new: net.sniff now supports ipv6

bettercap · Apr 3, 2021 · cbc1432 · cbc1432
1 parent bef4c6a
commit cbc1432
Show file tree

Hide file tree

Showing 13 changed files with 122 additions and 83 deletions.
diff --git a/modules/net_sniff/net_sniff.go b/modules/net_sniff/net_sniff.go
@@ -128,12 +128,20 @@ func (mod Sniffer) Author() string {
 }
 
 func (mod Sniffer) isLocalPacket(packet gopacket.Packet) bool {
- ipl := packet.Layer(layers.LayerTypeIPv4)
- if ipl != nil {
- ip, _ := ipl.(*layers.IPv4)
- if ip.SrcIP.Equal(mod.Session.Interface.IP) || ip.DstIP.Equal(mod.Session.Interface.IP) {
+ ip4l := packet.Layer(layers.LayerTypeIPv4)
+ if ip4l != nil {
+ ip4, _ := ip4l.(*layers.IPv4)
+ if ip4.SrcIP.Equal(mod.Session.Interface.IP) || ip4.DstIP.Equal(mod.Session.Interface.IP) {
  return true
  }
+ } else {
+ ip6l := packet.Layer(layers.LayerTypeIPv6)
+ if ip6l != nil {
+ ip6, _ := ip6l.(*layers.IPv6)
+ if ip6.SrcIP.Equal(mod.Session.Interface.IPv6) || ip6.DstIP.Equal(mod.Session.Interface.IPv6) {
+ return true
+ }
+ }
  }
  return false
 }

diff --git a/modules/net_sniff/net_sniff_dns.go b/modules/net_sniff/net_sniff_dns.go
@@ -3,12 +3,13 @@ package net_sniff
 import (
  "github.com/google/gopacket"
  "github.com/google/gopacket/layers"
+ "net"
  "strings"
 
  "github.com/evilsocket/islazy/tui"
 )
 
-func dnsParser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
+func dnsParser(srcIP, dstIP net.IP, payload []byte, pkt gopacket.Packet, udp *layers.UDP) bool {
  dns, parsed := pkt.Layer(layers.LayerTypeDNS).(*layers.DNS)
  if !parsed {
  return false
@@ -50,13 +51,13 @@ func dnsParser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "dns",
- ip.SrcIP.String(),
- ip.DstIP.String(),
+ srcIP.String(),
+ dstIP.String(),
  nil,
  "%s %s > %s : %s is %s",
  tui.Wrap(tui.BACKDARKGRAY+tui.FOREWHITE, "dns"),
- vIP(ip.SrcIP),
- vIP(ip.DstIP),
+ vIP(srcIP),
+ vIP(dstIP),
  tui.Yellow(hostname),
  tui.Dim(strings.Join(ips, ", ")),
  ).Push()

diff --git a/modules/net_sniff/net_sniff_ftp.go b/modules/net_sniff/net_sniff_ftp.go
@@ -1,6 +1,7 @@
 package net_sniff
 
 import (
+ "net"
  "regexp"
 
  "github.com/google/gopacket"
@@ -14,7 +15,7 @@ var (
  ftpRe = regexp.MustCompile(`^(USER|PASS) (.+)[\n\r]+$`)
 )
 
-func ftpParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
+func ftpParser(srcIP, dstIP net.IP, payload []byte, pkt gopacket.Packet, tcp *layers.TCP) bool {
  data := string(tcp.Payload)
 
  if matches := ftpRe.FindAllStringSubmatch(data, -1); matches != nil {
@@ -23,13 +24,13 @@ func ftpParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "ftp",
- ip.SrcIP.String(),
- ip.DstIP.String(),
+ srcIP.String(),
+ dstIP.String(),
  nil,
  "%s %s > %s:%s - %s %s",
  tui.Wrap(tui.BACKYELLOW+tui.FOREWHITE, "ftp"),
- vIP(ip.SrcIP),
- vIP(ip.DstIP),
+ vIP(srcIP),
+ vIP(dstIP),
  vPort(tcp.DstPort),
  tui.Bold(what),
  tui.Yellow(cred),

diff --git a/modules/net_sniff/net_sniff_http.go b/modules/net_sniff/net_sniff_http.go
@@ -5,6 +5,7 @@ import (
  "bytes"
  "compress/gzip"
  "io/ioutil"
+ "net"
  "net/http"
  "strings"
 
