Meterpreter traffic parser

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for SpartaEN from gravatar.com SpartaEN

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License
  • Author: SpartaEN
  • Requires: Python >=3.6
Classifiers

Project description

meterpreter-traffic-parser

A simple meterpreter traffic parser

Installation

pip3 install meterpreter-traffic-parser

Alternatively, you can install manually by cloing this repository to local and executing

pip3 install .

Examples

Parse plain text packet

from meterpreter_traffic_parser import *
from Crypto.Util.number import long_to_bytes

data = 0x9d6162899d6162899d6162899d6162899d6162899d6162899d6160aa9d6162899d6162af9d606288fe0e10ecc20f07eef2150be8e9043dfdf1173decf30210f0ed150be6f36162899d4862889d6357bdac5857bca55752beab5750b0aa5457bbaf5151bcae515bb0ac5454b9ab5262899d60ae899c6344a4b04c4fa4df2425c0d34132dcdf2d2bcabd2a27d0b04c4fa4b06b2fc0d4232be3dc2f20eef6100ae2f4265bfead2323d8d82723c8d22223d8a5202fc0d42321eed62223d8d82017e8e80f0adcf33905ccd32a54fada1029b9ec0868b1af1834c6b2082ef3d8572edfc83523c4a9321ba2e91456ebf22d33c5a53009e8a52d35ddaf202ebdd90e09bcec3403e6ee2508eaca590dd8d65630f8eb2a0b83d24e07cde92d51d3f3552dfef51b2ebdfe2b0fb1f42c27b1d72811b0e8513ac8ac0004ffb61857fcc53256ebff550ecbdb2423faaa1512bdca4e36eff3343afe970806dfdc282ad1d15713ffe90f2efdac2637e8c50e54d8cd5754e5d8333bdfda2555c3ac312cc2ec2200e1f3160affde4e55bfd7272cd9f80623cfda3310f9d26b17cdce2b2be8cb3635cdd45512dedf2f0fc7e85926e1ad0425e8fe4a55e1ed2400dbfc2252efb2002fd1f00810bcff1617cfd13435e3ef0930f1ed305bcae41068dbc41511fdef5416c2b63049d8dc2004bcd50856f8c8080ec4ce250de7cf5904e6d64e16c5ea2321fbf00020c3d3342afcfe3336e6f94e26cdc81324d0de572483d8302bcddc3023cb974c4fa4b04c27c7d94132dcdf2d2bcabd2a27d0b04c4fa4b06b62

p = Packet(long_to_bytes(data))
p.describe()

Output

session_guid: 00000000000000000000000000000000
enc_flags: 0
payload length (including tlv): 547
type: PACKET_TLV_TYPE_REQUEST

TLV units:
type: TLV_META_TYPE_STRING, TLV_TYPE_COMMAND_ID
length: 38
payload: b'core_negotiate_tlv_encryption\x00'

type: TLV_META_TYPE_STRING, TLV_TYPE_REQUEST_ID
length: 41
payload: b'54195586076629755220353099156063\x00'

type: TLV_META_TYPE_STRING, TLV_TYPE_RSA_PUB_KEY
length: 460
payload: b'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuaunhUnXgENK6sGqK0qi\n82yVO/iLzE6LVUTAM4Sy+tu4boLQL8Qka8LWT2AL4Dok5qUaosDjcW8oQK7RqvKi\nO/eDtL3Zn4OwhzL4cJm8iME8JIs9u0XA1afv+y5uXS4bb4lBFEAs7tp4W/TfnUXw\nidVAIHXL6qvtnLt1GUaXo6QP66lERYVGD7J1PNKqCbhnwhvC/76JFNPegAFGRrpO\nuDSJIaVWWDI4pWBNmNu8Dh0eGac+7hpEbRaC0f/aMXmir5bwuFLUWjrhRxpQ9Cyq\nRYtstr5tK+Q+QAAf5Hi4qUilMSDonR8foK/tLwBCrmaBJNUHucRTod/DDUrFYC6F\nEQIDAQAB\n-----END PUBLIC KEY-----\n\x00'

