authorLuca Deri <deri@ntop.org>2022-07-04 22:52:54 +0200
committerLuca Deri <deri@ntop.org>2022-07-04 22:52:54 +0200
commit7fa8d882d83577334c7c91843eb40c2ebae8bf74 (patch)
treebb599e4828303ea4c531dec6e224f90247ca8427
parent461589517e50c201bf063c7d4dbb3639e43f4268 (diff)
Exported username in flow information
-rw-r--r--src/lib/protocols/ftp_control.c7
-rw-r--r--src/lib/protocols/mail_imap.c6
-rw-r--r--src/lib/protocols/mail_pop.c7
-rw-r--r--src/lib/protocols/mail_smtp.c13
-rw-r--r--src/lib/protocols/rsh.c9
-rw-r--r--src/lib/protocols/telnet.c8
-rw-r--r--tests/result/ftp.pcap.out2
-rw-r--r--tests/result/ftp_failed.pcap.out2
-rw-r--r--tests/result/imap.pcap.out2
-rw-r--r--tests/result/irc.pcap.out2
-rw-r--r--tests/result/pop3.pcap.out2
11 files changed, 42 insertions, 18 deletions
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
index ff624c419..a0bec3864 100644
--- a/src/lib/protocols/ftp_control.c
+++ b/src/lib/protocols/ftp_control.c
@@ -50,10 +50,15 @@ static int ndpi_ftp_control_check_request(struct ndpi_detection_module_struct *n
#endif
if(ndpi_match_strprefix(payload, payload_len, "USER")) {
+ char buf[64];
+
ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.username,
sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username), 5,
payload, payload_len);
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found FTP username");
+
+ snprintf(buf, sizeof(buf), "Found FTP username (%s)",
+ flow->l4.tcp.ftp_imap_pop_smtp.username);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf);
return 1;
}
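Review bot: The risk message built by the added snprintf now carries network-supplied bytes (the argument of the USER command) into a string that is exported with the flow, where before it was a fixed literal; nothing in this hunk filters non-printable or control bytes, so that depends entirely on ndpi_user_pwd_payload_copy, which is not visible here. If that helper does not already restrict the copy to printable characters, consumers of the Risk Info text (and of any JSON built from it) receive raw wire bytes, and the same applies to the IMAP, POP, SMTP and Telnet hunks of this commit. With `buf[64]` the fixed text leaves 42 bytes for the name before snprintf truncates and the closing parenthesis is lost; sizing the buffer from the field avoids that: `char buf[sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username) + 32];`. ndpi_ftp_control_check_request continues outside the hunk.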
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 2195e9f6e..a6809b454 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -176,13 +176,15 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
user = strtok_r(str, " \"\r\n", &saveptr);
if(user) {
- char *pwd;
+ char *pwd, buf[64];
ndpi_snprintf(flow->l4.tcp.ftp_imap_pop_smtp.username,
sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username),
"%s", user);
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found IMAP Username");
+ snprintf(buf, sizeof(buf), "Found IMAP username (%s)",
+ flow->l4.tcp.ftp_imap_pop_smtp.username);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf);
pwd = strtok_r(NULL, " \"\r\n", &saveptr);
if(pwd) {
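Review bot: `char *pwd, buf[64];` on the changed declaration line mixes a pointer and an array in one declarator list, which is easy to misread as two pointers; keep them on separate lines, `char *pwd;` and `char buf[64];`. The user token comes from strtok_r with a delimiter set of space, double quote and CR/LF, so those characters cannot appear in the exported message, but any other non-printable byte from the wire would pass straight through the added snprintf unless it is filtered elsewhere. ndpi_search_mail_imap_tcp continues on both sides of the hunk.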
diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c
index 7d6a03284..ad5b30a1c 100644
--- a/src/lib/protocols/mail_pop.c
+++ b/src/lib/protocols/mail_pop.c
@@ -77,11 +77,16 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod
&& (packet->payload[1] == 'S' || packet->payload[1] == 's')
&& (packet->payload[2] == 'E' || packet->payload[2] == 'e')
&& (packet->payload[3] == 'R' || packet->payload[3] == 'r')) {
+ char buf[64];
+
ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.username,
sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username), 5,
packet->payload, packet->payload_packet_len);
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found username");
+ snprintf(buf, sizeof(buf), "Found username (%s)",
+ flow->l4.tcp.ftp_imap_pop_smtp.username);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf);
+
flow->l4.tcp.pop_command_bitmask |= POP_BIT_USER;
return 1;
} else if((packet->payload[0] == 'P' || packet->payload[0] == 'p')
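Review bot: The added snprintf keeps the generic "Found username (%s)" while the FTP, IMAP, SMTP and Telnet hunks of this commit name the protocol in the message; for consistency use `snprintf(buf, sizeof(buf), "Found POP username (%s)",`. The tests/result/irc.pcap.out change in this same commit appears to come from this USER branch matching an IRC USER line, and the exported value there contains the parameters after the first word, which suggests ndpi_user_pwd_payload_copy stops only at CR/LF and not at the first space — so the message exports the remainder of the command line rather than just a name, something the text should make clear or the copy should bound. ndpi_int_mail_pop_check_for_client_commands continues outside the hunk.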
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index e3e5cecc9..ee2e489df 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -93,12 +93,16 @@ static void get_credentials_auth_plain(struct ndpi_detection_module_struct *ndpi
user_len = i - 1;
}
if(user_len > 0) {
+ char buf[64];
+
user_len = ndpi_min(user_len, sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username) - 1);
memcpy(flow->l4.tcp.ftp_imap_pop_smtp.username, out + 1, user_len);
flow->l4.tcp.ftp_imap_pop_smtp.username[user_len] = '\0';
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found username");
+ snprintf(buf, sizeof(buf), "Found username (%s)",
+ flow->l4.tcp.ftp_imap_pop_smtp.username);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf);
if(1 + user_len + 1 < out_len) {
unsigned int pwd_len;
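Review bot: The message at the added snprintf here stays the generic "Found username (%s)" while the later hunk in this same file (ndpi_search_mail_smtp_tcp) switches to "Found SMTP username (%s)", so the two SMTP credential paths now report differently; use `snprintf(buf, sizeof(buf), "Found SMTP username (%s)",` here as well. The copied value comes from `out + 1`, presumably the decoded AUTH PLAIN payload, which can carry arbitrary bytes; the length is bounded and NUL-terminated on the lines just above, but no printable-character check is visible, so those bytes now reach the exported Risk Info. get_credentials_auth_plain continues outside the hunk.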
@@ -235,7 +239,8 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t buf[48];
u_char *out;
size_t out_len;
-
+ char msg[64];
+
ndpi_user_pwd_payload_copy(buf, sizeof(buf), 0,
packet->line[a].ptr, packet->line[a].len);
@@ -254,7 +259,9 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_free(out);
}
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found username");
+ snprintf(msg, sizeof(msg), "Found SMTP username (%s)",
+ flow->l4.tcp.ftp_imap_pop_smtp.username);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg);
} else if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') {
/* Password */
u_int8_t buf[48];
diff --git a/src/lib/protocols/rsh.c b/src/lib/protocols/rsh.c
index 3344c8660..a3414562c 100644
--- a/src/lib/protocols/rsh.c
+++ b/src/lib/protocols/rsh.c
@@ -88,12 +88,12 @@ void ndpi_search_rsh(struct ndpi_detection_module_struct * ndpi_struct,
}
{
+ char str[64];
char const * dissected_info[] = { (char const *)packet->payload,
NULL, NULL };
size_t i;
- for (i = 1; i < NDPI_ARRAY_LENGTH(dissected_info); ++i)
- {
+ for (i = 1; i < NDPI_ARRAY_LENGTH(dissected_info); ++i) {
dissected_info[i] = memchr(dissected_info[i - 1], '\0',
packet->payload_packet_len -
(dissected_info[i - 1] - dissected_info[0]));
@@ -132,13 +132,12 @@ void ndpi_search_rsh(struct ndpi_detection_module_struct * ndpi_struct,
(unsigned long)packet->payload_packet_len -
(unsigned long)(dissected_info[2] - dissected_info[0])));
- char str[64];
+
if (snprintf(str, NDPI_ARRAY_LENGTH(str), "User '%s' executing '%s'",
flow->protos.rsh.server_username,
flow->protos.rsh.command) < 0)
- {
str[0] = '\0';
- }
+
ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, str);
}
return;
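Review bot: The braces around the single-statement body of the multi-line `if (snprintf(...) < 0)` were dropped in this hunk, leaving `str[0] = '\0';` as an unbraced body that a later edit can easily break; restoring `{ str[0] = '\0'; }` keeps it robust and matches the braced loop body kept in the first hunk of this file. The `< 0` test only catches an encoding error, not truncation, though snprintf still NUL-terminates in that case so the exported text is merely cut rather than malformed. ndpi_search_rsh continues outside both hunks.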
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c
index 43badd08c..d3ec02958 100644
--- a/src/lib/protocols/telnet.c
+++ b/src/lib/protocols/telnet.c
@@ -90,10 +90,16 @@ static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct,
}
if(packet->payload[0] == '\r') {
+ char buf[64];
+
flow->protos.telnet.username_detected = 1;
- ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found username");
flow->protos.telnet.username[flow->protos.telnet.character_id] = '\0';
flow->protos.telnet.character_id = 0;
+
+ snprintf(buf, sizeof(buf), "Found Telnet username (%s)",
+ flow->protos.telnet.username);
+ ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf);
+
return(1);
}
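Review bot: The snprintf added at the end of the block formats flow->protos.telnet.username, which is assembled outside the hunk and is NUL-terminated only on the line just above; the visible code does no filtering, so any control bytes received before the `\r` (backspace, escape sequences) would be copied into the exported risk message unless the accumulation code elsewhere rejects them. Placing the NUL-termination ahead of ndpi_set_risk is the right order; sanitising the formatted copy, not the username field itself, closes the remaining gap without altering the exported User field: `for(p = buf; *p != '\0'; p++) if(!isprint((unsigned char)*p)) *p = '.';` with a local `char *p`, assuming ctype.h is already included in this file, which the hunk does not show. search_telnet_again continues outside the hunk.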
diff --git a/tests/result/ftp.pcap.out b/tests/result/ftp.pcap.out
index d8323f368..208fe517c 100644
--- a/tests/result/ftp.pcap.out
+++ b/tests/result/ftp.pcap.out
@@ -8,7 +8,7 @@ Unknown 1115 1122198 1
FTP_CONTROL 68 5571 1
FTP_DATA 9 1819 1
- 1 TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][ClearText][Confidence: DPI][cat: Download/7][41 pkts/2892 bytes <-> 27 pkts/2679 bytes][Goodput ratio: 6/33][8.48 sec][User: anonymous][Pwd: NcFTP@][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/108 4743/1377 849/305][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 71/99 96/307 7/45][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: No client to server traffic / Found FTP username][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 74,18,5,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 TCP 192.168.1.212:50694 <-> 90.130.70.73:21 [proto: 1/FTP_CONTROL][ClearText][Confidence: DPI][cat: Download/7][41 pkts/2892 bytes <-> 27 pkts/2679 bytes][Goodput ratio: 6/33][8.48 sec][User: anonymous][Pwd: NcFTP@][bytes ratio: 0.038 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 236/108 4743/1377 849/305][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 71/99 96/307 7/45][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: No client to server traffic / Found FTP username (anonymous)][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 74,18,5,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 TCP 192.168.1.212:50695 <-> 90.130.70.73:25685 [proto: 175/FTP_DATA][ClearText][Confidence: DPI][cat: Download/7][5 pkts/342 bytes <-> 4 pkts/1477 bytes][Goodput ratio: 0/82][0.09 sec][bytes ratio: -0.624 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/28 14/28 29/29 14/0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 68/369 78/1271 5/521][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No client to server traffic][PLAIN TEXT ( 1 0 0 1073741)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/ftp_failed.pcap.out b/tests/result/ftp_failed.pcap.out
index 6b37c4798..bc5dd727c 100644
--- a/tests/result/ftp_failed.pcap.out
+++ b/tests/result/ftp_failed.pcap.out
@@ -5,4 +5,4 @@ Confidence DPI : 1 (flows)
FTP_CONTROL 18 1700 1
- 1 TCP [2a00:d40:1:3:192:12:193:11]:44724 <-> [2a00:800:1010::1]:21 [proto: 1/FTP_CONTROL][ClearText][Confidence: DPI][cat: Download/7][10 pkts/892 bytes <-> 8 pkts/808 bytes][Goodput ratio: 3/14][7.24 sec][User: hello][Pwd: ][Auth Failed][bytes ratio: 0.049 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 896/1442 5304/5318 1757/2052][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 89/101 98/126 4/15][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: No client to server traffic / Found FTP username][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 71,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 TCP [2a00:d40:1:3:192:12:193:11]:44724 <-> [2a00:800:1010::1]:21 [proto: 1/FTP_CONTROL][ClearText][Confidence: DPI][cat: Download/7][10 pkts/892 bytes <-> 8 pkts/808 bytes][Goodput ratio: 3/14][7.24 sec][User: hello][Pwd: ][Auth Failed][bytes ratio: 0.049 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 896/1442 5304/5318 1757/2052][Pkt Len c2s/s2c min/avg/max/stddev: 86/86 89/101 98/126 4/15][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: No client to server traffic / Found FTP username (hello)][PLAIN TEXT (vsFTPd 3.0.3)][Plen Bins: 71,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/imap.pcap.out b/tests/result/imap.pcap.out
index 68d54a1f4..55f7fe460 100644
--- a/tests/result/imap.pcap.out
+++ b/tests/result/imap.pcap.out
@@ -5,4 +5,4 @@ Confidence DPI : 1 (flows)
IMAP 33 3774 1
- 1 TCP 10.40.4.2:46045 <-> 10.40.3.2:143 [proto: 4/IMAP][ClearText][Confidence: DPI][cat: Email/3][20 pkts/1507 bytes <-> 13 pkts/2267 bytes][Goodput ratio: 12/62][4.57 sec][User: samir][Pwd: pfres][bytes ratio: -0.201 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/17 39/39 15/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 75/174 139/762 17/181][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: No client to server traffic / Found IMAP Username][PLAIN TEXT ( OK IMAP4)][Plen Bins: 51,22,11,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 1 TCP 10.40.4.2:46045 <-> 10.40.3.2:143 [proto: 4/IMAP][ClearText][Confidence: DPI][cat: Email/3][20 pkts/1507 bytes <-> 13 pkts/2267 bytes][Goodput ratio: 12/62][4.57 sec][User: samir][Pwd: pfres][bytes ratio: -0.201 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/17 39/39 15/16][Pkt Len c2s/s2c min/avg/max/stddev: 66/74 75/174 139/762 17/181][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: No client to server traffic / Found IMAP username (samir)][PLAIN TEXT ( OK IMAP4)][Plen Bins: 51,22,11,5,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/irc.pcap.out b/tests/result/irc.pcap.out
index 17d60a8d5..07238fde4 100644
--- a/tests/result/irc.pcap.out
+++ b/tests/result/irc.pcap.out
@@ -5,4 +5,4 @@ Confidence DPI : 1 (flows)
IRC 29 8945 1
- 1 TCP 10.180.156.249:45921 <-> 38.229.70.20:8000 [proto: 65/IRC][ClearText][Confidence: DPI][cat: Chat/9][14 pkts/1046 bytes <-> 15 pkts/7899 bytes][Goodput ratio: 11/87][14.57 sec][bytes ratio: -0.766 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1314/1206 8864/8864 2852/2736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/527 107/1514 14/611][Risk: ** Known Proto on Non Std Port **** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 160][Risk Info: No client to server traffic / Found username][PLAIN TEXT (USER xx)][Plen Bins: 13,41,6,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0]
+ 1 TCP 10.180.156.249:45921 <-> 38.229.70.20:8000 [proto: 65/IRC][ClearText][Confidence: DPI][cat: Chat/9][14 pkts/1046 bytes <-> 15 pkts/7899 bytes][Goodput ratio: 11/87][14.57 sec][bytes ratio: -0.766 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1314/1206 8864/8864 2852/2736][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 75/527 107/1514 14/611][Risk: ** Known Proto on Non Std Port **** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 160][Risk Info: No client to server traffic / Found username (xxxxx +iw xxxxx :Xxxxxx Xxxx)][PLAIN TEXT (USER xx)][Plen Bins: 13,41,6,0,0,0,0,0,6,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0]
diff --git a/tests/result/pop3.pcap.out b/tests/result/pop3.pcap.out
index 30ec3cb35..dd0921dc4 100644
--- a/tests/result/pop3.pcap.out
+++ b/tests/result/pop3.pcap.out
@@ -5,4 +5,4 @@ Confidence DPI : 1 (flows)
POP3 31 3915 1
- 1 TCP 143.225.229.181:35287 <-> 74.208.5.28:110 [proto: 2/POP3][ClearText][Confidence: DPI][cat: Email/3][18 pkts/1269 bytes <-> 13 pkts/2646 bytes][Goodput ratio: 6/67][27.32 sec][User: cicciopernacchio@mail.com][Pwd: pippozzo][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1792/2973 5526/5668 2204/2427][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 70/204 98/1514 8/379][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: No client to server traffic / Found username][PLAIN TEXT (OK POP server ready H migmxus)][Plen Bins: 60,20,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]
+ 1 TCP 143.225.229.181:35287 <-> 74.208.5.28:110 [proto: 2/POP3][ClearText][Confidence: DPI][cat: Email/3][18 pkts/1269 bytes <-> 13 pkts/2646 bytes][Goodput ratio: 6/67][27.32 sec][User: cicciopernacchio@mail.com][Pwd: pippozzo][bytes ratio: -0.352 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1792/2973 5526/5668 2204/2427][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 70/204 98/1514 8/379][Risk: ** Unsafe Protocol **** Clear-Text Credentials **][Risk Score: 110][Risk Info: No client to server traffic / Found username (cicciopernacchio@mail.com)][PLAIN TEXT (OK POP server ready H migmxus)][Plen Bins: 60,20,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]