/
pcap.py
137 lines (113 loc) · 5.2 KB
/
pcap.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
#
# CapTipper is a malicious HTTP traffic explorer tool
# By Omri Herscovici <omriher AT gmail.com>
# http://omriher.com
# @omriher
#
# This file is part of CapTipper
#
# CapTipper is a free software under the GPLv3 License
#
# This file belongs to the CuckooSploit project
import sys
import time
import os
import logging
import subprocess
import shlex
import re
sys.path.append(os.path.join(os.path.dirname(__file__), "..", "..", "lib", "captipper"))
import parse_pcap
import colorama
import CTCore
from CTConsole import console
from CTServer import server
from CTReport import Report
from subprocess import Popen, PIPE, STDOUT
from lib.common.results import NetlogFile
from lib.common.abstracts import Package
log = logging.getLogger(__name__)
class Pcap(Package):
"""Pcap analysis package."""
PATHS = [
("ProgramFiles", "Internet Explorer", "iexplore.exe"),
]
HOSTS_PATHS = [
("SystemRoot", "System32", "drivers", "etc", "hosts"),
]
TSHARK_PATHS = [
("ProgramFiles", "Wireshark", "tshark.exe"),
]
hosts_path = "C:\\Windows\\System32\\drivers\\etc\\hosts"
def start(self, path):
self.tshark_proc = None
self.tshark_filename = "tshark.pcap"
log.debug("In pcap analysis package")
log.debug("path is "+ path)
# set default options
args = {}
#args["server_off"] = self.options["server_off"] if self.options["server_off"] else False
args["port"] = 80 #self.options["port"] if self.options["port"] else 80
args["short_url"] = True #self.options["short_url"] if self.options["short_url"] else True
args["ungzip"] = True #self.options["ungzip"] if self.options["ungzip"] else True
#args.report = self.options["report"] if self.options["report"] else
CTCore.pcap_file = path
log.info("[A] Analyzing PCAP: " + CTCore.pcap_file)
#start_ws = args["server_off"] # Boolean to start web server
CTCore.PORT = args["port"] # Web server port
CTCore.b_use_short_uri = args["short_url"] # Display short URI paths
CTCore.b_auto_ungzip = args["ungzip"]
#if(args.report is not None):
# CTCore.b_auto_ungzip = True
parse_pcap.run(CTCore.pcap_file)
if not CTCore.conversations:
log.info("No HTTP conversations were found in PCAP file")
return
log.info(CTCore.newLine + "[+] Traffic Activity Time: "),
try:
log.info(CTCore.activity_date_time)
except:
log.error("Couldn't retrieve time")
#Update hosts file with all hosts found in pcap
#add each ip directly accessed in pcap to loopback network card
ip_pattern = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
host_domains = CTCore.hosts.keys()
if host_domains:
#self.PATHS = Pcap.HOSTS_PATHS
with open(self.hosts_path, "a+") as hosts_file:
for host, ip in host_domains:
ip = ip.split(":")[0] #remove the port from the ip address
netsh_cmd = "netsh interface ip add address \"Local Area Connection 2\" {0} 255.255.255.255".format(ip)
proc = Popen(shlex.split(netsh_cmd), stdout=PIPE, stderr=STDOUT)
output, err = proc.communicate()
if err:
log.error(err)
host = host.split(":")[0] #remove port from host if it exists
host_is_ip = re.match(ip_pattern, host, re.M)
if not host_is_ip:
hosts_file.write("\n\n127.0.0.1 {0}".format(host))
try:
CTCore.web_server = server()
CTCore.web_server.start()
time.sleep(0.1) # Fixes graphic issues
CTCore.web_server_turned_on = True
id = 0
request = CTCore.conversations[id].uri
host = CTCore.conversations[id].host
open_url = 'http://127.0.0.1:' + str(CTCore.PORT) + "/" + host + request
#open_url = 'http://' + CTCore.HOST + ":" + str(CTCore.PORT) + request
#Pcap.PATHS = Pcap.IE_PATHS
iexplore = self.get_path("Internet Explorer")
log.info("iexplore: "+iexplore)
log.info("url: "+open_url)
return self.execute(iexplore, args=["%s" % open_url])
except Exception,e:
log.error("Error starting Web Server: %s", str(CTCore.msg_type.ERROR))
if str(e).find("Errno 1004") > 0 or str(e).find("Errno 98") > 0:
log.error(" Port " + str(CTCore.PORT) + " is already taken.")
log.error(" Change the port using 'CapTipper.py <pcap_file> -p <port=80>' or use '-s' to disable web server")
log.error(" Proceeding without starting the web server..." + CTCore.newLine)
else:
log.error(str(e))
def finish(self):
return super(Pcap, self).finish()