hZdZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z ddl mZmZddlmZmZddlmZddlmZddlmZmZmZmZdd lmZdd lmZm Z m!Z!m"Z"dd l#m$Z$m%Z%dd l&m'Z'm(Z(dd l)m*Z*m+Z+m,Z,m-Z-ddl.m/Z/ ddl0Z0dZ1n #e2$rdZ1YnwxYw ddl3Z3dZ4n #e2$rdZ4YnwxYw ddl5Z5dZ6n #e2$rdZ6YnwxYwdej7vr*iej7d<dej7dd<dej7dd<gdZ8ddgZ9gdZ:gdZ;gdZdZ?dZ@dZAdZBGd d!eZCGd"d#eZDd$ZEGd%d&eCZFGd'd(eCZGGd)d*eZHGd+d,e ZIGd-d.eJZK d;d1ZLe!e/eHd23e!e/eHd24e e/eHd2d25e!e/eHd63e!e/eHd64Gd7d8eZMGd9d:eMZNdS)>> load_layer("http") Note that this layer ISN'T loaded by default, as quite experimental for now. To follow HTTP packets streams = group packets together to get the whole request/answer, use ``TCPSession`` as:: >>> sniff(session=TCPSession) # Live on-the-flow session >>> sniff(offline="./http_chunk.pcap", session=TCPSession) # pcap This will decode HTTP packets using ``Content_Length`` or chunks, and will also decompress the packets when needed. Note: on failure, decompression will be ignored. You can turn auto-decompression/auto-compression off with:: >>> conf.contribs["http"]["auto_compression"] = False (Defaults to True) You can also turn auto-chunking/dechunking off with:: >>> conf.contribs["http"]["auto_chunk"] = False (Defaults to True) N)Enum) plain_str bytes_encode) AutomatonATMT)conf)WINDOWS)warning log_loadinglog_interactiveScapy_Exception)StrField)Packet bind_layersbind_bottom_upRaw) StreamSocketSSLStreamSocket) get_temp_fileContextManagerSubprocess)GSS_S_COMPLETE GSS_S_FAILUREGSS_S_CONTINUE_NEEDED GSSAPI_BLOB)TCPTFhttpauto_compression auto_chunk) z Cache-Control Connection PermanentzContent-Lengthz Content-MD5z Content-TypeDatez Keep-AlivePragmaUpgradeViaWarningz X-Request-IDzX-Correlation-ID)zA-IMAcceptzAccept-CharsetzAccept-EncodingzAccept-LanguagezAccept-DatetimezAccess-Control-Request-MethodzAccess-Control-Request-Headers AuthorizationCookieExpect ForwardedFromHostzHTTP2-SettingszIf-MatchzIf-Modified-Sincez If-None-MatchzIf-RangezIf-Unmodified-Sincez Max-ForwardsOriginzProxy-AuthorizationRangeRefererTEz User-Agent)zUpgrade-Insecure-RequestszX-Requested-WithDNTzX-Forwarded-ForzX-Forwarded-HostzX-Forwarded-ProtozFront-End-HttpszX-Http-Method-OverridezX-ATT-DeviceIdz X-Wap-ProfilezProxy-ConnectionzX-UIDHz X-Csrf-Tokenz Save-Data)$zAccess-Control-Allow-Originz Access-Control-Allow-CredentialszAccess-Control-Expose-HeaderszAccess-Control-Max-AgezAccess-Control-Allow-MethodszAccess-Control-Allow-Headersz Accept-Patchz