Beercow/POSeidon.py

## POSeidon.py
#!/usr/bin/env python
#author Beercow

import dpkt, re, base64, sys

def decodeb64(data):
    data = base64.b64decode(str(data))
    return data

def decodexor(data):
    ptext=''
    for b in data:
        ptext+= chr(ord(b) ^ ord('\x2A'))
    return ptext

def parse_pcap_file(filename):
    '''
    Parses through a PCAP file looking for http requests and responses. If found,
    they are provided as argument to the relevant parse_* functions.
    Reference:
    https://blog.bramp.net/post/2010/01/10/follow-http-stream-with-decompression/
    '''
    try:
        f = open(filename, 'rb')
        pcap = dpkt.pcap.Reader(f)
    except:
        f = open(filename, 'rb')
        pcap = dpkt.pcapng.Reader(f)
    conn = dict()
    print 'POST data,uinfo("<computer_name>@<user\domain>",win(<major><minor>),ver(<hardcoded_findstr_version>),data(cc numbers),logs (keylogger data)'
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        if eth.type != dpkt.ethernet.ETH_TYPE_IP:
            continue
        ip = eth.data
        if ip.p != dpkt.ip.IP_PROTO_TCP:
            continue
        tcp = ip.data
        ip_tupl = (ip.src, ip.dst, tcp.sport, tcp.dport)
        if ip_tupl in conn:
            conn[ip_tupl] = conn[ip_tupl] + tcp.data
        else:
            conn[ip_tupl] = tcp.data
        try:
            stream = conn[ip_tupl]
#            print stream
            regex = "(oprat.*)"
            output = re.findall(regex, stream, re.IGNORECASE)
            if len(output) != 0:
                for element in output:
                    parts = element.split(',')
                    if 'POST' in str(parts):
                        regex = "(oprat.*?)POST"
                        parts = re.findall(regex, str(parts), re.IGNORECASE)
                    regex = "uinfo=(.*?)&"
                    uinfo = re.findall(regex, str(parts), re.IGNORECASE)
                    uinfo = decodeb64(uinfo)
                    regex = "win=(.*?)&"
                    win = re.findall(regex, str(parts), re.IGNORECASE)
                    regex = "vers=(.*?M)"
                    vers = re.findall(regex, str(parts), re.IGNORECASE)
                    regex = "data=(.*?)(?:'|&)"
                    data = re.findall(regex, str(parts), re.IGNORECASE)
                    data = decodeb64(data)
                    data = decodexor(data)
                    regex = "logs=(.*?)(?:'|&)"
                    logs = re.findall(regex, str(parts), re.IGNORECASE)
                    logs = decodeb64(logs)
                    logs = decodexor(logs)
                    print "".join(parts) + ',' + "".join(uinfo) + ',' + "".join(win) + ',' + "".join(vers) + ',' + "".join(data) + ',' + "".join(logs)
        except:
            pass
    f.close()

if __name__ == '__main__':
    if len(sys.argv) <= 1:
        print "%s [pcap file]" % __file__
        sys.exit(2)
    parse_pcap_file(sys.argv[1])
	#!/usr/bin/env python
	#author Beercow

	import dpkt, re, base64, sys

	def decodeb64(data):
	data = base64.b64decode(str(data))
	return data

	def decodexor(data):
	ptext=''
	for b in data:
	ptext+= chr(ord(b) ^ ord('\x2A'))
	return ptext

	def parse_pcap_file(filename):
	'''
	Parses through a PCAP file looking for http requests and responses. If found,
	they are provided as argument to the relevant parse_* functions.
	Reference:
	https://blog.bramp.net/post/2010/01/10/follow-http-stream-with-decompression/
	'''
	try:
	f = open(filename, 'rb')
	pcap = dpkt.pcap.Reader(f)
	except:
	f = open(filename, 'rb')
	pcap = dpkt.pcapng.Reader(f)
	conn = dict()
	print 'POST data,uinfo("<computer_name>@<user\domain>",win(<major><minor>),ver(<hardcoded_findstr_version>),data(cc numbers),logs (keylogger data)'
	for ts, buf in pcap:
	eth = dpkt.ethernet.Ethernet(buf)
	if eth.type != dpkt.ethernet.ETH_TYPE_IP:
	continue
	ip = eth.data
	if ip.p != dpkt.ip.IP_PROTO_TCP:
	continue
	tcp = ip.data
	ip_tupl = (ip.src, ip.dst, tcp.sport, tcp.dport)
	if ip_tupl in conn:
	conn[ip_tupl] = conn[ip_tupl] + tcp.data
	else:
	conn[ip_tupl] = tcp.data
	try:
	stream = conn[ip_tupl]
	# print stream
	regex = "(oprat.*)"
	output = re.findall(regex, stream, re.IGNORECASE)
	if len(output) != 0:
	for element in output:
	parts = element.split(',')
	if 'POST' in str(parts):
	regex = "(oprat.*?)POST"
	parts = re.findall(regex, str(parts), re.IGNORECASE)
	regex = "uinfo=(.*?)&"
	uinfo = re.findall(regex, str(parts), re.IGNORECASE)
	uinfo = decodeb64(uinfo)
	regex = "win=(.*?)&"
	win = re.findall(regex, str(parts), re.IGNORECASE)
	regex = "vers=(.*?M)"
	vers = re.findall(regex, str(parts), re.IGNORECASE)
	regex = "data=(.*?)(?:'\|&)"
	data = re.findall(regex, str(parts), re.IGNORECASE)
	data = decodeb64(data)
	data = decodexor(data)
	regex = "logs=(.*?)(?:'\|&)"
	logs = re.findall(regex, str(parts), re.IGNORECASE)
	logs = decodeb64(logs)
	logs = decodexor(logs)
	print "".join(parts) + ',' + "".join(uinfo) + ',' + "".join(win) + ',' + "".join(vers) + ',' + "".join(data) + ',' + "".join(logs)
	except:
	pass
	f.close()

	if __name__ == '__main__':
	if len(sys.argv) <= 1:
	print "%s [pcap file]" % __file__
	sys.exit(2)
	parse_pcap_file(sys.argv[1])