//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
        public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
        {
            NetworkHost sourceHost, destinationHost;

            if (transferIsClientToServer)
            {
                sourceHost      = tcpSession.Flow.FiveTuple.ClientHost;
                destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
            }
            else
            {
                sourceHost      = tcpSession.Flow.FiveTuple.ServerHost;
                destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
            }
            //bool successfulExtraction=false;
            int successfullyExtractedBytes = 0;

            foreach (Packets.AbstractPacket p in packetList)
            {
                if (p.GetType() == typeof(Packets.NtlmSspPacket))
                {
                    Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;
                    if (ntlmPacket.NtlmChallenge != null)
                    {
                        if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
                        {
                            ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge;
                        }
                        else
                        {
                            ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge);
                        }
                    }
                    if (ntlmPacket.DomainName != null)
                    {
                        sourceHost.AddDomainName(ntlmPacket.DomainName);
                    }
                    if (ntlmPacket.HostName != null)
                    {
                        sourceHost.AddHostName(ntlmPacket.HostName);
                    }
                    if (ntlmPacket.UserName != null)
                    {
                        if (ntlmPacket.UserName.EndsWith("$"))  //hostname
                        {
                            sourceHost.AddHostName(ntlmPacket.UserName.TrimEnd(new[] { '$' }));
                        }
                        else
                        {
                            sourceHost.AddNumberedExtraDetail("NTLM Username ", ntlmPacket.UserName);
                        }

                        string lanManagerHashInfo = null;
                        if (ntlmPacket.LanManagerResponse != null)
                        {
                            lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
                        }
                        if (ntlmPacket.NtlmResponse != null)
                        {
                            if (lanManagerHashInfo == null)
                            {
                                lanManagerHashInfo = "";
                            }
                            else
                            {
                                lanManagerHashInfo = lanManagerHashInfo + " - ";
                            }
                            lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse;
                        }
                        if (lanManagerHashInfo == null)
                        {
                            base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
                        }
                        else
                        {
                            if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
                            {
                                lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[tcpSession.GetHashCode()] + " - " + lanManagerHashInfo;
                            }
                            if (ntlmPacket.DomainName == null)
                            {
                                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
                            }
                            else
                            {
                                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.DomainName + "\\" + ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
                            }
                        }
                    }
                    successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed
                }
            }

            return(successfullyExtractedBytes);
        }
        //public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<AbstractPacket> packetList) {
        public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
        {
            /*
             * NetworkHost sourceHost, destinationHost;
             * if (transferIsClientToServer) {
             *  sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
             *  destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
             * }
             * else {
             *  sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
             *  destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
             * }*/
            Packets.ImapPacket imapPacket = null;
            Packets.TcpPacket  tcpPacket  = null;
            foreach (Packets.AbstractPacket p in packetList)
            {
                if (p.GetType() == typeof(Packets.TcpPacket))
                {
                    tcpPacket = (Packets.TcpPacket)p;
                }
                else if (p.GetType() == typeof(Packets.ImapPacket))
                {
                    imapPacket = (Packets.ImapPacket)p;
                }
            }
            if (tcpPacket != null && (tcpPacket.SourcePort == 220 || tcpPacket.SourcePort == 143) && this.lastCommand.ContainsKey(tcpSession) && this.lastCommand[tcpSession] == ImapPacket.ClientCommand.UID && this.serverToClientEmailReassemblers.ContainsKey(tcpSession))
            {
                return(this.ExtractEmail(tcpSession, tcpPacket, tcpPacket.PacketStartIndex + tcpPacket.DataOffsetByteCount, tcpPacket.PayloadDataLength));
            }
            else if (tcpPacket != null && (tcpPacket.DestinationPort == 220 || tcpPacket.DestinationPort == 143) && this.lastCommand.ContainsKey(tcpSession) && this.lastCommand[tcpSession] == ImapPacket.ClientCommand.APPEND && this.clientToServerEmailReassemblers.ContainsKey(tcpSession))
            {
                return(this.ExtractEmail(tcpSession, tcpPacket, tcpPacket.PacketStartIndex + tcpPacket.DataOffsetByteCount, tcpPacket.PayloadDataLength));
            }
            else if (tcpPacket != null && imapPacket != null)
            {
                if (imapPacket.ClientToServer)
                {
                    if (imapPacket.Command != null)
                    {
                        if (lastCommand.ContainsKey(tcpSession))
                        {
                            lastCommand[tcpSession] = imapPacket.Command.Value;
                        }
                        else
                        {
                            lastCommand.Add(tcpSession, imapPacket.Command.Value);
                        }

                        if (imapPacket.FullRequestOrResponseLine != null && imapPacket.FullRequestOrResponseLine.Length > 0)
                        {
                            System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
                            parameters.Add(imapPacket.Command.Value.ToString(), imapPacket.FullRequestOrResponseLine);
                            base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(imapPacket.ParentFrame.FrameNumber, tcpSession.Flow.FiveTuple, transferIsClientToServer, parameters, imapPacket.ParentFrame.Timestamp, "IMAP Client Command"));
                        }