Extract AES key with RSA private key

from meterpreter_traffic_parser import *
from Crypto.Util.number import long_to_bytes

private_key = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuaunhUnXgENK6sGqK0qi82yVO/iLzE6LVUTAM4Sy+tu4boLQ
L8Qka8LWT2AL4Dok5qUaosDjcW8oQK7RqvKiO/eDtL3Zn4OwhzL4cJm8iME8JIs9
u0XA1afv+y5uXS4bb4lBFEAs7tp4W/TfnUXwidVAIHXL6qvtnLt1GUaXo6QP66lE
RYVGD7J1PNKqCbhnwhvC/76JFNPegAFGRrpOuDSJIaVWWDI4pWBNmNu8Dh0eGac+
7hpEbRaC0f/aMXmir5bwuFLUWjrhRxpQ9CyqRYtstr5tK+Q+QAAf5Hi4qUilMSDo
nR8foK/tLwBCrmaBJNUHucRTod/DDUrFYC6FEQIDAQABAoIBACLBiz5cMEcGUcPY
NO6drhs7PERZpnG8UkDH+eKq+IYVE1U8j5Qhd1/kvRFmvVJgEABM78t/qBPX5wUU
tJL3kH8BOlpfH5nIoQbt96u8W5qN8aA1oHyp9gsIwNeYPXib5O7gFpqf2MlthBJS
qHlcWkay8Koi4uUvAe/Q936fxEsRXWjyGi0bds/g6g/29DU7aY27ZElXkol6IVPu
0BP7p2nJDpf40AexUQfOQP3KBF+LQ2dnW6lwdWOS9FQCoCX8F8Xtmy83t45uMRzi
R7wQg5whMNgI4yPbK5i8IUpXJ1DBpz+csU3LugkGJ8r5JZygn0BBjCDMGrby6Yyj
zsU7J/ECgYEA4v6KIL5eTadbw/J2uPFx26+9TVzwPOqyc8O4KRX78Mk9C5ksnR7u
/5DyxcuH4qRaPo3OoQCauXHo2q/WuzA3qG9bP3unN4Ya0Pg7I8pEWAXdyvYqj4Dg
rREPuSHPQZL8ACZSpZ9ZfBZGD+gTXVlLx+LlOK6MFQ8+L5s6VJR+RPMCgYEA0WVT
039a+SwpvuCqe5D63a5FCvJwOvKxbRzwou7kW6ZWuIY69M9lQ2gUM6oKb0qNJBov
3Jiw5cuCoWTf1PR7Xh8RLuyldiM3sex5aiF40DC4dmf7DRAhYIXWEPxp071ibhfU
AH92LgAZ4kL7kv6qy0TCD0QkDhjQzyKoHc48XusCgYAf+dtbYXXHWpwCrlUrGFgB
qm/wRfdRnX4l8JwwrXggIzkGOT2fpIvmVHTeiB1MP/q2dSN2aq9hEDrNE5gcJl6w
y37/Ilwb5jhA17b9A7E89RaZULQOIwmDV7PvUGPxyNLW8o8R5bClWj3kX7zamYmj
TsMbiPsSvGL2Mde1snVXIQKBgQCAvG9BBHeF4eT4eV/XAFd7mvzPsiXV2AfFMZmw
UncK8cU3RS9R+4AiZQamjNBFg+wqWf86/JUlcm0plL8YSgbe4vLJiqxfaV+AgAZV
faatOIbwJRVv/o7GrQHjB4x4pWKylOu+Mp8RwPYo6U2KHhAbUHaOtDIGiLM35fK+
AGGVaQKBgQCCAkRxWs7d0R5WvwV8RPMS1kxRo7lOVephhNQPAdeAJ7R+58ernhP8
tr7aQ/NfokRW2rx8TJdWRFPwHk8cy1RU1u96WcKuY1dMYn5Cw+jkaNg/1sDez7AI
3KsrBUABLJAhkKIW5+3vJqnMOJdZB5sgIFkawCDI92YueciItM5gIg==
-----END RSA PRIVATE KEY-----"""

