xettercap 1.5.7xerob

data/lib/bettercap/sniffer/parsers/base.rb

@@ -0,0 +1,87 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+module BetterCap
+module Parsers
+# Base class for BetterCap::Parsers.
+class Base
+  # Hash of available parsers ( parser name -> class name )
+  @@loaded = {}
+
+  class << self
+    # Called when this base class is inherited from one of the parsers.
+    def inherited(subclass)
+      name = subclass.name.split('::')[2].upcase
+      if name != 'CUSTOM'
+        @@loaded[name] = subclass.name
+      end
+    end
+
+    # Return a list of available parsers names.
+    def available
+      @@loaded.keys
+    end
+
+    # Parse the +v+ command line argument and return a list of parser names.
+    # Will raise BetterCap::Error if one or more parser names are not valid.
+    def from_cmdline(v)
+      raise BetterCap::Error, "No parser names provided" if v.nil?
+
+      avail = available
+      list = v.split(',').collect(&:strip).collect(&:upcase).reject{ |c| c.empty? }
+      list.each do |parser|
+        raise BetterCap::Error, "Invalid parser name '#{parser}'." unless avail.include?(parser) or parser == '*'
+      end
+      list
+    end
+
+    # Return a list of BetterCap::Parsers instances by their +parsers+ names.
+    def load_by_names(parsers)
+      loaded = []
+
+      @@loaded.each do |name,cname|
+        if parsers.include?(name) or parsers == ['*']
+          Logger.debug "Loading parser #{name} ( #{cname} ) ..."
+          loaded << BetterCap::Loader.load(cname).new
+        end
+      end
+
+      loaded
+    end
+
+    # Load and return an instance of the BetterCap::Parsers::Custom parser
+    # given the +expression+ Regex object.
+    def load_custom(expression)
+      Logger.debug "Loading custom parser: '#{expression}' ..."
+      [ BetterCap::Parsers::Custom.new(expression) ]
+    end
+  end
+
+  # Initialize this parser.
+  def initialize
+    @filters = []
+    @name = 'BASE'
+  end
+
+  # This method will be called from the BetterCap::Sniffer for each
+  # incoming packet ( +pkt ) and will apply the parser filter to it.
+  def on_packet( pkt )
+    s = pkt.to_s
+    @filters.each do |filter|
+      if s =~ filter
+        StreamLogger.log_raw( pkt, @name, pkt.payload )
+      end
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/cookie.rb

@@ -0,0 +1,45 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# HTTP cookies parser.
+class Cookie < Base
+  # Cookies to ignore.
+  FILTER = [ '__cfduid', '_ga', '_gat' ].freeze
+
+  def on_packet( pkt )
+    hostname = nil
+    cookies = {}
+
+    pkt.to_s.split("\n").each do |line|
+      if line =~ /Host:\s*([^\s]+)/i
+        hostname = $1
+      elsif line =~ /.*Cookie:\s*(.+)/i
+        $1.strip.split(';').each do |v|
+          k, v = v.split('=').map(&:strip)
+          next if k.nil? or v.nil?
+          unless k.empty? or v.empty? or FILTER.include?(k)
+            cookies[k] = v
+          end
+        end
+      end
+    end
+
+    unless hostname.nil? or cookies.empty?
+      StreamLogger.log_raw( pkt, "COOKIE", "[#{hostname.yellow}] #{cookies.map{|k,v| "#{k.green}=#{v.yellow}"}.join('; ')}" )
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/creditcard.rb

@@ -0,0 +1,62 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# CC parser.
+class CreditCard < Base
+  PARSERS = [
+    # All major cards.
+    /(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{12}|3(?:0[0-5]|[68][0-9])[0-9]{11}|3[47][0-9]{13})/m,
+    # American Express
+    /(3[47][0-9]{13})/m,
+    # Diners Club
+    /(3(?:0[0-5]|[68][0-9])[0-9]{11})/m,
+    # Discover
+    /(6011[0-9]{12})/m,
+    # MasterCard
+    /(5[1-5][0-9]{14})/m,
+    # Visa
+    /(4[0-9]{12}(?:[0-9]{3})?)/m
+  ].freeze
+
+  def on_packet( pkt )
+    begin
+      payload = pkt.to_s
+      PARSERS.each do |expr|
+        matches = payload.scan( expr )
+        matches.each do |m|
+          StreamLogger.log_raw( pkt, 'CREDITCARD', m ) if luhn?(m)
+        end
+        break unless matches.empty?
+      end
+    rescue; end
+  end
+
+  # Validate +cc+ with Lughn algorithm.
+  def luhn?(cc)
+    digits = cc.split(//).map(&:to_i)
+    last   = digits.pop
+
+    products = digits.reverse.map.with_index do |n,i|
+        i.even? ? n*2 : n*1
+    end.reverse
+    sum = products.inject(0) { |t,p| t + p.to_s.split(//).map(&:to_i).inject(:+) }
+    checksum = 10 - (sum % 10)
+    checksum == 10 ? 0 : checksum
+
+    ( last == checksum )
+  end
+
+end
+end
+end

