pcap file extract fix

Author: Roman Hergenreder

__init__.py

@@ -5,7 +5,7 @@
 __all__ = [
     "util", "fileserver", "xss_handler", "rev_shell", 
     "xp_cmdshell", "dnsserver", "sqli", "smtpserver", 
-    "upload_file"
+    "upload_file", "pcap_file_extract"
 ]
 
 inc_dir = os.path.dirname(os.path.realpath(__file__))

pcap-file-extract.py pcap_file_extract.py

@@ -6,24 +6,26 @@
 from abc import ABC, abstractmethod
 from scapy.all import *
 from hackingscripts import util
+from collections import OrderedDict
 
 
 class HttpPacket(ABC):
-    def __init__(self, version):
+    def __init__(self, sock_src, version):
         self.version = version
         self.headers = util.CaseInsensitiveDict()
         self.payload = None
+        self.socket = sock_src
 
     @staticmethod
-    def parse(data):
+    def parse(sock_src, data):
         index = data.index(b"\r\n")
         first_line = data[0:index+2].decode()
         matches_req = re.match(HttpRequest.PATTERN.decode(), first_line)
         matches_res = re.match(HttpResponse.PATTERN.decode(), first_line)
         if matches_req:
-            http_packet = HttpRequest(*matches_req.groups())
+            http_packet = HttpRequest(sock_src, *matches_req.groups())
         elif matches_res:
-            http_packet = HttpResponse(*matches_res.groups())
+            http_packet = HttpResponse(sock_src, *matches_res.groups())
         else:
             return None
 
@@ -43,8 +45,8 @@ def get_file_path(self):
 class HttpRequest(HttpPacket):
     PATTERN = b"([A-Z]+) ([^ ]+) HTTP/([0-9.]+)\r\n"
 
-    def __init__(self, method, uri, version):
-        super().__init__(version)
+    def __init__(self, socket, method, uri, version):
+        super().__init__(socket, version)
         self.method = method
         self.uri = uri
 
@@ -58,8 +60,8 @@ def get_file_path(self):
 class HttpResponse(HttpPacket):
     PATTERN = b"HTTP/([0-9.]+) ([0-9]+) (.*)\r\n"
 
-    def __init__(self, version, status_code, status_text):
-        super().__init__(version)
+    def __init__(self, socket, version, status_code, status_text):
+        super().__init__(socket, version)
         self.status_code = int(status_code)
         self.status_text = status_text
         self.response_to = None
@@ -150,7 +152,7 @@ def __repr__(self):
 
 class TcpConnections:
     def __init__(self):
-        self.connections = {}
+        self.connections = OrderedDict()
 
     def __contains__(self, item: TcpConnection):
         return str(item) in self.connections
@@ -189,7 +191,6 @@ def __init__(self, pcap_path, output_dir="extracted_files/", filters=None):
         self._packets = None
 
     def _open_file(self):
-        # self._packets = pcapkit.extract(fin=self.pcap_path, store=False, nofile=True)
         self._packets = rdpcap(self.pcap_path)
 
     def extract_all(self):
@@ -204,6 +205,15 @@ def extract_all(self):
 
                 print(f"[+] Extracted: {file_path} {util.human_readable_size(len(packet.payload))} Bytes")
 
+    def __iter__(self):
+        self._open_file()
+        http_packets = self._parse_http_packets()
+        self.iter_filtered_packets = self._apply_filters(http_packets)
+        return iter(self.iter_filtered_packets)
+
+    def __next__(self):
+        return next(self.iter_filtered_packets)
+
     def _apply_filters(self, packets):
         filtered_packets = packets
         for f in self.filters:
@@ -238,15 +248,16 @@ def get_http_packet(self, packet_iterator, sock_src, initial_packet):
                     buff = (next_packet[TCP].seq, raw(next_packet[TCP].payload))
                     # potential TCP ZeroWindowProbe
                     continue
-
+                
+                # TODO: instead of assertions, we should make sure, the seq. is ascending
                 assert next_packet[TCP].seq > prev_seq
                 assert next_packet[IP].frag == 0
                 http_buffer += raw(next_packet[TCP].payload)
                 prev_seq = next_packet[TCP].seq
             else:
                 break
 
-        return HttpPacket.parse(http_buffer)
+        return HttpPacket.parse(sock_src, http_buffer)
 
     def _parse_http_packets(self):
 
@@ -298,7 +309,7 @@ def _parse_http_packets(self):
     parser.add_argument("-o", "--output-dir", help="Path to destination directory", default="extracted_files/",
                         dest="output_dir")
     parser.add_argument("-l", "--list", help="List available files only", default=False, action="store_true")
-    parser.add_argument("-e", "--extract", help="Extract files (default)", default=True, action="store_true")
+    parser.add_argument("-e", "--extract", help="Extract files (default)", default=False, action="store_true")
     parser.add_argument("-ec", "--exclude-codes", help="Exclude http status codes, default: 101,304,403,404",
                         default="101,304,403,404", dest="exclude_codes")
     parser.add_argument("-ic", "--include-codes", help="Limit http status codes", type=str,