#!/usr/bin/env python3
from argparse import ArgumentParser
from etrecon.etrecon import ETRecon
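def build_arg_parser():
    """Build the command-line parser for the ETRecon wrapper script.

    Returns:
        ArgumentParser: parser accepting ``-f/--files`` (required, one or
        more pcap paths), ``-i/--ignoreips`` (zero or more IPs to exclude),
        ``--displayfilter`` (default ``'tcp or udp'``) and ``--jsonfile``.
    """
    # ``description=`` is passed by keyword on purpose: ArgumentParser's first
    # positional parameter is ``prog``, so handing the help text over
    # positionally makes the whole sentence the program name in the usage line.
    parser = ArgumentParser(
        description='ETRecon - analyze pcap files in order to detect who i.e. a device is phoning to. '
                    'Like ET phoning home. Get it?')
    parser.add_argument('-f', '--files', required=True, nargs='+',
                        help='One or more pcap files to analyze')
    parser.add_argument('-i', '--ignoreips', required=False, nargs='*', default=[],
                        help='Exclude these IPs from the collected IPs communication list')
    parser.add_argument('--displayfilter', required=False, default='tcp or udp',
                        help='Set wireshark display filter. Default: "tcp or udp"')
    parser.add_argument('--jsonfile', required=False, help='Write output to JSON file')
    return parser


def _print_mapping(title, mapping):
    """Print ``title``, one ``name: ip1, ip2`` line per entry, then a blank line.

    Args:
        title: section heading printed on its own line.
        mapping: dict-like of name -> iterable of IP strings (the DNS, SNI and
            HTTP-host tables collected by ETRecon all share this shape).
    """
    print(title)
    for name, ips in mapping.items():
        print('{}: {}'.format(name, ', '.join(ips)))
    print('')


if '__main__' == __name__:
    # parse args
    args = build_arg_parser().parse_args()
    # generate instance
    etr = ETRecon()
    # a set: the ignore list is only ever used for membership, duplicates collapse
    etr.ignore_ips = set(args.ignoreips)
    # NOTE(review): the display filter string is handed to ETRecon verbatim; how
    # it reaches the capture tool (argument vector vs. shell string) is not
    # visible from this file — confirm in etrecon.analyze_capture.
    etr.analyze_capture(args.files, args.displayfilter)
    # print results
    print('IPs communicating:')
    print('\n'.join(etr.destination_ips))
    print('')
    _print_mapping('Resolved DNS names:', etr.dns_names)
    _print_mapping('Used SNI:', etr.tls_sni)
    _print_mapping('Used HTTP hosts:', etr.http_hosts)
    print('Unhandled protocols:')
    print(', '.join(etr.unhandled_protocols))
    if args.jsonfile:
        etr.write_json(args.jsonfile)
        print('Wrote JSON to: "{}"'.format(args.jsonfile))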