Beercow revised this gist
Jul 14, 2017 . 1 changed file with 6 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -20,8 +20,12 @@ def parse_pcap_file(filename): Reference: https://blog.bramp.net/post/2010/01/10/follow-http-stream-with-decompression/ ''' try: f = open(filename, 'rb') pcap = dpkt.pcap.Reader(f) except: f = open(filename, 'rb') pcap = dpkt.pcapng.Reader(f) conn = dict() print 'POST data,uinfo("<computer_name>@<user\domain>",win(<major><minor>),ver(<hardcoded_findstr_version>),data(cc numbers),logs (keylogger data)' for ts, buf in pcap: -
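Review bot: The fallback path opens `filename` a second time without closing the first handle, and the bare `except:` that triggers it also hides unrelated failures of the first `open()` (a missing file, for instance) behind a second, identical attempt. Open once, catch only the header-rejection error and rewind the same handle before trying the pcapng reader; as far as I recall dpkt's readers reject a bad magic number with `ValueError`, but confirm against the installed dpkt version. `parse_pcap_file` continues past this hunk, and the later `f.close()` only ever closes the handle bound last.
```python
    f = open(filename, 'rb')
    try:
        pcap = dpkt.pcap.Reader(f)
    except ValueError:
        # Not a classic libpcap header: rewind the same handle and try pcapng.
        f.seek(0)
        pcap = dpkt.pcapng.Reader(f)
    # … unchanged: conn = dict(), header print, packet loop …
```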
Beercow revised this gist
Jul 14, 2017 . 1 changed file with 8 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -23,7 +23,7 @@ def parse_pcap_file(filename): f = open(filename, 'rb') pcap = dpkt.pcap.Reader(f) conn = dict() print 'POST data,uinfo("<computer_name>@<user\domain>",win(<major><minor>),ver(<hardcoded_findstr_version>),data(cc numbers),logs (keylogger data)' for ts, buf in pcap: eth = dpkt.ethernet.Ethernet(buf) if eth.type != dpkt.ethernet.ETH_TYPE_IP: @@ -39,6 +39,7 @@ def parse_pcap_file(filename): conn[ip_tupl] = tcp.data try: stream = conn[ip_tupl] # print stream regex = "(oprat.*)" output = re.findall(regex, stream, re.IGNORECASE) if len(output) != 0: @@ -54,11 +55,15 @@ def parse_pcap_file(filename): win = re.findall(regex, str(parts), re.IGNORECASE) regex = "vers=(.*?M)" vers = re.findall(regex, str(parts), re.IGNORECASE) regex = "data=(.*?)(?:'|&)" data = re.findall(regex, str(parts), re.IGNORECASE) data = decodeb64(data) data = decodexor(data) regex = "logs=(.*?)(?:'|&)" logs = re.findall(regex, str(parts), re.IGNORECASE) logs = decodeb64(logs) logs = decodexor(logs) print "".join(parts) + ',' + "".join(uinfo) + ',' + "".join(win) + ',' + "".join(vers) + ',' + "".join(data) + ',' + "".join(logs) except: pass f.close() -
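Review bot: The new `logs` column writes decoded keylogger text straight into the comma-joined `print` line, so any comma, newline or control character in the captured keystrokes breaks the one-record-per-line format the header line promises (the `data` column has the same issue). Emit the row through the stdlib writer instead, `writer = csv.writer(sys.stdout)` once before the loop and `writer.writerow(["".join(parts), "".join(uinfo), "".join(win), "".join(vers), data, logs])` here, which needs `import csv` at the top of the file. Note also that `decodeb64(logs)` receives the list returned by `re.findall` and base64-decodes `str(list)`, which only works because Python 2's `b64decode` discards the `[`, `'` and `]` characters; `decodeb64("".join(logs))` says what is meant. The enclosing `parse_pcap_file` starts before this hunk.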
Beercow revised this gist
Jul 10, 2017 . 1 changed file with 0 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -39,7 +39,6 @@ def parse_pcap_file(filename): conn[ip_tupl] = tcp.data try: stream = conn[ip_tupl] regex = "(oprat.*)" output = re.findall(regex, stream, re.IGNORECASE) if len(output) != 0: -
Beercow revised this gist
Jul 10, 2017 . 1 changed file with 13 additions and 27 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,8 +1,7 @@ #!/usr/bin/env python #author Beercow import dpkt, re, base64, sys def decodeb64(data): data = base64.b64decode(str(data)) @@ -49,31 +48,18 @@ def parse_pcap_file(filename): if 'POST' in str(parts): regex = "(oprat.*?)POST" parts = re.findall(regex, str(parts), re.IGNORECASE) regex = "uinfo=(.*?)&" uinfo = re.findall(regex, str(parts), re.IGNORECASE) uinfo = decodeb64(uinfo) regex = "win=(.*?)&" win = re.findall(regex, str(parts), re.IGNORECASE) regex = "vers=(.*?M)" vers = re.findall(regex, str(parts), re.IGNORECASE) regex = "data=(.*?)'" data = re.findall(regex, str(parts), re.IGNORECASE) data = decodeb64(data) data = decodexor(data) print "".join(parts) + ',' + "".join(uinfo) + ',' + "".join(win) + ',' + "".join(vers) + ',' + "".join(data) except: pass f.close() -
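Review bot: The consolidated `import dpkt, re, base64, sys` line should be one import per line (PEP 8), which also makes the dropped `string`/`binascii` imports in this commit easier to review. More importantly, a record whose `uinfo=`/`data=` field is not valid base64 makes `decodeb64` raise (on Python 2, which the `print` statements imply, that is a `TypeError` for bad padding — confirm), and the bare `except: pass` at the bottom of the hunk then drops the whole flow with no trace; narrow it to `except (ValueError, TypeError) as e:` followed by `sys.stderr.write("skipping flow %r: %s\n" % (ip_tupl, e))` so analysts can see what was not parsed. `parse_pcap_file` begins before this hunk.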
Beercow created this gist
Jul 8, 2017 .There are no files selected for viewing
@@ -0,0 +1,85 @@ #!/usr/bin/env python #author Beercow import dpkt, re, base64, sys, string from binascii import * def decodeb64(data): data = base64.b64decode(str(data)) return data def decodexor(data): ptext='' for b in data: ptext+= chr(ord(b) ^ ord('\x2A')) return ptext def parse_pcap_file(filename): ''' Parses through a PCAP file looking for http requests and responses. If found, they are provided as argument to the relevant parse_* functions. Reference: https://blog.bramp.net/post/2010/01/10/follow-http-stream-with-decompression/ ''' f = open(filename, 'rb') pcap = dpkt.pcap.Reader(f) conn = dict() print 'POST data,uinfo("<computer_name>@<user\domain>",win(<major><minor>),ver(<hardcoded_findstr_version>),data(cc numbers)' for ts, buf in pcap: eth = dpkt.ethernet.Ethernet(buf) if eth.type != dpkt.ethernet.ETH_TYPE_IP: continue ip = eth.data if ip.p != dpkt.ip.IP_PROTO_TCP: continue tcp = ip.data ip_tupl = (ip.src, ip.dst, tcp.sport, tcp.dport) if ip_tupl in conn: conn[ip_tupl] = conn[ip_tupl] + tcp.data else: conn[ip_tupl] = tcp.data try: stream = conn[ip_tupl] # print stream regex = "(oprat.*)" output = re.findall(regex, stream, re.IGNORECASE) if len(output) != 0: for element in output: parts = element.split(',') if 'POST' in str(parts): regex = "(oprat.*?)POST" parts = re.findall(regex, str(parts), re.IGNORECASE) regex = "uinfo=(.*?)&" uinfo = re.findall(regex, str(parts), re.IGNORECASE) uinfo = decodeb64(uinfo) regex = "win=(.*?)&" win = re.findall(regex, str(parts), re.IGNORECASE) regex = "vers=(.*?M)" vers = re.findall(regex, str(parts), re.IGNORECASE) regex = "data=(.*?)'" data = re.findall(regex, str(parts), re.IGNORECASE) data = decodeb64(data) data = decodexor(data) print "".join(parts) + ',' + "".join(uinfo) + ',' + "".join(win) + ',' + "".join(vers) + ',' + "".join(data) else: regex = "uinfo=(.*?)&" uinfo = re.findall(regex, str(parts), re.IGNORECASE) uinfo = decodeb64(uinfo) regex = "win=(.*?)&" win = re.findall(regex, str(parts), re.IGNORECASE) 
regex = "vers=(.*?M)" vers = re.findall(regex, str(parts), re.IGNORECASE) regex = "data=(.*?)'" data = re.findall(regex, str(parts), re.IGNORECASE) data = decodeb64(data) data = decodexor(data) print "".join(parts) + ',' + "".join(uinfo) + ',' + "".join(win) + ',' + "".join(vers) + ',' + "".join(data) except: pass f.close() if __name__ == '__main__': if len(sys.argv) <= 1: print "%s [pcap file]" % __file__ sys.exit(2) parse_pcap_file(sys.argv[1])
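Review bot: The `(oprat.*)` scan and the `print` run inside the packet loop against the ever-growing `conn[ip_tupl]` buffer, so once a flow's POST line has matched it is matched and printed again for every later segment of that flow, and each rescan costs more than the last. Reassemble first and parse each flow once after the capture loop, as sketched below. The reassembly itself appends `tcp.data` in arrival order with no sequence-number handling, so retransmitted or reordered segments corrupt the buffer; that deserves a comment on the append line, `# NOTE: arrival-order concatenation, no TCP seq reassembly`, since the bare `except: pass` will otherwise hide the resulting parse failures. `f.close()` should also move into a `finally:` so the handle is released when parsing raises.
```python
    for ts, buf in pcap:
        # … unchanged: Ethernet/IP/TCP filtering …
        ip_tupl = (ip.src, ip.dst, tcp.sport, tcp.dport)
        if ip_tupl in conn:
            conn[ip_tupl] = conn[ip_tupl] + tcp.data
        else:
            conn[ip_tupl] = tcp.data
    f.close()

    # Parse each reassembled flow exactly once, after the whole capture is read.
    for ip_tupl, stream in conn.items():
        # … unchanged: the try/except that scans `stream` for "oprat" and prints each POST …
```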