
Morpheus - tcp/udp scripting (IRC chat filter)

Open r00t-3xp10it opened this issue 7 years ago • 0 comments


This tutorial explains how to improve the 'IRC' filter

The following tutorial explains how to improve the 'chat_services.eft' filter. By default
this morpheus filter only alerts the user of active connections. In this tutorial we
are going to improve the filter's capabilities to: detect the target referer (URL accessed),
detect the server application version (e.g. PHP/5.0), detect the server name (Microsoft-IIS/7.5)
and build a logfile of the captured IRC channel data (irc_data.log).

WARNING: morpheus allows you to improve filters in 2 different ways
1º - Edit the filter before running morpheus and the changes will be permanent
2º - Edit the filter using the 'morpheus scripting console' and the changes are active only once

"In this tutorial we will edit the filter before running morpheus, making the changes permanent"




1º - prepare filter for improvements

# change to the right directory
cd morpheus/filters

# edit chat_services.eft filter
nano chat_services.eft

2º - improve the 'IRC' capture display and build a logfile with the captured data

# filter improvement
if (ip.proto == TCP && tcp.src == 194 || tcp.dst == 194) {
  msg("[morpheus] host:TaRgEt   [ ⊶  ]  port:194 irc ☆");
    if (search(DATA.data, "IRC")) {
      msg("[morpheus] | status: server referer found ☠");
      msg("[morpheus] |_ info : possible connection to IRC found ☠\n");
        # log captured data
        log(DATA.data, "./irc_data.log");
    }
}

3º - store data about port 80 traffic (referer | server version | server name)

# filter improvement
if (ip.proto == TCP && tcp.src == 80 || tcp.dst == 80) {
  msg("[morpheus] host:TaRgEt   [ ⊶  ]  port:80 http ☆");
    if (search(DATA.data, "X-Powered-By:")) {
      msg("[morpheus] | status: server version found ☠");
      msg("[morpheus] |_ logfile : morpheus/logs/irc_data.log ☠\n");
      log(DATA.data, "./irc_data.log");
    }
    if (search(DATA.data, "Referer:")) {
      msg("[morpheus] | status: server referer found ☠");
      msg("[morpheus] |_ logfile : morpheus/logs/irc_data.log ☠\n");
      log(DATA.data, "./irc_data.log");
    }
    if (search(DATA.data, "Server:")) {
      msg("[morpheus] | status: server name found ☠");
      msg("[morpheus] |_ logfile : morpheus/logs/irc_data.log ☠\n");
      log(DATA.data, "./irc_data.log");
    }
}

4º - run morpheus with the improved filter (capture data)....

5º - stop morpheus from running and open new terminal

# change to the right directory
1º - cd morpheus/logs

# remove UTF-8/non-ASCII characters from the output
2º - tr -cd '\11\12\15\40-\176' < irc_data.log > clean-file1.log

# store each result in a bash variable (store_one, store_two and store_tre)
3º - store_one=`cat clean-file1.log | grep "Referer:"`
4º - store_two=`cat clean-file1.log | grep "X-Powered-By:"`
5º - store_tre=`cat clean-file1.log | grep "Server:"`

# display captured data to user
6º - echo "Referer: $store_one Version: $store_two Server: $store_tre"

# clean recent files
9º - rm *.log

r00t-3xp10it avatar Dec 29 '16 15:12 r00t-3xp10it
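
The log clean-up steps above as one function. This is an added example, not part of the original issue or of morpheus. It anchors each header name at the start of a line, so body text that merely contains "Server:" is ignored, and it counts each distinct value. The names `summarize_headers` and `make_sample` are hypothetical, and the sample capture is constructed.

```shell
#!/bin/sh
# Added example: summarise headers captured in irc_data.log.
# summarize_headers and make_sample are hypothetical helper names.

summarize_headers() {
    logfile=$1
    [ -r "$logfile" ] || { echo "cannot read $logfile" >&2; return 1; }
    # Same byte whitelist as the tutorial's tr step (tab, LF, CR, printable
    # ASCII), then drop CR so CRLF line endings do not split identical values.
    tr -cd '\11\12\15\40-\176' < "$logfile" | tr -d '\15' |
    awk '
        BEGIN {
            n = split("referer server x-powered-by", names, " ")
            split("Referer Server X-Powered-By", labels, " ")
        }
        {
            low = tolower($0)
            for (i = 1; i <= n; i++) {
                # Header name must open the line; a plain grep also hits bodies.
                if (index(low, names[i] ":") == 1) {
                    val = substr($0, length(names[i]) + 2)
                    sub(/^[ \t]+/, "", val)
                    sub(/[ \t]+$/, "", val)
                    count[labels[i] ": " val]++
                }
            }
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k2
}

# Constructed sample capture (not real traffic): two responses, one request,
# stray high bytes, and a body line that merely contains "Server:".
make_sample() {
    {
        printf 'GET /chat HTTP/1.1\r\nHost: example.test\r\n'
        printf 'Referer: http://example.test/index.php\r\n\r\n'
        printf 'HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n'
        printf 'X-Powered-By: PHP/5.0\r\n\r\n<p>Server: body text</p>\200\377\n'
        printf 'HTTP/1.1 200 OK\r\nserver: Microsoft-IIS/7.5\r\n\r\n'
    } > "$1"
}
```

Run it from morpheus/logs as `summarize_headers irc_data.log`; each output line is a count, a tab, and the header with its value.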