""" 
 Simple packet sniffer that writes a pcap file for
 any UDP traffic heading for closed ports.
 
 Written in an attempt to capture data from a
 MS11-083 exploit in the wild.
 
 Author: Samuel Hunter
 If you have any suggestions or comments find
 me on twitter or send me some mail.
 Dont tell me about my dirty code, I'm aware of that.
 This was written quickly with no concern of standards.
 
 twitter: @Trowalts
 email: trowalts@gmail.com
"""

from pcapy import *
from impacket import ImpactDecoder, ImpactPacket
from socket import *
import fcntl
import struct
import os
import time

class Sniffer:    
    def __init__(self):
        self.promiscuous = True
        self.called = 0 #silly habits
        self.interface = 'eth0'
        self.max_bytes = 65535  # Theoretical max size for a UDP packet
        self.read_timeout = 100
        self.ip = self.get_ip_address(self.interface)
        self.bpf = 'ip dst host %s and not src net 192.168.1.0/30'%self.ip
        
        print "\n---------------------------------------------------"
        print "Sniffing for unsolicited UDP packets to closed ports."
        print "      \"Open ports are for losers\" - MS11-083"
        print "Pcap log started, listening from %s"%time.strftime("%d:%m:%Y %H:%M:%S", time.localtime())
        print "---------------------------------------------------"
 
    def get_ip_address(self, ifname):
        s = socket(AF_INET, SOCK_STREAM)
        return inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', ifname[:15]))[20:24])
    
    def start(self):
        self.reader = open_live(self.interface, self.max_bytes, self.promiscuous, self.read_timeout)
        # Pcapy uses BPF to filter packets, not src net 192.168.1.0/30 
        # should be changed, it just filters out 1.0, 1.1, 1.2 and 1.3
        # which I use for diffrent gateways and dont want traffic
        # from the router hitting the logs.
        self.reader.setfilter(self.bpf)
        # Run the packet capture loop
        self.reader.loop(0, self.callback)
          
    def callonce(self):
        self.dumper = self.reader.dump_open(time.strftime("%d-%m-%Y_%H-%M-%S.pcap", time.localtime()))    
        self.called = 1
    
    def callback(self, hdr, data):  
        # Parse the Ethernet packet
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(data)
        # Parse the IP packet inside the Ethernet packet, typep
        iphdr = ether.child()
        udphdr = iphdr.child()
        
        # First check that the packets are not comming from the local host
        # Then check that it is a UDP packet (incase you changed the BPF) also
        # Check that the destination port for the packet is a closed port on the host
        if (iphdr.get_ip_src() != self.ip):
            self.refresh_portlist()
            if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and udphdr.get_uh_dport() not in self.portlist):
                if self.called == 0:
                    self.callonce()
                print "Incoming UDP packet from %s"%iphdr.get_ip_src()
                self.dumper.dump(hdr, data)
     
    def refresh_portlist(self):
        # bash script to get all the open and listening UDP ports
        # used in the callback function as criteria for logging traffic  
        output = os.popen("./getports.sh")
        pl = output.readlines()
        self.portlist = []
        for p in pl:
            self.portlist.append(int(p))
                    
def main():
    snf = Sniffer()
    snf.start()

if __name__ == "__main__":
    main()