                        //remove any old email reassemblers since we have now received a new command
                        if (this.serverToClientEmailReassemblers.ContainsKey(tcpSession))
                        {
                            this.serverToClientEmailReassemblers[tcpSession].Close();
                            this.serverToClientEmailReassemblers.Remove(tcpSession);//we will need to create a new reassembler
                        }

                        if (imapPacket.Command == ImapPacket.ClientCommand.APPEND)
                        {
                            //an email is being uploaded to the server
                            if (imapPacket.BodyLength > 0)
                            {
                                int emailBytes = this.ExtractEmail(tcpSession, tcpPacket, imapPacket.PacketStartIndex + imapPacket.ParsedBytesCount, imapPacket.PacketLength - imapPacket.ParsedBytesCount, imapPacket.BodyLength, true);
                                imapPacket.ParsedBytesCount += emailBytes;
                            }
                        }
                        else if (imapPacket.Command == ImapPacket.ClientCommand.LOGIN)
                        {
                            string[] args       = imapPacket.FullRequestOrResponseLine.Split(new char[] { ' ' });
                            char[]   quoteChars = new char[] { '\'', '"' };
                            //a001 LOGIN SMITH SESAME
                            if (args.Length > 3)
                            {
                                string            username = args[2].Trim(quoteChars);
                                string            password = args[3].Trim(quoteChars);
                                NetworkCredential cred     = new NetworkCredential(tcpSession.ClientHost, tcpSession.ServerHost, "IMAP", username, password, imapPacket.ParentFrame.Timestamp);
                                //base.MainPacketHandler.OnCredentialDetected(new Events.CredentialEventArgs(cred));
                                base.MainPacketHandler.AddCredential(cred);
                            }
                        }
                    }
                    else if (lastCommand.ContainsKey(tcpSession) && lastCommand[tcpSession] == ImapPacket.ClientCommand.AUTHENTICATE)
                    {
                        if (imapPacket.FullRequestOrResponseLine != null && imapPacket.FullRequestOrResponseLine.Length > 0)
                        {
                            string            base64 = imapPacket.FullRequestOrResponseLine;
                            NetworkCredential cred   = SmtpPacketHandler.ExtractBase64EncodedAuthPlainCredential(base64, imapPacket.ParentFrame, tcpSession, ApplicationLayerProtocol.Imap);
                            if (cred != null)
                            {
                                //base.MainPacketHandler.OnCredentialDetected(new Events.CredentialEventArgs(cred));
                                base.MainPacketHandler.AddCredential(cred);

                                if (imapPacket.ParsedBytesCount == 0)
                                {
                                    imapPacket.ParsedBytesCount = base64.Length + 2;//add CRLF
                                }
                            }
                        }
                    }
                }
                else  //server to client
                {
                    if (imapPacket.Result != null && imapPacket.FullRequestOrResponseLine != null && imapPacket.FullRequestOrResponseLine.Length > 0)
                    {
                        System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
                        parameters.Add(imapPacket.Result.Value.ToString(), imapPacket.FullRequestOrResponseLine);
                        base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(imapPacket.ParentFrame.FrameNumber, tcpSession.Flow.FiveTuple, transferIsClientToServer, parameters, imapPacket.ParentFrame.Timestamp, "IMAP Server Response"));
                    }

                    if (lastCommand.ContainsKey(tcpSession) && (lastCommand[tcpSession] == ImapPacket.ClientCommand.FETCH || lastCommand[tcpSession] == ImapPacket.ClientCommand.UID))
                    {
                        if (imapPacket.Command != null && imapPacket.FullRequestOrResponseLine != null && imapPacket.FullRequestOrResponseLine.Length > 0)
                        {
                            System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
                            parameters.Add(imapPacket.Command.Value.ToString(), imapPacket.FullRequestOrResponseLine);
                            base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(imapPacket.ParentFrame.FrameNumber, tcpSession.Flow.FiveTuple, transferIsClientToServer, parameters, imapPacket.ParentFrame.Timestamp, "IMAP Untagged Response"));
                        }
                        //the server might push an email here
                        if (imapPacket.BodyLength > 0)
                        {
                            int emailBytes = this.ExtractEmail(tcpSession, tcpPacket, imapPacket.PacketStartIndex + imapPacket.ParsedBytesCount, imapPacket.PacketLength - imapPacket.ParsedBytesCount, imapPacket.BodyLength, false);
                            if (imapPacket.ParenthesesDiff > 0 && imapPacket.ParsedBytesCount + emailBytes < imapPacket.PacketLength)
                            {
                                //we might have a trailing line that closes the parenthesis, let's read that one too
                                int    index                   = imapPacket.PacketStartIndex + imapPacket.ParsedBytesCount + emailBytes;
                                string trailingLine            = Utils.ByteConverter.ReadLine(imapPacket.ParentFrame.Data, ref index);
                                int    trailingParenthesesDiff = trailingLine.Split('(').Length - trailingLine.Split(')').Length;
                                if (imapPacket.ParenthesesDiff + trailingParenthesesDiff == 0)
                                {
                                    return(index - imapPacket.PacketStartIndex);
                                }
                                else
                                {
                                    return(imapPacket.ParsedBytesCount + emailBytes);
                                }
                            }
                            else
                            {
                                return(imapPacket.ParsedBytesCount + emailBytes);
                            }
                        }
                    }
                    else if (lastCommand.ContainsKey(tcpSession) && (lastCommand[tcpSession] == ImapPacket.ClientCommand.STARTTLS))
                    {
                        if (imapPacket.Result == ImapPacket.ServerResult.OK)
                        {
                            //1 OK Begin TLS negotiation now
                            //do the same protocol switch trick as in SocksPacketHandler
                            //tcpSession.ProtocolFinder = new TcpPortProtocolFinder(tcpSession.ClientHost, tcpSession.ServerHost, tcpSession.ClientTcpPort, tcpSession.ServerTcpPort, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, base.MainPacketHandler);
                            tcpSession.ProtocolFinder.SetConfirmedApplicationLayerProtocol(ApplicationLayerProtocol.Ssl, false);
                        }
                    }
                }
                return(imapPacket.ParsedBytesCount);
            }
            else
            {
                return(0);
            }
        }
Example #3
0
        public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
        {
            //bool successfulExtraction=false;
            int successfullyExtractedBytes = 0;

