# Psnuffle password sniffer add-on class for HTTP GET URL's # part of psnuffle sniffer auxiliary module # # Very simple example how to write sniffer extensions # # Sniffer class for GET URL's class SnifferURL < BaseProtocolParser def register_sigs self.sigs = { :get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/si, :webhost => /^HOST\:\s+([^\n\r]+)/si, } end def parse(pkt) # We want to return immediantly if we do not have a packet which is handled by us return if not pkt[:tcp] return if (pkt[:tcp].dst_port != 80) s = find_session((pkt[:tcp].dst_port == 80) ? get_session_dst(pkt) : get_session_src(pkt)) self.sigs.each_key do |k| # There is only one pattern per run to test matched = nil matches = nil if(pkt[:tcp].payload_data =~ self.sigs[k]) matched = k matches = $1 sessions[s[:session]].merge!({k => matches}) end case matched when :webhost sessions[s[:session]].merge!({k => matches}) if(s[:get]) print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}") sessions.delete(s[:session]) return end when nil # No matches, no saved state end # end case matched end # end of each_key end # end of parse end # end of URL sniffer