Module: Msf::DBManager::Import::Libpcap

Included in:
Msf::DBManager::Import
Defined in:
lib/msf/core/db_manager/import/libpcap.rb

Instance Method Summary collapse

Instance Method Details

#import_libpcap(args = {}, &block) ⇒ Object

The libpcap file format is handled by PacketFu for data extraction. TODO: Make this its own mixin, and possibly extend PacketFu to do better stream analysis on the fly.


5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
# File 'lib/msf/core/db_manager/import/libpcap.rb', line 5

def import_libpcap(args={}, &block)
  data = args[:data]
  wspace = Msf::Util::DBManager.process_opts_workspace(args, framework).name
  bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []
  # seen_hosts is only used for determining when to yield an address. Once we get
  # some packet analysis going, the values will have all sorts of info. The plan
  # is to run through all the packets as a first pass and report host and service,
  # then, once we have everything parsed, we can reconstruct sessions and ngrep
  # out things like authentication sequences, examine ttl's and window sizes, all
  # kinds of crazy awesome stuff like that.
  seen_hosts = {}
  decoded_packets = 0
  last_count = 0
  data.read_packet_bytes do |p|
    if (decoded_packets >= last_count + 1000) and block
      yield(:pcap_count, decoded_packets)
      last_count = decoded_packets
    end
    decoded_packets += 1

    pkt = PacketFu::Packet.parse(p) rescue next # Just silently skip bad packets

    next unless pkt.is_ip? # Skip anything that's not IP. Technically, not Ethernet::Ip
    next if pkt.is_tcp? && (pkt.tcp_src == 0 || pkt.tcp_dst == 0) # Skip port 0
    next if pkt.is_udp? && (pkt.udp_src == 0 || pkt.udp_dst == 0) # Skip port 0
    saddr = pkt.ip_saddr
    daddr = pkt.ip_daddr

    # Handle blacklists and obviously useless IP addresses, and report the host.
    next if (bl | [saddr,daddr]).size == bl.size # Both hosts are blacklisted, skip everything.
    unless( bl.include?(saddr) || rfc3330_reserved(saddr))
      yield(:address,saddr) if block and !seen_hosts.keys.include?(saddr)
      unless seen_hosts[saddr]
        report_host(
            :workspace => wspace,
            :host      => saddr,
            :state     => Msf::HostState::Alive,
            :task      => args[:task]
        )
      end
      seen_hosts[saddr] ||= []

    end
    unless( bl.include?(daddr) || rfc3330_reserved(daddr))
      yield(:address,daddr) if block and !seen_hosts.keys.include?(daddr)
      unless seen_hosts[daddr]
        report_host(
            :workspace => wspace,
            :host      => daddr,
            :state     => Msf::HostState::Alive,
            :task      => args[:task]
        )
      end
      seen_hosts[daddr] ||= []
    end

    if pkt.is_tcp? # First pass on TCP packets
      if (pkt.tcp_flags.syn == 1 and pkt.tcp_flags.ack == 1) or # Oh, this kills me
        pkt.tcp_src < 1024 # If it's a low port, assume it's a proper service.
        if seen_hosts[saddr]
          unless seen_hosts[saddr].include? [pkt.tcp_src,"tcp"]
            report_service(
                :workspace => wspace, :host => saddr,
                :proto     => "tcp", :port => pkt.tcp_src,
                :state     => Msf::ServiceState::Open,
                :task      => args[:task]
            )
            seen_hosts[saddr] << [pkt.tcp_src,"tcp"]
            yield(:service,"%s:%d/%s" % [saddr,pkt.tcp_src,"tcp"])
          end
        end
      end
    elsif pkt.is_udp? # First pass on UDP packets
      if pkt.udp_src == pkt.udp_dst # Very basic p2p detection.
        [saddr,daddr].each do |xaddr|
          if seen_hosts[xaddr]
            unless seen_hosts[xaddr].include? [pkt.udp_src,"udp"]
              report_service(
                  :workspace => wspace, :host => xaddr,
                  :proto     => "udp", :port => pkt.udp_src,
                  :state     => Msf::ServiceState::Open,
                  :task      => args[:task]
              )
              seen_hosts[xaddr] << [pkt.udp_src,"udp"]
              yield(:service,"%s:%d/%s" % [xaddr,pkt.udp_src,"udp"])
            end
          end
        end
      elsif pkt.udp_src < 1024 # Probably a service
        if seen_hosts[saddr]
          unless seen_hosts[saddr].include? [pkt.udp_src,"udp"]
            report_service(
                :workspace => wspace, :host => saddr,
                :proto     => "udp", :port => pkt.udp_src,
                :state     => Msf::ServiceState::Open,
                :task      => args[:task]
            )
            seen_hosts[saddr] << [pkt.udp_src,"udp"]
            yield(:service,"%s:%d/%s" % [saddr,pkt.udp_src,"udp"])
          end
        end
      end
    end # tcp or udp

