-
Notifications
You must be signed in to change notification settings - Fork 0
/
PcapOrNotPcap_v1.py
335 lines (260 loc) · 8.37 KB
/
PcapOrNotPcap_v1.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
#!/usrbin/python3
# -*- coding:utf-8 -*-
from sys import argv
from scapy.all import *
from binascii import hexlify, unhexlify
from re import findall
from os import getcwd, listdir, mkdir
from zipfile import ZipFile, ZIP_DEFLATED
from shutil import rmtree
def Helper():
print("""
Usage: PcapOrNotPcap [-h] [-a] [-ip] [-p] [-m] [-u] [-ic] [-d] [-e] <file.pcap>
Description:
This is a script to parse a pcap file.
Options:
-h Show this message
-a General parsing
-ip Parse IP (IP src / IP dst), IP Layer
-p Parse ports (ports src / ports dst), TCP Layer
-m Parse MAC address (MAC src / MAC dst), Ether Layer
-u Parse ports (port src / ports dst), UDP Layer
-ic Parse icmp paquet, ICMP Layer
-d Parse data from paquets (all layer)
-e If executable find in data then try to export this
in 'output' directory. (not implemented for now)
""")
def ExportResult(lIcmp, lUdp, lMac, lPort, lIP, d, exe):
"""
Function to export all information recorded by the parsing
:param lIcmp: Data from ICMP
:param lUdp: Data from UDP
:param lMac: Data from Ether
:param lPort: Data from TCP
:param lIP: Data from IP
:param d: Data from ... Data (Raw layer)
:param exe: Data from extracted PE
"""
try:
# open in append mode to add without delete the other lines
with open('ImParsed.txt', 'a') as fl:
fl.writelines('------------------------------------------------------\n')
if lIP != None:
fl.writelines(lIP)
if lUdp != None:
fl.writelines(lUdp)
if lMac != None:
fl.writelines(lMac)
if lPort != None:
fl.writelines(lPort)
if lIcmp != None:
fl.writelines(lIcmp)
if d != None:
if d.find('MZ') != -1:
fl.writelines('/!\\ PE find /!\\ \n')
fl.writelines(d)
if exe != None:
fl.writelines(exe)
fl.writelines('------------------------------------------------------\n')
except Exception as e:
print('\t\t\t[!] %s' %(e))
def ParseUDP(pkt):
"""
Function to parse and record the UDP src and dst port
:param pkt: The packet to parse
:return: Tuple of src and dst port
"""
try:
try:
return ('UDP Port SRC: %s\n' %(pkt[UDP].sport), 'UDP Port DST: %s\n' %(plt[UDP].dport))
except:
pass
except Exception as e:
print('\t\t\t[!] %s' %(e))
def ParseICMP(pkt):
"""
Function to parse the layer ICMP and record the lenght and addr_mask
Can be used to find a date encapsulate in icmp
:param pkt: The packet to parse
:return: Tupe of ICMP lenght and ICMP address mask
"""
try:
try:
return ('ICMP Lenght: %s\n' %(pkt[ICMP].lenght), 'ICMP ADDR_Mask: %s\n' %(pkt[ICMP].addr_mask))
except:
pass
except Exception as e:
print('\t\t\t[!] %s' %(e))
def ParseIP(pkt):
"""
Function to parse layer IP and record the src and dst IP
:param pkt: The packet to parse
:return: Tuple of src and dst IP
"""
try:
try:
return ('IP SRC: %s\n' %(pkt[IP].src), 'IP DST: %s\n' %(pkt[IP].dst))
except:
pass
except Exception as e:
print('\t\t\t[!] %s' %(e))
def ParsePorts(pkt):
"""
Function to parse the layer TCP and record the src port and dst port
:param pkt: The packet to parse
:return: Tuple of src port and dst port
"""
try:
try:
return ('TCP Port SRC: %s\n' %(pkt[TCP].sport), 'TCP Port DST: %s\n' %(pkt[TCP].dport))
except:
pass
except Exception as e:
print('\t\t\t[!] %s' %(e))
def ParseMac(pkt):
"""
Function to parse the Ether layer and record the mac src and dst
:param pkt: The packet to parse
:return: Tuple of src mac and dst mac
"""
try:
try:
return ('MAC SRC: %s\n' %(pkt[Ether].src), 'MAC DST: %s\n' %(pkt[ETHER].dst))
except:
pass
except Exception as e:
print('\t\t\t[!] %s' %(e))
def ParseData(pkt):
"""
Function to parse the data and decode this
:param pkt: packet to parse
:return: The decoded data
"""
try:
try:
return 'Data :\n%s\n' % (str(unhexlify(b"".join(findall(b'..', hexlify(bytes(pkt.getlayer(Raw))))).decode('utf-8')))[2:-1])
except:
pass
except Exception as e:
print('\t\t\t[!] %s' %(e))
def ParseExe(pkt):
"""
Function to parse the data if present and if 'MZ' is find
Extract then the PE to an output dir.
