mirror of
https://github.com/bettercap/bettercap
synced 2025-07-06 04:52:10 -07:00
new: new teamviewer packet parser for net.sniff
This commit is contained in:
parent
0d7eb43ee5
commit
db7d6b64f0
3 changed files with 163 additions and 0 deletions
|
@ -14,6 +14,7 @@ var tcpParsers = []func(*layers.IPv4, gopacket.Packet, *layers.TCP) bool{
|
||||||
ntlmParser,
|
ntlmParser,
|
||||||
httpParser,
|
httpParser,
|
||||||
ftpParser,
|
ftpParser,
|
||||||
|
teamViewerParser,
|
||||||
}
|
}
|
||||||
|
|
||||||
func onTCP(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
|
func onTCP(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
|
||||||
|
|
32
modules/net_sniff_teamviewer.go
Normal file
32
modules/net_sniff_teamviewer.go
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
package modules
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/bettercap/bettercap/packets"
|
||||||
|
|
||||||
|
"github.com/google/gopacket"
|
||||||
|
"github.com/google/gopacket/layers"
|
||||||
|
|
||||||
|
"github.com/evilsocket/islazy/tui"
|
||||||
|
)
|
||||||
|
|
||||||
|
func teamViewerParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
|
||||||
|
if tcp.SrcPort == packets.TeamViewerPort || tcp.DstPort == packets.TeamViewerPort {
|
||||||
|
if tv := packets.ParseTeamViewer(tcp.Payload); tv != nil {
|
||||||
|
NewSnifferEvent(
|
||||||
|
pkt.Metadata().Timestamp,
|
||||||
|
"teamviewer",
|
||||||
|
ip.SrcIP.String(),
|
||||||
|
ip.DstIP.String(),
|
||||||
|
nil,
|
||||||
|
"%s %s %s > %s",
|
||||||
|
tui.Wrap(tui.BACKYELLOW+tui.FOREWHITE, "teamviewer"),
|
||||||
|
vIP(ip.SrcIP),
|
||||||
|
tui.Yellow(tv.Command),
|
||||||
|
vIP(ip.DstIP),
|
||||||
|
).Push()
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
130
packets/teamviewer.go
Normal file
130
packets/teamviewer.go
Normal file
|
@ -0,0 +1,130 @@
|
||||||
|
package packets
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/binary"
|
||||||
|
"fmt"
|
||||||
|
)
|
||||||
|
|
||||||
|
const TeamViewerPort = 5938
|
||||||
|
|
||||||
|
var teamViewerCommands = map[uint8]string{
|
||||||
|
10: "CMD_IDENTIFY",
|
||||||
|
11: "CMD_REQUESTCONNECT",
|
||||||
|
13: "CMD_DISCONNECT",
|
||||||
|
14: "CMD_VNCDISCONNECT",
|
||||||
|
15: "CMD_TVCONNECTIONFAILED",
|
||||||
|
16: "CMD_PING",
|
||||||
|
17: "CMD_PINGOK",
|
||||||
|
18: "CMD_MASTERCOMMAND",
|
||||||
|
19: "CMD_MASTERRESPONSE",
|
||||||
|
20: "CMD_CHANGECONNECTION",
|
||||||
|
21: "CMD_NOPARTNERCONNECT",
|
||||||
|
22: "CMD_CONNECTTOWAITINGTHREAD",
|
||||||
|
23: "CMD_SESSIONMODE",
|
||||||
|
24: "CMD_REQUESTROUTINGSESSION",
|
||||||
|
25: "CMD_TIMEOUT",
|
||||||
|
26: "CMD_JAVACONNECT",
|
||||||
|
27: "CMD_KEEPALIVEBEEP",
|
||||||
|
28: "CMD_REQUESTKEEPALIVE",
|
||||||
|
29: "CMD_MASTERCOMMAND_ENCRYPTED",
|
||||||
|
30: "CMD_MASTERRESPONSE_ENCRYPTED",
|
||||||
|
31: "CMD_REQUESTRECONNECT",
|
||||||
|
32: "CMD_RECONNECTTOWAITINGTHREAD",
|
||||||
|
33: "CMD_STARTLOGGING",
|
||||||
|
34: "CMD_SERVERAVAILABLE",
|
||||||
|
35: "CMD_KEEPALIVEREQUEST",
|
||||||
|
36: "CMD_OK",
|
||||||
|
37: "CMD_FAILED",
|
||||||
|
38: "CMD_PING_PERFORMANCE",
|
