Huge improvement on HTTPS parser, now it parses TLS Client Hello mess…

…ages with SNI extension in order to extract the real hostname.
nunomcruz · Feb 28, 2017 · 8566f3d · 8566f3d
1 parent 92d2b47
commit 8566f3d
Showing 1 changed file with 13 additions and 6 deletions.
diff --git a/lib/bettercap/sniffer/parsers/https.rb b/lib/bettercap/sniffer/parsers/https.rb
@@ -19,12 +19,19 @@ class Https < Base
 
   def on_packet( pkt )
     begin
-      if pkt.respond_to?(:tcp_dst) and pkt.tcp_dst == 443
-        Thread.new do
-          hostname = BetterCap::Network.ip2name( pkt.ip_daddr )
-          if @@prev.nil? or @@prev != hostname
-            StreamLogger.log_raw( pkt, 'HTTPS', "https://#{hostname}/" )
-            @@prev = hostname
+      if pkt.respond_to?(:tcp_dst)
+        # poor man's TLS Client Hello with SNI extension parser :P
+        if pkt.payload[0] == "\x16" and pkt.payload[1] == "\x03"
+          if pkt.payload =~ /\x00\x00.{4}\x00.{2}([a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,6})\x00/
+            hostname = $1
+            if pkt.tcp_dst != 443
+              hostname += ":#{pkt.tcp_dst}"
+            end
+
+            if @@prev.nil? or @@prev != hostname
+              StreamLogger.log_raw( pkt, 'HTTPS', "https://#{hostname}/" )
+              @@prev = hostname
+            end
           end
         end
       end