/proxy.rb +123 -0
- data/lib/bettercap/proxy/thread_pool.rb +194 -0
- data/lib/bettercap/shell.rb +70 -0
- data/lib/bettercap/sniffer/parsers/base.rb +87 -0
- data/lib/bettercap/sniffer/parsers/cookie.rb +45 -0
- data/lib/bettercap/sniffer/parsers/creditcard.rb +62 -0
- data/lib/bettercap/sniffer/parsers/custom.rb +26 -0
- data/lib/bettercap/sniffer/parsers/dhcp.rb +45 -0
- data/lib/bettercap/sniffer/parsers/dict.rb +37 -0
- data/lib/bettercap/sniffer/parsers/ftp.rb +24 -0
- data/lib/bettercap/sniffer/parsers/httpauth.rb +44 -0
- data/lib/bettercap/sniffer/parsers/https.rb +42 -0
- data/lib/bettercap/sniffer/parsers/irc.rb +24 -0
- data/lib/bettercap/sniffer/parsers/mail.rb +24 -0
- data/lib/bettercap/sniffer/parsers/mpd.rb +36 -0
- data/lib/bettercap/sniffer/parsers/mysql.rb +27 -0
- data/lib/bettercap/sniffer/parsers/nntp.rb +24 -0
- data/lib/bettercap/sniffer/parsers/ntlmss.rb +34 -0
- data/lib/bettercap/sniffer/parsers/pgsql.rb +36 -0
- data/lib/bettercap/sniffer/parsers/post.rb +33 -0
- data/lib/bettercap/sniffer/parsers/redis.rb +39 -0
- data/lib/bettercap/sniffer/parsers/rlogin.rb +45 -0
- data/lib/bettercap/sniffer/parsers/snmp.rb +44 -0
- data/lib/bettercap/sniffer/parsers/snpp.rb +37 -0
- data/lib/bettercap/sniffer/parsers/teamviewer.rb +30 -0
- data/lib/bettercap/sniffer/parsers/url.rb +30 -0
- data/lib/bettercap/sniffer/parsers/whatsapp.rb +33 -0
- data/lib/bettercap/sniffer/sniffer.rb +142 -0
- data/lib/bettercap/spoofers/arp.rb +150 -0
- data/lib/bettercap/spoofers/base.rb +152 -0
- data/lib/bettercap/spoofers/icmp.rb +202 -0
- data/lib/bettercap/spoofers/none.rb +57 -0
- data/lib/bettercap/update_checker.rb +57 -0
- data/lib/bettercap/version.rb +18 -0
- data/lib/bettercap.rb +70 -0
- metadata +276 -0
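--- a/data/lib/bettercap/sniffer/parsers/base.rb
+++ b/data/lib/bettercap/sniffer/parsers/base.rb
@@ -0,0 +1,87 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+module BetterCap
+module Parsers
+# Base class for BetterCap::Parsers.
+class Base
+# Hash of available parsers ( parser name -> class name )
+@@loaded = {}
+
+class << self
+# Called when this base class is inherited from one of the parsers.
+def inherited(subclass)
+name = subclass.name.split('::')[2].upcase
+if name != 'CUSTOM'
+@@loaded[name] = subclass.name
+end
+end
+
+# Return a list of available parsers names.
+def available
+@@loaded.keys
+end
+
+# Parse the +v+ command line argument and return a list of parser names.
+# Will raise BetterCap::Error if one or more parser names are not valid.
+def from_cmdline(v)
+raise BetterCap::Error, "No parser names provided" if v.nil?
+
+avail = available
+list = v.split(',').collect(&:strip).collect(&:upcase).reject{ |c| c.empty? }
+list.each do |parser|
+raise BetterCap::Error, "Invalid parser name '#{parser}'." unless avail.include?(parser) or parser == '*'
+end
+list
+end
+
+# Return a list of BetterCap::Parsers instances by their +parsers+ names.
+def load_by_names(parsers)
+loaded = []
+
+@@loaded.each do |name,cname|
+if parsers.include?(name) or parsers == ['*']
+Logger.debug "Loading parser #{name} ( #{cname} ) ..."
+loaded << BetterCap::Loader.load(cname).new
+end
+end
+
+loaded
+end
+
+# Load and return an instance of the BetterCap::Parsers::Custom parser
+# given the +expression+ Regex object.
+def load_custom(expression)
+Logger.debug "Loading custom parser: '#{expression}' ..."
+[ BetterCap::Parsers::Custom.new(expression) ]
+end
+end
+
+# Initialize this parser.
+def initialize
+@filters = []
+@name = 'BASE'
+end
+
+# This method will be called from the BetterCap::Sniffer for each
+# incoming packet ( +pkt ) and will apply the parser filter to it.
+def on_packet( pkt )
+s = pkt.to_s
+@filters.each do |filter|
+if s =~ filter
+StreamLogger.log_raw( pkt, @name, pkt.payload )
+end
+end
+end
+end
+end
+end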
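Review bot: `inherited` builds the registry key with `subclass.name.split('::')[2].upcase` on line 23, which raises NoMethodError when `name` is nil (an anonymous `Class.new(Base)`) or when a subclass is nested at a different depth than `BetterCap::Parsers::X`; a guard such as `return if subclass.name.nil?` before the lookup keeps reflective or test-time subclassing from breaking registration. `@@loaded` is a class variable shared down the whole inheritance tree rather than state owned by `Base`; a class-level instance variable exposed through `class << self; attr_reader :loaded; end` avoids that sharing. `from_cmdline` raises for nil but silently returns an empty list for an argument such as `","`, because the `reject` on line 40 drops every entry; `raise BetterCap::Error, "No parser names provided" if list.empty?` after the split makes the two cases consistent.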
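--- a/data/lib/bettercap/sniffer/parsers/cookie.rb
+++ b/data/lib/bettercap/sniffer/parsers/cookie.rb
@@ -0,0 +1,45 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# HTTP cookies parser.
+class Cookie < Base
+# Cookies to ignore.
+FILTER = [ '__cfduid', '_ga', '_gat' ].freeze
+
+def on_packet( pkt )
+hostname = nil
+cookies = {}
+
+pkt.to_s.split("\n").each do |line|
+if line =~ /Host:\s*([^\s]+)/i
+hostname = $1
+elsif line =~ /.*Cookie:\s*(.+)/i
+$1.strip.split(';').each do |v|
+k, v = v.split('=').map(&:strip)
+next if k.nil? or v.nil?
+unless k.empty? or v.empty? or FILTER.include?(k)
+cookies[k] = v
+end
+end
+end
+end
+
+unless hostname.nil? or cookies.empty?
+StreamLogger.log_raw( pkt, "COOKIE", "[#{hostname.yellow}] #{cookies.map{|k,v| "#{k.green}=#{v.yellow}"}.join('; ')}" )
+end
+end
+end
+end
+end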
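Review bot: `k, v = v.split('=').map(&:strip)` on line 30 splits on every `=`, so a cookie value that itself contains `=` (base64 padding is the common case) is truncated to the text before its second `=`; `k, v = v.split('=', 2).map(&:strip)` keeps the whole value. The block parameter `v` is reassigned by that same destructuring, which reads like a shadowing bug even though it works; naming the block parameter `pair` makes the intent clear. The `.*` prefix in `/.*Cookie:\s*(.+)/i` on line 28 means `Set-Cookie:` response headers are captured as well as request cookies; if that is intentional it deserves a comment, otherwise anchoring with `\ACookie:` restricts the match to requests.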
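--- a/data/lib/bettercap/sniffer/parsers/creditcard.rb
+++ b/data/lib/bettercap/sniffer/parsers/creditcard.rb
@@ -0,0 +1,62 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# CC parser.
+class CreditCard < Base
+PARSERS = [
+# All major cards.
+/(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{12}|3(?:0[0-5]|[68][0-9])[0-9]{11}|3[47][0-9]{13})/m,
+# American Express
+/(3[47][0-9]{13})/m,
+# Diners Club
+/(3(?:0[0-5]|[68][0-9])[0-9]{11})/m,
+# Discover
+/(6011[0-9]{12})/m,
+# MasterCard
+/(5[1-5][0-9]{14})/m,
+# Visa
+/(4[0-9]{12}(?:[0-9]{3})?)/m
+].freeze
+
+def on_packet( pkt )
+begin
+payload = pkt.to_s
+PARSERS.each do |expr|
+matches = payload.scan( expr )
+matches.each do |m|
+StreamLogger.log_raw( pkt, 'CREDITCARD', m ) if luhn?(m)
+end
+break unless matches.empty?
+end
+rescue; end
+end
+
+# Validate +cc+ with Lughn algorithm.
+def luhn?(cc)
+digits = cc.split(//).map(&:to_i)
+last = digits.pop
+
+products = digits.reverse.map.with_index do |n,i|
+i.even? ? n*2 : n*1
+end.reverse
+sum = products.inject(0) { |t,p| t + p.to_s.split(//).map(&:to_i).inject(:+) }
+checksum = 10 - (sum % 10)
+checksum == 10 ? 0 : checksum
+
+( last == checksum )
+end
+
+end
+end
+end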
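Review bot: In `luhn?` the normalisation on line 55, `checksum == 10 ? 0 : checksum`, is a bare expression whose result is discarded, so when `sum % 10 == 0` the comparison on line 57 tests `last == 10` and every number whose check digit is 0 is reported as invalid; `checksum = 0 if checksum == 10` (or `checksum %= 10`) fixes it. `on_packet` wraps its body in `rescue; end` on line 42, which swallows every StandardError, including the NoMethodError `luhn?` would raise if a capturing regex made `scan` return arrays instead of strings; `rescue => e` followed by a `Logger.debug` line keeps the best-effort behaviour while making failures visible. The same bare `rescue` pattern appears in the dhcp.rb, dict.rb, https.rb, mpd.rb and post.rb sections below. Note also that the first PARSERS entry appears to be the union of the five that follow and the loop breaks after the first expression that matches, so the card-specific patterns (the only ones with capturing groups) look unreachable.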
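--- a/data/lib/bettercap/sniffer/parsers/custom.rb
+++ b/data/lib/bettercap/sniffer/parsers/custom.rb
@@ -0,0 +1,26 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# Parser used when the "--custom-parser EXPRESSION" command line
+# argument is specified.
+class Custom < Base
+# Initialize the parser given the +filter+ Regexp object.
+def initialize( filter )
+@filters = [ filter ]
+@name = 'DATA'
+end
+end
+end
+end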
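Review bot: `initialize` stores `filter` without checking that it is a Regexp, yet `Base#on_packet` (in the base.rb section above) applies it with `s =~ filter`, where a String argument raises TypeError on every packet, far from the option that caused it; `raise ArgumentError, 'filter must be a Regexp' unless filter.is_a?(Regexp)` fails fast instead. Presumably the option parser already converts the expression, but the guard documents the contract either way. The class comment could also state that the user-supplied expression is run against every sniffed packet, so an expression with heavy backtracking will stall the sniffer thread.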
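--- a/data/lib/bettercap/sniffer/parsers/dhcp.rb
+++ b/data/lib/bettercap/sniffer/parsers/dhcp.rb
@@ -0,0 +1,45 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# DHCP packets and authentication parser.
+class DHCP < Base
+def on_packet( pkt )
+begin
+if pkt.udp_dst == 67 or pkt.udp_dst == 68
+packet = Network::Protos::DHCP::Packet.parse( pkt.payload )
+unless packet.nil?
+auth = packet.authentication
+cid = auth.nil?? nil : packet.client_identifier
+msg = "[#{packet.type.yellow}] #{'Transaction-ID'.green}=#{sprintf( "0x%X", packet.xid ).yellow}"
+
+unless cid.nil?
+msg += " #{'Client-ID'.green}='#{cid.yellow}'"
+end
+
+unless auth.nil?
+msg += "\n#{'AUTHENTICATION'.green}:\n\n"
+auth.each do |k,v|
+msg += " #{k.blue} : #{v.yellow}\n"
+end
+msg += "\n"
+end
+
+StreamLogger.log_raw( pkt, 'DHCP', msg )
+end
+end
+rescue; end
+end
+end
+end
+end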
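Review bot: `cid = auth.nil?? nil : packet.client_identifier` on line 23 reads as an unfamiliar `??` operator; `cid = packet.client_identifier unless auth.nil?` says the same thing (cid stays nil otherwise) without the ternary. The port test on line 19, `if pkt.udp_dst == 67 or pkt.udp_dst == 68`, mixes `or` into a boolean expression; `if [67, 68].include?(pkt.udp_dst)` avoids the precedence trap. The `msg += ...` chain inside `auth.each` allocates a fresh string per iteration; `msg << ...` is the usual form for building a message incrementally.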
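--- a/data/lib/bettercap/sniffer/parsers/dict.rb
+++ b/data/lib/bettercap/sniffer/parsers/dict.rb
@@ -0,0 +1,37 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# DICT authentication parser.
+class Dict < Base
+def initialize
+@name = 'DICT'
+end
+def on_packet( pkt )
+begin
+if pkt.tcp_dst == 2628
+lines = pkt.to_s.split(/\r?\n/)
+lines.each do |line|
+if line =~ /AUTH\s+(.+)\s+(.+)$/
+user = $1
+pass = $2
+StreamLogger.log_raw( pkt, @name, "username=#{user} password=#{pass}" )
+end
+end
+end
+rescue
+end
+end
+end
+end
+end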
|
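--- a/data/lib/bettercap/sniffer/parsers/ftp.rb
+++ b/data/lib/bettercap/sniffer/parsers/ftp.rb
@@ -0,0 +1,24 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# FTP authentication parser.
+class Ftp < Base
+def initialize
+@filters = [ /(USER|PASS)\s+.+/ ]
+@name = 'FTP'
+end
+end
+end
+end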
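--- a/data/lib/bettercap/sniffer/parsers/httpauth.rb
+++ b/data/lib/bettercap/sniffer/parsers/httpauth.rb
@@ -0,0 +1,44 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# HTTP basic and digest authentication parser.
+class Httpauth < Base
+def on_packet( pkt )
+lines = pkt.to_s.split("\n")
+hostname = nil
+path = nil
+
+lines.each do |line|
+if line =~ /[A-Z]+\s+(\/[^\s]+)\s+HTTP\/\d\.\d/
+path = $1
+
+elsif line =~ /Host:\s*([^\s]+)/i
+hostname = $1
+
+elsif line =~ /Authorization:\s*Basic\s+([^\s]+)/i
+encoded = $1
+decoded = Base64.decode64(encoded)
+user, pass = decoded.split(':')
+
+StreamLogger.log_raw( pkt, 'HTTP BASIC AUTH', "http://#{hostname}#{path} - username=#{user} password=#{pass}".yellow )
+
+elsif line =~ /Authorization:\s*([^\s]+)\s+(.+)/i
+StreamLogger.log_raw( pkt, "HTTP #{$1} AUTH", "http://#{hostname}#{path}\n#{$1.blue}: #{$2.yellow}" )
+end
+end
+end
+end
+end
+end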
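Review bot: `hostname` and `path` are only populated by lines seen earlier in the same loop, so when an `Authorization` header precedes `Host` (header order is not fixed) or the request line sits in an earlier segment, the URL logged on lines 35 and 38 is `http://` with nil interpolated as empty text; collecting the headers in a first pass and logging after the loop would make the output trustworthy. `Base64.decode64` on line 32 depends on `require 'base64'` having been done elsewhere; nothing in this hunk loads it. The decoded string is binary, so interpolating a credential with non-ASCII bytes into the message may raise `Encoding::CompatibilityError` and, with no rescue in this method, abort the parser on one bad packet; a `rescue => e` with a `Logger.debug` line keeps that contained.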
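--- a/data/lib/bettercap/sniffer/parsers/https.rb
+++ b/data/lib/bettercap/sniffer/parsers/https.rb
@@ -0,0 +1,42 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# HTTPS connections parser.
+class Https < Base
+@@prev = nil
+
+def on_packet( pkt )
+begin
+if pkt.tcp_dst == 443
+# the DNS resolution could take a while and block other parsers.
+Thread.new do
+begin
+hostname = Resolv.getname pkt.ip_daddr
+rescue
+hostname = pkt.ip_daddr.to_s
+end
+
+if @@prev.nil? or @@prev != hostname
+StreamLogger.log_raw( pkt, 'HTTPS', "https://#{hostname}/" )
+@@prev = hostname
+end
+end
+end
+rescue
+end
+end
+end
+end
+end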
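Review bot: `@@prev` is read on line 31 and written on line 33 from a thread spawned per packet, with no synchronization, so two lookups finishing close together can both log the same host or interleave their updates; wrapping the compare-and-set in a mutex (`@@lock = Mutex.new` at class level, `@@lock.synchronize do ... end` around lines 31-34) removes the race. `Thread.new` on every packet to port 443 is unbounded, and each thread blocks in `Resolv.getname` until the resolver answers, so a burst of connections piles up many threads; a single worker draining a `Queue` would bound that. The `@@prev.nil? or` test is redundant, since `nil != hostname` already holds; `if @@prev != hostname` is enough. A class variable is also shared with any subclass; a class-level instance variable is the usual choice for per-class state.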
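--- a/data/lib/bettercap/sniffer/parsers/irc.rb
+++ b/data/lib/bettercap/sniffer/parsers/irc.rb
@@ -0,0 +1,24 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# IRC protocol parser.
+class Irc < Base
+def initialize
+@filters = [ /NICK\s+.+/, /NS IDENTIFY\s+.+/, /nickserv :identify\s+.+/ ]
+@name = 'IRC'
+end
+end
+end
+end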
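--- a/data/lib/bettercap/sniffer/parsers/mail.rb
+++ b/data/lib/bettercap/sniffer/parsers/mail.rb
@@ -0,0 +1,24 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# POP/IMAP authentication parser.
+class Mail < Base
+def initialize
+@filters = [ /(\d+ )?(auth|authenticate) ([a-z\-_0-9]+)/i ]
+@name = 'MAIL'
+end
+end
+end
+end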
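--- a/data/lib/bettercap/sniffer/parsers/mpd.rb
+++ b/data/lib/bettercap/sniffer/parsers/mpd.rb
@@ -0,0 +1,36 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# Music Player Daemon (MPD) authentication parser.
+class Mpd < Base
+def initialize
+@name = 'MPD'
+end
+def on_packet( pkt )
+begin
+if pkt.tcp_dst == 6600
+lines = pkt.to_s.split(/\r?\n/)
+lines.each do |line|
+if line =~ /password\s+(.+)$/
+pass = $1
+StreamLogger.log_raw( pkt, @name, "password=#{pass}" )
+end
+end
+end
+rescue
+end
+end
+end
+end
+end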
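--- a/data/lib/bettercap/sniffer/parsers/mysql.rb
+++ b/data/lib/bettercap/sniffer/parsers/mysql.rb
@@ -0,0 +1,27 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# MySQL authentication parser.
+class MySQL < Base
+def on_packet( pkt )
+packet = Network::Protos::MySQL::Packet.parse( pkt.payload )
+unless packet.nil? or !packet.is_auth?
+StreamLogger.log_raw( pkt, 'MYSQL', "#{'username'.blue}='#{packet.username.yellow}' "\
+"#{'password'.blue}='#{packet.password.map { |x| sprintf("%02X", x )}.join.yellow}'" )
+end
+end
+end
+end
+end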
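Review bot: Unlike most parsers in this commit, `on_packet` here has no `rescue`, and `Network::Protos::MySQL::Packet.parse` on line 19 is called on every packet's payload with no port check, so an exception raised on a malformed payload propagates out of the parser (presumably into the sniffer loop, which is outside this page). The ntlmss.rb and pgsql.rb sections have the same gap. The condition `unless packet.nil? or !packet.is_auth?` on line 20 is a double negative; `if packet && packet.is_auth?` states it directly and matches the form already used in ntlmss.rb.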
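--- a/data/lib/bettercap/sniffer/parsers/nntp.rb
+++ b/data/lib/bettercap/sniffer/parsers/nntp.rb
@@ -0,0 +1,24 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# NNTP authentication parser.
+class Nntp < Base
+def initialize
+@filters = [ /AUTHINFO\s+(USER|PASS)\s+.+/i ]
+@name = 'NNTP'
+end
+end
+end
+end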
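--- a/data/lib/bettercap/sniffer/parsers/ntlmss.rb
+++ b/data/lib/bettercap/sniffer/parsers/ntlmss.rb
@@ -0,0 +1,34 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# NTLMSS authentication parser.
+class NTLMSS < Base
+def on_packet( pkt )
+packet = Network::Protos::NTLM::Packet.parse( pkt.payload )
+if !packet.nil? and packet.is_auth?
+msg = "NTLMSSP Authentication:\n"
+msg += " #{'LM Response'.blue} : #{packet.lm_response.map { |x| sprintf("%02X", x )}.join.yellow}\n"
+msg += " #{'NTLM Response'.blue} : #{packet.ntlm_response.map { |x| sprintf("%02X", x )}.join.yellow}\n"
+msg += " #{'Domain Name'.blue} : #{packet.domain_name.yellow}\n"
+msg += " #{'User Name'.blue} : #{packet.user_name.yellow}\n"
+msg += " #{'Host Name'.blue} : #{packet.host_name.yellow}\n"
+msg += " #{'Session Key'.blue} : #{packet.session_key_resp.map { |x| sprintf("%02X", x )}.join.yellow}"
+
+StreamLogger.log_raw( pkt, 'NTLM', msg )
+end
+end
+end
+end
+end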
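--- a/data/lib/bettercap/sniffer/parsers/pgsql.rb
+++ b/data/lib/bettercap/sniffer/parsers/pgsql.rb
@@ -0,0 +1,36 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# PgSQL authentication parser.
+class PgSQL < Base
+STARTUP_EXPR = /....\x00\x03\x00\x00user\x00([^\x00]+)\x00database\x00([^\x00]+)/
+MD5_AUTH_REQ_EXPR = /\x52....\x00\x00\x00\x05(....)/
+MD5_PASSWORD_EXPR = /\x70....md5(.+)/
+
+def on_packet( pkt )
+if pkt.payload =~ STARTUP_EXPR
+StreamLogger.log_raw( pkt, 'PGSQL', "STARTUP #{'username'.blue}='#{$1.yellow}' #{'database'.blue}='#{$2.yellow}'" )
+
+elsif pkt.payload =~ MD5_AUTH_REQ_EXPR
+salt = $1.reverse.unpack('L')[0]
+StreamLogger.log_raw( pkt, 'PGSQL', "MD5 AUTH REQUEST #{'salt'.blue}=#{sprintf("0x%X", salt).yellow}" )
+
+elsif pkt.payload =~ MD5_PASSWORD_EXPR
+StreamLogger.log_raw( pkt, 'PGSQL', "PASSWORD #{'md5'.blue}='#{$1.yellow}'" )
+end
+end
+end
+end
+end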
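Review bot: `salt = $1.reverse.unpack('L')[0]` on line 27 depends on host byte order: `'L'` is native-endian, so reversing the four bytes yields the intended value only on little-endian hosts; `salt = $1.unpack('N')[0]` is the portable spelling of the same big-endian read. The three `=~` matches against `pkt.payload` run with no rescue, so if the packet library tags the payload as UTF-8 and it contains invalid bytes the match raises ArgumentError instead of skipping the packet (this depends on how the payload string is tagged, which is not visible here). The constant names could carry a one-line comment each noting which PostgreSQL message type they recognise, since the `\x52`/`\x70` prefixes are opaque to a reader.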
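--- a/data/lib/bettercap/sniffer/parsers/post.rb
+++ b/data/lib/bettercap/sniffer/parsers/post.rb
@@ -0,0 +1,33 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email : evilsocket@gmail.com
+Blog : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# HTTP POST requests parser.
+class Post < Base
+def on_packet( pkt )
+s = pkt.to_s
+if s =~ /POST\s+[^\s]+\s+HTTP.+/
+begin
+req = BetterCap::Proxy::HTTP::Request.parse(pkt.payload)
+# the packet could be incomplete
+unless req.body.nil? or req.body.empty?
+StreamLogger.log_raw( pkt, "POST", req.to_url(1000) )
+StreamLogger.log_post( req )
+end
+rescue; end
+end
+end
+end
+end
+end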
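Review bot: `req.to_url(1000)` on line 25 passes a bare magic number whose meaning is not visible here (presumably a maximum URL length; `to_url` is defined outside this page); a named constant such as `MAX_URL_LENGTH = 1000` on the class documents it. The `begin ... rescue; end` on lines 21-28 silently drops any parse error, not only the "incomplete packet" case the comment on line 23 describes; `rescue => e` followed by `Logger.debug "POST parser: #{e.message}"` keeps the best-effort behaviour while making failures visible. The request line is detected on `pkt.to_s` while the parser is handed `pkt.payload`; if those two representations ever differ, using one of them for both steps avoids a mismatch.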