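//
// ettercap log parser by overkill
// e-mail: overkill@overkill.cc
// IRC: #twlc@unet
//
// Reads an ettercap text log and prints, per protocol section, the account
// data ettercap recorded for telnet/ftp, pop3/imap2, irc and www sessions.
// The log is untrusted input: every copy into the fixed-size fields of
// struct info is bounded, and log text is never used as a format string.
//

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// The log being parsed.  The protocol handlers read the payload lines that
// follow a session header straight from this stream.
FILE *f;

// Service names as ettercap prints them after the destination port.
const char services[6][10] = {"telnet", "ftp", "pop3", "imap2", "ircd", "www"};

// One session record.  from/to hold dotted-quad addresses (15 chars + NUL),
// service the name taken from the header line, user/pass/extra whatever the
// protocol handler extracted.  validate != 0 means the record gets printed.
struct info {
    char from[16], to[16], service[20], user[255], pass[255], extra[255];
    unsigned int port1, port2, validate;
} info;

int printstuff(struct info *);
int telnetftp(struct info *);
int irc(struct info *);
int www(struct info *);

// Print the command-line synopsis to stderr.  Always returns 0.
int usage(char *s)
{
    fprintf(stderr, "you fucked up.");
    fprintf(stderr, "\nusage: %s logfile\n", s);
    return 0;
}

// Remove the first k bytes of s in place; s becomes empty when it is not
// longer than k (the old fixed-length memmove read past the string end).
static void strip_prefix(char *s, size_t k)
{
    size_t n = strlen(s);
    if (n <= k) {
        s[0] = '\0';
    } else {
        memmove(s, s + k, n - k + 1);   // +1 carries the terminator along
    }
}

// Cut the last k bytes off s (the line ending ettercap wrote).  Does nothing
// when s is shorter than k, so the write can never land before the buffer
// (the old code indexed strlen()-1 / strlen()-2 unconditionally).
static void drop_tail(char *s, size_t k)
{
    size_t n = strlen(s);
    if (n >= k) {
        s[n - k] = '\0';
    }
}

// Read the payload that follows an irc/www session header: one separator
// byte, two lines whose first 6 bytes (presumably a label; unchanged from
// the original parser) are dropped, another separator byte and a third
// line.  The three buffers are `cap` bytes each and are zero-filled first.
// Returns 1 on success, 0 when the log ended before all three lines were
// read; the caller then leaves validate at 0 so nothing half-read is printed.
static int read_payload(char *a, char *b, char *c, size_t cap)
{
    memset(a, 0, cap);
    memset(b, 0, cap);
    memset(c, 0, cap);
    if (getc(f) == EOF || !fgets(a, (int)cap, f)) {
        return 0;
    }
    strip_prefix(a, 6);
    if (!fgets(b, (int)cap, f)) {
        return 0;
    }
    strip_prefix(b, 6);
    if (getc(f) == EOF || !fgets(c, (int)cap, f)) {
        return 0;
    }
    return 1;
}

// Parse a session header line ("hh:mm:ss from: [port1] ... > to:port2 service")
// into record.  Lines without a leading hh:mm:ss timestamp are payload, not
// headers, and return 0 with record untouched.  with_port1 selects the header
// layout that carries a source port (irc/www sections).  Every %s / %[ width
// is one less than its field so an overlong log line cannot overrun struct
// info; a field that does not fit simply stays zero.
static int parse_header(const char *line, struct info *record, int with_port1)
{
    int hh = 0, mm = 0, ss = 0;
    char skipped[50];   // text between the source and the '>' (not used)

    // Require all three fields to convert: the old hh||mm||ss test also
    // rejected genuine 00:00:00 headers.
    if (sscanf(line, "%d:%d:%d", &hh, &mm, &ss) != 3) {
        return 0;
    }
    memset(record, 0, sizeof *record);
    if (with_port1) {
        sscanf(line, "%d:%d:%d %15[^:]: %u %49[^>] > %15[^:]:%u %19s",
               &hh, &mm, &ss, record->from, &record->port1, skipped,
               record->to, &record->port2, record->service);
    } else {
        sscanf(line, "%d:%d:%d %15[^:]: %49[^>] > %15[^:]:%u %19s",
               &hh, &mm, &ss, record->from, skipped,
               record->to, &record->port2, record->service);
    }
    return 1;
}

// One protocol pass over the log.
struct section {
    const char *title;                   // banner text, printed verbatim
    int with_port1;                      // header layout carries a source port
    int (*wanted)(const struct info *);  // does this header belong to the pass?
    int (*handler)(struct info *);       // reads the payload, sets validate
};

static int is_telnet_ftp(const struct info *r)
{
    return !strcmp(r->service, services[0]) || !strcmp(r->service, services[1]);
}

static int is_mail(const struct info *r)
{
    return !strcmp(r->service, services[2]) || !strcmp(r->service, services[3]);
}

// Matched by service name or by either endpoint sitting on 6667/6668.
static int is_irc(const struct info *r)
{
    return !strcmp(r->service, services[4])
        || r->port2 == 6667 || r->port2 == 6668
        || r->port1 == 6667 || r->port1 == 6668;
}

static int is_www(const struct info *r)
{
    return !strcmp(r->service, services[5]);
}

// Rewind the log and run one protocol pass over it: print the section banner,
// then for every session header the section claims, hand the record to its
// handler and print it if the handler validated it.  Non-header lines (payload
// the handler did not consume) are skipped.
static void scan_section(const struct section *sec, struct info *record)
{
    char line[255];

    printf("--------------------------------------------------------------------------------\n");
    printf("%s", sec->title);
    printf("\n--------------------------------------------------------------------------------\n");
    rewind(f);   // the old code called fseek(f, SEEK_SET, 0) with the arguments swapped
    // fgets() as the loop condition also keeps a final line that lacks '\n',
    // which the old feof()-driven loop dropped.
    while (fgets(line, sizeof line, f)) {
        if (!parse_header(line, record, sec->with_port1)) {
            continue;
        }
        if (sec->wanted(record)) {
            sec->handler(record);
        }
        if (record->validate) {
            printstuff(record);
        }
    }
}

// Entry point: open the log named on the command line and run the four
// protocol passes over it.  Exits 1 on a usage or open error.
int main(int argc, char **argv)
{
    static const struct section sections[] = {
        { " TELNET/FTP section:",      0, is_telnet_ftp, telnetftp },
        { " POP3 and IMAP2 accounts:", 0, is_mail,       telnetftp },
        { " IRC:",                     1, is_irc,        irc },
        { " WWW accounts:",            1, is_www,        www },
    };
    struct info record;   // was heap-allocated and never freed

    printf("-=* ettercap log parser by overkill *=-\n");
    if (argc < 2) {
        usage(argc > 0 ? argv[0] : "");
        return 1;
    }
    f = fopen(argv[1], "r");   // "rt" is not a standard mode string
    if (!f) {
        fprintf(stderr, "\nFile open error.\n");
        return 1;
    }
    printf("\n");
    for (size_t i = 0; i < sizeof sections / sizeof sections[0]; i++) {
        scan_section(&sections[i], &record);
    }
    fclose(f);   // read-only stream: nothing to flush, so the result is not needed
    return 0;
}

// Print one validated record: destination port and address, then the user,
// password and extra text the handler filled in.  Returns 0.
int printstuff(struct info *record)
{
    printf("%u %-15s - %s %s %s\n", record->port2, record->to,
           record->user, record->pass, record->extra);
    return 0;
}

// telnet/ftp/pop3/imap2 handler: after one separator byte, two payload lines
// of the form "<label> <value>" give the user and the password.  Anonymous
// ftp logins on port 21, and an "ftp" service on some other port, are left
// unvalidated (not printed).  Returns 0.
int telnetftp(struct info *record)
{
    char tmp[255], label[20];

    if (getc(f) == EOF || !fgets(tmp, sizeof tmp, f)) {
        return 0;
    }
    sscanf(tmp, "%19s %254s", label, record->user);
    if (!fgets(tmp, sizeof tmp, f)) {
        return 0;
    }
    sscanf(tmp, "%19s %254s", label, record->pass);
    record->validate = 1;
    if (record->port2 == 21
        && (!strcmp(record->user, "anonymous") || !strcmp(record->user, "ftp"))) {
        record->validate = 0;   // anonymous ftp carries no real credential
    }
    if (!strcmp(record->service, services[1]) && record->port2 != 21) {
        record->validate = 0;   // "ftp" off port 21: presumably a mis-tag, kept from original
    }
    return 0;
}

// irc handler: reads the three payload lines and recognises the login
// exchanges listed in `types` by the text of the third line.  When the header
// was logged in the server-to-client direction (port1 is the irc port) the
// endpoints are swapped so `to` names the server.  Returns 0.
int irc(struct info *record)
{
    static const char *const types[] = {
        "x@channels.undernet.org",   // undernet
        "nickserv@services.dal.net", // dalnet nickserv
        "/identify password",        // dalnet, /identify form
        "nickserv identify",         // generic nickserv
        "chanserv identify",         // generic chanserv
        "#channel password",         // channel key
        "#channel +k password",      // channel key via mode
        "OPER"                       // operator login
    };
    // Other irc login strings exist that this table does not cover.
    char a[255], b[255], c[255];

    if (!read_payload(a, b, c, sizeof a)) {
        return 0;
    }
    if (record->port1 == 6667 || record->port1 == 6668) {
        record->port2 = record->port1;
        memcpy(record->to, record->from, sizeof record->to);
    }
    if (strstr(c, types[0])) {
        sscanf(b, "%254s %254s", record->user, record->pass);
        snprintf(record->extra, sizeof record->extra, " ");
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[1])) {
        sscanf(a, "%254s", record->user);
        snprintf(record->pass, sizeof record->pass, "%s", b);
        drop_tail(record->pass, 2);   // the original stripped two trailing bytes here
        snprintf(record->extra, sizeof record->extra, " ");
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[2])) {
        sscanf(a, "%254s", record->user);
        sscanf(b, "%254s", record->pass);
        snprintf(record->extra, sizeof record->extra, " ");
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[3]) || strstr(c, types[4])) {
        sscanf(a, "%254s", record->user);
        sscanf(b, "%254s", record->pass);
        // The log line is data, not a format string (was sprintf(extra, c)).
        snprintf(record->extra, sizeof record->extra, "%s", c);
        drop_tail(record->extra, 1);
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[5]) || strstr(c, types[6])) {
        sscanf(a, "%254s", record->user);
        snprintf(record->pass, sizeof record->pass, "%s", b);
        if (record->pass[0] == '\n' || record->pass[0] == '*' || record->pass[0] == '#') {
            return 0;   // no key given, or a channel name where the key should be
        }
        drop_tail(record->pass, 1);
        snprintf(record->extra, sizeof record->extra, " ");
        record->validate = 1;
        return 0;
    }
    if (strstr(c, types[7])) {
        sscanf(a, "%254s", record->user);
        sscanf(b, "%254s", record->pass);
        snprintf(record->extra, sizeof record->extra, " from %s", record->from);
        record->validate = 1;
        return 0;
    }
    return 0;
}

// www handler: the first two payload lines are the user and password, the
// third is carried in `extra` on its own line.  A header logged with port1
// 80 is swapped so `to` names the server.  Returns 0.
int www(struct info *record)
{
    char a[255], b[255], c[255];

    if (!read_payload(a, b, c, sizeof a)) {
        return 0;
    }
    if (record->port1 == 80) {
        record->port2 = record->port1;
        memcpy(record->to, record->from, sizeof record->to);
    }
    snprintf(record->user, sizeof record->user, "%s", a);
    snprintf(record->pass, sizeof record->pass, "%s", b);
    drop_tail(record->user, 1);
    drop_tail(record->pass, 1);
    // "\n " plus a 254-byte line did not fit extra[255] with sprintf.
    snprintf(record->extra, sizeof record->extra, "\n %s", c);
    drop_tail(record->extra, 1);
    record->validate = 1;
    return 0;
}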