Created
June 24, 2014 20:09
A quick and dirty script to parse a PCAP file and decode Ranbyus C&C communications: it picks out HTTP POST requests to TCP port 80, base64-decodes the callback payload in the body with the bot's custom alphabet (passed on the command line), and prints the resulting id=value parameters. Written for Python 2 (print statements, `except X, e:`) on top of dpkt.
#!/usr/bin/env python
import sys

import dpkt
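def b64decode(string, alphabet):
    """Decode base64 text that uses a custom 64-symbol *alphabet*.

    Ranbyus packs bits exactly like ordinary base64 but with a shuffled
    symbol table, so the standard decoder cannot be used directly.

    Args:
        string: the encoded text; '=' padding is tolerated and ignored.
            A bytes value (a Python 3 HTTP body) is accepted too and is
            decoded as latin-1 so the one-to-one byte/symbol mapping holds.
        alphabet: the 64 distinct symbols in value order (symbol for 0 first).

    Returns:
        A str whose characters are the decoded byte values, chr(0)..chr(255);
        the caller splits it on '&' to recover the 'id=value' pairs.

    Raises:
        ValueError: if *alphabet* does not hold exactly 64 distinct symbols,
            or if *string* contains a symbol outside *alphabet* (after
            padding removal). The string comes from attacker-controlled
            packet data, so it fails loudly instead of decoding garbage.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("base64 alphabet must contain exactly 64 distinct symbols")
    if isinstance(string, bytes) and not isinstance(string, str):
        # Python 3 bytes; on Python 2 bytes is str and this is a no-op.
        string = string.decode("latin-1")
    # Padding carries no payload bits.
    string = string.replace("=", "")

    # O(1) symbol lookup instead of alphabet.index() per character.
    value_of = dict((symbol, value) for value, symbol in enumerate(alphabet))

    decoded = []
    acc = 0     # bit accumulator
    nbits = 0   # number of valid low bits held in acc
    for symbol in string:
        try:
            acc = (acc << 6) | value_of[symbol]
        except KeyError:
            raise ValueError("symbol %r is not in the base64 alphabet" % (symbol,))
        nbits += 6
        if nbits >= 8:
            # A whole byte sits at the top of the accumulator: emit it and
            # keep only the leftover low bits for the next symbol.
            nbits -= 8
            decoded.append(chr((acc >> nbits) & 0xFF))
            acc &= (1 << nbits) - 1
    # Trailing bits that do not complete a byte are dropped, as in any
    # base64 decoder.
    return "".join(decoded)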
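def pcapdecode(pcapfile, alphabet):
    """Yield the parameters of every Ranbyus C&C callback found in a PCAP.

    A generator: each value is a list of 'id=value' strings, one per decoded
    callback. A callback is an HTTP POST to TCP port 80 whose body's fifth
    whitespace-separated token (element [4]) is base64 over the bot's custom
    *alphabet*; the decoded text is split on the '&' parameter delimiter.

    Args:
        pcapfile: path of a libpcap capture with Ethernet framing.
        alphabet: the bot's 64-symbol base64 alphabet (see b64decode).

    Raises:
        ValueError: for a file dpkt cannot read as a PCAP, a capture whose
            link layer is not Ethernet, or an *alphabet* that is not 64
            distinct symbols. These are operator errors and are raised once,
            before any packet is processed.

    Packets that are truncated, not TCP, not HTTP, not a POST, or whose body
    does not have the callback layout are skipped: the capture is attacker
    controlled data and one malformed packet must not stop the walk or hide
    the remaining callbacks. A callback whose token cannot be decoded is
    reported on stderr and skipped for the same reason.
    """
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("base64 alphabet must contain exactly 64 distinct symbols")
    # Binary mode: a PCAP must never go through text/newline translation.
    with open(pcapfile, "rb") as f:
        pcap = dpkt.pcap.Reader(f)  # ValueError on a bad pcap magic
        # Everything below assumes Ethernet framing; a cooked or raw-IP
        # capture would otherwise be mis-parsed silently.
        if pcap.datalink() != dpkt.pcap.DLT_EN10MB:
            raise ValueError("only Ethernet (DLT_EN10MB) captures are supported")
        for ts, buf in pcap:
            try:
                eth = dpkt.ethernet.Ethernet(buf)
            except dpkt.dpkt.UnpackError:
                continue  # truncated frame
            # Unknown EtherTypes leave eth.data as raw bytes with no .data.
            tcp = getattr(eth.data, "data", None)
            if not isinstance(tcp, dpkt.tcp.TCP):
                continue  # a hasattr(dport) test would also match UDP
            if tcp.dport != 80 or not tcp.data:
                continue
            try:
                req = dpkt.http.Request(tcp.data)
            except (dpkt.dpkt.UnpackError, ValueError):
                continue  # incomplete segment or not an HTTP request
            if req.method != "POST":
                continue
            tokens = req.body.split()
            if len(tokens) < 5:
                continue  # body does not have the observed callback layout
            try:
                decoded = b64decode(tokens[4], alphabet)
            except ValueError as e:
                # Corrupted or foreign POST: report it, keep walking.
                sys.stderr.write("skipping callback at %f: %s\n" % (ts, e))
                continue
            yield decoded.split("&")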
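def main():
    """Command-line entry point: print every decoded callback in a PCAP.

    Usage: script (pcap file) (base64 alphabet). Each callback is printed
    as a block of 'id=value' lines between rows of asterisks, followed by
    the number of callbacks found. A ValueError raised by pcapdecode() (bad
    capture, wrong link layer, bad alphabet) is printed and the count of
    callbacks decoded before it is still shown; an unreadable file exits
    with an error message instead of a traceback.
    """
    if len(sys.argv) != 3:
        sys.exit("Usage: %s (pcap file) (base64 alphabet)" % sys.argv[0])
    pcapfile, alphabet = sys.argv[1], sys.argv[2]
    results = 0
    try:
        for pairs in pcapdecode(pcapfile, alphabet):
            print("*" * 15)
            for pair in pairs:
                print(pair)
            print("*" * 15)
            results += 1
    except EnvironmentError as e:
        # Missing or unreadable capture: same non-zero exit, no traceback.
        sys.exit("%s: %s" % (pcapfile, e))
    except ValueError as e:
        print(str(e))
    print("%d callbacks found" % results)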
if __name__ == "__main__":  # run only when executed as a script, not on import
    main()