:param pkt: packet to parse
:return: String to add in export file, no return if no PE
"""
try:
try:
# record the data decoded in string
df = str(unhexlify(b"".join(findall(b'..', hexlify(bytes(pkt.getlayer(Raw))))).decode('utf-8')))
# create the path for the output dir
outdir = '%s\\output\\' %(getcwd())
# if MZ present in data then extract the PE
if df.find('MZ') != -1:
# check if the output dir is present or not else create the folder
if 'output' not in listdir(getcwd()):
mkdir(outdir)
# list the file present in output dir
flo = listdir(outdir)
# open in write bytes mode the extracted PE
with open('%s\\%s.exe' %(outdir, len(flo)+1), 'wb') as ExeF:
# write the hexadecimal data in file
ExeF.write(b"".join(findall(b'..', hexlify(bytes(pkt.getlayer(Raw))))).decode('utf-8'))
# return a string to prevent the user in exported file
return 'Executable Exported in %s\\%s.exe' %(outdir, len(flo)+1)
except:
pass
except Exception as e:
print('\t\t\t[!] %s' %(e))
def ZippedExe():
"""
Zip with password the extracted PE
and delete the folder output and PE.
"""
# create zip object in write mode
zf = ZipFile('output.zip', mode='w', compression=ZIP_DEFLATED)
# iter in all PE to add it in zip file
for f in listdir('%s\\output' %(getcwd())):
zf.write('%s\\output\\%s' %(getcwd(), f))
# set the password for the zip
zf.setpassword(b"infected")
# remove the output folder
rmtree('%s\\output' %(getcwd()))
if __name__ == '__main__':
print("""
Welcome to ...
_____ _____ _____ _ _____
| _ |___ ___ ___| |___| | |___| |_| _ |___ ___ ___
| __| _| .'| . | | | _| | | | . | _| __| _| .'| . |
|__| |___|__,| _|_____|_| |_|___|___|_| |__| |___|__,| _|
|_| |_|
Developed by Icenuke.
""")
# enter in this piece of code if the lenght of argv is sup or equal to 2
if len(argv) >= 2:
# this is it in prevention of error reader pcap file
try:
# init the vars pcaps reader
pcaps = rdpcap(argv[-1])
# init var IP for tuple IP src/dst
tpIP = ""
# init var Port for tuple port src/dst
tpPort = ""
# init var mac for tuple mac src/dst
tpMac = ""
# init var udp for tuple UDP port src/dst
tpUdp = ""
#init var icmp for tuple icmp lenght/addr_mask
tpIcmp = ""
#init var data raw with ip src/dst
datas = ""
# init pe var
pe = ""
# if -h present in argv then go to helper
if '-h' in argv:
Helper()
# iter in all packet present in pcap
for p in pcaps:
# go to parse layer ip to record ip src dst
if '-ip' in argv:
tpIP = ParseIP(p)
# go to parse layer TCP to record the port src dst
if '-p' in argv:
tpPort = ParsePorts(p)
# go to parse layer Ether to record the mac src dst
if '-m' in argv:
tpMac = ParseMac(p)
# go to record the data
if '-d' in argv:
datas = ParseData(p)
# go to parse layer udp to record the port src dst
if '-u' in argv:
tpUdp = ParseUDP(p)
# go to parse layer ICMP to record the lenght and the mask address
if '-ic' in argv:
tpIcmp = ParseICMP(p)
# go to parse the data to extract the PE if present
if '-e' in argv:
pe = ParseExe(p)
# all parsing
if '-a' in argv:
tpIP = ParseIP(p)
tpPort = ParsePorts(p)
tpMac = ParseMac(p)
datas = ParseData(p)
tpUdp = ParseUDP(p)
tpIcmp = ParseICMP(p)
pe = ParseExe(p)
# Export the result in txt file
ExportResult(tpIcmp, tpUdp, tpMac, tpPort, tpIP, datas, pe)
# check if output di is present to zip that
if 'output' in listdir(getcwd()):
ZippedExe()
print('\t\t[+] Parsing finished!!')
print('\t\t[+] Find the export result at:')
print('\t\t\t|> %s\\ImParsed.txt' %(getcwd()))
except Exception as e:
print('\t[!] %s' %(e))
else:
Helper()