
Method __init__

dshell/plugins/protocol/bitcoin.py:20–120
(self)


class DshellPlugin(dshell.core.ConnectionPlugin):

    def __init__(self):
        super().__init__( name='bitcoin',
            description='Extract Bitcoin traffic, including Stratum mining protocol (pooled) traffic',
            longdescription='''
The bitcoin plugin will extract any Bitcoin traffic attempting to find and output:
    Client/server IP addresses, src/dst port numbers, MAC addresses of the machines
    used in the Bitcoin communication/transactions, timestamps of the packets,
    packet payload sizes in KB, and the Network type
    ('Bitcoin Main' if Bitcoin data traffic).

Connection tuples are cached when BITCOIN-MAIN traffic is detected, such that following this,
any blobs in a cached connection that do not contain BITCOIN-MAIN magic bytes, are labeled
as part of a connection containing Bitcoin traffic.

Any traffic on BITCOIN-MAIN's designated port will be labeled as potential Bitcoin traffic.

Additionally for Stratum mining, the plugin will attempt to extract:
    Bitcoin miner being used, transaction methods used in each connection
    (mining.notify, mining.authorize, mining.get_transaction, mining.submit, etc.),
    User ID (Auth ID) used to access the Bitcoin mining pool, and possibly the password
    used to connect to the pool if it is stored in the JSON of the payload.

    Also, the:
    range of job IDs (per connection), previous block hash, generation transaction (part 1),
    generation transaction (part 2), merkle tree branches (hashes), block version,
    and the hash difficulty (n-bits)
    (The generation transactions and merkle tree branches are only optionally outputted
    to a file: See Example (2) below)

    Note (1): The first time that all of this Stratum mining information is
              collected (per connection), all of the packets decoded after this
              point from within the same connection (same exact sip, dip, sport, dport)
              will continue to output the same collection of information since it
              will be the same, and is cumulative per connection.

    Note (2): The gen_tx1 and gen_tx2 fields enable the miner to build the coinbase
              transaction for the block by concatenating gen_tx1, the extranonce1
              at the start of gen_tx1, the extranonce2 generated by the miner, and
              gen_tx2 (hashes with scriptPubKeys)

    Note (3): Some pools recommend miners use their Bitcoin wallet ID
              (address used for payment) as their 'Auth ID'. This will be easily
              spotted as it is an address consisting of 26-35 alphanumeric characters,
              and it always begins with either the number '1' or '3'


    For additional information:
        Bitcoin Protocol: <https://en.bitcoin.it/wiki/Protocol_documentation>
        Stratum Mining Protocol: <https://en.bitcoin.it/wiki/Stratum_mining_protocol>


--------Main ports / Some secondary ports used for Bitcoin Traffic---------
    Bitcoin Main traffic uses port 8333
    Bitcoin Testnet uses port 18333
    Several pools use ports 3333, 8332, 8337
    The other ports checked are known ports used by specific BTC mining pools
    Other Bitcoin pools utilize alternate ports (even 80 / 443)

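The docstring above describes what the plugin pulls out of a Stratum session (method names, Auth ID, job fields) and, in Note (2), how gen_tx1, extranonce1, extranonce2 and gen_tx2 combine into the coinbase transaction. The following is an added worked example, not Dshell's own code: it labels a payload as Bitcoin Main (by the well-known network magic) or Stratum, extracts the fields the plugin reports from constructed mining.authorize / mining.notify lines, applies the Note (3) wallet-ID heuristic to the Auth ID, rebuilds the coinbase and folds the merkle branches onto it. The sample messages, hex values and extranonces are constructed placeholders, not captured traffic.

```python
"""Added example (not Dshell code): decode Stratum JSON-RPC lines and rebuild
the coinbase from gen_tx1 / extranonce1 / extranonce2 / gen_tx2 as the plugin
docstring describes. All sample data below is constructed."""
import hashlib
import json
import re

# Well-known 4-byte network magic that prefixes every Bitcoin P2P message.
BITCOIN_MAIN_MAGIC = b"\xf9\xbe\xb4\xd9"
BITCOIN_TESTNET_MAGIC = b"\x0b\x11\x09\x07"

# Heuristic from Note (3): a wallet address used as Auth ID is 26-35
# alphanumeric characters and starts with '1' or '3'.
WALLET_ID_RE = re.compile(r"[13][A-Za-z0-9]{25,34}")


def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def classify_payload(payload: bytes) -> str:
    """Label a TCP payload: P2P traffic by magic bytes, otherwise try Stratum JSON."""
    if payload.startswith(BITCOIN_MAIN_MAGIC):
        return "Bitcoin Main"
    if payload.startswith(BITCOIN_TESTNET_MAGIC):
        return "Bitcoin Testnet"
    try:
        msg = json.loads(payload.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return "unknown"
    if isinstance(msg, dict) and ("method" in msg or "result" in msg):
        return "Stratum"
    return "unknown"


def parse_stratum(line: str) -> dict:
    """Extract the fields the plugin reports for one Stratum JSON-RPC message."""
    msg = json.loads(line)
    method = msg.get("method")
    params = msg.get("params") or []
    info = {"method": method}
    if method == "mining.authorize" and params:
        info["auth_id"] = str(params[0])
        info["auth_id_looks_like_wallet"] = bool(WALLET_ID_RE.fullmatch(info["auth_id"]))
        if len(params) > 1:
            info["password"] = params[1]  # only present if the pool puts it in the JSON
    elif method == "mining.notify" and len(params) >= 8:
        info.update(job_id=params[0], prev_hash=params[1], gen_tx1=params[2],
                    gen_tx2=params[3], merkle_branches=params[4], version=params[5],
                    nbits=params[6], ntime=params[7])
    return info


def build_coinbase(gen_tx1: str, extranonce1: str, extranonce2: str, gen_tx2: str) -> bytes:
    """Coinbase = gen_tx1 || extranonce1 || extranonce2 || gen_tx2 (Stratum sends hex)."""
    return bytes.fromhex(gen_tx1 + extranonce1 + extranonce2 + gen_tx2)


def merkle_root(coinbase: bytes, branches: list) -> bytes:
    """Fold the mining.notify merkle branches onto the coinbase hash."""
    root = dsha256(coinbase)
    for branch in branches:
        root = dsha256(root + bytes.fromhex(branch))
    return root


# Constructed sample session (placeholder hex, not real transactions or a real pool).
GEN_TX1 = "01000000" + "01" + "00" * 32 + "ffffffff" + "1c03"
GEN_TX2 = "ffffffff" + "01" + "00f2052a01000000" + "1976a914" + "00" * 20 + "88ac" + "00000000"
EXTRANONCE1 = "08000002"  # would come from the pool's mining.subscribe reply
EXTRANONCE2 = "00000001"  # chosen by the miner
NOTIFY_PARAMS = ["job01", "00" * 32, GEN_TX1, GEN_TX2, ["11" * 32, "22" * 32],
                 "20000000", "1d00ffff", "5f5e1000", True]
SAMPLE_LINES = [
    json.dumps({"id": 2, "method": "mining.authorize",
                "params": ["1ExampleAuthId" + "0" * 14, "x"]}),
    json.dumps({"id": None, "method": "mining.notify", "params": NOTIFY_PARAMS}),
]


def summarize(lines=SAMPLE_LINES) -> dict:
    """Cumulative per-connection view, in the spirit of Note (1)."""
    summary = {"methods": [], "job_ids": []}
    for line in lines:
        info = parse_stratum(line)
        summary["methods"].append(info["method"])
        if "auth_id" in info:
            summary["auth_id"] = info["auth_id"]
            summary["wallet_like"] = info["auth_id_looks_like_wallet"]
        if "job_id" in info:
            summary["job_ids"].append(info["job_id"])
            coinbase = build_coinbase(info["gen_tx1"], EXTRANONCE1, EXTRANONCE2, info["gen_tx2"])
            summary["coinbase_len"] = len(coinbase)
            summary["merkle_root"] = merkle_root(coinbase, info["merkle_branches"]).hex()
            summary["nbits"] = info["nbits"]
    return summary


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run it as a script to print the per-connection summary; feed `parse_stratum` one newline-delimited JSON line at a time from a reassembled TCP stream to mirror how the plugin accumulates state per connection. The wallet-ID check is exactly the page's heuristic (prefix and length), so treat a match as a hint rather than address validation.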

Callers

nothing calls this directly

Calls 1

AlertOutputClass · 0.90

Tested by

no test coverage detected