new: added net.sniff FTP credentials parser (closes #424)

2025-08-14 02:36:57 -07:00 · 2019-01-29 13:02:14 +01:00 · 2019-01-29 13:02:14 +01:00 · 36a6bb87ce
commit 36a6bb87ce
parent 8230b8bca6
2 changed files with 44 additions and 0 deletions
--- a/modules/net_sniff_ftp.go
+++ b/modules/net_sniff_ftp.go
@ -0,0 +1,42 @@
+package modules
+
+import (
+	"regexp"
+
+	"github.com/google/gopacket"
+	"github.com/google/gopacket/layers"
+
+	"github.com/evilsocket/islazy/str"
+	"github.com/evilsocket/islazy/tui"
+)
+
+var (
+	ftpRe = regexp.MustCompile(`^(USER|PASS) (.+)[\n\r]+$`)
+)
+
+func ftpParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
+	data := string(tcp.Payload)
+
+	if matches := ftpRe.FindAllStringSubmatch(data, -1); matches != nil {
+		what := str.Trim(matches[0][1])
+		cred := str.Trim(matches[0][2])
+		NewSnifferEvent(
+			pkt.Metadata().Timestamp,
+			"ftp",
+			ip.SrcIP.String(),
+			ip.DstIP.String(),
+			nil,
+			"%s %s > %s:%s - %s %s",
+			tui.Wrap(tui.BACKYELLOW+tui.FOREWHITE, "ftp"),
+			vIP(ip.SrcIP),
+			vIP(ip.DstIP),
+			vPort(tcp.DstPort),
+			tui.Bold(what),
+			tui.Yellow(cred),
+		).Push()
+
+		return true
+	}
+
+	return false
+}
--- a/modules/net_sniff_parsers.go
+++ b/modules/net_sniff_parsers.go
@ -21,6 +21,8 @@ func tcpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
 		return
 	} else if httpParser(ip, pkt, tcp) {
 		return
+	} else if ftpParser(ip, pkt, tcp) {
+		return
 	} else if verbose {
 		NewSnifferEvent(
 			pkt.Metadata().Timestamp,