#!/usr/bin/perl

# pdump.pl v0.8 [http://pdump.org] (advanced low-level, highly configurable, perl packet sniffer and injector)
# started: 07/11/00 14:31:10.874351
# last updated: 12/25/00 23:29:39.547794
#
# currently clones: tcpdump/ngrep/dsniff/macof/webspy/urlsnarf/tcpkill/mailsnarf/carnivore/siphon
#                   along with other utilities and powerful configuration
#
# check the README or docs/README.html for the arguments and all kinds of other stuff.
# you can also get support from me in #pdump on irc.LucidX.com (SUIDnet) or through email at CommPort5@LucidX.com
#
# tested on:
#	BSD:
#		FreeBSD 3.1-RELEASE, 3.4-(RELEASE|STABLE), 4.0-(RELEASE|STABLE), 4.1-(RC|RELEASE|STABLE), 4.1.1-STABLE, 4.2-STABLE
#		OpenBSD 2.6, 2.7
#
#	Linux:
#		Slackware 7.0, kernels 2.2.17, 2.3.6
#		Red Hat 5.2, 6.2, kernels 2.0.36, 2.2.14-5.0smp
#		Mandrake 7.1, kernels 2.2.15-4mdk, 2.2.15-4mdksmp
#

# If you have installed the lib directory of pdump
# and it will always be there, you can uncomment
# the next line and put in the exact path to the lib
# directory for pdump so you can run pdump from any
# directory without using the -l option or having the
# lib directory in the current directory that you're
# in.  example: $fulpath = '/usr/local/pdump/lib';

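$fulpath = '';

################################################################################

# Locate the lib directory and load every *.pl in it.  This runs at BEGIN
# time so that the "use pdump::Sniff" further down can find the lib code.
BEGIN {
 # Honour "-l <dir>" from the command line here, before get_args() runs.
 for my $i (0 .. $#ARGV) {
  if ($ARGV[$i] =~ /^-l$/) {
   # A trailing "-l" has no directory after it; leave $req alone rather
   # than building a path from undef.
   $req = $ARGV[$i + 1] if $i < $#ARGV;
  }
 }
 $filesep = '/';
 $basedir = '.';
 $libsdir = 'lib';
 if ($req) {
  $basedir = $req;
  $basedir =~ s/\/$//;    # drop one trailing slash
 }
 unless ($fulpath) {
  $fulpath = $basedir . $filesep . $libsdir;
 }
 # Every *.pl found here is executed via require, so the directory (whether
 # the default ./lib or one named with -l) must only be writable by trusted users.
 opendir(my $dh, $fulpath) or die "Unable to open $fulpath: $!\n\nMake sure you are in the main pdump directory\nor run pdump with the -l option.\n";
 while (my $file = readdir $dh) {
  next unless $file =~ /\.pl$/;
  require $fulpath . $filesep . $file;
 }
 closedir $dh;
}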
use Socket;
use POSIX qw(strftime);
use pdump::Sniff;
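ansi();                          # provided by lib/; presumably sets up colour output -- confirm
# NOTE: \&die is a reference to a user sub named "die" (presumably in lib/),
# not to the builtin; the builtin cannot be referenced this way.
$SIG{'INT'} = \&die;
$tout    = 10;                   # passed to lookupdev() below
$snaplen = 256;                  # default bytes captured per packet
$xprc    = " ";                  # filter expression; a lone space means "none"
$version = "0.8";
get_args();
# $spfp mode only needs TCP traffic, so fold "tcp" into the filter.
if ($spfp) {
 if ($xprc eq " " and !$expr) {
  $expr++;
  $xprc = "tcp";
 }
 else {
  # NOTE(review): if $xprc is still " " here the result is "  and tcp", which
  # is not a valid filter; this assumes get_args() sets $xprc whenever $expr is set.
  $xprc .= " and tcp";
 }
}
$dev = pdump::Sniff::lookupdev($tout) unless $dev;
# Full-packet modes need the whole frame, not just the first 256 bytes.
$snaplen = 65535 if $omni or $ngrp;
# Explicitly empty these shared hashes; the bare "%sniff;" statements were
# no-ops that only produced "useless use" warnings.
%sniff = ();
%done  = ();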
# Protocol constants used by the decoders in lib/.

# ARP / RARP opcodes
use constant ARP_OPCODE_REQUEST    => 1;
use constant ARP_OPCODE_REPLY      => 2;
use constant RARP_OPCODE_REQUEST   => 3;
use constant RARP_OPCODE_REPLY     => 4;

# Ethernet frame types
use constant ETH_TYPE_IP           => 0x0800;
use constant ETH_TYPE_ARP          => 0x0806;
use constant ETH_TYPE_APPLETALK    => 0x809b;
use constant ETH_TYPE_RARP         => 0x8035;
use constant ETH_TYPE_SNMP         => 0x814c;
use constant ETH_TYPE_IPv6         => 0x86dd;
use constant ETH_TYPE_PPP          => 0x880b;

# IGMP versions, message types and well-known group addresses
use constant IGMP_VERSION_RFC998   => 0;
use constant IGMP_VERSION_RFC1112  => 1;
use constant IGMP_MSG_HOST_MQUERY  => 1;
use constant IGMP_MSG_HOST_MREPORT => 2;
use constant IGMP_IP_NO_HOSTS      => '224.0.0.0';
use constant IGMP_IP_ALL_HOSTS     => '224.0.0.1';
use constant IGMP_IP_ALL_ROUTERS   => '224.0.0.2';

# IP protocol numbers, version and fragment flags
use constant IP_PROTO_IP           => 0;
use constant IP_PROTO_ICMP         => 1;
use constant IP_PROTO_IGMP         => 2;
use constant IP_PROTO_IPIP         => 4;
use constant IP_PROTO_TCP          => 6;
use constant IP_PROTO_UDP          => 17;
use constant IP_VERSION_IPv4       => 4;
use constant IP_FLAG_MOREFRAGS     => 1;
use constant IP_FLAG_DONTFRAG      => 2;
use constant IP_FLAG_CONGESTION    => 4;

# ICMP type number -> human-readable name (package global, read by lib/)
%icmpht = (
 0  => 'echo reply',
 3  => 'destination unreachable',
 4  => 'source quench',
 5  => 'redirect',
 8  => 'echo request',
 9  => 'router advertisement',
 10 => 'router solicitation',
 11 => 'time exceeded',
 12 => 'parameter problem',
 13 => 'timestamp request',
 14 => 'timestamp reply',
 15 => 'information request',
 16 => 'information reply',
 17 => 'address mask request',
 18 => 'address mask reply',
);
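$| = 1;                          # unbuffered output so captured data appears at once
# Address of the capture interface (lib/ ifaddrlist returns a hashref keyed by device).
$ip  = ifaddrlist()->{$dev};
$top = 0;
# Let a filter expression say "$localhost", "localhost" or "$ip" for the
# interface's own address.  First occurrence only, as before.
$xprc =~ s/\$localhost/$ip/;
$xprc =~ s/localhost/$ip/;
$xprc =~ s/\$ip/$ip/;
# Keep the lines of $sphn that are not comments or blank/indented.  The old
# class [^(#|\s+)] was a mis-written character class that also dropped lines
# beginning with '(', '|', '+' or ')'; only '#' and whitespace are skipped now.
@sffp = grep { /^[^#\s]/ } split(/\n/, $sphn);
@idstr = (0x00, 0x00, 0x00, 0x01, 0x00, 0x01);
# Byte tables for the AIM decoders in lib/ -- presumably OSCAR and TOC; confirm there.
@encoscar = (0xf3, 0x26, 0x81, 0xc4, 0x39, 0x86, 0xdb, 0x92,
             0x71, 0xa3, 0xb9, 0xe6, 0x53, 0x7a, 0x95, 0x7c);
@enctoc = (0x54, 0x69, 0x63, 0x2f, 0x54, 0x6f, 0x63);   # ASCII "Tic/Toc"
# Alternations of HTML form field names treated as login ($httpl) and
# password ($httpp) fields; the commented arrays are the older list form.
$httpl = "acctname|alias|domain|fname|email|id|login|loginid|loginname|login_id|mn|name|uid|unickname|user|userid|user_id|username|username_login|u2_username|fullhpd";
$httpp = "pass|passname|passwd|password|password1|password_from_form|password_login|pw|upasswd|u2_password";
#@httpl = ("acctname", "alias", "domain", "fname", "email", "id", "login", "loginid",
#          "loginname", "login_id", "mn", "name", "uid", "unickname", "user", "userid",
#          "user_id", "username", "username_login", "u2_username", "fullhpd");
#@httpp = ("pass", "passname", "passwd", "password", "password1", "password_from_form",
#          "password_login", "pw", "upasswd", "u2_password");
if ($ntshst) {
# ($haddr) = (gethostbyname($ntshst))[4];
# $raddr = join(".", unpack("C4", $haddr));
 $raddr = ip2dot($ntshst);       # lib/ helper; resolves the name to dotted-quad
}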
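# Start-up banner.  The whole banner goes to STDERR so STDOUT carries only
# captured data: the plain-text branch already did this, but the coloured
# branch sent its spaces, newlines and the word "on" to the selected handle
# (STDOUT by default), tearing the banner across two streams under redirection.
# The "match:" line stays on the selected handle, as before.
if ($ansi) {
 print STDERR join('',
  colored("(", 'blue'), colored("pdump.pl", 'bold'), colored(")", 'blue'), " ",
  colored($version, 'underline'), colored(":", 'green'), " ",
  colored("by", 'white'), " ",
  colored("<Samy Kamkar> CommPort5", 'bold green'),
  colored("(", 'bold blue'), colored("\@", 'bold red'),
  colored("LucidX.com", 'bold green'), colored(")", 'bold blue'),
  "\n");
 print STDERR join('',
  colored("(", 'blue'), colored($0, 'underline'), colored(")", 'blue'),
  colored(":", 'green'), " ",
  colored("listening", 'white'), " ", colored("on", 'white'), " ",
  colored($dev, 'green'), " ", colored("::", 'bold'), " ",
  colored($ip, 'green'), " ",
  colored("[", 'bold red'), colored($host, 'bold cyan'), colored("]", 'bold red'),
  "\n");
 if ($ngrp and !$ngrq) {
  print colored("match", 'bold green'), colored(":", 'bold'), " ",
        colored($ngrr, 'underline'), "\n";
 }
}
else {
 print STDERR "(pdump.pl) $version: by <Samy Kamkar> CommPort5(\@LucidX.com)\n";
 print STDERR "($0): listening on $dev :: $ip [$host]\n";
 print "match: $ngrr\n" if $ngrp and !$ngrq;
}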
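if ($macof) {
 macof();
}
else {
 # One capture handle for every mode.  Build the filter first, then open the
 # handle once -- the old code duplicated the open in both branches and had a
 # second, unreachable "elsif ($term)" arm.
 $packet_all = pdump::Sniff->new;
 $filt_all   = " ";               # a lone space means "no filter"
 if ($expr) {
  $filt_all = $xprc;
  if ($ntsnf) {
   # BPF gives "and" and "or" equal precedence (left to right), so the port
   # alternation is parenthesised; written flat, only port 80 was tied to tcp
   # and 8080/3128 matched any protocol.
   my $web_ports = "(dst port 80 or dst port 8080 or dst port 3128)";
   if ($lcls) {
    $filt_all = "tcp and $web_ports";
   }
   elsif ($term) {
    # tcp[13] & 16 is the ACK flag.
    # NOTE(review): $xprc defaults to " " (true), so the "unless" arm only runs
    # when get_args() cleared it; otherwise this yields "  and tcp[13] ...".
    unless ($xprc) {
     $filt_all = "tcp[13] & 16 != 0";
    }
    else {
     $filt_all .= " and tcp[13] & 16 != 0";
    }
   }
   elsif ($omni) {
    $filt_all = "tcp port 25";
   }
   else {
    $filt_all = "tcp and $web_ports and not host $ip";
   }
  }
  $filt_all = " "   if $snff;
  $filt_all = "tcp" if $flsp;
 }
 # pcapinit(dev, filter, snaplen, 60, 0|256): the last argument is 0 when
 # $nopr is set -- presumably the promiscuous-mode switch; confirm in lib/.
 $pcap_all   = $packet_all->pcapinit($dev, $filt_all, $snaplen, 60, $nopr ? 0 : 256);
 $offset_all = linkoffset($pcap_all);
 $awr        = dump_open($pcap_all, $write) if $wrt;
}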
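unless ($macof) {
 # Pick the per-packet callback once, then run the capture loop.  Modes are
 # assumed mutually exclusive; the order is the one the write-file branch
 # used (the two old chains disagreed on $term vs $flsp).  Without -e only
 # check_all is ever used.
 my $handler = !$expr ? \&check_all
             : $snff  ? \&pwsniff
             : $sndd  ? \&check_jack
             : $omni  ? \&omnivore
             : $term  ? \&terminator
             : $flsp  ? \&check_file
             : $ntsnf ? \&check_web
             :          \&check_all;
 if ($wrt) {
  # The dump handle is $awr (set by dump_open above); the old non-expr
  # branch passed \$twr, which is never assigned.
  loop($pcap_all, 10, $handler, \$awr);
 }
 else {
  # NOTE: \@packet_all is the array @packet_all, not the $packet_all object;
  # kept as before since the callbacks' use of this argument is in lib/.
  loop($pcap_all, -1, $handler, \@packet_all);
 }
}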

