#!/usr/bin/env python3.7
# BEGIN LICENSE #
#
# CERT Tapioca
#
# Copyright 2018 Carnegie Mellon University. All Rights Reserved.
#
# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER
# EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED
# TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY,
# OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON
# UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO
# FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
#
# Released under a BSD (SEI)-style license, please see license.txt or
# contact permission@sei.cmu.edu for full terms.
#
# [DISTRIBUTION STATEMENT A] This material has been approved for
# public release and unlimited distribution. Please see Copyright
# notice for non-US Government use and distribution.
# CERT(R) is registered in the U.S. Patent and Trademark Office by
# Carnegie Mellon University.
#
# DM18-0637
#
# END LICENSE #
from __future__ import print_function
import sys
import os
import pickle
import pyshark
import color
import argparse
import base64
import hashlib
import json
import re
from shutil import copy2
from mitmproxy import io
from misc import eprint, Logger
# File names of the capture artifacts Tapioca leaves in each results/<app>/
# directory.  The search code classifies hits by which of these a hit came
# from: the pcap is reported as unencrypted traffic, flows.log as validated
# ("protected") HTTPS and ssltest.log as non-validated ("UNPROTECTED") HTTPS.
pcapfile = 'tcpdump.pcap'
fullmitmfile = 'flows.log'
ssltestfile = 'ssltest.log'

# Report artifacts written next to the captures (the .txt name is further
# derived per search term by get_search_outname()).
report_output = 'search.txt'
json_output = 'search.json'

# Filled in by main() from the command line; read by the search callbacks.
args = ''
searchterm = ''
verbose = False

# Result flags.  They are module globals set by the search functions and
# accumulate across calls (nothing resets them) before being dumped into the
# JSON report by check_app().
found = foundunenc = foundunprot = foundprot = False
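def isstr(s):
    """Return True if *s* is text, or a byte string that decodes as strict UTF-8.

    Args:
        s: a ``str``, a bytes-like object, or anything else (``None``
            included).

    Returns:
        ``True`` for a ``str`` (it is already text) and for bytes that decode
        as strict UTF-8; ``False`` for undecodable bytes and for any
        non-string object.

    The previous version only handled ``bytes``: a ``str`` or ``None``
    argument escaped as ``AttributeError`` (no ``.decode``) instead of being
    answered, and the local name ``str`` shadowed the builtin.
    """
    if isinstance(s, str):
        return True
    if not isinstance(s, (bytes, bytearray, memoryview)):
        # None or any other object is not text we can search.
        return False
    try:
        bytes(s).decode('UTF-8', errors='strict')
    except UnicodeError:
        return False
    return True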
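def decodecontent(content):
    """Return *content* as text, or ``''`` when it cannot be read as UTF-8.

    Args:
        content: a message body as handed over by mitmproxy -- ``bytes``
            (or another bytes-like object), an already-decoded ``str``, or
            ``None`` when no body is available.

    Returns:
        The body as a ``str``.  Bytes that are not strict UTF-8 (binary
        bodies, other encodings) and ``None`` yield ``''`` so the caller can
        fall back to keeping the raw bytes.

    Previously the decodable case returned the *undecoded* bytes, so the
    caller's regex ran against ``repr(bytes)`` (``b'...'`` with ``\\x``
    escapes) and a non-ASCII search term could never match; a ``str`` or
    ``None`` argument crashed with ``AttributeError``; and a bare ``except``
    hid everything else.
    """
    if isinstance(content, str):
        return content
    if not isinstance(content, (bytes, bytearray, memoryview)):
        # None (no body recorded) or an unexpected object: nothing to search
        # as text.
        return ''
    try:
        return bytes(content).decode('UTF-8', errors='strict')
    except UnicodeError:
        return ''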
def get_search_results(pkt):
    """Report one pcap packet that tshark's display filter already matched.

    Used as the per-packet callback of searchtcpdump(); the coarse match was
    done by tshark, so this only locates and prints the field lines inside
    *pkt* that contain the (case-insensitive) search regex.  Anything found
    in the tcpdump capture is reported as unencrypted traffic, so both the
    module-level ``found`` and ``foundunenc`` flags are set.

    Args:
        pkt: a pyshark packet object (``.number``, ``.highest_layer``,
            ``.layers``).

    Reads the module globals ``searchterm``, ``pcapfile`` and ``args``
    (``args.verbose`` switches on a full packet dump).
    """
    global found, foundunenc, searchterm
    # NOTE: searchterm is treated as a regular expression, not a literal.
    pattern = re.compile('(?i)' + searchterm)
    header = 'Found match in %s packet [%d] (%s):' % (
        pcapfile, int(pkt.number), pkt.highest_layer)
    print(color.green(color.bright(header)))
    found = True
    foundunenc = True
    for layer in pkt.layers:
        hits = (line for line in layer._get_all_field_lines()
                if pattern.search(line))
        for line in hits:
            print('%s: %s' % (layer.layer_name, line.rstrip()))
    warning = '%s found in unencrypted %s traffic!' % (
        searchterm, pkt.highest_layer)
    print(color.bright(color.red(warning)))
    if args.verbose:
        print('----- Full packet dump begin -----')
        print(pkt)
        print('----- Full packet dump end -------')
def searchtcpdump(pcapfile, searchterm):
    """Run a case-insensitive tshark search over *pcapfile* for *searchterm*.

    The heavy lifting is delegated to tshark through a ``frame matches``
    display filter; every packet that survives the filter is handed to
    get_search_results() for per-field reporting.

    Args:
        pcapfile: path to the tcpdump capture (deliberately shadows the
            module global of the same name).
        searchterm: regular expression.  It is interpolated verbatim into the
            quoted display-filter string, so a term containing ``"`` or a
            backslash may produce a filter tshark rejects -- escape those
            yourself.
    """
    display_filter = 'frame matches "(?i)%s"' % searchterm
    capture = pyshark.FileCapture(pcapfile, display_filter=display_filter)
    # The callback runs once per matching packet; the timeout bounds the
    # whole pass (pyshark semantics).
    capture.apply_on_packets(get_search_results, timeout=1000)
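def _flow_to_messages(flowfile):
    """Read a mitmproxy flow log and flatten every flow into a plain dict.

    Each entry carries ``msgnum`` (0-based position in the file), ``request``
    (uri, method, scheme, headers, content) and ``response`` (headers,
    content).  Bodies are stored as decoded text when they are valid UTF-8
    and as the raw bytes otherwise; a flow without a response gets ``''``
    for both response fields.
    """
    messages = []
    with open(flowfile, 'rb') as logfile:
        for msgnum, msg in enumerate(io.FlowReader(logfile).stream()):
            request = msg.request
            requestdict = {
                'uri': request.pretty_url,
                'method': request.method,
                'scheme': request.scheme,
                'headers': request.headers,
            }
            # A body mitmproxy did not record comes back as None; treat it
            # as empty rather than handing None to the decoder.
            requestcontent = request.content
            if requestcontent is None:
                requestcontent = b''
            requestdict['content'] = (decodecontent(requestcontent)
                                      or requestcontent)

            responsedict = {'headers': '', 'content': ''}
            response = getattr(msg, 'response', None)
            if response is not None:
                responsedict['headers'] = response.headers
                responsecontent = response.content
                if responsecontent is None:
                    responsecontent = b''
                responsedict['content'] = (decodecontent(responsecontent)
                                           or responsecontent)

            messages.append({'msgnum': msgnum,
                             'request': requestdict,
                             'response': responsedict})
    return messages


def searchmitmflow(flowfile, searchterm):
    """Search a mitmproxy flow log for a case-insensitive regular expression.

    Every request/response field (URL, method, scheme, headers, body) of
    every flow is matched against *searchterm*; each hit is printed with a
    verdict derived from the request scheme and the log's file name:

    * ``http``  -> plaintext; ``foundunenc`` is set.
    * ``https`` in ``ssltest.log`` -> reported as non-validated HTTPS;
      ``foundunprot`` is set.
    * ``https`` in ``flows.log``  -> reported as validated HTTPS;
      ``foundprot`` is set.

    Args:
        flowfile: path to a mitmproxy flow log whose name ends in
            ``flows.log`` or ``ssltest.log``.
        searchterm: regular expression (case-insensitive); escape
            metacharacters to search for a literal string.

    Fixes over the previous version: ``foundunenc`` was assigned without a
    ``global`` declaration, so plaintext-HTTP hits found in a flow log never
    set the module flag the JSON report reads; the "validated HTTPS" verdict
    was formatted but never printed; and a missing (``None``) body reached
    the decoder.
    """
    global found, foundunprot, foundprot, foundunenc
    pcre = re.compile('(?i)' + searchterm)
    for message in _flow_to_messages(flowfile):
        msgnum = message['msgnum']
        scheme = message['request']['scheme']
        for section in ('request', 'response'):
            for value in message[section].values():
                # Headers and raw-byte bodies are searched through str().
                if not pcre.search(str(value)):
                    continue
                found = True
                print(color.bright(color.green('Found match for %s in %s message [%s] field [%s]:' %
                                               (searchterm, flowfile, msgnum + 1, section))))
                if scheme == 'https':
                    if flowfile.endswith('ssltest.log'):
                        foundunprot = True
                        print(
                            color.bright(color.red('%s found in non-validated HTTPS traffic!' % searchterm)))
                    elif flowfile.endswith('flows.log'):
                        foundprot = True
                        print(color.bright(
                            '%s found in validated HTTPS traffic' % searchterm))
                elif scheme == 'http':
                    foundunenc = True
                    print(
                        color.bright(color.red('%s found in unencrypted HTTP traffic!' % searchterm)))
                print(str(value))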
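def check_multi(app, searchterm):
    """Search for *searchterm* as-is and in the encoded forms an app may send.

    Apps often transmit a value not verbatim but base64-encoded or as an
    MD5/SHA-1 digest, so each form is searched in turn through check_app().
    MD5 and SHA-1 are used here only to recognise a hashed copy of the term
    on the wire, not to protect anything.  (A SHA-256 pass was left disabled
    upstream and is still not searched.)

    The term is encoded as UTF-8 before encoding/hashing: byte-identical to
    the previous ``encode('ascii')`` for ASCII terms, while non-ASCII terms
    no longer raise ``UnicodeEncodeError``.

    NOTE(review): base64 output may contain ``+``, which both the Python
    regex and tshark's ``matches`` filter read as a quantifier.  Left as-is
    because any escaping must also survive the display-filter string
    syntax; a literal search for such terms needs manual escaping.

    Args:
        app: application name under results/ or a capture file path.
        searchterm: the plaintext term (regex syntax applies to the as-is
            search).
    """
    raw = searchterm.encode('utf-8')
    check_app(app, searchterm)
    check_app(app, base64.b64encode(raw).decode('ascii'), 'base64')
    check_app(app, hashlib.md5(raw).hexdigest(), 'md5')
    check_app(app, hashlib.sha1(raw).hexdigest(), 'sha1')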
def print_header(logfile):
    """Print the banner that opens the hit list for one capture file.

    The traffic class is decided purely by the file's basename: the tcpdump
    capture is labelled ``unencrypted``, ``flows.log`` ``protected HTTPS``
    and ``ssltest.log`` ``UNPROTECTED HTTPS``.  Any other name yields an
    empty label, and the banner is still printed.
    """
    labels = {
        pcapfile: 'unencrypted',
        fullmitmfile: 'protected HTTPS',
        ssltestfile: 'UNPROTECTED HTTPS',
    }
    traffictype = labels.get(os.path.basename(logfile), '')
    banner = '===== Search hits in %s traffic below =====' % traffictype
    print(color.bright(banner))
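def _search_capture(logfile, searcher, searchterm, encoding):
    """Search one capture file if it exists; return its mtime, else None.

    *searcher* is searchtcpdump or searchmitmflow.  The banner and the
    "searching ..." line are printed before the search and a blank line
    after it, exactly as the former inline copies did.
    """
    if not os.path.exists(logfile):
        return None
    mtime = os.path.getmtime(logfile)
    print_header(logfile)
    print(color.bright('searching %s for %s (%s)') %
          (color.cyan(logfile), searchterm, encoding))
    searcher(logfile, searchterm)
    print('')
    return mtime


def check_app(app, searchterm, encoding='string'):
    """Search the captures belonging to *app* and write a JSON summary.

    *app* is interpreted by its basename:

    * ``ssltest.log`` / ``flows.log`` -> that single mitmproxy log is
      searched and the summary goes to ``<app>.search.json``;
    * ``*.pcap`` -> that single tcpdump capture, summary likewise;
    * anything else -> an application name: ``results/<app>/`` is searched
      for tcpdump.pcap, ssltest.log and flows.log (in that order) and the
      summary goes to ``results/<app>/search.json``.

    Args:
        app: application name or capture path.
        searchterm: regular expression (case-insensitive) to look for.
        encoding: label printed next to the term (``'string'``, or
            ``'base64'``/``'md5'``/``'sha1'`` from check_multi()).

    The ``found*`` values in the summary are module globals that accumulate
    across calls and are not reset here, so a summary written after several
    searches (e.g. the encodings tried by check_multi()) reflects all of
    them.  Times are the captures' mtimes, ``None`` when a file was absent.

    Fix: the previous version tested ``app == fullmitmfile`` instead of the
    basename, so a ``flows.log`` given with a directory prefix fell through
    and was treated as an application name.
    """
    ssltesttime = fullmitmtime = pcaptime = None
    appbase = os.path.basename(app)
    if appbase == ssltestfile or appbase == fullmitmfile:
        jsonfile = '%s.%s' % (app, json_output)
        mtime = _search_capture(app, searchmitmflow, searchterm, encoding)
        if appbase == ssltestfile:
            ssltesttime = mtime
        else:
            fullmitmtime = mtime
    elif appbase.endswith('.pcap'):
        jsonfile = '%s.%s' % (app, json_output)
        pcaptime = _search_capture(app, searchtcpdump, searchterm, encoding)
    else:
        appdir = os.path.join('results', app)
        jsonfile = os.path.join(appdir, json_output)
        pcaptime = _search_capture(os.path.join(appdir, pcapfile),
                                   searchtcpdump, searchterm, encoding)
        ssltesttime = _search_capture(os.path.join(appdir, ssltestfile),
                                      searchmitmflow, searchterm, encoding)
        fullmitmtime = _search_capture(os.path.join(appdir, fullmitmfile),
                                       searchmitmflow, searchterm, encoding)
    report = {
        'app': app,
        'pcaptime': pcaptime,
        'ssltesttime': ssltesttime,
        'fullmitmtime': fullmitmtime,
        'searchterm': searchterm,
        'found': found,
        'foundunenc': foundunenc,
        'foundunprot': foundunprot,
        'foundprot': foundprot,
    }
    with open(jsonfile, 'w') as fp:
        json.dump(report, fp)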
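def get_search_outname(searchterm, template=None):
    """Build the per-search report filename from the search term.

    Every run of non-word characters (``\\W`` -- separators such as ``/``,
    ``.`` and spaces) is stripped from the term and the remainder
    lower-cased before it is spliced into the report name, so a term like
    ``../../etc`` cannot escape the results directory:
    ``search.txt`` + ``Pass Word!`` -> ``search_password.txt``.

    Args:
        searchterm: the raw search term from the command line.
        template: base filename to derive from; defaults to the module-level
            ``report_output``.  The text before the first dot is the stem,
            the text after the last dot the extension.

    Returns:
        The derived filename, without any directory component.
    """
    if template is None:
        template = report_output
    parts = template.split('.')
    stem, ext = parts[0], parts[-1]
    safe_term = re.sub(r'\W+', '', searchterm).lower()
    return '%s_%s.%s' % (stem, safe_term, ext)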
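def main():
    """Command-line entry point: search one app's captures or one capture file.

    Usage: ``search.py [-v] [-m] appname searchterm``.  *appname* is either a
    directory name under results/ or a path to a capture file; *searchterm*
    is a case-insensitive regular expression.  When *appname* is a results
    directory, all console output is also teed into
    ``results/<app>/search_<term>.txt`` and copied to
    ``results/<app>/search.txt`` at the end; for a capture file no log is
    written.

    Fixes over the previous version: the "search every app" branch was
    unreachable (the positional argument is required, so the test on it was
    always true) and has been dropped; the final log copy ran even when no
    log had been opened and raised FileNotFoundError for a capture-file
    argument; and the tee is now detached in a ``finally`` so stdout is
    restored if a search raises.
    """
    global args, searchterm
    parser = argparse.ArgumentParser(
        description='Search captured traffic for a pattern')
    parser.add_argument('app_or_capture', metavar='appname',
                        help='Application name or network capture file')
    parser.add_argument(
        'searchterm', type=str, help='String to search for')
    parser.add_argument('-v', '--verbose', dest='verbose', action='store_true',
                        help='display packet contents')
    parser.add_argument('-m', '--multi', dest='multi', action='store_true',
                        help='search multiple encodings')
    args = parser.parse_args()
    app = args.app_or_capture
    searchterm = args.searchterm
    appdir = os.path.join('results', app)
    search_output = get_search_outname(searchterm)
    # Only tee to a log file when there is an app directory to put it in.
    logging_to_file = os.path.isdir(appdir)
    if logging_to_file:
        sys.stdout = Logger(os.path.join(appdir, search_output))
    try:
        if args.multi:
            check_multi(app, searchterm)
        else:
            check_app(app, searchterm)
        print('')
    finally:
        # Detach the tee so the log file can be copied.  misc.Logger's
        # interface is not visible here, so flush only if it offers one.
        tee = sys.stdout
        sys.stdout = sys.__stdout__
        if logging_to_file and hasattr(tee, 'flush'):
            tee.flush()
    if logging_to_file:
        # Copy the per-term log to the universally-named one.
        copy2(os.path.join(appdir, search_output),
              os.path.join(appdir, report_output))
    eprint(color.bright('Done!'))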
# Script entry point; importing this module (e.g. from another tool) runs
# nothing.
if __name__ == '__main__':
    main()