diff --git a/data/exploits/psnuffle/ftp.rb b/data/exploits/psnuffle/ftp.rb
index ea16937ce3..5016f14811 100755
--- a/data/exploits/psnuffle/ftp.rb
+++ b/data/exploits/psnuffle/ftp.rb
@@ -15,6 +15,7 @@ class SnifferFTP < BaseProtocolParser
 :pass => /^PASS\s+([^\s]+)/i,
 :login_pass => /^(230\s*[^\n]+)/i,
 :login_fail => /^(5\d\d\s*[^\n]+)/i,
+ :bye => /^221/
 }
 end
@@ -23,6 +24,7 @@ class SnifferFTP < BaseProtocolParser
 return unless pkt.is_tcp?
 return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
 s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
+ s[:sname] ||= "ftp"
 self.sigs.each_key do |k|
 # There is only one pattern per run to test
@@ -38,21 +40,17 @@ class SnifferFTP < BaseProtocolParser
 when :login_fail
 if(s[:user] and s[:pass])
- s[:proto]="ftp"
- s[:extra]="Failed Login. Banner: #{s[:banner]}"
- report_auth_info(s)
- print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+ report_auth_info(s.merge({:active => false}))
+ print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
- s[:pass]=""
+ s[:pass] = ""
 return
 end
 when :login_pass
 if(s[:user] and s[:pass])
- s[:proto]="ftp"
- s[:extra]="Successful Login. Banner: #{s[:banner]}"
 report_auth_info(s)
- print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+ print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
 # Remove it form the session objects so freeup memory
 sessions.delete(s[:session])
 return
@@ -60,12 +58,14 @@ class SnifferFTP < BaseProtocolParser
 when :banner
 # Because some ftp server send multiple banner we take only the first one and ignore the rest
- if not (s[:banner])
- sessions[s[:session]].merge!({k => matches})
- s[:name]="FTP Server Welcome Banner: \"#{s[:banner]}\""
+ if not (s[:info])
+ s[:info] = matches
 report_service(s)
 end
+ when :bye
+ sessions.delete(s[:session])
+
 when nil
 # No matches, no saved state
 else
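Review bot: Resetting the password with `s[:pass] = ""` in the `:login_fail` branch leaves `s[:pass]` truthy, since only nil and false are falsy in Ruby, so the next 5xx reply on the same session (any error the server returns before the client retries PASS) passes the `if(s[:user] and s[:pass])` guard and records a second failed credential for that user with an empty password. `s.delete(:pass)` (or `s[:pass] = nil`) makes the guard behave as intended. The branch also hands the entire session hash to report_auth_info, so `:ctime`, `:mtime`, `:session` and `:client_port` travel along; harmless if the reporter ignores unknown keys, but worth confirming. The enclosing case statement starts before this hunk and continues after it.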
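Review bot: The first-banner guard reads more naturally as `unless s[:info]` than `if not (s[:info])`; the parenthesised `not` form is the one idiom a Ruby linter flags here. The `:bye` arm is a sensible way to free sessions on a 221 reply, though `/^221/` has no capture group, so `matches` is nil in that arm, which is fine only as long as nothing downstream expects a value. The surrounding case statement begins before the hunk.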
diff --git a/data/exploits/psnuffle/imap.rb b/data/exploits/psnuffle/imap.rb
index eea54aa724..6888fb4246 100755
--- a/data/exploits/psnuffle/imap.rb
+++ b/data/exploits/psnuffle/imap.rb
@@ -25,6 +25,7 @@ class SnifferIMAP < BaseProtocolParser
 return unless pkt.is_tcp?
 return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
 s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
+ s[:sname] ||= "imap4"
 self.sigs.each_key do |k|
 # There is only one pattern per run to test
@@ -38,14 +39,11 @@ class SnifferIMAP < BaseProtocolParser
 case matched
 when :banner
- s[:banner] = matches
- s[:name] = "IMAP Server Welcome Banner: #{s[:banner]}"
+ s[:info] = matches
 report_service(s)
 when :login_pass
- s[:proto]="imap4"
- s[:extra]="Sucessful Login. Banner: #{s[:banner]}"
 report_auth_info(s)
 print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
@@ -54,18 +52,14 @@ class SnifferIMAP < BaseProtocolParser
 when :login_fail
- s[:proto]="imap4"
- s[:extra]="Failed Login. Banner: #{s[:banner]}"
- report_auth_info(s)
+ report_auth_info(s.merge({:active => false}))
 print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 # Remove it form the session objects so freeup
 sessions.delete(s[:session])
 when :login_bad
- s[:proto]="imap4"
- s[:extra]="Failed Login. Banner: #{s[:banner]}"
- report_auth_info(s)
+ report_auth_info(s.merge({:active => false}))
 print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 # Remove it form the session objects so freeup
diff --git a/data/exploits/psnuffle/pop3.rb b/data/exploits/psnuffle/pop3.rb
index e92dc7d0de..117b8c03cb 100755
--- a/data/exploits/psnuffle/pop3.rb
+++ b/data/exploits/psnuffle/pop3.rb
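Review bot: The `:login_pass` status line still interpolates `#{s[:banner].strip}`, but the `when :banner` arm directly above now stores the greeting only in `s[:info]` and the `s[:banner] = matches` assignment is gone; unless the matching loop outside this hunk fills `s[:banner]` generically, every successful IMAP login now raises NoMethodError on nil right after report_auth_info has run, so the credential is stored but the parser aborts. Either switch the interpolation to `#{s[:info].to_s.strip}` or keep `s[:banner] = matches` beside `s[:info]`. ftp.rb in the same commit dropped the banner from its status lines altogether, which would be the consistent fix. The case statement continues past the end of the hunk.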
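Review bot: The `:login_fail` and `:login_bad` arms are now identical apart from the "Failed"/"Bad" label in the status line, and both still interpolate `#{s[:banner].strip}` although the `when :banner` arm above this hunk no longer populates that key, so `.strip` on nil will raise unless `s[:banner]` is assigned somewhere outside this diff. A single `when :login_fail, :login_bad` arm with `label = (matched == :login_bad) ? "Bad" : "Failed"` removes the duplication, and `s[:info].to_s.strip` avoids the nil. Both arms end past the hunk; the `sessions.delete` for `:login_bad` is not shown.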
@@ -38,8 +38,9 @@ class SnifferPOP3 < BaseProtocolParser
 case s[:last]
 when nil
 # Its the first +OK must include the banner, worst case its just +OK
- s[:banner] = matches
- s[:name] = "POP3 Server Welcome Banner: \"#{s[:banner]}\""
+ s[:info] = matches
+ s[:proto] = "tcp"
+ s[:name] = "pop3"
 report_service(s)
 when :user
@@ -48,8 +49,9 @@ class SnifferPOP3 < BaseProtocolParser
 when :pass
 # Perfect we get an +OK after a PASS command this means right password given :-)
- s[:proto]="pop3"
- s[:extra]="Successful Login. Banner: #{s[:banner]}"
+ s[:proto] = "tcp"
+ s[:name] = "pop3"
+ s[:extra] = "Successful Login. Banner: #{s[:banner]}"
 report_auth_info(s)
 print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
diff --git a/data/exploits/psnuffle/smb.rb b/data/exploits/psnuffle/smb.rb
index f50e752f86..3bcd2e083f 100755
--- a/data/exploits/psnuffle/smb.rb
+++ b/data/exploits/psnuffle/smb.rb
@@ -162,8 +162,8 @@ class SnifferSMB < BaseProtocolParser
 "\nNTHASH:#{s[:ntlmhash]}\n"
 print_status(logmessage)
- src_ip = s[:host]
- dst_ip = s[:session].split("-")[1].split(":")[0]
+ src_ip = s[:client_host]
+ dst_ip = s[:host]
 # know this is ugly , last code added :-/
 smb_db_type_hash = case ntlm_ver
 when "NTLMv1" then "smb_netv1_hash"
diff --git a/modules/auxiliary/sniffer/psnuffle.rb b/modules/auxiliary/sniffer/psnuffle.rb
index 4e0dd45231..eebcd8643d 100644
--- a/modules/auxiliary/sniffer/psnuffle.rb
+++ b/modules/auxiliary/sniffer/psnuffle.rb
@@ -177,12 +177,12 @@ class BaseProtocolParser
 sessions[sessionid][:mtime] = Time.now
 else
 # Create a new session entry along with the host/port from the id
- if (sessionid =~ /^([^:]+):([^-]+)-/s)
+ if (sessionid =~ /^([^:]+):([^-]+)-([^:]+):(\d+)$/s)
 sessions[sessionid] = {
- :host => $1,
- :target_host => $1,
- :port => $2,
- :target_port => $2,
+ :client_host => $1,
+ :client_port => $2,
+ :host => $3,
+ :port => $4,
 :session => sessionid,
 :ctime => Time.now,
 :mtime => Time.now
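Review bot: POP3 labels the service with `s[:name] = "pop3"` and `s[:proto] = "tcp"` in the `when nil` arm, while ftp.rb and imap.rb in the same commit tag the session with `s[:sname] ||= "ftp"` / `"imap4"` and drop `:proto` entirely; if report_auth_info keys the service name on `:sname`, as the ftp/imap changes suggest, POP3 credentials are stored without a service name, and if it does not, the other two parsers are the ones that regress. Pick one convention for all three parsers, e.g. add `s[:sname] ||= "pop3"` next to the `find_session` call as ftp.rb does. This arm also stops assigning `s[:banner]`, which the next hunk still reads. The case statement starts before this hunk.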
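Review bot: The added `s[:extra] = "Successful Login. Banner: #{s[:banner]}"` and the unchanged `print_status(... (#{s[:banner].strip}))` both read `s[:banner]`, but the hunk above replaces the only visible assignment to it with `s[:info] = matches`; unless `s[:banner]` is filled elsewhere outside this diff, the note is recorded as "Banner: " with nothing after it and `.strip` on nil raises NoMethodError after the credential has already been reported. Use `s[:info]` in both places, i.e. `s[:extra] = "Successful Login. Banner: #{s[:info]}"` and `(#{s[:info].to_s.strip})`. Re-setting `:proto`/`:name` here duplicates the assignments made when the banner arrived; a single `s[:sname] ||= "pop3"` at session creation would cover both paths. The enclosing case statement continues past the hunk.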
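Review bot: The new session hash drops `:target_host`/`:target_port` and re-points `:host`/`:port` from the client side to the server side, so any parser that still reads `s[:host]` as the client address (smb.rb did until this commit) or reads the removed keys now silently gets the server or nil; only ftp, imap, pop3 and smb are updated here, so the remaining psnuffle parsers should be grepped for `:target_host`, `:target_port` and `:host`. Keeping `:target_host => $1, :target_port => $2,` as deprecated aliases beside the new keys would make the rename non-breaking for readers not updated in this commit. When the tightened regex does not match (a host part containing ':' fails `[^:]+`, as it did before), no entry is created, and if the rest of find_session simply returns `sessions[sessionid]`, callers such as ftp.rb's `s[:sname] ||= "ftp"` would hit nil; find_session continues past the hunk.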