forked from DidierStevens/DidierStevensSuite
-
Notifications
You must be signed in to change notification settings - Fork 0
/
credentials-listener.lua
105 lines (83 loc) · 2.31 KB
/
credentials-listener.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
--[[
2013/11/26 - 2013/11/26
credentials-listener.lua V0.0.1
Wireshark Lua listener to extract credentials
Example: tshark.exe -q -X lua_script:credentials-listener.lua -r test.pcapng
Source code by Didier Stevens, GPL according to Wireshark Foundation ToS
https://DidierStevens.com
Use at your own risk
Shortcommings, or todo's ;-)
History:
2013/11/26: start
--]]
local function MyToString(data)
if data then
return tostring(data)
else
return ''
end
end
local function TableCount(table, key)
if not table[key] then
table[key] = 1
else
table[key] = table[key] + 1
end
end
local function TableDump(table)
for key, value in pairs(table) do
print(key .. ': ' .. value)
end
end
local function DefineHTTPAuthBasicCredentialsListener()
local oTap = Listener.new(nil, 'http.authbasic')
local oField_http_authbasic = Field.new('http.authbasic')
local iCount = 0
local tCredentials = {}
function oTap.packet(pinfo, tvb, http)
iCount = iCount + 1
local sCredentials = MyToString(oField_http_authbasic())
if sCredentials ~= '' then
TableCount(tCredentials, sCredentials)
end
end
function oTap.draw()
print('HTTP: ' .. iCount)
TableDump(tCredentials)
end
end
local function DefineFTPCredentialsListener()
local oTap = Listener.new(nil, 'ftp.request.command == "USER" or ftp.request.command == "PASS"')
local oField_ftp_request_command = Field.new('ftp.request.command')
local oField_ftp_request_arg = Field.new('ftp.request.arg')
local oField_tcp_stream = Field.new('tcp.stream')
local iCount = 0
local tCredentials = {}
local tStreamUser = {}
function oTap.packet(pinfo, tvb, ftp)
iCount = iCount + 1
local sCommand = MyToString(oField_ftp_request_command())
local sArg = MyToString(oField_ftp_request_arg())
local sTCPStream = MyToString(oField_tcp_stream())
if sCommand == '' or sTCPStream == '' or sArg == '' then
return
end
if sCommand == 'USER' then
tStreamUser[sTCPStream] = sArg
end
if sCommand == 'PASS' then
local sCredentials = MyToString(tStreamUser[sTCPStream]) .. ':' .. sArg
TableCount(tCredentials, sCredentials)
tStreamUser[sTCPStream] = None
end
end
function oTap.draw()
print('FTP: ' .. iCount)
TableDump(tCredentials)
end
end
local function Main()
DefineHTTPAuthBasicCredentialsListener()
DefineFTPCredentialsListener()
end
Main()