#!/usr/bin/env python
#
# How to cook a covert channel - v1.0 - http://gray-world.net
# Copyright (c) 2006, Gray World Team <team [at] gray-world.net>
#
# ./get_cook.py cookie1.cap > cookie1.txt
#

import sys, time, struct, binascii
from scapy import *

def get_cookie(p):
  set="Set-Cookie: "
  cook="Cookie: "
  res=None
  ok=0
  if TCP in p and p[TCP].haslayer(Raw):
    http=p[TCP].load
    for line in http.splitlines():
      if line.find(set) == 0 or line.find(cook) == 0: ok=1
      if line.find(set) == 0 or line.find(cook) == 0\
        or line.find("Host: ") == 0 or line.find("Location: ") == 0\
        or line.find("GET ") == 0 or line.find("POST ") == 0\
        or line.find("HTTP/1") == 0:
        if res == None:
          res = line
        else:
          res = res+"\n  "+line
  if not res == None:
    res = p.sprintf("%IP.src%:%TCP.sport% -> %IP.dst%:%TCP.dport%")+"\n  "+res
  if ok == 0: return None
  return res

def has_been_cooked():
  sys.stderr.write("Looking for cookies in "+FILE+" :\n")
  c=i=0
  try:
    list=PcapReader(FILE)
  except:
    print "Cannot PcapRead "+FILE
    sys.exit(0)
  
  p=list.read_packet()
  while p != None:
    p=list.read_packet()
    if p != None:
      cook=get_cookie(p)
      if cook:
        print cook
        i=i+1
    c=c+1
    sys.stderr.write("\r"+str(c)+" packets : Found "+str(i)+" cookies... ")
  sys.stderr.write(" Done\n")

def is_beeing_cooked():
  sys.stderr.write("Smelling cookies...\n")
  sniff(filter="tcp and ( port 80 or port 8080 )",prn=lambda x: get_cookie(x))

### Main

if len(sys.argv) == 1:
  print sys.argv[0]+" [capture.cap || sniff]"
  sys.exit(0)
else:
  if sys.argv[1] == "sniff":
    is_beeing_cooked()
  else:
    FILE=sys.argv[1]
    has_been_cooked()
