mirror of
https://github.com/bettercap/bettercap
synced 2025-07-07 21:42:06 -07:00
64 lines
1.5 KiB
Go
64 lines
1.5 KiB
Go
package modules
|
|
|
|
import (
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/evilsocket/bettercap-ng/core"
|
|
"github.com/evilsocket/bettercap-ng/packets"
|
|
|
|
"github.com/google/gopacket"
|
|
"github.com/google/gopacket/layers"
|
|
)
|
|
|
|
var (
|
|
ntlmRe = regexp.MustCompile("(WWW-|Proxy-|)(Authenticate|Authorization): (NTLM|Negotiate)")
|
|
challRe = regexp.MustCompile("(WWW-|Proxy-|)(Authenticate): (NTLM|Negotiate)")
|
|
respRe = regexp.MustCompile("(WWW-|Proxy-|)(Authorization): (NTLM|Negotiate)")
|
|
ntlm = packets.NewNTLMState()
|
|
)
|
|
|
|
func isNtlm(s string) bool {
|
|
return ntlmRe.FindString(s) != ""
|
|
}
|
|
|
|
func isChallenge(s string) bool {
|
|
return challRe.FindString(s) != ""
|
|
}
|
|
|
|
func isResponse(s string) bool {
|
|
return respRe.FindString(s) != ""
|
|
}
|
|
|
|
func ntlmParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
|
|
data := tcp.Payload
|
|
for _, line := range strings.Split(string(data), "\r\n") {
|
|
if isNtlm(line) {
|
|
tokens := strings.Split(line, " ")
|
|
if len(tokens) != 3 {
|
|
continue
|
|
}
|
|
if isChallenge(line) {
|
|
ntlm.AddServerResponse(tcp.Ack, tokens[2])
|
|
} else if isResponse(line) {
|
|
ntlm.AddClientResponse(tcp.Seq, tokens[2], func(data packets.NTLMChallengeResponseParsed) {
|
|
NewSnifferEvent(
|
|
pkt.Metadata().Timestamp,
|
|
"ntlm.response",
|
|
ip.SrcIP.String(),
|
|
ip.DstIP.String(),
|
|
SniffData{
|
|
"data": data,
|
|
},
|
|
"%s %s > %s | %s",
|
|
core.W(core.BG_DGRAY+core.FG_WHITE, "ntlm.response"),
|
|
vIP(ip.SrcIP),
|
|
vIP(ip.DstIP),
|
|
data.LcString(),
|
|
).Push()
|
|
})
|
|
}
|
|
}
|
|
}
|
|
return true
|
|
}
|