    inspect_single_packet(pkt,wspace,args)

  end # data.body.map

  # Right about here, we should have built up some streams for some stream analysis.
  # Not sure what form that will take, but people like shoving many hundreds of
  # thousands of packets through this thing, so it'll need to be memory efficient.

end

#import_libpcap_file(args = {}) ⇒ Object


119
120
121
122
123
124
# File 'lib/msf/core/db_manager/import/libpcap.rb', line 119

def import_libpcap_file(args={})
  filename = args[:filename]

  data = PacketFu::PcapFile.new(:filename => filename)
  import_libpcap(args.merge(:data => data))
end

#inspect_single_packet(pkt, wspace, args) ⇒ Object

Do all the single packet analysis we can while churning through the pcap the first time. Multiple packet inspection will come later, where we can do stream analysis, compare requests and responses, etc.


129
130
131
132
133
# File 'lib/msf/core/db_manager/import/libpcap.rb', line 129

def inspect_single_packet(pkt,wspace,args)
  if pkt.is_tcp? or pkt.is_udp?
    inspect_single_packet_http(pkt,wspace,args)
  end
end

#inspect_single_packet_http(pkt, wspace, args) ⇒ Object

Checks for packets that are headed towards port 80, are tcp, contain an HTTP/1.0 line, contains an Authorization line, contains a b64-encoded credential, and extracts it. Reports this credential and solidifies the service as HTTP.


138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
# File 'lib/msf/core/db_manager/import/libpcap.rb', line 138

def inspect_single_packet_http(pkt,wspace,args)
  task = args.fetch(:task, nil)
  # First, check the server side (data from port 80).
  if pkt.is_tcp? and pkt.tcp_src == 80 and !pkt.payload.nil? and !pkt.payload.empty?
    if pkt.payload =~ /^HTTP\x2f1\x2e[01]/n
      http_server_match = pkt.payload.match(/\nServer:\s+([^\r\n]+)[\r\n]/n)
      if http_server_match.kind_of?(MatchData) and http_server_match[1]
        report_service(
            :workspace => wspace,
            :host      => pkt.ip_saddr,
            :port      => pkt.tcp_src,
            :proto     => "tcp",
            :name      => "http",
            :info      => http_server_match[1],
            :state     => Msf::ServiceState::Open,
            :task      => task
        )
        # That's all we want to know from this service.
        return :something_significant
      end
    end
  end

  # Next, check the client side (data to port 80)
  if pkt.is_tcp? and pkt.tcp_dst == 80 and !pkt.payload.nil? and !pkt.payload.empty?
    if pkt.payload.match(/[\x00-\x20]HTTP\x2f1\x2e[10]/n)
      auth_match = pkt.payload.match(/\nAuthorization:\s+Basic\s+([A-Za-z0-9=\x2b]+)/n)
      if auth_match.kind_of?(MatchData) and auth_match[1]
        b64_cred = auth_match[1]
      else
        return false
      end
      # If we're this far, we can surmise that at least the client is a web browser,
      # he thinks the server is HTTP and he just made an authentication attempt. At
      # this point, we'll just believe everything the packet says -- validation ought
      # to come later.
      user,pass = b64_cred.unpack("m*").first.split(/:/,2)
      report_service(
          :workspace => wspace,
          :host      => pkt.ip_daddr,
          :port      => pkt.tcp_dst,
          :proto     => "tcp",
          :name      => "http",
          :task      => task
      )

      service_data = {
          address: pkt.ip_daddr,
          port: pkt.tcp_dst,
          service_name: 'http',
          protocol: 'tcp',
          workspace_id: wspace.id
      }
      service_data[:task_id] = task.id if task

      filename = args[:filename]

      credential_data = {
          origin_type: :import,
          private_data: pass,
          private_type: :password,
          username: user,
          filename: filename
      }
      credential_data.merge!(service_data)
      credential_core = create_credential(credential_data)

       = {
          core: credential_core,
          status: Metasploit::Model::Login::Status::UNTRIED
      }

      .merge!(service_data)

      ()

      # That's all we want to know from this service.
      return :something_significant
    end
  end
end