commit
b29f2265f5
|
@ -15,6 +15,7 @@ class SnifferFTP < BaseProtocolParser
|
|||
:pass => /^PASS\s+([^\s]+)/i,
|
||||
:login_pass => /^(230\s*[^\n]+)/i,
|
||||
:login_fail => /^(5\d\d\s*[^\n]+)/i,
|
||||
:bye => /^221/
|
||||
}
|
||||
end
|
||||
|
||||
|
@ -23,6 +24,7 @@ class SnifferFTP < BaseProtocolParser
|
|||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
|
||||
s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "ftp"
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
|
@ -38,21 +40,17 @@ class SnifferFTP < BaseProtocolParser
|
|||
|
||||
when :login_fail
|
||||
if(s[:user] and s[:pass])
|
||||
s[:proto]="ftp"
|
||||
s[:extra]="Failed Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
|
||||
s[:pass]=""
|
||||
s[:pass] = ""
|
||||
return
|
||||
end
|
||||
|
||||
when :login_pass
|
||||
if(s[:user] and s[:pass])
|
||||
s[:proto]="ftp"
|
||||
s[:extra]="Successful Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
# Remove it form the session objects so freeup memory
|
||||
sessions.delete(s[:session])
|
||||
return
|
||||
|
@ -60,12 +58,14 @@ class SnifferFTP < BaseProtocolParser
|
|||
|
||||
when :banner
|
||||
# Because some ftp server send multiple banner we take only the first one and ignore the rest
|
||||
if not (s[:banner])
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
s[:name]="FTP Server Welcome Banner: \"#{s[:banner]}\""
|
||||
if not (s[:info])
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
end
|
||||
|
||||
when :bye
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
|
|
|
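Review bot: In the :login_fail branch the password is cleared with `s[:pass] = ""`, but an empty string is truthy in Ruby, so the guard `if(s[:user] and s[:pass])` a few lines above still passes on the next 5xx reply and a second "Failed FTP Login" is reported with an empty password; because `:login_fail` is `/^(5\d\d\s*[^\n]+)/i` (first hunk), any later 5xx reply, not only 530, triggers this. Clearing with `s[:pass] = nil` (or `s.delete(:pass)`) makes the guard fail until a new PASS is seen. The :login_pass guard has the same shape, so the same fix covers it. The enclosing method starts and ends outside these hunks.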
@ -25,6 +25,7 @@ class SnifferIMAP < BaseProtocolParser
|
|||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
|
||||
s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "imap4"
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
|
@ -38,14 +39,11 @@ class SnifferIMAP < BaseProtocolParser
|
|||
|
||||
case matched
|
||||
when :banner
|
||||
s[:banner] = matches
|
||||
s[:name] = "IMAP Server Welcome Banner: #{s[:banner]}"
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
|
||||
when :login_pass
|
||||
|
||||
s[:proto]="imap4"
|
||||
s[:extra]="Sucessful Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
|
@ -54,18 +52,14 @@ class SnifferIMAP < BaseProtocolParser
|
|||
|
||||
when :login_fail
|
||||
|
||||
s[:proto]="imap4"
|
||||
s[:extra]="Failed Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when :login_bad
|
||||
s[:proto]="imap4"
|
||||
s[:extra]="Failed Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
|
|
|
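Review bot: The `print_status(...)` lines in the :login_fail and :login_bad branches still interpolate `s[:banner].strip`, which raises NoMethodError when no banner was captured (a capture that starts after the greeting, or a greeting that did not match `:banner`); the same expression remains in the :login_pass branch and in the POP3 :pass branch, while the FTP section of this commit already dropped the `(#{s[:banner].strip})` suffix from its messages. `s[:banner].to_s.strip` keeps the output and tolerates a missing banner. As a style point, :login_fail and :login_bad are line-for-line identical apart from the "Failed"/"Bad" prefix and could share one helper. The enclosing case statement continues outside the hunk.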
@ -38,8 +38,9 @@ class SnifferPOP3 < BaseProtocolParser
|
|||
case s[:last]
|
||||
when nil
|
||||
# Its the first +OK must include the banner, worst case its just +OK
|
||||
s[:banner] = matches
|
||||
s[:name] = "POP3 Server Welcome Banner: \"#{s[:banner]}\""
|
||||
s[:info] = matches
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
report_service(s)
|
||||
|
||||
when :user
|
||||
|
@ -48,8 +49,9 @@ class SnifferPOP3 < BaseProtocolParser
|
|||
when :pass
|
||||
# Perfect we get an +OK after a PASS command this means right password given :-)
|
||||
|
||||
s[:proto]="pop3"
|
||||
s[:extra]="Successful Login. Banner: #{s[:banner]}"
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
s[:extra] = "Successful Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
|
|
|
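Review bot: The new lines `s[:proto] = "tcp"` / `s[:name] = "pop3"` in both hunks carry the service name in `:name`, whereas the FTP and IMAP sections of this same commit put it in `:sname` (`s[:sname] ||= "ftp"`, `s[:sname] ||= "imap4"`); if report_service/report_auth_info read `:sname`, POP3 is reported without a service name, and if they read `:name`, the `"POP3 Server Welcome Banner: ..."` assignment a few lines earlier (should it survive on the new side) is dead because `"pop3"` overwrites it. Pick one key and use it in all three parsers, e.g. `s[:sname] ||= "pop3"` next to `s[:proto] = "tcp"`. The enclosing case statement continues outside the hunk.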
@ -162,8 +162,8 @@ class SnifferSMB < BaseProtocolParser
|
|||
"\nNTHASH:#{s[:ntlmhash]}\n"
|
||||
print_status(logmessage)
|
||||
|
||||
src_ip = s[:host]
|
||||
dst_ip = s[:session].split("-")[1].split(":")[0]
|
||||
src_ip = s[:client_host]
|
||||
dst_ip = s[:host]
|
||||
# know this is ugly , last code added :-/
|
||||
smb_db_type_hash = case ntlm_ver
|
||||
when "NTLMv1" then "smb_netv1_hash"
|
||||
|
|
|
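Review bot: `src_ip = s[:client_host]` / `dst_ip = s[:host]` are only correct if the SMB session id is built client-first so that the session entry (created in the BaseProtocolParser hunk at the end of this commit) fills `:client_host` from the first address; this hunk does not show how the id is formed, and the removed `s[:session].split("-")[1]` derivation made that same assumption explicitly. Replacing the dangling `# know this is ugly , last code added :-/` with a comment that states the dependency, e.g. `# :client_host/:host are filled from the client:port-server:port session id when the session is created`, would keep the next reader from reverting to string splitting. The method continues outside the hunk.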
@ -177,12 +177,12 @@ class BaseProtocolParser
|
|||
sessions[sessionid][:mtime] = Time.now
|
||||
else
|
||||
# Create a new session entry along with the host/port from the id
|
||||
if (sessionid =~ /^([^:]+):([^-]+)-/s)
|
||||
if (sessionid =~ /^([^:]+):([^-]+)-([^:]+):(\d+)$/s)
|
||||
sessions[sessionid] = {
|
||||
:host => $1,
|
||||
:target_host => $1,
|
||||
:port => $2,
|
||||
:target_port => $2,
|
||||
:client_host => $1,
|
||||
:client_port => $2,
|
||||
:host => $3,
|
||||
:port => $4,
|
||||
:session => sessionid,
|
||||
:ctime => Time.now,
|
||||
:mtime => Time.now
|
||||
|
|
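Review bot: The new session-id regex `/^([^:]+):([^-]+)-([^:]+):(\d+)$/s` anchors with `^`/`$`, which in Ruby match at line boundaries rather than the whole string, and `[^:]+` cannot match an IPv6 address, so an id that fails the match leaves `sessions[sessionid]` unset; no else branch is visible in the hunk, so the caller presumably gets nil back (the rest of the method is outside the hunk). Anchor with `\A`/`\z` and use `\d+` for the client port as is already done for the server port: `if (sessionid =~ /\A([^:]+):(\d+)-([^:]+):(\d+)\z/)`. Named captures read through `Regexp.last_match` would also make the `:client_host => $1 ... :port => $4` mapping self-describing instead of relying on `$1`-`$4`.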