data/lib/bettercap/sniffer/parsers/custom.rb

@@ -0,0 +1,26 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# Parser used when the "--custom-parser EXPRESSION" command line
+# argument is specified.
+class Custom < Base
+  # Initialize the parser given the +filter+ Regexp object.
+  def initialize( filter )
+    @filters = [ filter ]
+    @name    = 'DATA'
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/dhcp.rb

@@ -0,0 +1,45 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# DHCP packets and authentication parser.
+class DHCP < Base
+  def on_packet( pkt )
+    begin
+      if pkt.udp_dst == 67 or pkt.udp_dst == 68
+        packet = Network::Protos::DHCP::Packet.parse( pkt.payload )
+        unless packet.nil?
+          auth = packet.authentication
+          cid  = auth.nil?? nil : packet.client_identifier
+          msg  = "[#{packet.type.yellow}] #{'Transaction-ID'.green}=#{sprintf( "0x%X", packet.xid ).yellow}"
+
+          unless cid.nil?
+            msg += " #{'Client-ID'.green}='#{cid.yellow}'"
+          end
+
+          unless auth.nil?
+            msg += "\n#{'AUTHENTICATION'.green}:\n\n"
+            auth.each do |k,v|
+              msg += "  #{k.blue} : #{v.yellow}\n"
+            end
+            msg += "\n"
+          end
+
+          StreamLogger.log_raw( pkt, 'DHCP', msg )
+        end
+      end
+    rescue; end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/dict.rb

@@ -0,0 +1,37 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# DICT authentication parser.
+class Dict < Base
+  def initialize
+    @name = 'DICT'
+  end
+  def on_packet( pkt )
+    begin
+      if pkt.tcp_dst == 2628
+        lines = pkt.to_s.split(/\r?\n/)
+        lines.each do |line|
+          if line =~ /AUTH\s+(.+)\s+(.+)$/
+            user = $1
+            pass = $2
+            StreamLogger.log_raw( pkt, @name, "username=#{user} password=#{pass}" )
+          end
+        end
+      end
+    rescue
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/ftp.rb

@@ -0,0 +1,24 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# FTP authentication parser.
+class Ftp < Base
+  def initialize
+    @filters = [ /(USER|PASS)\s+.+/ ]
+    @name = 'FTP'
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/httpauth.rb

@@ -0,0 +1,44 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# HTTP basic and digest authentication parser.
+class Httpauth < Base
+  def on_packet( pkt )
+    lines = pkt.to_s.split("\n")
+    hostname = nil
+    path = nil
+
+    lines.each do |line|
+      if line =~ /[A-Z]+\s+(\/[^\s]+)\s+HTTP\/\d\.\d/
+        path = $1
+
+      elsif line =~ /Host:\s*([^\s]+)/i
+        hostname = $1
+
+      elsif line =~ /Authorization:\s*Basic\s+([^\s]+)/i
+        encoded = $1
+        decoded = Base64.decode64(encoded)
+        user, pass = decoded.split(':')
+
+        StreamLogger.log_raw( pkt, 'HTTP BASIC AUTH', "http://#{hostname}#{path} - username=#{user} password=#{pass}".yellow )
+
+      elsif line =~ /Authorization:\s*([^\s]+)\s+(.+)/i
+        StreamLogger.log_raw( pkt, "HTTP #{$1} AUTH", "http://#{hostname}#{path}\n#{$1.blue}: #{$2.yellow}" )
+      end
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/https.rb

@@ -0,0 +1,42 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# HTTPS connections parser.
+class Https < Base
+  @@prev = nil
+
+  def on_packet( pkt )
+    begin
+      if pkt.tcp_dst == 443
+        # the DNS resolution could take a while and block other parsers.
+        Thread.new do
+          begin
+              hostname = Resolv.getname pkt.ip_daddr
+          rescue
+              hostname = pkt.ip_daddr.to_s
+          end
+
+          if @@prev.nil? or @@prev != hostname
+            StreamLogger.log_raw( pkt, 'HTTPS', "https://#{hostname}/" )
+            @@prev = hostname
+          end
+        end
+      end
+    rescue
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/irc.rb

@@ -0,0 +1,24 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# IRC protocol parser.
+class Irc < Base
+  def initialize
+    @filters = [ /NICK\s+.+/, /NS IDENTIFY\s+.+/, /nickserv :identify\s+.+/ ]
+    @name = 'IRC'
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/mail.rb

