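#!/bin/bash
#
# Triage a pcap with tshark and print credential-related artefacts:
# HTTP POST bodies, WPA-EAP identities, EAP server certificates,
# 4-way handshake messages 1/2 and DNS / NBT-NS / LLMNR queries.
#
# Usage: ${0##*/} -f FILE [-A] [-P] [-I] [-C] [-H] [-D] [-R] [-N] [-L]
# Requires: tshark. The -C option additionally needs xxd and openssl and
# writes the exported certificates into the current working directory.
#
# The pcap is untrusted input: it is only ever passed to tshark as a file
# argument (always quoted), never interpolated into a display filter.

set -u

#######################################
# Print usage to stdout.
# Globals:   none (reads $0 only)
# Arguments: none
#######################################
help() {
  cat <<EOF
$0 -f [OPTION]
  -f : Read pcap
  -h : help

OPTIONS:
  -A : all
  -P : Get HTTP POST passwords (HTTP)
  -I : Filter WPA-EAP Identity
  -C : Export EAP certs
  -H : Get Handshakes 1 and 2
  -D : Get DNS querys
  -R : Responder vulnerable protocols (NBT-NS + LLMNR)
  -N : Get NBT-NS querys
  -L : Get LLMNR querys
EOF
}

#######################################
# Print a message to stderr and exit.
# Arguments: $1 - message, $2 - exit status (default 1)
#######################################
die() {
  printf '%s\n' "$1" >&2
  exit "${2:-1}"
}

# Original test was `[ ! -x $(which tshark) ]`, which never fires when tshark
# is missing (the expansion is empty and `[ ! -x ]` is a plain string test)
# and then exited 0; report the problem and fail instead.
command -v tshark >/dev/null 2>&1 || die "tshark not installed"

# Every flag is initialised so the script is safe under `set -u`.
HELP= FILE= ALL= PASSWORDS= IDENTITY= HANDSHAKES= DNS= NBTNS= LLMNR= CERT=

while getopts 'hf:APIHDRNLC' flag; do
  case "$flag" in
    h) HELP=true ;;
    f) FILE=$OPTARG ;;
    A) ALL=true ;;
    P) PASSWORDS=true ;;
    I) IDENTITY=true ;;
    H) HANDSHAKES=true ;;
    D) DNS=true ;;
    R) NBTNS=true; LLMNR=true ;;
    N) NBTNS=true ;;
    L) LLMNR=true ;;
    C) CERT=true ;;
    *) help >&2; exit 2 ;;   # unknown option: getopts already printed its error
  esac
done

if [ "$HELP" = true ]; then
  help
  exit 0
fi

if [ -z "$FILE" ]; then
  echo "File needed"
  echo
  help
  exit 1
fi

# Fail early with a clear message rather than letting tshark report it later.
[ -r "$FILE" ] || die "cannot read $FILE"

if [ -z "$ALL" ] && [ -z "$PASSWORDS" ] && [ -z "$IDENTITY" ] \
  && [ -z "$HANDSHAKES" ] && [ -z "$DNS" ] && [ -z "$NBTNS" ] \
  && [ -z "$LLMNR" ] && [ -z "$CERT" ]; then
  echo "Argument needed"
  help
  exit 2
fi
# The former `[ "$#" -lt 3 ]` guard is dropped: the two checks above already
# cover its cases, and it wrongly rejected combined flags such as `-Af FILE`.

if [ -n "$ALL" ]; then
  PASSWORDS=true
  IDENTITY=true
  HANDSHAKES=true
  DNS=true
  NBTNS=true
  LLMNR=true
  CERT=true
fi

# Private scratch directory instead of the predictable, world-writable
# /tmp/error used before (symlink / clobber risk on shared hosts).
tmpdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$tmpdir"' EXIT

if [ -n "$PASSWORDS" ]; then
  printf '\n\tGet POST passwords\n\n'
  tshark -r "$FILE" \
    -Y 'http.request.method == POST and (lower(http.file_data) contains "pass" or lower(http.request.line) contains "pass" or tcp contains "login")' \
    -T fields -e http.file_data -e http.request.full_uri
  # TODO: HTTP basic auth (Authorization header) is not covered yet.
fi

if [ -n "$IDENTITY" ]; then
  printf '\n\tGet WPA-EAP Identities\n\n'
  printf 'DESTINATION\t\tSOURCE\t\t\tIDENTITY\n'
  # eap.type == 1 (Identity) and eap.code == 2 (Response): the supplicant's
  # identity reply. tshark's stderr is kept and replayed to stderr afterwards
  # so diagnostics are not lost in the pipe to sort.
  tshark -nr "$FILE" -Y "eap.type == 1 && eap.code == 2" \
    -T fields -e wlan.da -e wlan.sa -e eap.identity 2>"$tmpdir/error" | sort -u
  cat -- "$tmpdir/error" >&2
fi

if [ -n "$HANDSHAKES" ]; then
  printf '\n\tGet Handshakes in pcap\n\n'
  tshark -nr "$FILE" \
    -Y "wlan_rsna_eapol.keydes.msgnr == 1 or wlan_rsna_eapol.keydes.msgnr == 2"
fi

if [ -n "$DNS" ]; then
  printf '\n\tGet DNS querys\n\n'
  # dns.flags == 0x0100: standard query with the RD bit set (client side).
  tshark -nr "$FILE" -Y "dns.flags == 0x0100" -T fields -e ip.src -e dns.qry.name
fi

if [ -n "$NBTNS" ]; then
  printf '\n\tGet NBTNS querys in file to responder\n\n'
  # NOTE(review): the protocol filter name is `nbns`; confirm that "NBT-NS"
  # is accepted as a display filter on the tshark version in use.
  tshark -nr "$FILE" -Y "NBT-NS" -T fields -e ip.src -e nbns.name
fi

if [ -n "$LLMNR" ]; then
  printf '\n\tGet LLMNR querys in file to responder\n\n'
  # NOTE(review): the protocol filter name is `llmnr`; confirm "LLMNR" parses.
  tshark -nr "$FILE" -Y "LLMNR" -T fields -e ip.src -e dns.qry.name
fi

# https://gist.github.com/Cablethief/a2b8f0f7d5ece96423ba376d261bd711
if [ -n "$CERT" ]; then
  printf '\n\tExport EAP certificates (DER files written to %s)\n\n' "$PWD"
  # Derive the output prefix from the -f argument, not from "$2", which is
  # only the pcap when -f happens to be the first option.
  tmpbase=$(basename -- "$FILE")
  # -T fields prints one line per packet; several certificates in one packet
  # are comma-joined, so split on ',' as well as on newlines before decoding.
  # NOTE(review): newer tshark names the field tls.handshake.certificate;
  # keep ssl.* only if your version still accepts it.
  tshark -r "$FILE" \
    -Y "ssl.handshake.certificate and eapol" \
    -T fields -e "ssl.handshake.certificate" \
    | tr ',' '\n' \
    | while IFS= read -r cert; do
        [ -n "$cert" ] || continue
        out=$(mktemp "$tmpbase.cert.XXXXXX.der") \
          || { printf 'mktemp failed\n' >&2; continue; }
        printf '%s' "$cert" \
          | sed 's/://g' \
          | xxd -ps -r \
          | tee -- "$out" \
          | openssl x509 -inform der -text
      done
fi

#
# TODO
#- Passwords: basic auth, FTP, TFTP, SMB, SMB2, SMTP, POP3, IMAP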