Accept-RangesAgeAllowzAlt-SvczContent-DispositionzContent-EncodingzContent-LanguagezContent-Locationz Content-Rangez Delta-BaseETagExpiresIMz Last-ModifiedLinkLocationP3PzProxy-AuthenticatezPublic-Key-Pinsz Retry-AfterServerz Set-CookiezStrict-Transport-SecurityTrailerzTransfer-EncodingTkVaryzWWW-AuthenticatezX-Frame-Options) zContent-Security-PolicyzX-Content-Security-Policyz X-WebKit-CSPRefreshStatuszTiming-Allow-OriginzX-Content-DurationzX-Content-Type-Optionsz X-Powered-ByzX-UA-CompatiblezX-XSS-Protectionclt|ddS)zpTakes a header key (i.e., "Host" in "Host: www.google.com", and returns a stripped representation of it -_)rstripreplace)names U/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/layers/http.py_strip_header_namerGs* TZZ\\ " " * *3 4 44cFt|dzt|zS)zCreates a HTTP header lines: )r)rEvals rF _header_linerKs$    % S(9(9 99rHc|d}i}|D]g} |dd\}}n#t$rY)wxYwt|}||f||<h|S)N :)split ValueErrorrGlowerrC)sheaders headers_found header_linekeyvalue header_keys rF_parse_headersrZsgggGM99  $**433JC    H ',,2244 %(%++--$8 j!! s7 AAc(d}||}|dkr5|d|t|z}||t|zd}n|}d}|dd\}}|t ||fS)z Takes a HTTP packet, and returns a tuple containing: _ the first line (e.g., "GET ...") _ the headers in a dictionary _ the body  NrHrMrO)findlenrPrCrZ)rScrlfcrlf crlfcrlfIndexrTbody first_lines rF_parse_headers_and_bodyrds HFF8$$M2]S]]223X.//0!--33J     ~g66 <z/_HTTPContent._get_encodings..,sHLLLqill002288::LLLrH,ctg|]5}t|6Srvrwrxs rFr{z/_HTTPContent._get_encodings../sHKKKqill002288::KKKrH) isinstance HTTPResponseTransfer_EncodingrrPContent_Encoding)self encodingss rF_get_encodingsz_HTTPContent._get_encodings(s dL ) ) K% LLL'(>??EEcJJLLLL $ KKK'(=>>DDSIIKKKK rHcdS)NsHTTP1rvrs rFhashretz_HTTPContent.hashret3sxrHct||_|}tjddrwd|vrsd}|rk|d\}}} t |d}|d|}|||dzdkrn%||dzd}||z }n#t$rYnwxYw|k|s|}tjdds|S d |vrd dl}| |}nd |vrtj |}nd |vr1trtj |}ntjd nd|vr1trt!j |}ntjdnnd|vrjt"rOt%j|} t)j| } | }ntjdn#t0$rYnwxYw|S)NrrchunkedrHrMrdeflatergzipcompressz:Can't import lzw. compress decompression will be ignored !brz;Can't import brotli. brotli decompression will be ignored !zstdz>55JtUT"1"X-=>>qAAECII%%JmD$qs)44Q7"9>>JFGG} % N rHc@ dd}dd}|r|rQdd<||}t|jts|St|j|j}|j |r8|dr#|tsd}n Mt  |jjs dkr#t||jj z fd}npd }dd<ng||j}d |v} | rd }n>t|j|j r d }dd<n|r|j d krd}n fd}dd<|d<||r|SdS||r ||}|SdS)N detect_enddetect_unknownTFr\cdS)NTrv)rBs rFz%HTTP.tcp_reassemble..strHrc0t|z kSr )r_)dat http_lengthrs rFr*z%HTTP.tcp_reassemble..sSXX -Cv-MrHcdSNFrvr,s rFr*z%HTTP.tcp_reassemble..sUrHrc,|dS)Ns0 