Merge branch 'v3'

omriher · Jul 30, 2015 · e3f8e0e · e3f8e0e
2 parents 4a59f01 + ac5689f
commit e3f8e0e
Show file tree

Hide file tree

Showing 7 changed files with 294 additions and 51 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,5 +1,29 @@
 
-CapTipper 0.2 b08 (26-03-2015 - Black Hat Arsenal)
+CapTipper 0.3 b12 (05-08-2015 - Black Hat USA Arsenal)
+============================
+
+ * New Features:
+
+    - Plugin support infrastructure
+    - New Plugin: check_host
+    - New Plugin: find_scripts
+    - Full Documentation
+    - Some refactoring
+    - New Logo
+    - Output log
+    - Added: saz2pcap script
+
+ * Fixes:
+
+    - Surround Dump all with try/except
+    - User-agent doesn't exists (HTML report bug)
+    - 'req' not showing request body
+    - Confirm conversations are sorted by request time
+    - Changed webserver storage and access method
+    - Seperated uri and obj_num in core's hosts dataset
+
+
+CapTipper 0.2 b08 (26-03-2015 - Black Hat Singapore Arsenal)
 ============================
 
  * New Features:

diff --git a/CTConsole.py b/CTConsole.py
@@ -248,7 +248,9 @@ def do_dump(self,line):
 
     def help_dump(self):
         print newLine + "Dumps the object file to a given folder"
-        print newLine + "Usage: dump <conv_id> <path>" + newLine
+        print newLine + "Usage: dump <conv_id> <path> [-e]" + newLine
+        print "Options:"
+        print "   -e       - ignores executables" + newLine
         print "Example: dump 4 c:" + chr(92) + "files" + chr(92) + "index.html"
         print "         Dumps object 4 to given path" + newLine
         print "Example: dump all c:" + chr(92) + "files"
@@ -273,7 +275,7 @@ def do_hexdump(self,line):
 
     def help_hexdump(self):
         print "Display hexdump of given object"
-        print newLine + "Usage: hexdump <conv_id> [size=256]" + newLine
+        print newLine + "Usage: hexdump <conv_id> [size=" + str(DEFAULT_BODY_SIZE) + "]"
         print "       use 'all' as size to retrieve entire body"
 
     def do_head(self,line):
@@ -352,7 +354,7 @@ def help_info(self):
 
     def do_client(self,line):
         try:
-            print newLine + "Info of Client: " + newLine
+            print newLine + "Client Info: " + newLine
             for key, value in CTCore.client.get_information().iteritems():
                 print " {0:17}:  {1}".format(key, value)
             print ""
@@ -574,8 +576,8 @@ def do_peinfo(self, line):
     def help_peinfo(self):
         print newLine + "Display PE info of the file"
         print newLine + "Usage: peinfo <obj_id> [-p]" + newLine
-        print newLine + "OPTIONS:"
-        print newLine + "-p     -   Check for packers"
+        print "OPTIONS:"
+        print "     -p     -   Check for packers"
 
     def do_find(self,line):
         try:
@@ -702,8 +704,8 @@ def do_jsbeautify(self,line):
 
     def help_jsbeautify(self):
         print newLine + "Display JavaScript code after beautify"
-        print newLine + "Usage: jsbeautify <obj_id> <offset> <len>" + newLine
-        print newLine + "Example: jsbeautify slice <obj_id> <offset> <len | eob>"
+        print newLine + "Usage: jsbeautify <obj / slice> <object_id> <offset> <length>"
+        print newLine + "Example: jsbeautify slice <object_id> <offset> <len | eob>"
         print newLine + "Example: jsbeautify obj <object_id>"
 
     def do_update(self, line):
@@ -773,7 +775,7 @@ def complete_plugin(self, text, line, begidx, endidx):
         return completions
 
     def help_plugin(self):
-        print "Launching an external plugin (Alias: p)" + newLine
+        print "Launching an external plugin (alias: p)" + newLine
         print "usage: plugin <plugin_name / plugin_id> [-l] <*args>"
         print "     -l      - List all available plugins" + newLine
         print "examples:"

diff --git a/CTCore.py b/CTCore.py
@@ -34,8 +34,8 @@
 plugins = []
 plugins_folder = "plugins/"
 pcap_file = ""
-VERSION = "0.2"
-BUILD = "10"
+VERSION = "0.3"
+BUILD = "11"
 ABOUT = "CapTipper v" + VERSION + " b" + BUILD + " - Malicious HTTP traffic explorer tool" + newLine + \
         "Copyright 2015 Omri Herscovici <omriher@gmail.com>" + newLine
 

