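#!/usr/bin/perl
#################### ----> LOL.perl <---- ###################
#
# This script requires ngrep, tshark, tcpflow and strings installed
# (the hex round-trip and the md5 are done in Perl, so xxd and md5sum are
# no longer needed).
#
# GPL Lic Applys; pls give credit when you use :)
#
# Contact amar.yousif@uth.tmc.edu for comments and suggestions
#
# This script is PoC only, further enhancements and suggestions are welcomed :)
#
# This version will name all files being xfered but it will carve out DOCX only,
# routines can be written to carve out other type files or foremost can be used
#
# Usage: ./lol.perl [file.pcap]
#
# It is recommended that you run this script in its own directory
#
# Notes on this revision:
#   * Every external tool is run in list form (no shell), so the pcap name,
#     the IP/port strings parsed from ngrep and the transfer file name taken
#     from the suspect's payload can no longer inject shell commands.
#   * IPs and ports from ngrep are validated with anchored regexes before
#     they are passed to tshark or used in a glob.
#   * The transfer file name is attacker-controlled data (it comes from the
#     OFT2 header in the capture); it is reduced to a basename with a
#     conservative character set before it is used as a path under xferfiles/.
#   * The conversation counter really increments ("$num=+1" assigned 1 every
#     time, so every conversation overwrote pcapOFT2CONV1), and duplicate
#     packets of the same conversation are processed once.
#   * The DOCX magic (PK\x03\x04) is located on the raw bytes instead of on
#     xxd hex lines, so a magic split across two hex lines is not missed.
##################################################################
use strict;
use warnings;
use File::Basename qw(basename);
use File::Path qw(make_path);
use Digest::MD5;

if (@ARGV != 1) { print "Usage: lol.perl [PcapFile]\n"; exit; }

# loltemp: all temp files and artifacts; xferfiles: the files carved out of the payload.
my $tempdir = './loltemp';
my $outdir  = './xferfiles';
make_path($tempdir, $outdir);

my $originalpcap = $ARGV[0];   # the only input the script takes
die "Can't read pcap file '$originalpcap'\n" unless -f $originalpcap && -r _;

my $suspectpcap = "$tempdir/suspect.pcap";
unlink $suspectpcap, glob("$tempdir/temp*"), glob("$tempdir/*OFT2*");   # rm old files

# Convert the file to a format older tools can understand.
run_tool('tshark', '-r', $originalpcap, '-w', $suspectpcap)
    or die "tshark could not rewrite $originalpcap to $suspectpcap\n";

# Identify TCP conversations with 'OFT2' and 'Cool FileXfer' in the payload
# <-- this is the sig for AOL's Oscar File Xfer.  ngrep prints one
# "T src:port -> dst:port [flags]" line per matching packet; those lines are
# parsed here (no temp1/temp2 files needed).
my @conversations = find_oft2_conversations($suspectpcap);
die "\nLooks like there is no OFT2 activity in this pcap file, ngrep found no matching packets.\n\n"
    unless @conversations;

# Use the conversations identified above to get conversation pcap files, carve
# the files, and print out the file names of the xfer files and some other info.
my $num = 0;
CONVERSATION:
for my $conv (@conversations) {
    my ($senderip, $senderport, $recip, $recport) = @{$conv};
    $num++;
    my $convpcap = "$tempdir/pcapOFT2CONV$num";

    # NOTE(review): "-R" is the read filter of older tshark releases; newer
    # releases want "-2 -R ..." or "-Y ..." — adjust to the installed version.
    my $filter = "(ip.addr eq $recip and ip.addr eq $senderip) and "
               . "(tcp.port eq $recport and tcp.port eq $senderport)";
    unless (run_tool('tshark', '-R', $filter, '-r', $suspectpcap, '-w', $convpcap)) {
        warn "tshark failed for conversation $num, skipping\n";
        next CONVERSATION;
    }

    # Running the conversation thru strings always yields the xfer file name
    # right after the sig "Cool FileXfer" (the last occurrence wins, as before).
    my $rawname  = transfer_name_from_strings($convpcap);
    my $filename = safe_file_name($rawname, $num);

    ####### Carving the file.... in this case we'll do DOCX file carving, but
    # other subs can be written to carve other type files based on the magic
    # number and the extension of the file etc.... or you can script foremost
    # to do this, but here we're just doing PoC.
    unlink glob("$tempdir/flow*");   # rm old files
    run_tool('tcpflow', '-r', $convpcap, 'src port 5190')
        or warn "tcpflow returned an error for conversation $num\n";

    # tcpflow writes the reassembled stream into the current directory with the
    # sender port in its name; $senderport is validated digits, so the glob is safe.
    my @flows = sort glob("*$senderport*");
    unless (@flows) {
        warn "no tcpflow output for conversation $num, skipping\n";
        next CONVERSATION;
    }
    warn "several flow files match *$senderport*, using $flows[0]\n" if @flows > 1;
    my $flowfile = $flows[0];

    my $carved = carve_docx($flowfile);
    unlink @flows;
    unless (defined $carved) {
        print "\nOFT2 Conversation number $num\nSender:$senderip\tReceiver:$recip\tFile:$filename\n"
            . "no DOCX magic (PK\\x03\\x04) found in the flow, nothing carved\n";
        next CONVERSATION;
    }

    # Link the file name to the carved data and hash it.
    my $outpath = "$outdir/$filename";
    open my $out, '>:raw', $outpath or die "Can't open $outpath for writing: $!\n";
    print {$out} $carved;
    close $out or die "Can't close $outpath: $!\n";
    my $hash = md5_of_file($outpath) . "  $outpath";

    # <-- output will show sender, receiver, and xfered file for ALL OFT2 conversations one by one
    print "\nOFT2 Conversation number $num\nSender:$senderip\tReceiver:$recip\tFile:$filename\nmd5sum:$hash\n";
}

print "\nCarved files are stored under the xferfiles directory\n";
exit;

# run_tool(@cmd): run an external program without a shell; true on exit status 0.
sub run_tool {
    my @cmd = @_;
    my $status = system(@cmd);
    return $status == 0;
}

# find_oft2_conversations($pcap): parse ngrep's "T src:port -> dst:port" lines
# into [senderip, senderport, recip, recport] tuples, validated and deduplicated.
sub find_oft2_conversations {
    my ($pcap) = @_;
    my $ip_re   = qr/\d{1,3}(?:\.\d{1,3}){3}/;
    my $port_re = qr/\d{1,5}/;
    my (@found, %seen);
    open my $ng, '-|', 'ngrep', '-I', $pcap, 'OFT2.*Cool FileXfer', 'src port 5190'
        or die "Can't run ngrep: $!\n";
    while (my $line = <$ng>) {
        next unless $line =~ m{ \A T \s+ ($ip_re):($port_re) \s+ -> \s+ ($ip_re):($port_re) }x;
        my @tuple = ($1, $2, $3, $4);
        my $key = join ',', @tuple;
        next if $seen{$key}++;
        push @found, \@tuple;
    }
    close $ng;   # ngrep exits non-zero on "no match"; @found is the real signal
    return @found;
}

# transfer_name_from_strings($pcap): the line following the last "Cool FileXfer"
# in `strings` output, or undef if the sig never appears.
sub transfer_name_from_strings {
    my ($pcap) = @_;
    my $name;
    my $after_sig = 0;
    open my $str, '-|', 'strings', $pcap or die "Can't run strings on $pcap: $!\n";
    while (my $line = <$str>) {
        if ($line =~ /Cool FileXfer/) {
            $after_sig = 1;
            next;
        }
        next unless $after_sig;
        $name = $line;
        $after_sig = 0;
    }
    close $str;
    return $name;
}

# safe_file_name($raw, $num): reduce a payload-supplied name to a plain basename
# made of [A-Za-z0-9_.-], never starting with "."; falls back to a numbered name.
sub safe_file_name {
    my ($raw, $num) = @_;
    $raw = '' unless defined $raw;
    $raw =~ s/\r?\n\z//;
    my $name = basename($raw);     # drops any directory part ("../../x" -> "x")
    $name =~ s/[^\w.-]/_/g;
    $name =~ s/\A\.+//;            # no hidden files, no "." or ".."
    $name = "OFT2CONV$num.docx" if $name eq '';
    return $name;
}

# carve_docx($path): bytes from the first DOCX/ZIP local-file-header magic
# (PK\x03\x04) to the end of the file, or undef if the magic is absent.
sub carve_docx {
    my ($path) = @_;
    open my $in, '<:raw', $path or die "Can't open $path for reading: $!\n";
    my $data = do { local $/; <$in> };
    close $in;
    my $pos = index($data, "PK\x03\x04");
    return if $pos < 0;
    return substr($data, $pos);
}

# md5_of_file($path): hex MD5 of the file's bytes (same digest md5sum prints).
sub md5_of_file {
    my ($path) = @_;
    open my $fh, '<:raw', $path or die "Can't open $path for hashing: $!\n";
    my $digest = Digest::MD5->new->addfile($fh)->hexdigest;
    close $fh;
    return $digest;
}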