The Ettercap log parser is a tool to parse ettercap logs.
c88c3a6506d0d9772bcaf6c80249027819691fa7b6d442fabfdf0b72202d9fac
//
// ettercap log parser by overkill
// e-mail: overkill@overkill.cc
// IRC: #twlc@unet
//
#include <malloc.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Log file stream. main() opens it; telnetftp(), irc() and www() read the
// lines that follow a record's start line directly from it.
FILE *f;

// Service names compared against the last field of a start line.
// The code indexes this table directly (0 telnet, 1 ftp, 2 pop3, 3 imap2,
// 4 ircd, 5 www), so the order must not change.
const char services[6][10] = {
    "telnet",
    "ftp",
    "pop3",
    "imap2",
    "ircd",
    "www"
};

// One parsed log record. All text fields are fixed-size buffers, so every
// parser that fills them has to bound its writes to the sizes given here.
struct info {
    char from[16];          // text before the first ':' after the time stamp
    char to[16];            // text between '>' and the next ':'
    char service[20];       // last token of the start line
    char user[255];         // account / nick taken from the payload lines
    char pass[255];         // password taken from the payload lines
    char extra[255];        // free-form annotation printed after the password
    unsigned int port1;     // number parsed right after `from` (IRC/WWW passes only)
    unsigned int port2;     // number parsed right after `to`
    unsigned int validate;  // non-zero when the record should be printed
} info;

// Handlers defined further down in this file.
int printstuff(struct info *);
int telnetftp(struct info *);
int irc(struct info *);
int www(struct info *);
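// Print the usage message to stderr.
//
// s: program name to show in the usage line; a NULL pointer (possible when
//    the process was started with an empty argv) is replaced by a placeholder
//    instead of being handed to "%s".
// Returns 0. The function is declared int, so it must return a value.
int usage(char *s)
{
    if (s == NULL) {
        s = "<program>";
    }
    fprintf(stderr, "you fucked up.");
    fprintf(stderr, "\nusage: %s logfile\n", s);
    return 0;
}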
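// Decide whether `line` starts a log record and, if so, parse its header into
// `record`.
//
// A line counts as a start line when it begins with an hh:mm:ss stamp in which
// at least one component is non-zero (a 00:00:00 stamp is therefore not
// recognised; that rule is kept unchanged).
//
// with_src_port: non-zero selects the header layout that carries a number
//                right after the `from` field (stored in port1).
// Returns 1 for a start line (record was zeroed and filled as far as the line
// matched), 0 otherwise (record untouched).
//
// The log is untrusted input: every string conversion carries a field width
// one less than its destination (from[16], to[16], service[20], skipped[50]),
// so an oversized token ends the parse instead of overrunning the buffer.
static int parse_start_line(const char *line, int with_src_port, struct info *record)
{
    char skipped[50];   // text between the source field and '>'; parsed, not used
    int hh = 0, mm = 0, ss = 0;

    sscanf(line, "%d:%d:%d", &hh, &mm, &ss);
    if (!(hh || mm || ss)) {
        return 0;
    }

    memset(record, 0, sizeof *record);
    if (with_src_port) {
        sscanf(line, "%d:%d:%d %15[^:]: %u %49[^>] > %15[^:]:%u %19s",
               &hh, &mm, &ss, record->from, &record->port1, skipped,
               record->to, &record->port2, record->service);
    } else {
        sscanf(line, "%d:%d:%d %15[^:]: %49[^>] > %15[^:]:%u %19s",
               &hh, &mm, &ss, record->from, skipped,
               record->to, &record->port2, record->service);
    }
    return 1;
}

// Entry point: open the log named by argv[1] and make four passes over it
// (telnet/ftp, pop3/imap2, IRC, WWW), printing every record a handler marks
// as valid.
//
// Returns 0 on success, 1 on a usage, open, allocation or seek error.
int main(int argc, char **argv)
{
    char line[255];
    struct info *record = NULL;
    int rc = 1;

    printf("-=* ettercap log parser by overkill *=-\n");
    // argc can be 0 as well as 1; either way argv[1] is not a file name.
    if (argc < 2) {
        usage(argc > 0 ? argv[0] : "<program>");
        return 1;
    }
    f = fopen(argv[1], "rt");
    if (!f) {
        fprintf(stderr, "\nFile open error.\n");
        return 1;
    }
    record = malloc(sizeof *record);
    if (!record) {
        fprintf(stderr, "\nOut of memory.\n");
        goto out;
    }

    // first we scan for telnet/ftp passwords
    printf("\n--------------------------------------------------------------------------------\n");
    printf(" TELNET/FTP section:");
    printf("\n--------------------------------------------------------------------------------\n");
    // Loop on fgets() itself: testing feof() before reading repeats stale data
    // on a read error and drops a final line that lacks a newline.
    while (fgets(line, sizeof line, f)) {
        if (!parse_start_line(line, 0, record)) {
            continue;
        }
        if (!strcmp(record->service, services[0]) || !strcmp(record->service, services[1])) {
            telnetftp(record);
        }
        if (record->validate) {
            printstuff(record);
        }
    }
    // fseek() takes (stream, offset, whence); the arguments used to be swapped
    // and only worked because SEEK_SET happens to be 0.
    if (fseek(f, 0L, SEEK_SET) != 0) {
        fprintf(stderr, "\nFile seek error.\n");
        goto out;
    }

    // pop3 accounts
    printf("--------------------------------------------------------------------------------\n");
    printf(" POP3 and IMAP2 accounts:");
    printf("\n--------------------------------------------------------------------------------\n");
    while (fgets(line, sizeof line, f)) {
        if (!parse_start_line(line, 0, record)) {
            continue;
        }
        if (!strcmp(record->service, services[2]) || !strcmp(record->service, services[3])) {
            telnetftp(record);
        }
        if (record->validate) {
            printstuff(record);
        }
    }
    if (fseek(f, 0L, SEEK_SET) != 0) {
        fprintf(stderr, "\nFile seek error.\n");
        goto out;
    }

    // irc passwords
    printf("--------------------------------------------------------------------------------\n");
    printf(" IRC:");
    printf("\n--------------------------------------------------------------------------------\n");
    while (fgets(line, sizeof line, f)) {
        if (!parse_start_line(line, 1, record)) {
            continue;
        }
        if (!strcmp(record->service, services[4]) ||
            record->port2 == 6667 || record->port2 == 6668 ||
            record->port1 == 6667 || record->port1 == 6668) {
            irc(record);
        }
        if (record->validate) {
            printstuff(record);
        }
    }
    if (fseek(f, 0L, SEEK_SET) != 0) {
        fprintf(stderr, "\nFile seek error.\n");
        goto out;
    }

    // www accounts
    printf("--------------------------------------------------------------------------------\n");
    printf(" WWW accounts:");
    printf("\n--------------------------------------------------------------------------------\n");
    while (fgets(line, sizeof line, f)) {
        if (!parse_start_line(line, 1, record)) {
            continue;
        }
        if (!strcmp(record->service, services[5])) {
            www(record);
        }
        if (record->validate) {
            printstuff(record);
        }
    }
    rc = 0;

out:
    free(record);
    fclose(f);
    return rc;
}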
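// Print one validated record to stdout as
// "<port2> <to> - <user> <pass> <extra>".
//
// Returns 0. The function is declared int, so it must return a value.
//
// NOTE(review): user, pass and extra are copied from the log and written out
// unfiltered, in clear text. Control characters in the log would reach the
// terminal as-is; confirm whether the output is only ever viewed in a context
// where that is acceptable.
int printstuff(struct info *record)
{
    printf("%u %-15s - %s %s %s\n", record->port2, record->to,
           record->user, record->pass, record->extra);
    return 0;
}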
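// Read the two payload lines that follow a start line and store the second
// whitespace-separated token of each as user name and password.
//
// record: header already parsed by the caller; user, pass and validate are
//         written here.
// Returns 0.
//
// The record is marked valid unless
//   - either payload line could not be read (end of file or read error),
//   - it is an FTP login on port 21 as "anonymous" or "ftp", or
//   - the service is ftp but the port is not 21.
//
// The first token of each line is skipped with "%*s" rather than stored: it
// used to be copied into a 20-byte scratch buffer with an unbounded "%s", so a
// long first token in the log overran the stack.
int telnetftp(struct info *record)
{
    char buf[255];

    record->validate = 0;
    (void)getc(f);  // one character is skipped before the first payload line

    if (!fgets(buf, sizeof buf, f)) {
        return 0;   // nothing to parse; buf would be uninitialised
    }
    sscanf(buf, "%*s %254s", record->user);     // width = sizeof user - 1

    if (!fgets(buf, sizeof buf, f)) {
        return 0;   // do not re-parse the user line as the password
    }
    sscanf(buf, "%*s %254s", record->pass);     // width = sizeof pass - 1

    record->validate = 1;
    if (record->port2 == 21 &&
        (!strcmp(record->user, "anonymous") || !strcmp(record->user, "ftp"))) {
        record->validate = 0;
    }
    if (!strcmp(record->service, services[1]) && record->port2 != 21) {
        record->validate = 0;
    }
    return 0;
}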
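// Read the three payload lines that follow an IRC start line and, when the
// third one contains a known login pattern, fill user/pass/extra and mark the
// record valid.
//
// record: header already parsed by the caller. When port1 is 6667 or 6668 the
//         `from` side is copied over `to`/`port2`.
// Returns 0 in every case; record->validate tells the caller whether to print.
//
// The payload is untrusted text from the log, so:
//   - the third line is copied into `extra` through "%s" and never used as a
//     format string itself;
//   - trailing characters are only cut when the string is long enough, so an
//     empty field cannot produce a write before the buffer;
//   - the 6-character prefix is dropped by string length instead of a fixed
//     200-byte move, which garbled lines longer than 206 characters.
// A payload line that cannot be read is treated as empty.
int irc(struct info *record)
{
    enum { LABEL_LEN = 6 };     // characters discarded at the start of lines 1 and 2
    static const char *const types[] = {
        "x@channels.undernet.org",      // [0] undernet users
        "nickserv@services.dal.net",    // [1] dalnet nickserv
        "/identify password",           // [2] dalnet as well
        "nickserv identify",            // [3] some other irc servers
        "chanserv identify",            // [4] same, for chanserv
        "#channel password",            // [5] channel key
        "#channel +k password",         // [6] channel key
        "OPER"                          // [7] operator login
    };
    // there are other irc login strings that are not covered here
    char a[255] = {0}, b[255] = {0}, c[255] = {0};
    size_t len;

    (void)getc(f);
    if (!fgets(a, sizeof a, f)) {
        a[0] = '\0';
    }
    if (!fgets(b, sizeof b, f)) {
        b[0] = '\0';
    }
    (void)getc(f);
    if (!fgets(c, sizeof c, f)) {
        c[0] = '\0';
    }

    len = strlen(a);
    if (len > LABEL_LEN) {
        memmove(a, a + LABEL_LEN, len - LABEL_LEN + 1);
    } else {
        a[0] = '\0';
    }
    len = strlen(b);
    if (len > LABEL_LEN) {
        memmove(b, b + LABEL_LEN, len - LABEL_LEN + 1);
    } else {
        b[0] = '\0';
    }

    if (record->port1 == 6667 || record->port1 == 6668) {
        record->port2 = record->port1;
        snprintf(record->to, sizeof record->to, "%s", record->from);
    }

    if (strstr(c, types[0])) {
        sscanf(b, "%254s %254s", record->user, record->pass);
        snprintf(record->extra, sizeof record->extra, "%s", " <undernet>");
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[1])) {
        sscanf(a, "%254s", record->user);
        snprintf(record->pass, sizeof record->pass, "%s", b);
        // cut the last two characters, as before, but never index below 0
        len = strlen(record->pass);
        record->pass[len >= 2 ? len - 2 : 0] = '\0';
        snprintf(record->extra, sizeof record->extra, "%s", " <dalnet nickserv>");
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[2])) {
        sscanf(a, "%254s", record->user);
        sscanf(b, "%254s", record->pass);
        snprintf(record->extra, sizeof record->extra, "%s", " <dalnet>");
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[3]) || strstr(c, types[4])) {
        sscanf(a, "%254s", record->user);
        sscanf(b, "%254s", record->pass);
        // c comes from the log: copy it as data, not as a format string
        snprintf(record->extra, sizeof record->extra, "%s", c);
        len = strlen(record->extra);
        if (len > 0) {
            record->extra[len - 1] = '\0';
        }
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[5]) || strstr(c, types[6])) {
        sscanf(a, "%254s", record->user);
        snprintf(record->pass, sizeof record->pass, "%s", b);
        if (record->pass[0] == '\n' || record->pass[0] == '*' || record->pass[0] == '#') {
            return 0;   // not a usable key; record stays unvalidated
        }
        len = strlen(record->pass);
        if (len > 0) {
            record->pass[len - 1] = '\0';
        }
        snprintf(record->extra, sizeof record->extra, "%s", " <channel key>");
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[7])) {
        sscanf(a, "%254s", record->user);
        sscanf(b, "%254s", record->pass);
        snprintf(record->extra, sizeof record->extra, "<OPER request> from %s", record->from);
        record->validate = 1;
        return 0;
    }
    return 0;
}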
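// Read the three payload lines that follow a WWW start line and store them as
// user, pass and extra; the record is always marked valid.
//
// record: header already parsed by the caller. When port1 is 80 the `from`
//         side is copied over `to`/`port2`.
// Returns 0.
//
// The payload is untrusted text from the log, so:
//   - `extra` is built with snprintf(): "\n " plus a 254-character line needs
//     257 bytes and used to overrun the 255-byte field;
//   - the last character of each field (presumably the newline) is only cut
//     when the field is non-empty, so a short or missing line cannot produce a
//     write before the buffer;
//   - the 6-character prefix is dropped by string length instead of a fixed
//     200-byte move, which garbled lines longer than 206 characters.
// A payload line that cannot be read is treated as empty.
int www(struct info *record)
{
    enum { LABEL_LEN = 6 };     // characters discarded at the start of lines 1 and 2
    char a[255] = {0}, b[255] = {0}, c[255] = {0};
    size_t len;

    (void)getc(f);
    if (!fgets(a, sizeof a, f)) {
        a[0] = '\0';
    }
    if (!fgets(b, sizeof b, f)) {
        b[0] = '\0';
    }
    (void)getc(f);
    if (!fgets(c, sizeof c, f)) {
        c[0] = '\0';
    }

    len = strlen(a);
    if (len > LABEL_LEN) {
        memmove(a, a + LABEL_LEN, len - LABEL_LEN + 1);
    } else {
        a[0] = '\0';
    }
    len = strlen(b);
    if (len > LABEL_LEN) {
        memmove(b, b + LABEL_LEN, len - LABEL_LEN + 1);
    } else {
        b[0] = '\0';
    }

    if (record->port1 == 80) {
        record->port2 = record->port1;
        snprintf(record->to, sizeof record->to, "%s", record->from);
    }

    snprintf(record->user, sizeof record->user, "%s", a);
    snprintf(record->pass, sizeof record->pass, "%s", b);
    len = strlen(record->user);
    if (len > 0) {
        record->user[len - 1] = '\0';
    }
    len = strlen(record->pass);
    if (len > 0) {
        record->pass[len - 1] = '\0';
    }

    snprintf(record->extra, sizeof record->extra, "\n %s", c);
    len = strlen(record->extra);
    if (len > 0) {
        record->extra[len - 1] = '\0';
    }
    record->validate = 1;
    return 0;
}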