2009-07-17 20:36:40 +00:00
|
|
|
##
|
2010-04-30 08:40:19 +00:00
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2009-07-17 20:36:40 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
#
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# dsniff was helping me very often. Too bad that it doesn't work correctly
|
|
|
|
# anymore. Psnuffle should bring password sniffing into Metasploit local
|
2010-04-30 08:40:19 +00:00
|
|
|
# and if we get lucky even remote.
|
2009-07-17 20:36:40 +00:00
|
|
|
#
|
|
|
|
# Cheers - Max Moser - mmo@remote-exploit.org
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Exploit::Capture
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'pSnuffle Packet Sniffer',
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
'Description' => 'This module sniffs passwords like dsniff did in the past',
|
|
|
|
'Author' => 'Max Moser <mmo@remote-exploit.org>',
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Actions' =>
|
|
|
|
[
|
|
|
|
[ 'Sniffer' ],
|
|
|
|
[ 'List' ]
|
|
|
|
],
|
2010-04-30 08:40:19 +00:00
|
|
|
'PassiveActions' =>
|
2009-07-17 20:36:40 +00:00
|
|
|
[
|
|
|
|
'Sniffer'
|
|
|
|
],
|
|
|
|
'DefaultAction' => 'Sniffer'
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
OptString.new('PROTOCOLS', [true, 'A comma-delimited list of protocols to sniff or "all".', "all"]),
|
2010-04-30 08:40:19 +00:00
|
|
|
], self.class)
|
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
register_advanced_options([
|
|
|
|
OptPath.new('ProtocolBase', [true, 'The base directory containing the protocol decoders',
|
|
|
|
File.join(Msf::Config.install_root, "data", "exploits", "psnuffle")
|
|
|
|
]),
|
|
|
|
], self.class)
|
2011-07-27 01:33:35 +00:00
|
|
|
deregister_options('RHOST')
|
2009-07-17 20:36:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def load_protocols
|
|
|
|
base = datastore['ProtocolBase']
|
|
|
|
if (not File.directory?(base))
|
2009-09-14 18:46:41 +00:00
|
|
|
raise RuntimeError,"The ProtocolBase parameter is set to an invalid directory"
|
2009-07-17 20:36:40 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
@protos = {}
|
|
|
|
decoders = Dir.new(base).entries.grep(/\.rb$/).sort
|
|
|
|
decoders.each do |n|
|
|
|
|
f = File.join(base, n)
|
|
|
|
m = ::Module.new
|
|
|
|
begin
|
|
|
|
m.module_eval(File.read(f, File.size(f)))
|
|
|
|
m.constants.grep(/^Sniffer(.*)/) do
|
|
|
|
proto = $1
|
|
|
|
klass = m.const_get("Sniffer#{proto}")
|
|
|
|
@protos[proto.downcase] = klass.new(framework, self)
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
print_status("Loaded protocol #{proto} from #{f}...")
|
|
|
|
end
|
|
|
|
rescue ::Exception => e
|
2010-07-25 21:37:54 +00:00
|
|
|
print_error("Decoder #{n} failed to load: #{e.class} #{e} #{e.backtrace}")
|
2009-07-17 20:36:40 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
def run
|
2009-07-17 20:36:40 +00:00
|
|
|
# Load all of our existing protocols
|
|
|
|
load_protocols
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
if(action.name == 'List')
|
|
|
|
print_status("Protocols: #{@protos.keys.sort.join(', ')}")
|
|
|
|
return
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
# Remove protocols not explicitly allowed
|
|
|
|
if(datastore['PROTOCOLS'] != 'all')
|
|
|
|
allowed = datastore['PROTOCOLS'].split(',').map{|x| x.strip.downcase}
|
|
|
|
newlist = {}
|
|
|
|
@protos.each_key { |k| newlist[k] = @protos[k] if allowed.include?(k) }
|
|
|
|
@protos = newlist
|
|
|
|
end
|
|
|
|
|
2010-04-30 08:40:19 +00:00
|
|
|
print_status("Sniffing traffic.....")
|
2009-07-17 20:36:40 +00:00
|
|
|
open_pcap
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
each_packet do |pkt|
|
2011-07-26 01:29:21 +00:00
|
|
|
p = PacketFu::Packet.parse(pkt)
|
|
|
|
next unless p.is_tcp?
|
|
|
|
next if p.payload.empty?
