A quick and dirty script to parse a PCAP file and decode Ranbyus C&C communications
#!/usr/bin/env python
import dpkt, sys
def b64decode(string, alphabet):
    """Decode base64 text written with a custom 64-character alphabet.

    Padding ('=') is stripped first. Every symbol after the first of each
    4-symbol group yields one output byte, assembled from the low bits left
    over from the previous symbol and the high bits of the current one; after
    three bytes the 24-bit group is used up and the cycle restarts.

    Args:
        string: base64 text, optionally padded with '='.
        alphabet: the 64-character alphabet the data was encoded with. A
            symbol that is not in it raises ValueError (from str.index).

    Returns:
        The decoded data as a str, one chr() per output byte.
    """
    symbols = string.replace("=", "")
    out = []
    pending_bits = 0
    for pos, sym in enumerate(symbols):
        if pending_bits == 0:
            # First symbol of a group only supplies bits for the next byte.
            pending_bits = 6
            continue
        carry = alphabet.index(symbols[pos - 1]) & ((1 << pending_bits) - 1)
        head = alphabet.index(sym) >> (pending_bits - 2)
        out.append(chr((carry << (8 - pending_bits)) | head))
        pending_bits -= 2
    return "".join(out)
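def pcapdecode(pcapfile, alphabet):
    """Yield the decoded parameter pairs of every C&C POST found in a pcap.

    Walks the capture record by record, keeps TCP segments sent to port 80
    that parse as an HTTP POST, base64-decodes the fifth whitespace-separated
    field of the POST body with the custom *alphabet*, and yields that
    payload split on '&' as a list of 'id=value' strings.

    Args:
        pcapfile: path to a pcap file. Records are handed to
            dpkt.ethernet.Ethernet as-is, so Ethernet link-layer framing is
            assumed.
        alphabet: the 64-character base64 alphabet used by the sample.

    Yields:
        list of str: the 'id=value' pairs of one decoded callback.

    Raises:
        ValueError: from dpkt.pcap.Reader when the file is not a pcap, or from
            b64decode when a payload holds a character outside *alphabet*;
            callers are expected to handle it.
        IOError: if *pcapfile* cannot be opened.
    """
    # pcap is a binary format; text mode would translate newlines on some
    # platforms and corrupt the records.
    with open(pcapfile, 'rb') as f:
        pcap = dpkt.pcap.Reader(f)
        for _ts, buf in pcap:
            try:
                eth = dpkt.ethernet.Ethernet(buf)
            except dpkt.UnpackError:
                continue  # truncated frame, nothing usable in it
            # An unknown ethertype leaves eth.data as raw bytes with no
            # .data attribute; treat that as "no transport layer".
            tcp = getattr(eth.data, 'data', None)
            if not isinstance(tcp, dpkt.tcp.TCP):
                continue
            if tcp.dport != 80 or not tcp.data:
                continue
            try:
                http_req = dpkt.http.Request(tcp.data)
            except Exception:
                # Segment is not a complete HTTP request (e.g. a continuation
                # of a larger body); skip to the next packet.
                continue
            if http_req.method != "POST":
                continue
            fields = http_req.body.split()
            # Element [4] is the base64 blob; a body with fewer fields is not
            # the callback layout we expect, so skip it rather than crash.
            if len(fields) < 5:
                continue
            # '&' is the parameter delimiter inside the decoded payload.
            yield b64decode(fields[4], alphabet).split('&')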
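def main():
    """Command-line entry point: print every decoded callback in the pcap.

    Usage: ``script (pcap file) (base64 alphabet)``. Each callback's
    'id=value' pairs are printed between rows of asterisks, followed by a
    count of callbacks found. A ValueError from reading the capture or
    decoding a payload (e.g. a character outside the alphabet), or an
    IOError opening the file, is printed instead of producing a traceback.
    """
    if len(sys.argv) != 3:
        sys.exit('Usage: %s (pcap file) (base64 alphabet)' % sys.argv[0])
    results = 0
    try:
        for result in pcapdecode(sys.argv[1], sys.argv[2]):
            # Single-argument print() reads the same under Python 2 (a
            # parenthesised print statement) and Python 3.
            print("*" * 15)
            for pair in result:
                print(pair)
            print("*" * 15)
            results += 1
    except (IOError, ValueError) as e:
        print(str(e))
    print("%d callbacks found" % results)


if __name__ == "__main__":
    main()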