@@ -116,19 +117,19 @@ func toSerializableResponse(res *http.Response) HTTPResponse {
  }
 }
 
-func httpParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
+func httpParser(srcIP, dstIP net.IP, payload []byte, pkt gopacket.Packet, tcp *layers.TCP) bool {
  data := tcp.Payload
  if req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(data))); err == nil {
  if user, pass, ok := req.BasicAuth(); ok {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "http.request",
- ip.SrcIP.String(),
+ srcIP.String(),
  req.Host,
  toSerializableRequest(req),
  "%s %s %s %s%s - %s %s, %s %s",
  tui.Wrap(tui.BACKRED+tui.FOREBLACK, "http"),
- vIP(ip.SrcIP),
+ vIP(srcIP),
  tui.Wrap(tui.BACKLIGHTBLUE+tui.FOREBLACK, req.Method),
  tui.Yellow(req.Host),
  vURL(req.URL.String()),
@@ -141,12 +142,12 @@ func httpParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "http.request",
- ip.SrcIP.String(),
+ srcIP.String(),
  req.Host,
  toSerializableRequest(req),
  "%s %s %s %s%s",
  tui.Wrap(tui.BACKRED+tui.FOREBLACK, "http"),
- vIP(ip.SrcIP),
+ vIP(srcIP),
  tui.Wrap(tui.BACKLIGHTBLUE+tui.FOREBLACK, req.Method),
  tui.Yellow(req.Host),
  vURL(req.URL.String()),
@@ -159,15 +160,15 @@ func httpParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "http.response",
- ip.SrcIP.String(),
- ip.DstIP.String(),
+ srcIP.String(),
+ dstIP.String(),
  sres,
  "%s %s:%d %s -> %s (%s %s)",
  tui.Wrap(tui.BACKRED+tui.FOREBLACK, "http"),
- vIP(ip.SrcIP),
+ vIP(srcIP),
  tcp.SrcPort,
  tui.Bold(res.Status),
- vIP(ip.DstIP),
+ vIP(dstIP),
  tui.Dim(humanize.Bytes(uint64(len(sres.Body)))),
  tui.Yellow(sres.ContentType),
  ).Push()

diff --git a/modules/net_sniff/net_sniff_krb5.go b/modules/net_sniff/net_sniff_krb5.go
@@ -2,6 +2,7 @@ package net_sniff
 
 import (
  "encoding/asn1"
+ "net"
 
  "github.com/bettercap/bettercap/packets"
 
@@ -11,7 +12,7 @@ import (
  "github.com/evilsocket/islazy/tui"
 )
 
-func krb5Parser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
+func krb5Parser(srcIP, dstIP net.IP, payload []byte, pkt gopacket.Packet, udp *layers.UDP) bool {
  if udp.DstPort != 88 {
  return false
  }
@@ -26,13 +27,13 @@ func krb5Parser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "krb5",
- ip.SrcIP.String(),
- ip.DstIP.String(),
+ srcIP.String(),
+ dstIP.String(),
  nil,
  "%s %s -> %s : %s",
  tui.Wrap(tui.BACKRED+tui.FOREBLACK, "krb-as-req"),
- vIP(ip.SrcIP),
- vIP(ip.DstIP),
+ vIP(srcIP),
+ vIP(dstIP),
  s,
  ).Push()
 

diff --git a/modules/net_sniff/net_sniff_mdns.go b/modules/net_sniff/net_sniff_mdns.go
@@ -1,6 +1,7 @@
 package net_sniff
 
 import (
+ "net"
  "strings"
 