@@ -0,0 +1,24 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# POP/IMAP authentication parser.
+class Mail < Base
+  def initialize
+    @filters = [ /(\d+ )?(auth|authenticate) ([a-z\-_0-9]+)/i ]
+    @name = 'MAIL'
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/mpd.rb

@@ -0,0 +1,36 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# Music Player Daemon (MPD) authentication parser.
+class Mpd < Base
+  def initialize
+    @name = 'MPD'
+  end
+  def on_packet( pkt )
+    begin
+      if pkt.tcp_dst == 6600
+        lines = pkt.to_s.split(/\r?\n/)
+        lines.each do |line|
+          if line =~ /password\s+(.+)$/
+            pass = $1
+            StreamLogger.log_raw( pkt, @name, "password=#{pass}" )
+          end
+        end
+      end
+    rescue
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/mysql.rb

@@ -0,0 +1,27 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# MySQL authentication parser.
+class MySQL < Base
+  def on_packet( pkt )
+    packet = Network::Protos::MySQL::Packet.parse( pkt.payload )
+    unless packet.nil? or !packet.is_auth?
+      StreamLogger.log_raw( pkt, 'MYSQL', "#{'username'.blue}='#{packet.username.yellow}' "\
+                                          "#{'password'.blue}='#{packet.password.map { |x| sprintf("%02X", x )}.join.yellow}'" )
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/nntp.rb

@@ -0,0 +1,24 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# NNTP authentication parser.
+class Nntp < Base
+  def initialize
+    @filters = [ /AUTHINFO\s+(USER|PASS)\s+.+/i ]
+    @name = 'NNTP'
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/ntlmss.rb

@@ -0,0 +1,34 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# NTLMSS authentication parser.
+class NTLMSS < Base
+  def on_packet( pkt )
+    packet = Network::Protos::NTLM::Packet.parse( pkt.payload )
+    if !packet.nil? and packet.is_auth?
+      msg = "NTLMSSP Authentication:\n"
+      msg += "  #{'LM Response'.blue}   : #{packet.lm_response.map { |x| sprintf("%02X", x )}.join.yellow}\n"
+      msg += "  #{'NTLM Response'.blue} : #{packet.ntlm_response.map { |x| sprintf("%02X", x )}.join.yellow}\n"
+      msg += "  #{'Domain Name'.blue}   : #{packet.domain_name.yellow}\n"
+      msg += "  #{'User Name'.blue}     : #{packet.user_name.yellow}\n"
+      msg += "  #{'Host Name'.blue}     : #{packet.host_name.yellow}\n"
+      msg += "  #{'Session Key'.blue}   : #{packet.session_key_resp.map { |x| sprintf("%02X", x )}.join.yellow}"
+
+      StreamLogger.log_raw( pkt, 'NTLM', msg )
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/pgsql.rb

@@ -0,0 +1,36 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# PgSQL authentication parser.
+class PgSQL < Base
+  STARTUP_EXPR      = /....\x00\x03\x00\x00user\x00([^\x00]+)\x00database\x00([^\x00]+)/
+  MD5_AUTH_REQ_EXPR = /\x52....\x00\x00\x00\x05(....)/
+  MD5_PASSWORD_EXPR = /\x70....md5(.+)/
+
+  def on_packet( pkt )
+    if pkt.payload =~ STARTUP_EXPR
+      StreamLogger.log_raw( pkt, 'PGSQL', "STARTUP #{'username'.blue}='#{$1.yellow}' #{'database'.blue}='#{$2.yellow}'" )
+
+    elsif pkt.payload =~ MD5_AUTH_REQ_EXPR
+      salt = $1.reverse.unpack('L')[0]
+      StreamLogger.log_raw( pkt, 'PGSQL', "MD5 AUTH REQUEST #{'salt'.blue}=#{sprintf("0x%X", salt).yellow}" )
+
+    elsif pkt.payload =~ MD5_PASSWORD_EXPR
+      StreamLogger.log_raw( pkt, 'PGSQL', "PASSWORD #{'md5'.blue}='#{$1.yellow}'" )
+    end
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/post.rb

@@ -0,0 +1,33 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : http://www.evilsocket.net/
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# HTTP POST requests parser.
+class Post < Base
+  def on_packet( pkt )
+    s = pkt.to_s
+    if s =~ /POST\s+[^\s]+\s+HTTP.+/
+      begin
+        req = BetterCap::Proxy::HTTP::Request.parse(pkt.payload)
+        # the packet could be incomplete
+        unless req.body.nil? or req.body.empty?
+          StreamLogger.log_raw( pkt, "POST", req.to_url(1000) )
+          StreamLogger.log_post( req )
+        end
+      rescue; end
+    end
+  end
+end
+end
+end