|
2009-07-17 20:36:40 +00:00
|
|
|
@protos.each_key do |k|
|
2011-07-26 01:29:21 +00:00
|
|
|
@protos[k].parse(p)
|
2009-07-17 20:36:40 +00:00
|
|
|
end
|
|
|
|
true
|
|
|
|
end
|
2009-08-19 14:07:33 +00:00
|
|
|
close_pcap
|
2009-07-17 20:36:40 +00:00
|
|
|
print_status("Finished sniffing")
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
end
|
2009-07-17 20:36:40 +00:00
|
|
|
|
|
|
|
# End module class
|
|
|
|
|
|
|
|
# Basic class for taking care of sessions
|
|
|
|
class BaseProtocolParser
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
attr_accessor :framework, :module, :sessions, :dport, :sigs
|
|
|
|
|
|
|
|
def initialize(framework, mod)
|
|
|
|
self.framework = framework
|
|
|
|
self.module = mod
|
|
|
|
self.sessions = {}
|
|
|
|
self.dport = 0
|
|
|
|
register_sigs()
|
|
|
|
end
|
|
|
|
|
|
|
|
def parse(pkt)
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
|
|
|
|
def register_sigs
|
|
|
|
self.sigs = {}
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-19 14:07:33 +00:00
|
|
|
#
|
|
|
|
# Glue methods to bridge parsers to the main module class
|
|
|
|
#
|
|
|
|
def print_status(msg)
|
|
|
|
self.module.print_status(msg)
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-19 14:07:33 +00:00
|
|
|
def print_error(msg)
|
|
|
|
self.module.print_error(msg)
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-19 14:07:33 +00:00
|
|
|
def report_auth_info(*s)
|
|
|
|
self.module.report_auth_info(*s)
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2011-07-27 17:56:15 +00:00
|
|
|
def report_note(*s)
|
|
|
|
self.module.report_note(*s)
|
|
|
|
end
|
|
|
|
|
2009-08-19 14:07:33 +00:00
|
|
|
def report_service(*s)
|
|
|
|
self.module.report_service(*s)
|
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-08-19 14:07:33 +00:00
|
|
|
def find_session(sessionid)
|
2011-07-27 17:56:15 +00:00
|
|
|
purge_keys = []
|
2009-07-17 20:36:40 +00:00
|
|
|
sessions.each_key do |ses|
|
|
|
|
# Check for cleanup abilities... kills performance in large environments maybe
|
|
|
|
if ((sessions[ses][:mtime]-sessions[ses][:ctime])>300) #When longer than 5 minutes no packet was related to the session, delete it
|
|
|
|
# too bad to this session has no action for a long time
|
2011-07-27 17:56:15 +00:00
|
|
|
purge_keys << ses
|
2009-07-17 20:36:40 +00:00
|
|
|
end
|
|
|
|
end
|
2011-07-27 17:56:15 +00:00
|
|
|
purge_keys.each {|ses| sessions.delete(ses) }
|
2009-07-17 20:36:40 +00:00
|
|
|
|
|
|
|
# Does this session already exist?
|
|
|
|
if (sessions[sessionid])
|
|
|
|
# Refresh the timestamp
|
|
|
|
sessions[sessionid][:mtime] = Time.now
|
|
|
|
else
|
2009-08-19 14:07:33 +00:00
|
|
|
# Create a new session entry along with the host/port from the id
|
|
|
|
if (sessionid =~ /^([^:]+):([^-]+)-/s)
|
|
|
|
sessions[sessionid] = {
|
2010-04-30 08:40:19 +00:00
|
|
|
:host => $1,
|
|
|
|
:target_host => $1,
|
|
|
|
:port => $2,
|
|
|
|
:target_port => $2,
|
|
|
|
:session => sessionid,
|
|
|
|
:ctime => Time.now,
|
2009-08-19 14:07:33 +00:00
|
|
|
:mtime => Time.now
|
|
|
|
}
|
|
|
|
end
|
2009-07-17 20:36:40 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
return sessions[sessionid]
|
2009-08-19 14:07:33 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
def get_session_src(pkt)
|
2011-07-26 01:29:21 +00:00
|
|
|
return "%s:%d-%s:%d" % [pkt.ip_daddr,pkt.tcp_dport,pkt.ip_saddr,pkt.tcp_sport] if pkt.is_tcp?
|
|
|
|
return "%s:%d-%s:%d" % [pkt.ip_daddr,pkt.udp_dport,pkt.ip_saddr,pkt.udp_sport] if pkt.is_udp?
|
|
|
|
return "%s:%d-%s:%d" % [pkt.ip_daddr,0,pkt.ip_saddr,0]
|
2009-08-19 14:07:33 +00:00
|
|
|
end
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
def get_session_dst(pkt)
|
2011-07-26 01:29:21 +00:00
|
|
|
return "%s:%d-%s:%d" % [pkt.ip_saddr,pkt.tcp_sport,pkt.ip_daddr,pkt.tcp_dport] if pkt.is_tcp?
|
|
|
|
return "%s:%d-%s:%d" % [pkt.ip_saddr,pkt.udp_sport,pkt.ip_daddr,pkt.udp_dport] if pkt.is_udp?
|
|
|
|
return "%s:%d-%s:%d" % [pkt.ip_saddr,0,pkt.ip_daddr,0]
|
2009-08-19 14:07:33 +00:00
|
|
|
end
|
|
|
|
|
2009-07-17 20:36:40 +00:00
|
|
|
end
|
|
|
|
|