  "github.com/bettercap/bettercap/packets"
@@ -12,20 +13,20 @@ import (
  "github.com/evilsocket/islazy/tui"
 )
 
-func mdnsParser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
+func mdnsParser(srcIP, dstIP net.IP, payload []byte, pkt gopacket.Packet, udp *layers.UDP) bool {
  if udp.SrcPort == packets.MDNSPort && udp.DstPort == packets.MDNSPort {
  dns := layers.DNS{}
  if err := dns.DecodeFromBytes(udp.Payload, gopacket.NilDecodeFeedback); err == nil && dns.OpCode == layers.DNSOpCodeQuery {
  for _, q := range dns.Questions {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "mdns",
- ip.SrcIP.String(),
- ip.DstIP.String(),
+ srcIP.String(),
+ dstIP.String(),
  nil,
  "%s %s : %s query for %s",
  tui.Wrap(tui.BACKDARKGRAY+tui.FOREWHITE, "mdns"),
- vIP(ip.SrcIP),
+ vIP(srcIP),
  tui.Dim(q.Type.String()),
  tui.Yellow(string(q.Name)),
  ).Push()
@@ -56,12 +57,12 @@ func mdnsParser(ip *layers.IPv4, pkt gopacket.Packet, udp *layers.UDP) bool {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "mdns",
- ip.SrcIP.String(),
- ip.DstIP.String(),
+ srcIP.String(),
+ dstIP.String(),
  nil,
  "%s %s : %s is %s",
  tui.Wrap(tui.BACKDARKGRAY+tui.FOREWHITE, "mdns"),
- vIP(ip.SrcIP),
+ vIP(srcIP),
  tui.Yellow(hostname),
  tui.Dim(strings.Join(ips, ", ")),
  ).Push()

diff --git a/modules/net_sniff/net_sniff_ntlm.go b/modules/net_sniff/net_sniff_ntlm.go
@@ -1,6 +1,7 @@
 package net_sniff
 
 import (
+ "net"
  "regexp"
  "strings"
 
@@ -31,7 +32,7 @@ func isResponse(s string) bool {
  return respRe.FindString(s) != ""
 }
 
-func ntlmParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
+func ntlmParser(srcIP, dstIP net.IP, payload []byte, pkt gopacket.Packet, tcp *layers.TCP) bool {
  data := tcp.Payload
  ok := false
 
@@ -50,13 +51,13 @@ func ntlmParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "ntlm.response",
- ip.SrcIP.String(),
- ip.DstIP.String(),
+ srcIP.String(),
+ dstIP.String(),
  nil,
  "%s %s > %s | %s",
  tui.Wrap(tui.BACKDARKGRAY+tui.FOREWHITE, "ntlm.response"),
- vIP(ip.SrcIP),
- vIP(ip.DstIP),
+ vIP(srcIP),
+ vIP(dstIP),
  data.LcString(),
  ).Push()
  })

diff --git a/modules/net_sniff/net_sniff_parsers.go b/modules/net_sniff/net_sniff_parsers.go
@@ -2,6 +2,7 @@ package net_sniff
 
 import (
  "fmt"
+ "net"
 
  "github.com/bettercap/bettercap/log"
  "github.com/bettercap/bettercap/packets"
@@ -12,21 +13,22 @@ import (
  "github.com/evilsocket/islazy/tui"
 )
 
