public NetworkCredential Parse(TcpPacket tcpPacket)
{
NetworkPassword credential = null;
var packetData = Encoding.UTF8.GetString(tcpPacket.Data);
Match match = this._httpBasicAuthenticationRegex.Match(packetData);
if (match.Success)
{
try
{
// Decode Base64 encoded credentials.
string credentials = Encoding.UTF8.GetString(
Convert.FromBase64String(
match.Groups["Credentials"].Value));
var username = credentials.Split(':')[0];
var password = credentials.Split(':')[1];
credential = new NetworkPassword()
{
Protocol = "HTTP Basic Authentication",
Username = username,
Password = password,
Source = tcpPacket.SourceIp,
Destination = tcpPacket.DestinationIp
};
}
// Nothing to do, there always a chance it looks like Basic Authentication
// but its not.
catch { }
}
return(credential);
}
private NetworkPassword SearchImapAuthenticateLogin(TcpSession tcpSession, string sessionData)
{
NetworkPassword password = null;
Match match = _imapAuthenticateLoginRegex.Match(sessionData);
if (match.Success)
{
// Decode the credentials Base64 string and split by Ascii Null character to get
// the username and password (RFC 2595).
// Note that we check if the 1'th cells of the split result is empty (regard to the RFC
// the structure of the credentials is: 'authorization-id\0authentication-id\0passwd'
// and sometimes the client may leave the authorization identity empty to indicate that
// it is the same as the authentication identity).
// TODO: maybe extract to external class and use it also at the SMTP Parser.
string[] credentialsParts = Utilities.DecodeAsciiBase64(match.Groups["CredentialsBase64"].Value).Split('\0');
password = new NetworkPassword()
{
Protocol = "IMAP LOGIN (Base64)",
Username = credentialsParts[0] != string.Empty ? credentialsParts[0] : credentialsParts[1],
Password = credentialsParts[2],
Source = tcpSession.SourceIp,
Destination = tcpSession.DestinationIp
};
}
return(password);
}
public void TelnetPasswordParser_ParseTelnetCharModePassword_ParseSuccess()
{
// Arrange
var telnetParser = new PcapAnalyzer.TelnetPasswordParser();
var session = new PcapAnalyzer.TcpSession();
var expected = new PcapAnalyzer.NetworkPassword()
{
Username = "******",
Password = "******",
Destination = "2.2.2.2",
Source = "1.1.1.1",
Protocol = "Telnet"
};
// Mock a session where the user is "us" and the password is "Secret123".
session.Data = Encoding.ASCII.GetBytes("login:uuss" + Environment.NewLine + "Password:Secret123");
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "login:"******"1.1.1.1", "2.2.2.2", 5472, 21, "u"));
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "u"));
session.Packets.Add(mockPacket("1.1.1.1", "2.2.2.2", 5472, 21, "s"));
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "s"));
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "Password:"******"1.1.1.1", "2.2.2.2", 5472, 21, "Secret123"));
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "some dummy data"));
// Act.
PcapAnalyzer.NetworkPassword password = (telnetParser.Parse(session) as PcapAnalyzer.NetworkPassword);
// Assert.
Assert.AreEqual(expected, password);
}
public void HandlePassword(PcapAnalyzer.NetworkPassword password)
{
var edgeText = $"{password.Protocol} Password";
AddEdge(password.Username, password.Destination, edgeText);
_graph.FindNode(password.Username).Attr.FillColor = Microsoft.Msagl.Drawing.Color.LightGreen;
}
public NetworkLayerObject Parse(TcpSession tcpSession)
{
NetworkPassword credential = null;
var sessionData = Encoding.UTF8.GetString(tcpSession.Data);
Match match = this.ftpSuccessfullLoginRegex.Match(sessionData);
if (match.Success)
{
credential = new NetworkPassword()
{
Protocol = "FTP",
Username = match.Groups["Username"].Value,
Password = match.Groups["Password"].Value,
Source = tcpSession.SourceIp,
Destination = tcpSession.DestinationIp
};
if (credential.Password.EndsWith("\r"))
{
credential.Password = credential.Password.Replace("\r", "");
}
if (credential.Username.EndsWith("\r"))
{
credential.Username = credential.Username.Replace("\r", "");
}
}
return(credential);
}
private NetworkPassword SearchSmtpAuthLogin(TcpSession tcpSession, string sessionData)
{
NetworkPassword credential = null;
Match match = _smtpAuthLoginRegex.Match(sessionData);
if (match.Success)
{
credential = new NetworkPassword()
{
Protocol = "SMTP (Auth Login)",
Username = Utilities.DecodeAsciiBase64(match.Groups["Username"].Value),
Password = Utilities.DecodeAsciiBase64(match.Groups["Password"].Value),
Source = tcpSession.SourceIp,
Destination = tcpSession.DestinationIp
};
}
return(credential);
}
private NetworkPassword SearchImapPlaintextLogin(TcpSession tcpSession, string sessionData)
{
NetworkPassword password = null;
Match match = _imapPlaintextLoginRegex.Match(sessionData);
if (match.Success)
{
// TODO: Handle the triming at the regex.