endswithr0s rFr*z%HTTP.tcp_reassemble..sS\\,-G-GrHc,|dSNr\r2r0s rFr*z%HTTP.tcp_reassemble..sS\\+-F-FrHs101c,|dSr5)r^r0s rFr*z%HTTP.tcp_reassemble..sSXXk-B-BrHc0ddS)Ntcp_endF)get)r,metadatas rFr*z%HTTP.tcp_reassemble..sX\\)U-K-KrH)r9r~rrrclsresprr3rrrr_rsclsreqr) r!rr:rBr' is_unknown http_packet is_responserrr-rs ` @@rFtcp_reassemblezHTTP.tcp_reassembles=\\,55 \\"2D99 > #Z> #).H% &#d))Kk1<@@ #""$[%8#+FFK /F + 6 k**+ 6 -<<>>+ 6 ,^ #V&.6&A++"%d))k.A.O"OK!M!M!M!M!MJJ"3!2J15H-..(,4CCEE $ 16!G!GJJ 3SZ@@6!F!FJ26H-.. 6[%<%F%F"C!BJJ "L!K!K!KJ15H-.%/H\ "z$ #"" # #z$ #!c$ii "" # #rHc tjd|jzdzdz|jzdz}|d}|d|}||}|r|jStjd|jzdz}||}|r|jSn#t$rYnwxYwtS) zZDecides if the payload is an HTTP Request or Response, or something else. s^(?:s) s(?:.+?) s/\d\.\d$rMN^s/\d\.\d \d\d\d .*$) rcompile reqmethodshdrindexmatchr<r;rQr)rrprog crlfIndexreqresults rFrzHTTP.guess_payload_classs :4?*V3'(D  g..I*9*%CZZ__F ({"z$/4J"JKKC(<'(    D  sA)B*,dD\ ) ) F >  JJLLL} )6+>BBB    9  EDDD#&.KKB..     dD\""" 9   &&.d6F6F6H6H1I1II     1&,;!nS-DEEG-2G**--G''!8::GG/&&tT&BBD'd33DII$T400DIrHc r|jrAttjd|z|jjt|z fddi|}|jrCttj d|o|z|S)Nz>> %sverboserz<< %s) r]rnrrpopeningsummaryrZsr1rsuccess)rrJrresps rFrzHTTP_Client.sr1/s 9 E $"**7S[[]]+BCC D D Dty} FFSL      9   ((t6 7     rHrHc tjd|}|std|\}}} } |dkrd} nd} | pd} | ot | } ||| | |dd d d || d } | |ttdi| z } |r| |z} | | }|sn|j d vrP|j tj tjfvr0d |jvr^|jd d\}} t#t%j|}n&#t($rt+dwxYw|j}d}t-||j jkrt+d|j|j|d\|_}}|t6t8fvrt+d|j jd zt%jt?|z| _ t|j dvr+|r)|j!|j"#f|||d|S |S)z, Perform a HTTP(s) request. z)(https?)://([^/:]+)(?:\:(\d+))?(?:/(.*))?z Bad URL !httpsTFr)r}r~rs gzip, deflatesno-caches keep-alive)Accept_Encoding Cache_Controlr"rr,r)401407rrOzInvalid WWW-AuthenticateNr) req_flagszAuthentication failure)s301s302)rrfollow_redirectsrv)$rrGrQgroupsrrupdaterrrrr\rPrSrVWWW_AuthenticaterPrbase64 b64decoderr rrXr_GSS_Init_sec_contextr`rrencode b64encoderr'requestr8r)rurlrrrrTm transportr|r}pathr~ http_headersrJrmethodssp_blobtokenstatuss rFrzHTTP_Client.request?s HA3 G G *[)) )&'hhjj# 4t   CCC{s!D  t$CIII 0(!'    G$$$ff{22\222   4KC. 88C==D #333?#(#-' t444'+'<'B'B4'K'K N'263CD3I3I'J'JHH(NNN"12L"M"MMN"&!6#' ((DO,AAA-.HIII59X5R5R "#6S662DOUF n6K%LLL-.FGGG-4466=(u667%#3338H3#t|M((**#%5     s %!EE!c|jr;tdt|jjz|jdS)NzX Connection to %s closed )r]rnrrrZins getpeernamerhrs rFrhzHTTP_Client.closesQ 9 U /$ty}7P7P7R7R2S2SS T T T rH)NFr)rHrT) rrrrrPrQrrrrrhrvrHrFrXrXs !  " 9999",&,&,&,&\ QQQQfrHrXrrc jttj|}||rdnd}|d|rdpdd|d ||| } | r|rt| vrt d | St d } t| d5} | | j dddn #1swxYwYtrtj | n[ttjj5t#jtjj| gdddn #1swxYwY| SdS)a Util to perform an HTTP request. :param host: the host to connect to :param path: the path of the request (default /) :param port: the port (default 80/443) :param timeout: timeout before None is returned :param display: display the result in the default browser (default False) :param iface: interface to use. Changing this turns on "raw" :param headers: any additional headers passed to the request :returns: the HTTPResponse packet )r]NrdrerrSrfz://:)rz(No HTTP content returned. Cannot displayz.html)autoextwb)rXrPrQrrr ropenwriterr os startfilerrrHuniversal_open subprocessPopen) r|rr}rdisplayr~rrTclientansfilefds rF http_requestrs-G < < %EFFFGGGGGGGGGGGGGGG s$B//B36B34&D&&D*-D*re)sport)dport)rriceZdZdZeZejddfdZdZ ddZ e j d d Z e je d d Ze j dZe j dZe jedZdZe jed dZe jedZe j ddZe j ddZe j ddZe jedZe jedZdZdS) HTTP_Serverab HTTP server automaton :param ssp: the SSP to serve. If None, unauthenticated (or basic). :param mech: the HTTP_AUTH_MECHS to use (default: NONE) Other parameters: :param BASIC_IDENTITIES: a dict that contains {"user": "password"} for Basic authentication. :param BASIC_REALM: the basic realm. TNc||_d|vrtd||_|j|_d|_d|_|di|_|dd|_ |tj kr/|jstd|tdd |_n!|tj kr|td tj|g|Ri|dS) NrZz>HTTP_Server cannot be started directly ! Use HTTP_Server.spawnFBASIC_IDENTITIES BASIC_REALMrz#Please provide 'BASIC_IDENTITIES' !z)Can't use 'BASIC_IDENTITIES' with 'ssp' !TzCannot use ssp with mech=NONE !)r]rQr_rXr\r`basicrhrrrPrUrQrr)rrbr]r_rrs rFrzHTTP_Server.__init__s   P * & +=r B B!::mY?? ?( ( (( H !FGGG !LMMMDJJ _) ) ) !BCCC41$111&11111rHcX|jt|z dSr )rZsendr)rrs rFrzHTTP_Server.sends$ tvv}%%%%%rHrfc|jr7tjrtjd|dSt d|zdSdS)z, Verbose print (if enabled) z> %sN)r]r interactiver rrn)rrSs rFvprintzHTTP_Server.vprintsT 9 " "$VQ/////fqj!!!!!  " "rHrO)initialc"d|_d|_dSr/) authenticatedr`rs rFBEGINzHTTP_Server.BEGIN s"rHr)prioc|jtjjkr||r )r\rPrQrXSERVEAUTHrs rFshould_authenticatezHTTP_Server.should_authenticates1 ?o28 8 8**,, ))++ rHcdSr rvrs rFrzHTTP_Server.AUTHs rHctd|_|||j|ddS)Nz AUTH ERROR)r`_ask_authorizationr\r)rproxys rF AUTH_ERRORzHTTP_Server.AUTH_ERRORs9 t777 L!!!!!rHc*|r )rrs rF allow_reauthzHTTP_Server.allow_reauth siikkrHc|r'|tdd|dS|tdd|dS)NrsProxy Authentication Required)rrProxy_Authenticaters Unauthorized)rrrrr)rrrs rFrzHTTP_Server._ask_authorization$s   II &"B'+      II &"1%)     rHcht|vr|||jdkrd}nd}|r|j}n|j}|s3|j|jr d|jzz | |dS| dd\}t||jkr| | tjn##t$r| |wxYw|js t!