From 68b05ac469212c61771b6769311abdb7f8a64052 Mon Sep 17 00:00:00 2001
From: evilsocket
Date: Sun, 11 Feb 2018 05:45:02 +0100
Subject: [PATCH] new: ntlm parser

---
 modules/net_sniff_ntlm.go | 63 ++++++++++++++++++++++++++++++++++++
 modules/net_sniff_parsers.go | 6 ++--
 2 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 modules/net_sniff_ntlm.go

diff --git a/modules/net_sniff_ntlm.go b/modules/net_sniff_ntlm.go
new file mode 100644
index 00000000..e67c1061
--- /dev/null
+++ b/modules/net_sniff_ntlm.go
@@ -0,0 +1,63 @@
+package modules
+
+import (
+ "regexp"
+ "strings"
+
+ "github.com/evilsocket/bettercap-ng/core"
+
+ "github.com/google/gopacket"
+ "github.com/google/gopacket/layers"
+)
+
+var (
+ ntlmRe = regexp.MustCompile("(WWW-|Proxy-|)(Authenticate|Authorization): (NTLM|Negotiate)")
+ challRe = regexp.MustCompile("(WWW-|Proxy-|)(Authenticate): (NTLM|Negotiate)")
+ respRe = regexp.MustCompile("(WWW-|Proxy-|)(Authorization): (NTLM|Negotiate)")
+)
+
+func isNtlm(s string) bool {
+ return ntlmRe.FindString(s) != ""
+}
+
+func isChallenge(s string) bool {
+ return challRe.FindString(s) != ""
+}
+
+func isResponse(s string) bool {
+ return respRe.FindString(s) != ""
+}
+
+func ntlmParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
+ data := tcp.Payload
+ for _, line := range strings.Split(string(data), "\r\n") {
+ if isNtlm(line) {
+ tokens := strings.Split(line, " ")
+ if len(tokens) != 3 {
+ continue
+ }
+ what := "?"
+ if isChallenge(line) {
+ what = "challenge"
+ } else if isResponse(line) {
+ what = "response"
+ }
+
+ NewSnifferEvent(
+ pkt.Metadata().Timestamp,
+ "ntlm."+what,
+ ip.SrcIP.String(),
+ ip.DstIP.String(),
+ SniffData{
+ what: tokens[2],
+ },
+ "%s %s > %s | %s",
+ core.W(core.BG_DGRAY+core.FG_WHITE, "ntlm."+what),
+ vIP(ip.SrcIP),
+ vIP(ip.DstIP),
+ tokens[2],
+ ).Push()
+ }
+ }
+ return true
+}
diff --git a/modules/net_sniff_parsers.go b/modules/net_sniff_parsers.go
index ef62ebb2..db6da88c 100644
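Review bot: ntlmParser ends with an unconditional `return true`, so in the tcpParser chain introduced by the second hunk every TCP segment stops at ntlmParser and httpParser and the verbose "tcp" event are never reached, whether or not an NTLM header was found. Return whether an event was actually emitted: add `found := false` before the loop, `found = true` right after `).Push()`, and finish with `return found`. Separately, the event name is derived from the header direction only, so the initial NTLM negotiate message and any Negotiate token (which can carry Kerberos/SPNEGO rather than NTLM) in an Authorization header are all reported as `ntlm.response`; a comment on ntlmParser such as `// Classified by header name only: any Authorization NTLM/Negotiate token is reported as ntlm.response, any Authenticate one as ntlm.challenge.` would make that limitation explicit. As a style point, the three `is*` helpers can use `MatchString(s)` instead of `FindString(s) != ""`.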
--- a/modules/net_sniff_parsers.go
+++ b/modules/net_sniff_parsers.go
@@ -15,11 +15,11 @@ func tcpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
 if sniParser(ip, pkt, tcp) {
 return
+ } else if ntlmParser(ip, pkt, tcp) {
+ return
 } else if httpParser(ip, pkt, tcp) {
 return
- }
-
- if verbose == true {
+ } else if verbose == true {
 NewSnifferEvent(
 pkt.Metadata().Timestamp,
 "tcp",