httpreplay's People

Contributors

1earch, jbremer, mhils, ricovz, wesinator

httpreplay's Issues

Unknown HTTP encoding : "br"

Hi,
I've noticed that I was unable to decrypt the traffic normally; one of the requests was using the "br" encoding in the "content-encoding" header (that's what I understood). The request was in HTTP/2.0.
Can you check this? (I was analyzing "https://www.airfrance.fr" with Cuckoo.)
FYI, I post the issue here because it's httpreplay that is raising an error :)
Thank you

Missing LICENSE

Source is commented with

# See the file 'LICENSE' for copying permission

But actual license file is missing

dpkt/pcap.py wants a file object but httpreplay requests/sends a path

This may or may not be an issue depending on the intent of reader.py. But httpreplay/reader.py passes a file path (variable name fp) to dpkt/pcap.py, but dpkt wants a file object. This is causing issues in cuckoo/modules/processing/network.py (Cuckoo Sandbox 2.0-RC1).

READER.PY

    def __init__(self, fp):
        self.tcp = None
        self.udp = None
        self.values = []

        try:
            #SHOULD PASS FILE OBJECT NOT PATH
            self.pcap = dpkt.pcap.Reader(fp)
        except ValueError as e:
            if e.message == "invalid tcpdump header":
                log.critical("Currently we don't support PCAP-NG files")
            self.pcap = None

PCAP.PY INIT

    class Reader(object):
        """Simple pypcap-compatible pcap file reader."""
        def __init__(self, fileobj):
            self.name = getattr(fileobj, 'name', '<%s>' % fileobj.__class__.__name__)
            self.__f = fileobj
            # ... (rest of __init__ omitted)
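
The path-versus-file-object mismatch reported above, and the PCAP-NG case the reader snippet logs about, can both be caught before a reader is constructed. This is an added example, not code from the issue, httpreplay or dpkt; `open_capture` and the kind labels are hypothetical names, the inputs are constructed, and the stream is assumed to be seekable.

```python
import io
import os
import struct
import tempfile

# First four bytes of a capture file, as stored on disk.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap-le-usec", b"\xa1\xb2\xc3\xd4": "pcap-be-usec",
    b"\x4d\x3c\xb2\xa1": "pcap-le-nsec", b"\xa1\xb2\x3c\x4d": "pcap-be-nsec",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type


def open_capture(source):
    """Hypothetical helper: path or seekable binary stream -> (fileobj, kind)."""
    opened_here = isinstance(source, (str, bytes, os.PathLike))
    fileobj = open(source, "rb") if opened_here else source
    try:
        start = fileobj.tell()
        magic = fileobj.read(4)
        fileobj.seek(start)  # leave the stream where the reader expects it
        if magic == PCAPNG_MAGIC:
            raise ValueError("pcapng capture, convert to classic pcap first")
        if magic not in PCAP_MAGICS:
            raise ValueError("not a pcap file (magic %r)" % magic)
    except Exception:
        if opened_here:
            fileobj.close()  # do not leak the handle opened above
        raise
    return fileobj, PCAP_MAGICS[magic]


def demo():
    """Run the helper over constructed inputs: a path, a stream and pcapng."""
    # Constructed 24-byte classic pcap header: v2.4, snaplen 65535, Ethernet.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        tmp.write(header)
    try:
        fobj, from_path = open_capture(tmp.name)
        fobj.close()
    finally:
        os.unlink(tmp.name)
    from_stream = open_capture(io.BytesIO(header))[1]
    try:
        open_capture(io.BytesIO(PCAPNG_MAGIC + b"\x00" * 20))
        pcapng = "accepted"
    except ValueError as exc:
        pcapng = str(exc)
    return from_path, from_stream, pcapng
```

The returned file object is what a reader expecting `fileobj` would be given; the caller remains responsible for closing it.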

Tlslite-ng

Hi Jurriaan,

I have taken a look at the code of httpreplay, because I had some issues during the decryption of https traffic with cuckoo. My thoughts about these issues are that you are using tlslite within the code, but tlslite does not support newer cipher suites. Whereas within the code of setup.py you are using tlslite-ng as dependency and not tlslite.

Is that just a typing error that smegma.py is using tlslite as importing library?!?

Cheers,

Error decoding RC4 sessions

Hi Jurriaan,
I found a strange error decoding some sessions. I added the pcap.
The error "AttributeError: 'str' object has no attribute 'name'" that you see if running without debugging is not correct. Inside the debugger you get an assert because it is not a block cipher (see attachment).
I just connected to https://www.heise.de. The error occurs inside tlslite-ng. There seems to be the same error with version 0.7-alpha2.
screenshot from 2017-01-04 19-01-46
screenshot from 2017-01-04 19-01-18
tlsmaster.txt

dump.zip

Bug fixed in commit fca7349 still exists in latest release

Hello, would you be able to publish a new release? There's a bug where you changed the function name (init_to_str to inet_to_str), but not other places that call this function. You fixed this, but the latest release (0.2.6) doesn't have the fix.
Could you please publish a release with commit fca7349 in it? That would be greatly appreciated!

Packages not sent

Hi,

I am trying to use your tool, but I am facing some difficulties. I have a pcap file containing the whole communication between my kali linux and a webserver, where kali linux sends packages from different ports to the webserver and the webserver responds with content or some HTTP error codes.
When I am starting httpreplay with this pcap file, I get an output of all HTTP requests in the pcap file (seems to be everything okay), in addition I see some warnings that there are unknown streams. When I look at wireshark or tcp dump I don't see that any packages are sent. Am I missing some essential point or am I misinterpreting the purpose of the code? May the unknown streams be an issue?

Thanks for any help!

Error running httpreplay-based PCAP analysis

I read that invalid order pcap file with Wireshark and everything is just OK.

Don't know why this error shows up?

P/s: I think that the DumpTLSMasterSecret module fails, leading to this problem.

2017-07-30 05:50:58,595 [cuckoo.processing.network] ERROR: Error running httpreplay-based PCAP analysis
Traceback (most recent call last):
  File "/root/cuckoo/cuckoo_28_7/cuckoo/processing/network.py", line 899, in run
    results.update(p2.run())
  File "/root/cuckoo/cuckoo_28_7/cuckoo/processing/network.py", line 776, in run
    l = sorted(r.process(), key=lambda x: x[1])
  File "build/bdist.linux-x86_64/egg/httpreplay/reader.py", line 118, in process
    self.tcp and self.tcp.process(ts, ip, packet)
  File "build/bdist.linux-x86_64/egg/httpreplay/smegma.py", line 87, in process
    s.process(ts, tcp, to_server)
  File "build/bdist.linux-x86_64/egg/httpreplay/smegma.py", line 361, in process
    self.states[self.state](self, ts, tcp, to_server)
  File "build/bdist.linux-x86_64/egg/httpreplay/smegma.py", line 126, in state_init_syn
    raise InvalidTcpPacketOrder(tcp)
InvalidTcpPacketOrder: �������KԌ�P@5�D EEEFFDELFEEPFACNFBDCEEFCFADHEICA FHEJEOCNDIEPEGEMFBFEFFEEEOEDLAA
