-
Notifications
You must be signed in to change notification settings - Fork 160
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
137 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,137 @@ | ||
| # | ||
| # CapTipper is a malicious HTTP traffic explorer tool | ||
| # By Omri Herscovici <omriher AT gmail.com> | ||
| # http://omriher.com | ||
| # @omriher | ||
| # | ||
| # This file is part of CapTipper | ||
| # | ||
| # CapTipper is a free software under the GPLv3 License | ||
| # | ||
|
|
||
| # This file belongs to the CuckooSploit project | ||
|
|
||
| import sys | ||
| import time | ||
| import os | ||
| import logging | ||
| import subprocess | ||
| import shlex | ||
| import re | ||
| sys.path.append(os.path.join(os.path.dirname(__file__), "..", "..", "lib", "captipper")) | ||
|
|
||
| import parse_pcap | ||
| import colorama | ||
|
|
||
| import CTCore | ||
| from CTConsole import console | ||
| from CTServer import server | ||
| from CTReport import Report | ||
|
|
||
| from subprocess import Popen, PIPE, STDOUT | ||
| from lib.common.results import NetlogFile | ||
| from lib.common.abstracts import Package | ||
| log = logging.getLogger(__name__) | ||
|
|
||
| class Pcap(Package): | ||
| """Pcap analysis package.""" | ||
| PATHS = [ | ||
| ("ProgramFiles", "Internet Explorer", "iexplore.exe"), | ||
| ] | ||
|
|
||
| HOSTS_PATHS = [ | ||
| ("SystemRoot", "System32", "drivers", "etc", "hosts"), | ||
| ] | ||
|
|
||
| TSHARK_PATHS = [ | ||
| ("ProgramFiles", "Wireshark", "tshark.exe"), | ||
| ] | ||
|
|
||
| hosts_path = "C:\\Windows\\System32\\drivers\\etc\\hosts" | ||
|
|
||
|
|
||
| def start(self, path): | ||
| self.tshark_proc = None | ||
| self.tshark_filename = "tshark.pcap" | ||
| log.debug("In pcap analysis package") | ||
| log.debug("path is "+ path) | ||
| # set default options | ||
| args = {} | ||
| #args["server_off"] = self.options["server_off"] if self.options["server_off"] else False | ||
| args["port"] = 80 #self.options["port"] if self.options["port"] else 80 | ||
| args["short_url"] = True #self.options["short_url"] if self.options["short_url"] else True | ||
| args["ungzip"] = True #self.options["ungzip"] if self.options["ungzip"] else True | ||
| #args.report = self.options["report"] if self.options["report"] else | ||
|
|
||
| CTCore.pcap_file = path | ||
|
|
||
| log.info("[A] Analyzing PCAP: " + CTCore.pcap_file) | ||
|
|
||
| #start_ws = args["server_off"] # Boolean to start web server | ||
| CTCore.PORT = args["port"] # Web server port | ||
| CTCore.b_use_short_uri = args["short_url"] # Display short URI paths | ||
| CTCore.b_auto_ungzip = args["ungzip"] | ||
|
|
||
| #if(args.report is not None): | ||
| # CTCore.b_auto_ungzip = True | ||
|
|
||
| parse_pcap.run(CTCore.pcap_file) | ||
|
|
||
| if not CTCore.conversations: | ||
| log.info("No HTTP conversations were found in PCAP file") | ||
| return | ||
| log.info(CTCore.newLine + "[+] Traffic Activity Time: "), | ||
| try: | ||
| log.info(CTCore.activity_date_time) | ||
| except: | ||
| log.error("Couldn't retrieve time") | ||
|
|
||
| #Update hosts file with all hosts found in pcap | ||
| #add each ip directly accessed in pcap to loopback network card | ||
| ip_pattern = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" | ||
| host_domains = CTCore.hosts.keys() | ||
| if host_domains: | ||
| #self.PATHS = Pcap.HOSTS_PATHS | ||
| with open(self.hosts_path, "a+") as hosts_file: | ||
| for host, ip in host_domains: | ||
| ip = ip.split(":")[0] #remove the port from the ip address | ||
| netsh_cmd = "netsh interface ip add address \"Local Area Connection 2\" {0} 255.255.255.255".format(ip) | ||
| proc = Popen(shlex.split(netsh_cmd), stdout=PIPE, stderr=STDOUT) | ||
| output, err = proc.communicate() | ||
| if err: | ||
| log.error(err) | ||
| host = host.split(":")[0] #remove port from host if it exists | ||
| host_is_ip = re.match(ip_pattern, host, re.M) | ||
| if not host_is_ip: | ||
| hosts_file.write("\n\n127.0.0.1 {0}".format(host)) | ||
|
|
||
| try: | ||
| CTCore.web_server = server() | ||
| CTCore.web_server.start() | ||
| time.sleep(0.1) # Fixes graphic issues | ||
| CTCore.web_server_turned_on = True | ||
|
|
||
| id = 0 | ||
| request = CTCore.conversations[id].uri | ||
| host = CTCore.conversations[id].host | ||
| open_url = 'http://127.0.0.1:' + str(CTCore.PORT) + "/" + host + request | ||
|
|
||
| #open_url = 'http://' + CTCore.HOST + ":" + str(CTCore.PORT) + request | ||
|
|
||
| #Pcap.PATHS = Pcap.IE_PATHS | ||
| iexplore = self.get_path("Internet Explorer") | ||
| log.info("iexplore: "+iexplore) | ||
| log.info("url: "+open_url) | ||
| return self.execute(iexplore, args=["%s" % open_url]) | ||
| except Exception,e: | ||
| log.error("Error starting Web Server: %s", str(CTCore.msg_type.ERROR)) | ||
|
|
||
| if str(e).find("Errno 1004") > 0 or str(e).find("Errno 98") > 0: | ||
| log.error(" Port " + str(CTCore.PORT) + " is already taken.") | ||
| log.error(" Change the port using 'CapTipper.py <pcap_file> -p <port=80>' or use '-s' to disable web server") | ||
| log.error(" Proceeding without starting the web server..." + CTCore.newLine) | ||
| else: | ||
| log.error(str(e)) | ||
|
|
||
| def finish(self): | ||
| return super(Pcap, self).finish() |