
working copy

0 parents commit 32c0ed94a81b176724b4f81ed690db340922a7f5 @9b committed Dec 18, 2011
7 README.rst
@@ -0,0 +1,7 @@
+== Dependencies ==
+* http://code.google.com/p/dpkt/
+* http://pypi.python.org/pypi/cymruwhois
+
+== Files ==
+output_summary - take in one file and summarize the output to the screen
+pcap_summary - take in one file or a directory of PCAP files and summarize them in files
16 files/attacker_ips.txt
@@ -0,0 +1,16 @@
+255.255.255.255
+10.0.2.15
+239.255.255.250
+10.0.2.255
+192.168.249.2
+224.0.0.22
+65.55.21.19
+178.162.174.162
+209.139.208.130
+69.64.38.6
+46.4.30.143
+66.197.204.134
+216.92.12.78
+72.14.204.147
+72.14.204.105
+66.70.127.101
16 files/attacker_ips_whois.txt
@@ -0,0 +1,16 @@
+255.255.255.255 - - -
+10.0.2.15 - - -
+239.255.255.250 - - -
+10.0.2.255 - - -
+192.168.249.2 - - -
+224.0.0.22 - - -
+65.55.21.19 - MICROSOFT-CORP---MSN-AS-BLOCK - Microsoft Corp - 8075 - 65.55.0.0/19
+178.162.174.162 - LEASEWEB-DE Leaseweb Germany GmbH (previously netdirekt e. K.) - 28753 - 178.162.128.0/17
+209.139.208.130 - GT-BELL - Bell Canada - 6539 - 209.139.192.0/19
+69.64.38.6 - SERVER4YOU - Hosting Solutions International, Inc. - 30083 - 69.64.32.0/19
+46.4.30.143 - HETZNER-AS Hetzner Online AG RZ - 24940 - 46.4.0.0/16
+66.197.204.134 - NOC - Network Operations Center Inc. - 21788 - 66.197.128.0/17
+216.92.12.78 - PAIR-NETWORKS - pair Networks - 7859 - 216.92.0.0/16
+72.14.204.147 - GOOGLE - Google Inc. - 15169 - 72.14.204.0/23
+72.14.204.105 - GOOGLE - Google Inc. - 15169 - 72.14.204.0/23
+66.70.127.101 - DATAPIPE-SEA - DataPipe, Inc. - 22205 - 66.70.120.0/21
19 files/dns_queries.txt
@@ -0,0 +1,19 @@
+A - TRANSERSDATAFORME.COM - 66.197.204.133
+A - TRANSERSDATAFORME.COM - 66.197.204.134
+A - TRANSERSDATAFORME.COM - 66.197.204.135
+A - TRANSERSDATAFORME.COM - 66.197.204.136
+A - classicbattletech.com - 209.139.208.130
+A - givishoolstome.com - 178.162.174.162
+A - istockanalyst.com - 66.70.127.101
+A - jointhenewworldorder.com - 216.92.12.78
+A - limfoklubs.com - 69.64.38.6
+A - regfeedbackaccess.com - 178.162.174.162
+A - time.microsoft.akadns.net - 65.55.21.19
+A - www.l.google.com - 72.14.204.103
+A - www.l.google.com - 72.14.204.104
+A - www.l.google.com - 72.14.204.105
+A - www.l.google.com - 72.14.204.147
+A - www.l.google.com - 72.14.204.99
+A - xprstats.com - 46.4.30.143
+CNAME - time.windows.com - time.microsoft.akadns.net
+CNAME - www.google.com - www.l.google.com
98 files/full_http_requests.txt
@@ -0,0 +1,98 @@
+destination_ip - 178.162.174.162
+uri - /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCpBfEtTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt%2BA%2FgSoSEU%3D&pr=41
+source_ip - 10.0.2.15
+host - regfeedbackaccess.com
+accept - */*
+user-agent - chrome/9.0
+connection - close
+version - 1.0
+method - GET
+
+destination_ip - 178.162.174.162
+uri - /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCpBfEtTca3l74EgC9OjrPGpgfib1XFp5zpRPksUt%2BA%2FgSoSEU%3D&pr=467
+source_ip - 10.0.2.15
+host - givishoolstome.com
+accept - */*
+user-agent - chrome/9.0
+connection - close
+version - 1.0
+method - GET
+
+destination_ip - 178.162.174.162
+uri - /logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcaxAvU6EsazybMRtyFZ0umG8Ar0SsSA%2FgSoSEU%3D&pr=41
+source_ip - 10.0.2.15
+connection - close
+user-agent - chrome/9.0
+host - regfeedbackaccess.com
+version - 1.1
+method - GET
+
+destination_ip - 209.139.208.130
+uri - /lhous4.gif?pr=gJ4WK%2FSUh7TFmkR8oY%2BQtMWTUj26kJH7yZJTP7qVybhqtUn5CGFATA%3D%3D
+source_ip - 10.0.2.15
+host - classicbattletech.com
+accept - */*
+user-agent - chrome/9.0
+connection - close
+version - 1.0
+method - GET
+
+destination_ip - 216.92.12.78
+uri - /images/pages.jpg?sv=217&tq=gHZutDyMv5rJfSG1J8K%2B1MWCJbP4lltXIA%3D%3D
+source_ip - 10.0.2.15
+host - jointhenewworldorder.com
+accept - */*
+user-agent - chrome/9.0
+connection - close
+version - 1.0
+method - GET
+
+destination_ip - 46.4.30.143
+uri - /images/logo.png?tq=gFarqHoLmEqQTvWAbkiQEtFZ8KwrE8EGxy%2F2%2FGxKlxS1X%2FP9bEyXG8Nd9f0ZO4ARwh2jtnlJ4RDRWfCrL1%2BWZ4wb4%2FZqG9MGxy%2BoqzIfgBHCHKLhbz6VBsZdoLN5SeFMkg3j9moKylGATvWAakiXF8SiwG6%2BV%2BLvsw%3D%3D
+source_ip - 10.0.2.15
+connection - close
+user-agent - chrome/9.0
+host - xprstats.com
+version - 1.1
+method - GET
+
+destination_ip - 66.70.127.101
+uri - /png/intel.gif?sv=675&tq=gwY92w4A7jiwWknN94TRV9bvbNFjouNKzJI3XeHDW1%2BkfYlCM%2FfGvMazO425sOpHKXiiuVs0jzWmB9RwvNZwlFX63EHwPSWS5eOXmr08pGxcG7xBsIJ6ASctcX%2FvYkbSIIT%2BFInDxUZu16ObNa2JHav0HanfPrBw977AVUN
+source_ip - 10.0.2.15
+host - istockanalyst.com
+accept - */*
+user-agent - chrome/9.0
+connection - close
+version - 1.0
+method - GET
+
+destination_ip - 69.64.38.6
+uri - /img/135.png?tq=gK4QKH1O%2FQHS4l9mehOkFMfXUjY9SvIGtadXNz1M8gnDpVE3SDvlA8LqF2coSYQD0aFUZ2lf83XGoVc%2FKEj2QoD2Eis%2BPvEUxqUVaihJhAHRoVR8exTlArCmVCs%2FTKFH0aAmYGIUpReOoVAzPVyzDMW1Cnx%2BR%2FBag0pzQ4fB4w%3D%3D&pr=41
+source_ip - 10.0.2.15
+host - limfoklubs.com
+accept - */*
+user-agent - chrome/9.0
+connection - close
+version - 1.0
+method - GET
+
+destination_ip - 72.14.204.105
+source_ip - 10.0.2.15
+host - www.google.com
+uri - /
+connection - close
+version - 1.1
+pragma - no-cache
+user-agent -
+method - GET
+
+destination_ip - 72.14.204.147
+source_ip - 10.0.2.15
+host - www.google.com
+accept - */*
+uri - /
+connection - close
+version - 1.0
+user-agent -
+method - GET
+
10 files/http_requests.txt
@@ -0,0 +1,10 @@
+10.0.2.15 - 178.162.174.162 - GET - chrome/9.0 - /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCpBfEtTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt%2BA%2FgSoSEU%3D&pr=41
+10.0.2.15 - 178.162.174.162 - GET - chrome/9.0 - /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCpBfEtTca3l74EgC9OjrPGpgfib1XFp5zpRPksUt%2BA%2FgSoSEU%3D&pr=467
+10.0.2.15 - 178.162.174.162 - GET - chrome/9.0 - /logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcaxAvU6EsazybMRtyFZ0umG8Ar0SsSA%2FgSoSEU%3D&pr=41
+10.0.2.15 - 209.139.208.130 - GET - chrome/9.0 - /lhous4.gif?pr=gJ4WK%2FSUh7TFmkR8oY%2BQtMWTUj26kJH7yZJTP7qVybhqtUn5CGFATA%3D%3D
+10.0.2.15 - 216.92.12.78 - GET - chrome/9.0 - /images/pages.jpg?sv=217&tq=gHZutDyMv5rJfSG1J8K%2B1MWCJbP4lltXIA%3D%3D
+10.0.2.15 - 46.4.30.143 - GET - chrome/9.0 - /images/logo.png?tq=gFarqHoLmEqQTvWAbkiQEtFZ8KwrE8EGxy%2F2%2FGxKlxS1X%2FP9bEyXG8Nd9f0ZO4ARwh2jtnlJ4RDRWfCrL1%2BWZ4wb4%2FZqG9MGxy%2BoqzIfgBHCHKLhbz6VBsZdoLN5SeFMkg3j9moKylGATvWAakiXF8SiwG6%2BV%2BLvsw%3D%3D
+10.0.2.15 - 66.70.127.101 - GET - chrome/9.0 - /png/intel.gif?sv=675&tq=gwY92w4A7jiwWknN94TRV9bvbNFjouNKzJI3XeHDW1%2BkfYlCM%2FfGvMazO425sOpHKXiiuVs0jzWmB9RwvNZwlFX63EHwPSWS5eOXmr08pGxcG7xBsIJ6ASctcX%2FvYkbSIIT%2BFInDxUZu16ObNa2JHav0HanfPrBw977AVUN
+10.0.2.15 - 69.64.38.6 - GET - chrome/9.0 - /img/135.png?tq=gK4QKH1O%2FQHS4l9mehOkFMfXUjY9SvIGtadXNz1M8gnDpVE3SDvlA8LqF2coSYQD0aFUZ2lf83XGoVc%2FKEj2QoD2Eis%2BPvEUxqUVaihJhAHRoVR8exTlArCmVCs%2FTKFH0aAmYGIUpReOoVAzPVyzDMW1Cnx%2BR%2FBag0pzQ4fB4w%3D%3D&pr=41
+10.0.2.15 - 72.14.204.105 - GET - - /
+10.0.2.15 - 72.14.204.147 - GET - - /
0 libs/__init__.py
No changes.
BIN libs/__init__.pyc
Binary file not shown.
185 libs/c2utils.py
@@ -0,0 +1,185 @@
+import socket
+import itertools
+import operator
+
+try:
+ import dpkt
+except:
+ print "Download dpkt"
+
+try:
+ import cymruwhois
+except:
+ print "Download cymruwhois"
+
+class pcap_miner():
+ def __init__(self,pcap_file):
+ #declaration
+ self._pcap_file = pcap_file
+ self._http_request_data = []
+ self._source_ips = []
+ self._destination_ips = []
+ self._source_ip_details = []
+ self._destination_ip_details = []
+ self._dns_request_data = []
+ self._flows = []
+ self._packet_count = 0
+ self._http_count = 0
+ self._dns_count = 0
+
+ #processing
+ self._handle = self._get_dpkt_handle()
+ self._extract_data()
+
+ def _get_dpkt_handle(self):
+ f = open(self._pcap_file)
+ pcap = dpkt.pcap.Reader(f)
+ return pcap
+
+ def unpack_ip(self,packed_ip):
+ ip = socket.inet_ntoa(packed_ip)
+ return ip
+
+ def quick_unique(self,seq):
+ seen = set()
+ return [ x for x in seq if x not in seen and not seen.add(x)]
+
+ def _extract_data(self):
+ pcap = self._handle
+ eth = None
+ ip = None
+ protocol = None
+
+ for ts, buf in pcap:
+ try:
+ eth = dpkt.ethernet.Ethernet(buf)
+ ip = eth.data
+ protocol = ip.data
+ except dpkt.dpkt.NeedData:
+ continue
+
+ self._packet_count += 1
+
+ try:
+ source_ip = self.unpack_ip(ip.src)
+ destination_ip = self.unpack_ip(ip.dst)
+ self._source_ips.append(source_ip)
+ self._destination_ips.append(destination_ip)
+ except Exception, e:
+ continue
+
+ try:
+ if protocol.dport == 80 or protocol.dport == 443:
+ self._http_count += 1
+ try:
+ http = dpkt.http.Request(protocol.data)
+ tmp = http.headers
+ tmp["source_ip"] = source_ip
+ tmp['destination_ip'] = destination_ip
+ tmp['method'] = http.method
+ tmp['version'] = http.version
+ tmp['uri'] = http.uri
+ self._http_request_data.append(tmp)
+ except Exception, e:
+ continue
+ except Exception, e:
+ continue
+
+ try:
+ if protocol.dport == 53 or protocol.sport == 53:
+ self._dns_count += 1
+ try:
+ dns = dns = dpkt.dns.DNS(protocol.data)
+ if dns.qr != dpkt.dns.DNS_R: continue
+ if dns.opcode != dpkt.dns.DNS_QUERY: continue
+ if dns.rcode != dpkt.dns.DNS_RCODE_NOERR: continue
+ if len(dns.an) < 1: continue
+ for answer in dns.an:
+ if answer.type == 5:
+ tmp = { "type": "CNAME", "request":answer.name, "response":answer.cname }
+ self._dns_request_data.append(tmp)
+ elif answer.type == 1:
+ tmp = { "type": "A", "request":answer.name, "response":socket.inet_ntoa(answer.rdata) }
+ self._dns_request_data.append(tmp)
+ elif answer.type == 12:
+ tmp = { "type": "PTR", "request":answer.name, "response":answer.ptrname }
+ self._dns_request_data.append(tmp)
+
+ except Exception, e:
+ continue
+ except Exception, e:
+ continue
+ try:
+ self._flows.append(source_ip + "/" + destination_ip + "/" + str(protocol.dport))
+ except Exception, e:
+ continue
+
+ def get_source_ips(self):
+ return self.quick_unique(self._source_ips)
+
+ def get_source_ip_details(self):
+ ulist = self.quick_unique(self._source_ips)
+ c = cymruwhois.Client()
+ for item in c.lookupmany(ulist):
+ try:
+ if item.prefix == None:
+ tmp = { "ip_address": item.ip, "block": "", "asn": "", "owner": "" }
+ else:
+ tmp = { "ip_address": item.ip, "block": item.prefix, "asn": item.asn, "owner": item.owner }
+ self._source_ip_details.append(tmp)
+ except Exception, e:
+ continue
+
+ return self._source_ip_details
+
+ def get_destination_ips(self):
+ return self.quick_unique(self._destination_ips)
+
+ def get_destination_ip_details(self):
+ ulist = self.quick_unique(self._destination_ips)
+ c = cymruwhois.Client()
+ for item in c.lookupmany(ulist):
+ try:
+ if item.prefix == None:
+ tmp = { "ip_address": item.ip, "block": "", "asn": "", "owner": "" }
+ else:
+ tmp = { "ip_address": item.ip, "block": item.prefix, "asn": item.asn, "owner": item.owner }
+ self._destination_ip_details.append(tmp)
+ except Exception, e:
+ continue
+
+ return self._destination_ip_details
+
+ def get_http_request_data(self):
+ getvals = operator.itemgetter('source_ip','destination_ip', 'uri')
+ self._http_request_data.sort(key=getvals)
+
+ result = []
+ for k, g in itertools.groupby(self._http_request_data, getvals):
+ result.append(g.next())
+
+ self._http_request_data[:] = result
+ return self._http_request_data
+
+ def get_dns_request_data(self):
+ getvals = operator.itemgetter('type','request', 'response')
+ self._dns_request_data.sort(key=getvals)
+
+ result = []
+ for k, g in itertools.groupby(self._dns_request_data, getvals):
+ result.append(g.next())
+
+ self._dns_request_data[:] = result
+ return self._dns_request_data
+
+ def get_flows(self):
+ return self.quick_unique(self._flows)
+
+ def get_packet_count(self):
+ return self._packet_count
+
+ def get_http_count(self):
+ return self._http_count
+
+ def get_dns_count(self):
+ return self._dns_count
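Review bot: In `_extract_data`, `self._http_count` is incremented for every packet whose `dport` is 80 or 443, but a TLS payload on 443 can never parse as `dpkt.http.Request`, so `get_http_count` over-reports relative to the requests actually recorded; either drop 443 from the condition or count only after the parse succeeds. `_get_dpkt_handle` opens the capture in text mode and the handle is never closed — `f = open(self._pcap_file, 'rb')` is the portable form, and since `__init__` consumes the whole reader the file could be closed at the end of `_extract_data`. `get_source_ip_details` and `get_destination_ip_details` are the same loop over different lists and would collapse into one private helper (with `item.prefix is None` rather than `== None`); they also send every unique address to the whois service, including broadcast, multicast and RFC 1918 hosts as the committed `attacker_ips.txt` (255.255.255.255, 10.0.2.15, 224.0.0.22) shows, so skipping non-routable addresses before `lookupmany` would keep the analyst's own lab hosts out of an "attackers" list. The `except Exception, e: continue` blocks discard every parse failure silently, and everything is decoded as `dpkt.ethernet.Ethernet`, so a capture with another link type yields an empty summary with no diagnostic — checking `pcap.datalink()` once before the loop would turn that into an explicit error (the stray double assignment `dns = dns = dpkt.dns.DNS(...)` in the same loop should also be reduced to one).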
BIN libs/c2utils.pyc
Binary file not shown.
43 output_summary.py
@@ -0,0 +1,43 @@
+#!/usr/bin/python
+
+__description__ = 'Summarize a PCAP file to standard out'
+__author__ = 'Brandon Dixon'
+__version__ = '1.0'
+__date__ = '2011/12/1'
+
+from libs.c2utils import pcap_miner
+import time, re, optparse, getpass, time
+
+def main():
+ oParser = optparse.OptionParser(usage='usage: %prog [options]\n' + __description__, version='%prog ' + __version__)
+ oParser.add_option('-f', '--file', type='string', help='input PCAP file for processing')
+ oParser.add_option('-v', '--verbose', action="store_true", default=False, help='verbose logging on performed actions')
+ (options, args) = oParser.parse_args()
+
+ if options.file:
+ miner = pcap_miner(options.file)
+ #file 1 - DNS queries and domains returned
+ print "== DNS Queries and Domains ==\n"
+ for dns in miner.get_dns_request_data():
+ print(dns['type'] + " - " + dns['request'] + " - " + dns['response'])
+
+ print "\n== Destination Addresses ==\n"
+ #file 3 - IPs of attackers with whois
+ for ip in miner.get_destination_ip_details():
+ print(ip['ip_address'] + " - " + ip['owner'] + " - " + ip['asn'] + " - " + ip['block'])
+
+ print "\n== Request Dump ==\n"
+ #file 5 - whatever can be dumped from the request
+ for info in miner.get_http_request_data():
+ for key, value in info.items():
+ print(key + " - " + value)
+ print("\n")
+
+ else:
+ oParser.print_help()
+ return
+
+if __name__ == '__main__':
+ main()
+
+
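Review bot: The Request Dump loop in `main` prints header values and URIs verbatim from the capture; for a tool aimed at malicious traffic these strings are attacker-controlled and may carry control bytes or escape sequences that reach the analyst's terminal, so they should be normalised before printing, e.g. `print(key + " - " + "".join(c if 32 <= ord(c) < 127 else "?" for c in value))` (the DNS and whois lines deserve the same treatment). The import line `import time, re, optparse, getpass, time` imports `time` twice, and `time`, `re` and `getpass` are unused in this file. `-v/--verbose` is declared but `options.verbose` is never read, so the option is misleading; either remove it or gate progress output on it. `pcap_summary.py` in this commit carries the same unused imports and unused option.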
82 pcap_summary.py
@@ -0,0 +1,82 @@
+#!/usr/bin/python
+
+__description__ = 'Summarize a PCAP file'
+__author__ = 'Brandon Dixon'
+__version__ = '1.0'
+__date__ = '2011/12/1'
+
+from libs.c2utils import pcap_miner
+import time, re, optparse, getpass, time, hashlib, os
+
+def generate(infile, outfile):
+ miner = pcap_miner(infile)
+ #file 1 - DNS queries and domains returned
+ f = open(outfile + "dns_queries.txt","w")
+ for dns in miner.get_dns_request_data():
+ f.write(dns['type'] + " - " + dns['request'] + " - " + dns['response'] + "\n")
+ f.close()
+
+ #file 2 - IPS of attackers without whois
+ f = open(outfile + "attacker_ips.txt","w")
+ for ip in miner.get_destination_ips():
+ f.write(ip + "\n")
+ f.close()
+
+ #file 3 - IPs of attackers with whois
+ f = open(outfile + "attacker_ips_whois.txt","w")
+ for ip in miner.get_destination_ip_details():
+ f.write(ip['ip_address'] + " - " + ip['owner'] + " - " + ip['asn'] + " - " + ip['block'] + "\n")
+ f.close()
+
+ #file 4 - what you called HTTPrequests but it can be other port just the requests back forh part
+ f = open(outfile + "http_requests.txt","w")
+ for info in miner.get_http_request_data():
+ if 'user-agent' not in info:
+ info['user-agent'] = " "
+
+ f.write(info['source_ip'] + " - " + info['destination_ip'] + " - " + info['method'] + " - " + info['user-agent'] + " - " + info['uri'] + "\n")
+ f.close()
+
+ #file 5 - whatever can be dumped from the request
+ f = open(outfile + "full_http_requests.txt","w")
+ for info in miner.get_http_request_data():
+ for key, value in info.items():
+ f.write(key + " - " + value + "\n")
+ f.write("\n")
+ f.close()
+
+ #file 6 - dump flows
+ f = open(outfile + "flows.txt","w")
+ for info in miner.get_flows():
+ f.write(info + "\n")
+ f.close()
+
+def main():
+ oParser = optparse.OptionParser(usage='usage: %prog [options]\n' + __description__, version='%prog ' + __version__)
+ oParser.add_option('-f', '--file', type='string', help='input PCAP file for processing')
+ oParser.add_option('-d', '--dir', type='string', help='input PCAP dir for processing')
+ oParser.add_option('-o', '--out', type='string', help='output directory - absolute path only')
+ oParser.add_option('-v', '--verbose', action="store_true", default=False, help='verbose logging on performed actions')
+ (options, args) = oParser.parse_args()
+
+ if options.file and options.out:
+ generate(options.file,options.out)
+ elif options.dir and options.out:
+ files = []
+ dirlist = os.listdir(options.dir)
+ for fname in dirlist:
+ files.append(fname)
+ files.sort()
+ count = 0
+
+ for file in files:
+ outdir = options.out + hashlib.md5(file).hexdigest() + "/"
+ if not os.path.exists(outdir):
+ os.makedirs(outdir)
+ generate(options.dir + file,outdir)
+ else:
+ oParser.print_help()
+ return
+
+if __name__ == '__main__':
+ main()
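Review bot: In `main`, the directory branch passes every entry of `os.listdir(options.dir)` to `generate`, and `pcap_miner` will raise on a subdirectory or a non-pcap file, which aborts the whole batch after some output directories have already been created; guard with `if not os.path.isfile(os.path.join(options.dir, fname)): continue` before calling `generate`. Paths are built by concatenation (`options.out + hashlib.md5(file).hexdigest() + "/"`, `options.dir + file`, `outfile + "dns_queries.txt"`), so a `-d` or `-o` value without a trailing slash silently writes beside the intended directory with a mangled name — `os.path.join` removes that dependence (and note `hashlib.md5(file)` hashes the file name, not the capture contents, if a per-sample identifier was the intent). `info['user-agent'] = " "` in the file-4 loop mutates the dicts that `get_http_request_data` returns, which is presumably why the file-5 dump and the committed `full_http_requests.txt` contain a synthetic `user-agent - ` line for requests that sent no such header; use `info.get('user-agent', ' ')` in the write instead. The six `open`/`f.close()` pairs in `generate` would be safer as `with open(...) as f:` blocks, `file` shadows the builtin, and `count = 0` is unused.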
BIN pcaps/dump.pcap
Binary file not shown.
BIN pcaps/sample.pcap
Binary file not shown.
