public NetworkCredential Parse(TcpPacket tcpPacket) { NetworkPassword credential = null; var packetData = Encoding.UTF8.GetString(tcpPacket.Data); Match match = this._httpBasicAuthenticationRegex.Match(packetData); if (match.Success) { try { // Decode Base64 encoded credentials. string credentials = Encoding.UTF8.GetString( Convert.FromBase64String( match.Groups["Credentials"].Value)); var username = credentials.Split(':')[0]; var password = credentials.Split(':')[1]; credential = new NetworkPassword() { Protocol = "HTTP Basic Authentication", Username = username, Password = password, Source = tcpPacket.SourceIp, Destination = tcpPacket.DestinationIp }; } // Nothing to do, there always a chance it looks like Basic Authentication // but its not. catch { } } return(credential); }
private NetworkPassword SearchImapAuthenticateLogin(TcpSession tcpSession, string sessionData) { NetworkPassword password = null; Match match = _imapAuthenticateLoginRegex.Match(sessionData); if (match.Success) { // Decode the credentials Base64 string and split by Ascii Null character to get // the username and password (RFC 2595). // Note that we check if the 1'th cells of the split result is empty (regard to the RFC // the structure of the credentials is: 'authorization-id\0authentication-id\0passwd' // and sometimes the client may leave the authorization identity empty to indicate that // it is the same as the authentication identity). // TODO: maybe extract to external class and use it also at the SMTP Parser. string[] credentialsParts = Utilities.DecodeAsciiBase64(match.Groups["CredentialsBase64"].Value).Split('\0'); password = new NetworkPassword() { Protocol = "IMAP LOGIN (Base64)", Username = credentialsParts[0] != string.Empty ? credentialsParts[0] : credentialsParts[1], Password = credentialsParts[2], Source = tcpSession.SourceIp, Destination = tcpSession.DestinationIp }; } return(password); }
public void TelnetPasswordParser_ParseTelnetCharModePassword_ParseSuccess() { // Arrange var telnetParser = new PcapAnalyzer.TelnetPasswordParser(); var session = new PcapAnalyzer.TcpSession(); var expected = new PcapAnalyzer.NetworkPassword() { Username = "******", Password = "******", Destination = "2.2.2.2", Source = "1.1.1.1", Protocol = "Telnet" }; // Mock a session where the user is "us" and the password is "Secret123". session.Data = Encoding.ASCII.GetBytes("login:uuss" + Environment.NewLine + "Password:Secret123"); session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "login:"******"1.1.1.1", "2.2.2.2", 5472, 21, "u")); session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "u")); session.Packets.Add(mockPacket("1.1.1.1", "2.2.2.2", 5472, 21, "s")); session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "s")); session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "Password:"******"1.1.1.1", "2.2.2.2", 5472, 21, "Secret123")); session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "some dummy data")); // Act. PcapAnalyzer.NetworkPassword password = (telnetParser.Parse(session) as PcapAnalyzer.NetworkPassword); // Assert. Assert.AreEqual(expected, password); }
public void HandlePassword(PcapAnalyzer.NetworkPassword password) { var edgeText = $"{password.Protocol} Password"; AddEdge(password.Username, password.Destination, edgeText); _graph.FindNode(password.Username).Attr.FillColor = Microsoft.Msagl.Drawing.Color.LightGreen; }
public NetworkLayerObject Parse(TcpSession tcpSession) { NetworkPassword credential = null; var sessionData = Encoding.UTF8.GetString(tcpSession.Data); Match match = this.ftpSuccessfullLoginRegex.Match(sessionData); if (match.Success) { credential = new NetworkPassword() { Protocol = "FTP", Username = match.Groups["Username"].Value, Password = match.Groups["Password"].Value, Source = tcpSession.SourceIp, Destination = tcpSession.DestinationIp }; if (credential.Password.EndsWith("\r")) { credential.Password = credential.Password.Replace("\r", ""); } if (credential.Username.EndsWith("\r")) { credential.Username = credential.Username.Replace("\r", ""); } } return(credential); }