diff --git a/CTServer.py b/CTServer.py
@@ -116,46 +116,70 @@ def log(self, uri):
         CTCore.request_logs.append("[" + str(now_s.isoformat()) + "] " + self.client_address[0] + " : " + uri)
 
     def handle(self):
-        self.data = self.request.recv(1024).strip()
-
-        request = HTTPRequest(self.data)
-
-        if (self.data != ""):
-            host_folder = self.get_domain_folder(request.path)
-
-            using_host_folder = False
-            for chost,ip_port in CTCore.hosts.keys():
-                if chost.lower() == host_folder.lower():
-                    req_host = chost
-                    using_host_folder = True
-                    break
+        try:
+            self.data = self.request.recv(1024).strip()
+            request = HTTPRequest(self.data)
 
-            if not using_host_folder:
-                req_host = request.headers['host']
-                get_uri = request.path
-            else:
-                get_uri = '/' + '/'.join(request.path.split('/')[2:])
-
-            self.log(req_host + get_uri)
-
-            req_sent = False
-            for conv in CTCore.conversations:
-                if conv.host == req_host:
-                    if (self.check_request(conv.uri, get_uri) == True):
-                        resp = conv.res_head
-                        if conv.orig_chunked_resp != "":
-                            resp = resp + "\r\n\r\n" + conv.orig_chunked_resp
-                        else:
-                            resp = resp + "\r\n\r\n"
-                            if conv.orig_resp:
-                                resp += conv.orig_resp
+            if self.data != "":
+                host_folder = self.get_domain_folder(request.path)
 
-                        self.request.send(resp)
-                        req_sent = True
+                using_host_folder = False
+                for chost,ip_port in CTCore.hosts.keys():
+                    if chost.lower() == host_folder.lower():
+                        req_host = chost
+                        using_host_folder = True
                         break
 
-            if not req_sent:
-                if get_uri == "/":
-                    self.request.send(self.build_index())
+                if not using_host_folder:
+                    req_host = request.headers['host']
+                    if req_host == "127.0.0.1":
+                        localhost = "http://127.0.0.1/"
+                        try:
+                            referrer = request.headers['referer']
+                            if referrer.find(localhost) == 0:
+                                end_of_host = referrer.find("/",len(localhost) + 1)
+                                req_host = referrer[len(localhost):end_of_host]
+                        except:
+                            pass
+
+                        if request.path.find(req_host) == 1 or req_host == "127.0.0.1":
+                            last_req = CTCore.request_logs[-1]
+                            last_url = last_req[last_req.find(' : ') + 3:]
+                            last_req_parsed = urlparse("http://" + last_url)
+                            req_host = last_req_parsed.netloc
+
+                    get_uri = request.path
                 else:
-                    self.request.send("HTTP/1.1 404 Not Found")
+                    get_uri = '/' + '/'.join(request.path.split('/')[2:])
+
+                try:
+                    req_sent = False
+                    for conv in CTCore.conversations:
+                        if conv.host == req_host:
+                            if (self.check_request(conv.uri, get_uri) == True):
+                                resp = conv.res_head
+                                if conv.orig_chunked_resp != "":
+                                    resp = resp + "\r\n\r\n" + conv.orig_chunked_resp
+                                else:
+                                    resp = resp + "\r\n\r\n"
+                                    if conv.orig_resp:
+                                        resp += conv.orig_resp
+
+                                self.request.send(resp)
+                                req_sent = True
+                                res = conv.res_num
+                                break
+
+                    if not req_sent:
+                        if get_uri == "/":
+                            self.request.send(self.build_index())
+                        else:
+                            self.request.send("HTTP/1.1 404 Not Found")
+                            res = "404 Not Found"
+                except Exception, e:
+                    res = str(e)
+                finally:
+                    self.log(req_host + get_uri + " - " + res)
+        except Exception, e:
+            pass
+
diff --git a/parse_pcap.py b/parse_pcap.py
@@ -171,8 +171,6 @@ def pcap_file(conn_dict, infile):
             if utils.is_request(tcp_pac.body):
                 conn_dict[key] = HttpConn(tcp_pac)
 
-    CTCore.sort_convs()
-
 
 def run(file_path):
     conn_dict = OrderedDict()
@@ -184,6 +182,8 @@ def run(file_path):
         try:
             pcap_file(conn_dict, infile)
         finally:
+            time.sleep(0.1)
+            CTCore.sort_convs()
             infile.close()
     finally:
         for conn in conn_dict.values():