-func onUNK(ip *layers.IPv4, pkt gopacket.Packet, verbose bool) {
+func onUNK(srcIP, dstIP net.IP, payload []byte, pkt gopacket.Packet, verbose bool) {
  if verbose {
+ sz := len(payload)
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  pkt.TransportLayer().LayerType().String(),
- vIP(ip.SrcIP),
- vIP(ip.DstIP),
+ vIP(srcIP),
+ vIP(dstIP),
  SniffData{
- "Size": len(ip.Payload),
+ "Size": sz,
  },
  "%s %s > %s %s",
  tui.Wrap(tui.BACKDARKGRAY+tui.FOREWHITE, pkt.TransportLayer().LayerType().String()),
- vIP(ip.SrcIP),
- vIP(ip.DstIP),
- tui.Dim(fmt.Sprintf("%d bytes", len(ip.Payload))),
+ vIP(srcIP),
+ vIP(dstIP),
+ tui.Dim(fmt.Sprintf("%d bytes", sz)),
  ).Push()
  }
 }
@@ -41,13 +43,29 @@ func mainParser(pkt gopacket.Packet, verbose bool) bool {
  // simple networking sniffing mode?
  nlayer := pkt.NetworkLayer()
  if nlayer != nil {
- if nlayer.LayerType() != layers.LayerTypeIPv4 {
+ isIPv4 := nlayer.LayerType() == layers.LayerTypeIPv4
+ isIPv6 := nlayer.LayerType() == layers.LayerTypeIPv6
+
+ if !isIPv4 && !isIPv6 {
  log.Debug("Unexpected layer type %s, skipping packet.", nlayer.LayerType())
  log.Debug("%s", pkt.Dump())
  return false
  }
 
- ip := nlayer.(*layers.IPv4)
+ var srcIP, dstIP net.IP
+ var basePayload []byte
+
+ if isIPv4 {
+ ip := nlayer.(*layers.IPv4)
+ srcIP = ip.SrcIP
+ dstIP = ip.DstIP
+ basePayload = ip.Payload
+ } else {
+ ip := nlayer.(*layers.IPv6)
+ srcIP = ip.SrcIP
+ dstIP = ip.DstIP
+ basePayload = ip.Payload
+ }
 
  tlayer := pkt.TransportLayer()
  if tlayer == nil {
@@ -57,11 +75,11 @@ func mainParser(pkt gopacket.Packet, verbose bool) bool {
  }
 
  if tlayer.LayerType() == layers.LayerTypeTCP {
- onTCP(ip, pkt, verbose)
+ onTCP(srcIP, dstIP, basePayload, pkt, verbose)
  } else if tlayer.LayerType() == layers.LayerTypeUDP {
- onUDP(ip, pkt, verbose)
+ onUDP(srcIP, dstIP, basePayload, pkt, verbose)
  } else {
- onUNK(ip, pkt, verbose)
+ onUNK(srcIP, dstIP, basePayload, pkt, verbose)
  }
  return true
  } else if ok, radiotap, dot11 := packets.Dot11Parse(pkt); ok {

diff --git a/modules/net_sniff/net_sniff_sni.go b/modules/net_sniff/net_sniff_sni.go
@@ -2,6 +2,7 @@ package net_sniff
 
 import (
  "fmt"
+ "net"
 
  "regexp"
 
@@ -14,7 +15,7 @@ import (
 // poor man's TLS Client Hello with SNI extension parser :P
 var sniRe = regexp.MustCompile("\x00\x00.{4}\x00.{2}([a-z0-9]+([\\-\\.]{1}[a-z0-9]+)*\\.[a-z]{2,6})\x00")
 
-func sniParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
+func sniParser(srcIP, dstIP net.IP, payload []byte, pkt gopacket.Packet, tcp *layers.TCP) bool {
  data := tcp.Payload
  dataSize := len(data)
 
@@ -35,12 +36,12 @@ func sniParser(ip *layers.IPv4, pkt gopacket.Packet, tcp *layers.TCP) bool {
  NewSnifferEvent(
  pkt.Metadata().Timestamp,
  "https",
- ip.SrcIP.String(),
+ srcIP.String(),
  domain,
  nil,
  "%s %s > %s",
  tui.Wrap(tui.BACKYELLOW+tui.FOREWHITE, "sni"),
- vIP(ip.SrcIP),
+ vIP(srcIP),
  tui.Yellow("https://"+domain),
  ).Push()