||||||
|
39: "CMD_PING_PERFORMANCE_RESPONSE",
|
||||||
|
40: "CMD_REQUESTKEEPALIVE2",
|
||||||
|
41: "CMD_DISCONNECT_SWITCHEDTOUDP",
|
||||||
|
42: "CMD_SENDMODE_UDP",
|
||||||
|
43: "CMD_KEEPALIVEREQUEST_ANSWER",
|
||||||
|
44: "CMD_ROUTE_CMD_TO_CLIENT",
|
||||||
|
45: "CMD_NEW_MASTERLOGIN",
|
||||||
|
46: "CMD_BUDDY",
|
||||||
|
47: "CMD_ACCEPTROUTINGSESSION",
|
||||||
|
48: "CMD_NEW_MASTERLOGIN_ANSWER",
|
||||||
|
49: "CMD_BUDDY_ENCRYPTED",
|
||||||
|
50: "CMD_REQUEST_ROUTE_BUDDY",
|
||||||
|
51: "CMD_CONTACT_OTHER_MASTER",
|
||||||
|
52: "CMD_REQUEST_ROUTE_ENCRYPTED",
|
||||||
|
53: "CMD_ENDSESSION",
|
||||||
|
54: "CMD_SESSIONID",
|
||||||
|
55: "CMD_RECONNECT_TO_SESSION",
|
||||||
|
56: "CMD_RECONNECT_TO_SESSION_ANSWER",
|
||||||
|
57: "CMD_MEETING_CONTROL",
|
||||||
|
58: "CMD_CARRIER_SWITCH",
|
||||||
|
59: "CMD_MEETING_AUTHENTICATION",
|
||||||
|
60: "CMD_ROUTERCMD",
|
||||||
|
61: "CMD_PARTNERRECONNECT",
|
||||||
|
62: "CMD_CONGRESTION_CONTROL",
|
||||||
|
63: "CMD_ACK",
|
||||||
|
70: "CMD_UDPREQUESTCONNECT",
|
||||||
|
71: "CMD_UDPPING",
|
||||||
|
72: "CMD_UDPREQUESTCONNECT_VPN",
|
||||||
|
90: "CMD_DATA",
|
||||||
|
91: "CMD_DATA2",
|
||||||
|
92: "CMD_DATA_ENCRYPTED",
|
||||||
|
93: "CMD_REQUESTENCRYPTION",
|
||||||
|
94: "CMD_CONFIRMENCRYPTION",
|
||||||
|
95: "CMD_ENCRYPTIONREQUESTFAILED",
|
||||||
|
96: "CMD_REQUESTNOENCRYPTION",
|
||||||
|
97: "CMD_UDPFLOWCONTROL",
|
||||||
|
98: "CMD_DATA3",
|
||||||
|
99: "CMD_DATA3_ENCRYPTED",
|
||||||
|
100: "CMD_DATA3_RESENDPACKETS",
|
||||||
|
101: "CMD_DATA3_ACKPACKETS",
|
||||||
|
102: "CMD_AUTH_CHALLENGE",
|
||||||
|
103: "CMD_AUTH_RESPONSE",
|
||||||
|
104: "CMD_AUTH_RESULT",
|
||||||
|
105: "CMD_RIP_MESSAGES",
|
||||||
|
106: "CMD_DATA4",
|
||||||
|
107: "CMD_DATASTREAM",
|
||||||
|
108: "CMD_UDPHEARTBEAT",
|
||||||
|
109: "CMD_DATA_DIRECTED",
|
||||||
|
110: "CMD_UDP_RESENDPACKETS",
|
||||||
|
111: "CMD_UDP_ACKPACKETS",
|
||||||
|
112: "CMD_UDP_PROTECTEDCOMMAND",
|
||||||
|
113: "CMD_FLUSHSENDBUFFER",
|
||||||
|
}
|
||||||
|
|
||||||
|
type TeamViewerPacket struct {
|
||||||
|
Magic uint16
|
||||||
|
Version string
|
||||||
|
CommandCode uint8
|
||||||
|
Command string
|
||||||
|
}
|
||||||
|
|
||||||
|
func ParseTeamViewer(data []byte) *TeamViewerPacket {
|
||||||
|
if len(data) < 3 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
magic := binary.BigEndian.Uint16(data[0:2])
|
||||||
|
cmdCode := uint8(data[3])
|
||||||
|
version := "1.x"
|
||||||
|
cmd := "CMD_?"
|
||||||
|
|
||||||
|
if magic == 0x1724 {
|
||||||
|
version = "1.x"
|
||||||
|
} else if magic == 0x1130 {
|
||||||
|
version = "2.x"
|
||||||
|
} else {
|
||||||
|
version = fmt.Sprintf("?.? (magic=0x%x)", magic)
|
||||||
|
}
|
||||||
|
|
||||||
|
if val, found := teamViewerCommands[cmdCode]; !found {
|
||||||
|
return nil
|
||||||
|
} else {
|
||||||
|
cmd = val
|
||||||
|
}
|
||||||
|
|
||||||
|
return &TeamViewerPacket{
|
||||||
|
Magic: magic,
|
||||||
|
Version: version,
|
||||||
|
CommandCode: cmdCode,
|
||||||
|
Command: cmd,
|
||||||
|
}
|
||||||
|
}
|
Loading…
Add table
Add a link
Reference in a new issue