password = new NetworkPassword()
{
Protocol = "IMAP Plaintext",
Username = match.Groups["Username"].Value.Trim(new char[] { '"' }),
Password = match.Groups["Password"].Value.Trim(new char[] { '"' }),
Source = tcpSession.SourceIp,
Destination = tcpSession.DestinationIp
};
}
return(password);
}
public NetworkCredential Parse(TcpSession tcpSession)
{
NetworkPassword credential = null;
var sessionData = Encoding.UTF8.GetString(tcpSession.Data);
Match match = this._ftpSuccessfullLoginRegex.Match(sessionData);
if (match.Success)
{
credential = new NetworkPassword()
{
Protocol = "FTP",
Username = match.Groups["Username"].Value,
Password = match.Groups["Password"].Value,
Source = tcpSession.SourceIp,
Destination = tcpSession.DestinationIp
};
}
return(credential);
}
public void FtpPasswordParser_ParseFtpPassword_ParseSuccess()
{
// Arrange.
var ftpParsrer = new PcapAnalyzer.FtpPasswordParser();
var session = new PcapAnalyzer.TcpSession();
session.SourceIp = "1.1.1.1";
session.DestinationIp = "2.2.2.2";
session.Data = Encoding.UTF8.GetBytes(
@"220 Chris Sanders FTP Server
USER csanders
331 Password required for csanders.
PASS echo
230 User csanders logged in.");
// Act.
PcapAnalyzer.NetworkPassword passsword = (ftpParsrer.Parse(session) as PcapAnalyzer.NetworkPassword);
// Assert.
Assert.AreEqual("csanders", passsword.Username);
Assert.AreEqual("echo", passsword.Password);
}
public void HttpBasicPasswordParser_ParseFtpPassword_ParseSuccess()
{
// Arrange.
var parsrer = new PcapAnalyzer.HttpBasicPasswordParser();
var packet = new PcapAnalyzer.TcpPacket();
packet.SourceIp = "1.1.1.1";
packet.DestinationIp = "2.2.2.2";
packet.Data = Encoding.UTF8.GetBytes(
@"GET /password-ok.php HTTP/1.1
Host: browserspy.dk
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic dGVzdDpmYWlsMw==
Accept: text/html,application/xhtml+xml");
// Act.
PcapAnalyzer.NetworkPassword password = (parsrer.Parse(packet) as PcapAnalyzer.NetworkPassword);
// Assert.
Assert.AreEqual("test", password.Username);
Assert.AreEqual("fail3", password.Password);
}
// This function extracts Telnet username and password from a Tcp session.
// Algorithm:
// - First check if the session data matches a Regular expression.
// - If match, iterate over session packets and manage a state machine
// depends on the authentication phase.
//
// The algorithm should work on both Line-Mode (RFC 1116) and Character-Mode (the default
// Telnet mode).
public NetworkLayerObject Parse(TcpSession tcpSession)
{
int serverPort;
int clientPort;
var serverIp = string.Empty;
var clientIp = string.Empty;
var password = string.Empty;
var username = string.Empty;
var state = TelnetServerState.None;
NetworkPassword credential = null;
var sessionData = Encoding.UTF8.GetString(tcpSession.Data);
Match match = _telnetPossibleLoginRegex.Match(sessionData);
if (match.Success)
{
foreach (var packet in tcpSession.Packets)
{
// Telnet works with ASCII characters set (known as NVT ASCII).
var packetData = Encoding.ASCII.GetString(packet.Data);
if (packetData.Contains("login:"******"Password:"******"Telnet",
Username = username,
Password = password,
Source = clientIp,
Destination = serverIp
};
break;
}
}
}
return(credential);
}