data = 0x2926993adf8c06b90319d8059f51ec99b401f9b42926993a292698b52926993b2926991c2927993b4a49eb5f7648fc5d4652f05b5d43c64e4550c65f4745eb435952f0554726993a290f993b2924ac0e181fac0f1110a90d1f10ab031e13ac081b16aa0f1a16a0031813af0a1f15993a2926953a2b24be3a2926983a2927913a2d24b039ec75e27c93f3e0167fb28dd2c98ea0fd2ff42887d961f4e205a619311cf4b8dd93f189d24b8eb45af277bc76cc0ea8d5a0b3332812e6c8f73cced9f1d32189311dc13c30b80ebf944228979fd974a6ce23aacf386ebb5dbc1ac414a49678e6425944edf4a56f263a9c9e2a80e4d1884b35fc8da6e68bff64d33265350bf3e2b72dc5b0f0580cc12925074fc5505c9cd250b279150b9701cf5b2666ae9d0a0722f8b72aed8ffaa51f43594ebebe13b5bcb75e8a33c8cd396445c0c9da3d5a5b862bde38f62d13afd5387a62abce70e3d4192e3e96996ceaa0d1b0c7796028bdeabfbd8eddd13576f23135e1e7b06a0057a4b07bc786394ba1cd691547fad5db3a2926953a2b269d3a2926993a2926813a2d27542832d93a2fb12d08349729256baeb187

p = Packet(long_to_bytes(data))
p.describe()

sym_key_type = b""
sym_key_value_encrypted = b""

tlv_units = p.get_parsed_units()
for i in tlv_units:
    if i.get_type() & TLVType.TLV_TYPE_SYM_KEY_TYPE.value == TLVType.TLV_TYPE_SYM_KEY_TYPE.value:
        # 0x01 => AES256
        sym_key_type = int.from_bytes(i.get_payload(), 'big')
    if i.get_type() & TLVType.TLV_TYPE_SYM_KEY.value == TLVType.TLV_TYPE_SYM_KEY.value:
        sym_key_value_encrypted = i.get_payload()

sym_key_value = extract_aes_key(private_key, sym_key_value_encrypted)
print(f"sym key type: {sym_key_type}")
print(f"sym key value: {sym_key_value}")

Output

session_guid: f6aa9f832a3f413fb67775a39d27608e
enc_flags: 0
payload length (including tlv): 399
type: PACKET_TLV_TYPE_RESPONSE

TLV units:
type: TLV_META_TYPE_STRING, TLV_TYPE_COMMAND_ID
length: 38
payload: b'core_negotiate_tlv_encryption\x00'

type: TLV_META_TYPE_STRING, TLV_TYPE_REQUEST_ID
length: 41
payload: b'54195586076629755220353099156063\x00'

type: TLV_META_TYPE_UINT, TLV_TYPE_SYM_KEY_TYPE
length: 12
payload: b'\x00\x00\x00\x01'

type: TLV_META_TYPE_RAW, TLV_TYPE_ENC_SYM_KEY
length: 264
payload: b'\x03\xc5S{F\xba\xd5y,V\x94\x14\xe8\xe0\xa89\xc7\x06\xd2\xb1\xbd\xf0Gm\xd8,\x80\x80\x0b5\xd2!\xe7\xba\xd7\x10\xe8b\xa8-`\xdbQ%L\xe5(1\xef\x89\x95\xaa\x12;\xc0Q\xcd\x15\xe8@\xcb\xfa\x07\x10\x0b4\xe7\xa5\n\x91(&\xaek\x0e\x0e\xa5\xf0R?\xf4\n\x8cV\x02G\x9d\xc4\x863\xe2\x8d\x9e\xbf^\x7fxpbt\xce\x8cI\xbf\x00\xb5\xb8\xb3\xba\xcd\xf7\x11q\x1c\xda\x14\x9c\xcf\xadf^\xfa\x14\xfc\x0f"\xd5{\x8d\x04\xe3)\xcaq*X\x13\x0c!\xd6\xffyz\x05\xe8y\x94\xe0/"\xb1\x98\xf5r\x00\xff\x94\xb4,\x9e\x18\xd1\x91\xb3\xd7\xa6\xdc<%j\x7f\xd7\x84\x975,\x86\x9ex\x13\t\xe1\xeb\xa0^l\xe6P\xe0\x14|\xc2\xbc\x02\xf8\xa1\xcc\x0456\xef\x11\\\xfb\x91\xe7Vz\xee0\x08\xa7\xac\xb0Js\x9a\xf8\x96^CI\x0e$\xd0\x96\x9b\x17\xe7\xf8\x13\xef\xc8\x18\x13x\xdd\x99L\x99m\x8d\x96\xe2\xfd\xaf\x1f\xd2\x9b\xe4O\x8c}\xd3\xf3B'

