github/bettercap
1
0
Fork 0
mirror of https://github.com/bettercap/bettercap.git synced 2025-03-12 04:36:03 -07:00
Code Issues Packages Projects Releases Wiki Activity

new: integrated net.sniff events into main events system ( with new.sniff.leak.* even type )

Browse Source
This commit is contained in:
evilsocket 2018-01-10 15:27:29 +01:00
parent 5bc00fb126
commit e8c6c7cf92
6 changed files with 115 additions and 28 deletions

4
caplets/local-sniffer.cap

@ -1,7 +1,7 @@
events.stream off
events.clear
set events.stream.filter net.sniff
events.stream on
# set events.stream.filter net.sniff
# events.stream on
set net.sniff.verbose false
set net.sniff.local true

13
modules/net_sniff_dns.go

@ -34,14 +34,23 @@ func dnsParser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
}
for hostname, ips := range m {
SniffPrinter("[%s] %s %s > %s : %s is %s\n",
NewSnifferEvent(
pkt.Metadata().Timestamp,
"dns",
ip.SrcIP.String(),
ip.DstIP.String(),
SniffData{
"Hostname": hostname,
"Addresses": ips,
},
"[%s] %s %s > %s : %s is %s",
vTime(pkt.Metadata().Timestamp),
core.W(core.BG_DGRAY+core.FG_WHITE, "dns"),
vIP(ip.SrcIP),
vIP(ip.DstIP),
core.Yellow(hostname),
core.Dim(strings.Join(ips, ", ")),
)
).Push()
}
return true

36
modules/net_sniff_event.go Normal file

@ -0,0 +1,36 @@
package modules
import (
"fmt"
"time"
"github.com/evilsocket/bettercap-ng/session"
)
type SniffData map[string]interface{}
type SnifferEvent struct {
PacketTime time.Time
Protocol string
Source string
Destination string
Data SniffData
Message string
}
func NewSnifferEvent(t time.Time, proto string, src string, dst string, data SniffData, format string, args ...interface{}) SnifferEvent {
return SnifferEvent{
PacketTime: t,
Protocol: proto,
Source: src,
Destination: dst,
Data: data,
Message: fmt.Sprintf(format, args...),
}
}
func (e SnifferEvent) Push() {
fmt.Printf("%s\n", e.Message)
session.I.Events.Add("net.sniff.leak."+e.Protocol, e.Data)
session.I.Input.Refresh()
}

25
modules/net_sniff_http.go

@ -26,25 +26,40 @@ func httpParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
return false
}
method := string(m[1])
hostname := string(m[2])
path := string(m[3])
ua := ""
mu := uaRe.FindSubmatch(data)
if len(mu) == 2 {
ua = string(mu[1])
}
url := fmt.Sprintf("%s", core.Yellow(string(m[3])))
url := fmt.Sprintf("%s", core.Yellow(path))
if tcp.DstPort != 80 {
url += fmt.Sprintf(":%s", vPort(tcp.DstPort))
}
url += fmt.Sprintf("%s", string(m[2]))
url += fmt.Sprintf("%s", hostname)
SniffPrinter("[%s] %s %s %s %s %s\n",
NewSnifferEvent(
pkt.Metadata().Timestamp,
"http",
ip.SrcIP.String(),
hostname,
SniffData{
"Method": method,
"Hostname": hostname,
"URL": url,
"UA": ua,
},
"[%s] %s %s %s %s %s",
vTime(pkt.Metadata().Timestamp),
core.W(core.BG_RED+core.FG_BLACK, "http"),
vIP(ip.SrcIP),
core.W(core.BG_LBLUE+core.FG_BLACK, vURL(string(m[1]))),
core.W(core.BG_LBLUE+core.FG_BLACK, method),
vURL(url),
core.Dim(ua))
core.Dim(ua),
).Push()
return true
}

