package modules import ( "regexp" "strings" "github.com/bettercap/bettercap/core" "github.com/bettercap/bettercap/packets" "github.com/google/gopacket" "github.com/google/gopacket/layers" ) var ( ntlmRe = regexp.MustCompile("(WWW-|Proxy-|)(Authenticate|Authorization): (NTLM|Negotiate)") challRe = regexp.MustCompile("(WWW-|Proxy-|)(Authenticate): (NTLM|Negotiate)") respRe = regexp.MustCompile("(WWW-|Proxy-|)(Authorization): (NTLM|Negotiate)") ntlm = packets.NewNTLMState() ) func isNtlm(s string) bool { return ntlmRe.FindString(s) != "" } func isChallenge(s string) bool { return challRe.FindString(s) != "" } func isResponse(s string) bool { return respRe.FindString(s) != "" } func ntlmParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool { data := tcp.Payload ok := false for _, line := range strings.Split(string(data), "\r\n") { if isNtlm(line) { tokens := strings.Split(line, " ") if len(tokens) != 3 { continue } if isChallenge(line) { ok = true ntlm.AddServerResponse(tcp.Ack, tokens[2]) } else if isResponse(line) { ok = true ntlm.AddClientResponse(tcp.Seq, tokens[2], func(data packets.NTLMChallengeResponseParsed) { NewSnifferEvent( pkt.Metadata().Timestamp, "ntlm.response", ip.SrcIP.String(), ip.DstIP.String(), nil, "%s %s > %s | %s", core.W(core.BG_DGRAY+core.FG_WHITE, "ntlm.response"), vIP(ip.SrcIP), vIP(ip.DstIP), data.LcString(), ).Push() }) } } } return ok }