private NetworkPassword SearchSmtpAuthLogin(TcpSession tcpSession, string sessionData) { NetworkPassword credential = null; Match match = _smtpAuthLoginRegex.Match(sessionData); if (match.Success) { credential = new NetworkPassword() { Protocol = "SMTP (Auth Login)", Username = Utilities.DecodeAsciiBase64(match.Groups["Username"].Value), Password = Utilities.DecodeAsciiBase64(match.Groups["Password"].Value), Source = tcpSession.SourceIp, Destination = tcpSession.DestinationIp }; } return(credential); }
private NetworkPassword SearchImapPlaintextLogin(TcpSession tcpSession, string sessionData) { NetworkPassword password = null; Match match = _imapPlaintextLoginRegex.Match(sessionData); if (match.Success) { // TODO: Handle the triming at the regex. password = new NetworkPassword() { Protocol = "IMAP Plaintext", Username = match.Groups["Username"].Value.Trim(new char[] { '"' }), Password = match.Groups["Password"].Value.Trim(new char[] { '"' }), Source = tcpSession.SourceIp, Destination = tcpSession.DestinationIp }; } return(password); }
public NetworkCredential Parse(TcpSession tcpSession) { NetworkPassword credential = null; var sessionData = Encoding.UTF8.GetString(tcpSession.Data); Match match = this._ftpSuccessfullLoginRegex.Match(sessionData); if (match.Success) { credential = new NetworkPassword() { Protocol = "FTP", Username = match.Groups["Username"].Value, Password = match.Groups["Password"].Value, Source = tcpSession.SourceIp, Destination = tcpSession.DestinationIp }; } return(credential); }
public void FtpPasswordParser_ParseFtpPassword_ParseSuccess() { // Arrange. var ftpParsrer = new PcapAnalyzer.FtpPasswordParser(); var session = new PcapAnalyzer.TcpSession(); session.SourceIp = "1.1.1.1"; session.DestinationIp = "2.2.2.2"; session.Data = Encoding.UTF8.GetBytes( @"220 Chris Sanders FTP Server USER csanders 331 Password required for csanders. PASS echo 230 User csanders logged in."); // Act. PcapAnalyzer.NetworkPassword passsword = (ftpParsrer.Parse(session) as PcapAnalyzer.NetworkPassword); // Assert. Assert.AreEqual("csanders", passsword.Username); Assert.AreEqual("echo", passsword.Password); }
public void HttpBasicPasswordParser_ParseFtpPassword_ParseSuccess() { // Arrange. var parsrer = new PcapAnalyzer.HttpBasicPasswordParser(); var packet = new PcapAnalyzer.TcpPacket(); packet.SourceIp = "1.1.1.1"; packet.DestinationIp = "2.2.2.2"; packet.Data = Encoding.UTF8.GetBytes( @"GET /password-ok.php HTTP/1.1 Host: browserspy.dk Connection: keep-alive Cache-Control: max-age=0 Authorization: Basic dGVzdDpmYWlsMw== Accept: text/html,application/xhtml+xml"); // Act. PcapAnalyzer.NetworkPassword password = (parsrer.Parse(packet) as PcapAnalyzer.NetworkPassword); // Assert. Assert.AreEqual("test", password.Username); Assert.AreEqual("fail3", password.Password); }
// This function extracts Telnet username and password from a Tcp session. // Algorithm: // - First check if the session data matches a Regular expression. // - If match, iterate over session packets and manage a state machine // depends on the authentication phase. // // The algorithm should work on both Line-Mode (RFC 1116) and Character-Mode (the default // Telnet mode). public NetworkLayerObject Parse(TcpSession tcpSession) { int serverPort; int clientPort; var serverIp = string.Empty; var clientIp = string.Empty; var password = string.Empty; var username = string.Empty; var state = TelnetServerState.None; NetworkPassword credential = null; var sessionData = Encoding.UTF8.GetString(tcpSession.Data); Match match = _telnetPossibleLoginRegex.Match(sessionData); if (match.Success) { foreach (var packet in tcpSession.Packets) { // Telnet works with ASCII characters set (known as NVT ASCII). var packetData = Encoding.ASCII.GetString(packet.Data); if (packetData.Contains("login:"******"Password:"******"Telnet", Username = username, Password = password, Source = clientIp, Destination = serverIp }; break; } } } return(credential); }