52
modules/net_sniff_parsers.go

@ -5,20 +5,11 @@ import (
"github.com/evilsocket/bettercap-ng/core"
"github.com/evilsocket/bettercap-ng/log"
"github.com/evilsocket/bettercap-ng/session"
"github.com/google/gopacket"
"github.com/google/gopacket/layers"
)
type SniffPrinterType func(format string, args ...interface{}) (int, error)
var SniffPrinter = SniffPrinterType(func(format string, args ...interface{}) (n int, e error) {
n, e = fmt.Printf(format, args...)
session.I.Input.Refresh()
return
})
func tcpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
tcp := pkt.Layer(layers.LayerTypeTCP).(*layers.TCP)
@ -29,14 +20,23 @@ func tcpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
}
if verbose == true {
SniffPrinter("[%s] %s %s:%s > %s:%s %s\n",
NewSnifferEvent(
pkt.Metadata().Timestamp,
"tcp",
fmt.Sprintf("%s:%s", ip.SrcIP, vPort(tcp.SrcPort)),
fmt.Sprintf("%s:%s", ip.DstIP, vPort(tcp.DstPort)),
SniffData{
"Size": len(ip.Payload),
},
"[%s] %s %s:%s > %s:%s %s",
vTime(pkt.Metadata().Timestamp),
core.W(core.BG_LBLUE+core.FG_BLACK, "tcp"),
vIP(ip.SrcIP),
vPort(tcp.SrcPort),
vIP(ip.DstIP),
vPort(tcp.DstPort),
core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))))
core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))),
).Push()
}
}
@ -48,25 +48,43 @@ func udpParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
}
if verbose == true {
SniffPrinter("[%s] %s %s:%s > %s:%s %s\n",
NewSnifferEvent(
pkt.Metadata().Timestamp,
"udp",
fmt.Sprintf("%s:%s", ip.SrcIP, vPort(udp.SrcPort)),
fmt.Sprintf("%s:%s", ip.DstIP, vPort(udp.DstPort)),
SniffData{
"Size": len(ip.Payload),
},
"[%s] %s %s:%s > %s:%s %s",
vTime(pkt.Metadata().Timestamp),
core.W(core.BG_DGRAY+core.FG_WHITE, "udp"),
vIP(ip.SrcIP),
vPort(udp.SrcPort),
vIP(ip.DstIP),
vPort(udp.DstPort),
core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))))
core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))),
).Push()
}
}
func unkParser(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
if verbose == true {
SniffPrinter("[%s] [%s] %s > %s (%d bytes)\n",
vTime(pkt.Metadata().Timestamp),
pkt.TransportLayer().LayerType(),
NewSnifferEvent(
pkt.Metadata().Timestamp,
pkt.TransportLayer().LayerType().String(),
vIP(ip.SrcIP),
vIP(ip.DstIP),
len(ip.Payload))
SniffData{
"Size": len(ip.Payload),
},
"[%s] %s %s > %s %s",
vTime(pkt.Metadata().Timestamp),
core.W(core.BG_DGRAY+core.FG_WHITE, pkt.TransportLayer().LayerType().String()),
vIP(ip.SrcIP),
vIP(ip.DstIP),
core.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))),
).Push()
}
}

13
modules/net_sniff_sni.go

@ -31,11 +31,20 @@ func sniParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
domain = fmt.Sprintf("%s:%d", domain, tcp.DstPort)
}
SniffPrinter("[%s] %s %s > %s\n",
NewSnifferEvent(
pkt.Metadata().Timestamp,
"sni",
ip.SrcIP.String(),
domain,
SniffData{
"Domain": domain,
},
"[%s] %s %s > %s",
vTime(pkt.Metadata().Timestamp),
core.W(core.BG_YELLOW+core.FG_WHITE, "sni"),
vIP(ip.SrcIP),
core.Yellow("https://"+domain))
core.Yellow("https://"+domain),
).Push()
return true
}