}nE#t$r8d|_| ||j| |wxYw|j|j|\|_}}nV t)fd|jDdt.}}n#t0$r dt2}}YnwxYw|t.t4fvr| ||t4krl|j|r'dtjt;|zz | ||d|_|d| |dS) NrTFz realm='%s'rrOc3\K|]&\}}|d|k"dV'dS)rTN)r)rykvrs rF z7HTTP_Server.received_unauthenticated..csU Aq'(qq!!,4466$>>>>>>rHzAUTH OK)!rrrrProxy_Authorizationr'r\rrrrPrrrrrrr`r_GSS_Accept_sec_contextnextrrr StopIterationrrrrrrrr) rrr authorizationrrtokrrs @rFreceived_unauthenticatedz$HTTP_Server.received_unauthenticated6s #   KK & & &zZ'' 2 # 7 # 1   :=MD,<< z%s)answerrrr)rrrs rFrzHTTP_Server.SERVEs ; FS!!  . IIf    KKckkmmmmV^^5E5E5EF G G G G G KKs{{}}, - - - - -rHc*|r rrs rF serve_eofzHTTP_Server.serve_eofrrHc,||r )rrrs rF new_requestzHTTP_Server.new_requestsjjoorHcb|jdkrtdz Stdddz S)z HTTP_server answer function. :param pkt: a HTTPRequest packet :returns: a HTTPResponse packet /z4

OK

s404s Not FoundrzA

404 - Not Found

)rrrs rFrzHTTP_Server.answersO 8t  >>F  "*T  rH)rfr )rrrrrpkt_clsrPrQrrrrstater conditionrrrrrreceive_conditionreofrrrrrrrrvrHrFrrsq  G !   2222>&&&""""TZT^E"""#" TZ\\  \ TZ\\""\" T^J $TDq)))A&A&*)A&FTXd^^^TZa   TZa TZ\\...\.TXe___TE""#" rHrc>eZdZdZdZejdddddffd ZxZS) HTTPS_Servera0 HTTPS server automaton This has the same arguments and attributes as HTTP_Server, with the addition of: :param sslcontext: an optional SSLContext object. If used, cert and key are ignored. :param cert: path to the certificate :param key: path to the key NTcNd|vrtd|5tjtj} | ||n|} t | |dd|j|d<tt|j ||||d|dS)NrZz@HTTPS_Server cannot be started directly ! Use HTTPS_Server.spawnT) server_side)rbr]r_) rQrtruPROTOCOL_TLS_SERVERload_cert_chainrr{rrrr) rrbr]certrWr^r_rrrrs rFrzHTTPS_Server.__init__s   R   nS%<==G  # #D# . . . . G(   vD  A A L  v +lD!!*        rH) rrrr socketclsrPrQrrrs@rFrrse  I !              rHr)rNrFFr)Orrrrrrrrirtrrenumr scapy.compatrrscapy.automatonrr scapy.configr scapy.constsr scapy.errorr r r r scapy.fieldsr scapy.packetrrrrscapy.supersocketrr scapy.utilsrrscapy.layers.gssapirrrrscapy.layers.inetrrr ImportErrorrrrrrrrrrrrrGrKrZrdrprrrrrrrrPobjectrXrrrrvrHrFrs""P  00000000++++++++ NNNNNNNNNNNN!!!!!!AAAAAAAAAAAA;;;;;;;;???????? "!!!!!!MMM!!! !JJJ DM&04DM&,-*.DM&,'    %! <%%%!"%%%N & & &""555:::   ===$(xFxFxFxFxF6xFxFxFv     x      & & & & & ,& & & R) ) ) ) ) <) ) ) \IIIII6IIIXdnnnnn&nnnb5634&&&&XsD####sD#### CRr****sD%%%%sD%%%% eeeee)eeeP- - - - - ;- - - - - s6BBB#B**B43B48B??C C