morpheus icon indicating copy to clipboard operation
morpheus copied to clipboard

Published 20 hours ago verified publisher icon r00t-3xp10it

Morpheus - tcp/udp scripting syntax (filters)

Open r00t-3xp10it opened this issue 7 years ago • 0 comments


This tutorial describes etter filters command syntax logic

And it can be used to improve morpheus available filters
or to start write your own filter from scratch. 


WARNING: morpheus allow you to improve filters in 2 diferent ways
1º - Edit filter before runing morpheus and the 'changes' will be permanent
2º - Edit filter using 'morpheus scripting console' and the changes are active only once




filter ip address from source(src)

if (ip.src == '192.168.1.69') {
  msg("[morpheus] host:192.168.1.69   [ * ]  found");
}

filter ip address from destination(dst)

if (ip.dst == '192.168.1.69') {
  msg("[morpheus] host:192.168.1.69   [ * ]  found");
}

filter ip address from destination(dst) and(&&) from source(src)

if (ip.dst == '192.168.1.69' && ip.src == '192.168.1.69') {
  msg("[morpheus] host:192.168.1.69   [ * ]  found");
}

filter ip address from destination(dst) or(||) from source(src)

if (ip.dst == '192.168.1.69' || ip.src == '192.168.1.69') {
  msg("[morpheus] host:192.168.1.69   [ * ]  found");
}

filter protocol TCP from port 80 (src)

if (ip.proto == TCP && ip.src == 80) {
  msg("[morpheus] host:192.168.1.69   [ <- ]   port:80 http");
}

filter protocol UDP from port 53 (dst)

if (ip.proto == UDP && ip.dst == 53) {
  msg("[morpheus] host:192.168.1.69   [ -> ]   port:53 dns");
}

search for 'data' inside captured packet (search for: User-Agent)

# filter protocol and port destination/source
if (ip.proto == TCP && ip.dst == 80 || ip.src == 80) {
  msg("[morpheus] host:192.168.1.69   [ -> ]   port:80 http");
    # search for string inside captured packet
    if (search(DATA.data, "User-Agent:")) {
      msg("[morpheus] |_ status: User-Agent string found...");
    }
}

search for 'data' inside captured packet (search for: User-Agent) and store it on logfile

# filter protocol and port destination/source
if (ip.proto == TCP && ip.dst == 80 || ip.src == 80) {
  msg("[morpheus] host:192.168.1.69   [ -> ]   port:80 http");
    # search for string inside captured packet
    if (search(DATA.data, "User-Agent:")) {
      msg("[morpheus] |_ status: User-Agent string found...");
        # build logfile with captured data
        log(DATA.data, "./logfile.log");
    }
}

search for 'data' inside captured packet (search for: Host) and replace word by another one

# filter protocol and port destination/source
if (ip.proto == TCP && ip.dst == 80 || ip.src == 80) {
  msg("[morpheus] host:192.168.1.69   [ -> ]   port:80 http");
    # search for string inside captured packet
    if (search(DATA.data, "Host:")) {
      msg("[morpheus] |_ status: Host string found...");
        # replace word 'Host' by 'Pwn!' before forward packet back
        replace("Host", "Pwn!"); # note: replacement string is same length as original string
    }
}

r00t-3xp10it avatar Dec 29 '16 01:12 r00t-3xp10it