type: TLV_META_TYPE_UINT, TLV_TYPE_RESULT
length: 12
payload: b'\x00\x00\x00\x00'

type: TLV_META_TYPE_RAW, TLV_TYPE_UUID
length: 24
payload: b'\x12\x1b\xff\xa3\x15\x98\x0b\x91\x0e\xbe\x0f\xbcQ\x87\x97\x1e'

sym key type: 1
sym key value: b'\xc0\xd7>\x7f\xcdH=W9\xcb3\xf5\x91\xaa0\xf3\xca\xd9\x0c$\xad]\xd7\xc8\xab\xe4\xf2\xa8N\\\xe8\x9b'

Parse encrypted data

from meterpreter_traffic_parser import *
from Crypto.Util.number import long_to_bytes

aes_key = b'\xc0\xd7>\x7f\xcdH=W9\xcb3\xf5\x91\xaa0\xf3\xca\xd9\x0c$\xad]\xd7\xc8\xab\xe4\xf2\xa8N\\\xe8\x9b'

data = 0x7e30af14889a3097540fee2bc847dab7e317cf9a7e30af157e30af7c7e30af144a1999b733e68b894ee6b64581a31e4f800f1e2413c6ffabc4690df0ffdf5ad592f3d3de710b43f85611c113dff2d03a4a91fc6cf046cafc37d823f986dee137e05368e717be6acbd31e87435f8bc7601dae969be7b5888050246f2f01b9cab8

p = Packet(long_to_bytes(data), aes_key)
p.describe()

Output

session_guid: f6aa9f832a3f413fb67775a39d27608e
enc_flags: 1
payload length (including tlv): 104
type: PACKET_TLV_TYPE_REQUEST

TLV units:
type: TLV_META_TYPE_STRING, TLV_TYPE_COMMAND_ID
length: 24
payload: b'core_machine_id\x00'

type: TLV_META_TYPE_STRING, TLV_TYPE_REQUEST_ID
length: 41
payload: b'10041968846689921436271074045356\x00'

LICENSE

MIT License

Copyright (c) 2021 Sparta_EN

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for SpartaEN from gravatar.com SpartaEN

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License
  • Author: SpartaEN
  • Requires: Python >=3.6
Classifiers

Release history Release notifications | RSS feed

This version

0.0.2

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

meterpreter-traffic-parser-0.0.2.tar.gz (17.0 kB view details)

Uploaded Source

Built Distribution

meterpreter_traffic_parser-0.0.2-py3-none-any.whl (15.1 kB view details)

Uploaded Python 3

File details

Details for the file meterpreter-traffic-parser-0.0.2.tar.gz.

File metadata

  • Download URL: meterpreter-traffic-parser-0.0.2.tar.gz
  • Upload date:
  • Size: 17.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.9.5

File hashes

Hashes for meterpreter-traffic-parser-0.0.2.tar.gz
Algorithm Hash digest
SHA256 3f859ea06df8f9689d69c1a7787e2910809db3821422772557dcb94ab80a95ad
MD5 82327882ce635481275434c2ca116285
BLAKE2b-256 b2307ca2652d096ef25ee943b4fb834e138de48e1cb833ad3a58ac759ed2703f

See more details on using hashes here.

File details

Details for the file meterpreter_traffic_parser-0.0.2-py3-none-any.whl.

File metadata

  • Download URL: meterpreter_traffic_parser-0.0.2-py3-none-any.whl
  • Upload date:
  • Size: 15.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.62.2 CPython/3.9.5

File hashes

Hashes for meterpreter_traffic_parser-0.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 1e3af39cb7bb0c7a1b1a0f0f514677991716fd6998ed12dc42b6053af221ab53
MD5 c18c5763a98cd989a89e3ca7f7560012
BLAKE2b-256 57a92aab95e3c7340d48da2430d8672123eb9d476cced44e4658021614b94a50

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page