From bdfa1856ac6b23d6beb932d195a87c65e506e6da Mon Sep 17 00:00:00 2001
From: ShellCode33
Date: Thu, 3 Nov 2022 20:23:24 +0100
Subject: [PATCH 1/3] Use the new BaseLayer of pyshark to fix #16
---
 credslayer/parsers/ftp.py | 4 ++--
 credslayer/parsers/http.py | 4 ++--
 credslayer/parsers/imap.py | 4 ++--
 credslayer/parsers/kerberos.py | 4 ++--
 credslayer/parsers/ldap.py | 4 ++--
 credslayer/parsers/mysql.py | 4 ++--
 credslayer/parsers/ntlmssp.py | 4 ++--
 credslayer/parsers/pgsql.py | 4 ++--
 credslayer/parsers/pop.py | 4 ++--
 credslayer/parsers/smtp.py | 4 ++--
 credslayer/parsers/snmp.py | 4 ++--
 credslayer/parsers/telnet.py | 4 ++--
 12 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/credslayer/parsers/ftp.py b/credslayer/parsers/ftp.py
index fd54056..482f36e 100644
--- a/credslayer/parsers/ftp.py
+++ b/credslayer/parsers/ftp.py
@@ -1,12 +1,12 @@
 # coding: utf-8
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/http.py b/credslayer/parsers/http.py
index dd0e535..d92f9aa 100644
--- a/credslayer/parsers/http.py
+++ b/credslayer/parsers/http.py
@@ -3,7 +3,7 @@
 import base64
 from urllib.parse import parse_qs
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
@@ -26,7 +26,7 @@
 'j_password']
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/imap.py b/credslayer/parsers/imap.py
index e83562d..bae6f8b 100644
--- a/credslayer/parsers/imap.py
+++ b/credslayer/parsers/imap.py
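Review bot: Switching the import to `pyshark.packet.layers.base` makes every parser module raise ImportError on pyshark releases that predate the `layers` package, and the diffstat shows no accompanying change to the project's dependency declaration, so an install that satisfies the current pin fails at import time rather than at first use. Since `BaseLayer` is only used as a type annotation here, either pin the minimum pyshark version that ships it in the same change (the exact version is not visible in this patch — use the one the #16 fix was verified against), or guard the import with a `try`/`except ImportError` that aliases the old `Layer` class as `BaseLayer` if both pyshark ranges must stay supported. The same hunk appears in http.py, imap.py, kerberos.py, ldap.py, mysql.py, ntlmssp.py, pgsql.py, pop.py, smtp.py, snmp.py and telnet.py. The body of each `analyse` continues outside the hunk.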
@@ -1,12 +1,12 @@
 # coding: utf-8
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/kerberos.py b/credslayer/parsers/kerberos.py
index 601940f..f4df016 100644
--- a/credslayer/parsers/kerberos.py
+++ b/credslayer/parsers/kerberos.py
@@ -1,12 +1,12 @@
 # coding: utf-8
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
-def analyse(session: Session, layer: Layer) -> bool:
+def analyse(session: Session, layer: BaseLayer) -> bool:
 logger.debug("Kerberos analysis...")
 return False
diff --git a/credslayer/parsers/ldap.py b/credslayer/parsers/ldap.py
index 0628ec1..d13b0a3 100644
--- a/credslayer/parsers/ldap.py
+++ b/credslayer/parsers/ldap.py
@@ -1,11 +1,11 @@
 # coding: utf-8
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/mysql.py b/credslayer/parsers/mysql.py
index e38ecc3..2b0f157 100644
--- a/credslayer/parsers/mysql.py
+++ b/credslayer/parsers/mysql.py
@@ -1,12 +1,12 @@
 # coding: utf-8
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/ntlmssp.py b/credslayer/parsers/ntlmssp.py
index c2b0309..b2b307f 100644
--- a/credslayer/parsers/ntlmssp.py
+++ b/credslayer/parsers/ntlmssp.py
@@ -3,7 +3,7 @@
 import base64
 from typing import Tuple
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
@@ -30,7 +30,7 @@ def _fix_tshark_widechar_issue(layer) -> Tuple[str, str]:
 # Great resource : http://davenport.sourceforge.net/ntlm.html#theNtlmv2Response
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/pgsql.py b/credslayer/parsers/pgsql.py
index 4c5b42a..6ad4e2c 100644
--- a/credslayer/parsers/pgsql.py
+++ b/credslayer/parsers/pgsql.py
@@ -1,12 +1,12 @@
 # coding: utf-8
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/pop.py b/credslayer/parsers/pop.py
index e818179..57ba703 100644
--- a/credslayer/parsers/pop.py
+++ b/credslayer/parsers/pop.py
@@ -1,11 +1,11 @@
 # coding: utf-8
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import utils, logger
 from credslayer.core.session import Session
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/smtp.py b/credslayer/parsers/smtp.py
index 5259cc5..757ec4a 100644
--- a/credslayer/parsers/smtp.py
+++ b/credslayer/parsers/smtp.py
@@ -2,13 +2,13 @@
 from base64 import b64decode
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import utils, logger
 from credslayer.core.session import Session
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/snmp.py b/credslayer/parsers/snmp.py
index 824abcd..18c30cf 100644
--- a/credslayer/parsers/snmp.py
+++ b/credslayer/parsers/snmp.py
@@ -1,12 +1,12 @@
 # coding: utf-8
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
diff --git a/credslayer/parsers/telnet.py b/credslayer/parsers/telnet.py
index 6a3df5d..1315001 100644
--- a/credslayer/parsers/telnet.py
+++ b/credslayer/parsers/telnet.py
@@ -1,5 +1,5 @@
 # coding: utf-8
-from pyshark.packet.layer import Layer
+from pyshark.packet.layers.base import BaseLayer
 from credslayer.core import logger
 from credslayer.core.session import Session
@@ -27,7 +27,7 @@ def _is_username_duplicated(username: str) -> bool:
 return True
-def analyse(session: Session, layer: Layer):
+def analyse(session: Session, layer: BaseLayer):
 if not hasattr(layer, "data"):
 return
From 6b63b143f0ebd0cdac9ef03abc2c0d72c6dfcda6 Mon Sep 17 00:00:00 2001
From: ShellCode33
Date: Thu, 3 Nov 2022 20:45:03 +0100
Subject: [PATCH 2/3] parsers/ntlmssp.py : nt_status appears to be hex now
---
 credslayer/parsers/ntlmssp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/credslayer/parsers/ntlmssp.py b/credslayer/parsers/ntlmssp.py
index b2b307f..0fc23f4 100644
--- a/credslayer/parsers/ntlmssp.py
+++ b/credslayer/parsers/ntlmssp.py
@@ -35,7 +35,7 @@ def analyse(session: Session, layer: BaseLayer):
 current_creds = session.credentials_being_built
 if current_creds and hasattr(layer, "nt_status"):
- status = int(layer.nt_status)
+ status = int(layer.nt_status, 16)
 if status == 0: # LOGON SUCCESS
 logger.found(session, "{} found: {}".format(current_creds.context["version"], current_creds.hash))
From c044d34d93ebe35126f9267199050c1fdb931d91 Mon Sep 17 00:00:00 2001
From: ShellCode33
Date: Thu, 3 Nov 2022 20:45:22 +0100
Subject: [PATCH 3/3] Fix some tests that were not working anymore for some reason
---
 tests/tests.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/tests/tests.py b/tests/tests.py
index 553d7d8..f5efcec 100644
--- a/tests/tests.py
+++ b/tests/tests.py
@@ -76,13 +76,25 @@ def test_http_basic_auth(self):
 def test_http_post_auth(self):
 credentials_list = process_pcap("samples/http-post-auth.pcap").get_list_of_all_credentials()
 print(credentials_list)
- self.assertTrue(Credentials('toto', 'Str0ngP4ssw0rd') in credentials_list)
+ self.assertTrue(
+ Credentials(
+ 'toto',
+ 'Str0ngP4ssw0rd',
+ context={'Method': 'POST', 'URL': 'http://192.168.56.101:1337/login'}
+ ) in credentials_list
+ )
 self.assertTrue(len(credentials_list) == 1)
 def test_http_get_auth(self):
 credentials_list = process_pcap("samples/http-get-auth.pcap").get_list_of_all_credentials()
 print(credentials_list)
- self.assertTrue(Credentials('admin', 'qwerty1234') in credentials_list)
+ self.assertTrue(
+ Credentials(
+ 'admin',
+ 'qwerty1234',
+ context={'Method': 'GET', 'URL': 'http://192.168.56.101:1337/login?login=admin&password=qwerty1234'}
+ ) in credentials_list
+ )
 self.assertTrue(len(credentials_list) == 1)
 def test_ldap(self):
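Review bot: `int(layer.nt_status, 16)` raises ValueError on any value that is not hexadecimal, and because this runs on every NTLMSSP packet of a capture, a single packet whose field comes in an unexpected format now aborts the whole analysis instead of being skipped — the commit message itself only says the value "appears" to be hex. Catch the conversion failure, log the raw value at debug level and skip the packet, as below; whether the handler should `return` or only bypass the status branch depends on the rest of `analyse`, which continues outside the hunk. Note also that base 16 silently accepts a decimal-looking string (a decimal `"10"` parses as 16), so if pyshark's representation differs between versions the fallback should report the raw value rather than guess a second base.
```python
    if current_creds and hasattr(layer, "nt_status"):
        try:
            status = int(layer.nt_status, 16)
        except ValueError:
            # Field format depends on the pyshark/tshark version; skip this packet instead of aborting the capture.
            logger.debug("Unexpected nt_status value, skipping packet: {!r}".format(layer.nt_status))
            return
        # … unchanged: status handling (LOGON SUCCESS etc.) …
```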
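Review bot: The rewritten assertions in `test_http_post_auth` and `test_http_get_auth` still wrap a membership test in `assertTrue`, so when the expected `Credentials` (now carrying a `context` dict) is not found the failure reads only `False is not true` and gives no hint which context key diverged — the `print(credentials_list)` above is the sole diagnostic. `self.assertIn(Credentials('toto', 'Str0ngP4ssw0rd', context={...}), credentials_list)` and `self.assertEqual(len(credentials_list), 1)` report the actual list and length on failure with no other change; the `test_ntlmssp` hunk below has the same shape. These tests now pin the exact `context` the parsers emit, which presumably means `Credentials` equality compares `context` too; if so, a one-line comment in the test saying that would explain why the context-less form stopped matching, which the commit message leaves as "for some reason".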
@@ -180,7 +192,7 @@ def test_ntlmssp(self):
 self.assertTrue(len(remaining_credentials) == 6)
 self.assertTrue(Credentials(hash="administrator::example:ea46e3a07ea448d200000000000000000000000000000000:"
 "4d626ea83a02eee710571a2b84241788bd21e3a66ddbf4a5"
- ":CHALLENGE_NOT_FOUND") in remaining_credentials)
+ ":CHALLENGE_NOT_FOUND", context={'version': 'NETNTLMv1'}) in remaining_credentials)
 class ManagerTest(unittest.TestCase):