            foreach (Packets.AbstractPacket p in packetList)
            {
                if (p.GetType() == typeof(Packets.NtlmSspPacket))
                {
                    Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;
                    if (ntlmPacket.NtlmChallenge != null)
                    {
                        if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
                        {
                            ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge;
                        }
                        else
                        {
                            ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge);
                        }
                    }
                    if (ntlmPacket.DomainName != null)
                    {
                        sourceHost.AddDomainName(ntlmPacket.DomainName);
                    }
                    if (ntlmPacket.HostName != null)
                    {
                        sourceHost.AddHostName(ntlmPacket.HostName);
                    }
                    if (ntlmPacket.UserName != null)
                    {
                        if (!sourceHost.ExtraDetailsList.ContainsKey("NTLM Username " + ntlmPacket.UserName))
                        {
                            sourceHost.ExtraDetailsList.Add("NTLM Username " + ntlmPacket.UserName, ntlmPacket.UserName);
                        }
                        string lanManagerHashInfo = null;
                        if (ntlmPacket.LanManagerResponse != null)
                        {
                            lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
                        }
                        if (ntlmPacket.NtlmResponse != null)
                        {
                            if (lanManagerHashInfo == null)
                            {
                                lanManagerHashInfo = "";
                            }
                            else
                            {
                                lanManagerHashInfo = lanManagerHashInfo + " - ";
                            }
                            lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse;
                        }
                        if (lanManagerHashInfo == null)
                        {
                            base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
                        }
                        else
                        {
                            if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
                            {
                                lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[tcpSession.GetHashCode()] + " - " + lanManagerHashInfo;
                            }
                            base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
                        }
                    }
                    successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed
                }
            }

            return(successfullyExtractedBytes);
        }
Example #4
0
        //public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
        public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
        {
            NetworkHost sourceHost, destinationHost;

            if (transferIsClientToServer)
            {
                sourceHost      = tcpSession.Flow.FiveTuple.ClientHost;
                destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
            }
            else
            {
                sourceHost      = tcpSession.Flow.FiveTuple.ServerHost;
                destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
            }
            //bool successfulExtraction=false;
            int successfullyExtractedBytes = 0;

            foreach (Packets.AbstractPacket p in packetList)
            {
                if (p.GetType() == typeof(Packets.NtlmSspPacket))
                {
                    Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;
                    if (ntlmPacket.NtlmChallenge != null)
                    {
                        if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
                        {
                            ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge;
                        }
                        else
                        {
                            ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge);
                        }
                    }
                    if (ntlmPacket.DomainName != null)
                    {
                        sourceHost.AddDomainName(ntlmPacket.DomainName);
                    }
                    if (ntlmPacket.HostName != null)
                    {
                        sourceHost.AddHostName(ntlmPacket.HostName, ntlmPacket.PacketTypeDescription);
                    }
                    if (ntlmPacket.UserName != null)
                    {
                        if (ntlmPacket.UserName.EndsWith("$"))  //hostname
                        {
                            sourceHost.AddHostName(ntlmPacket.UserName.TrimEnd(new[] { '$' }), ntlmPacket.PacketTypeDescription);
                        }
                        else
                        {
                            sourceHost.AddNumberedExtraDetail("NTLM Username ", ntlmPacket.UserName);
                        }

                        string lanManagerHashInfo = null;
                        if (ntlmPacket.LanManagerResponse != null)
                        {
                            lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
                            if (ntlmPacket.LanManagerResponse.Length >= 16)
                            {
                                //$LM$a9c604d244c4e99d
                                string lmHash = ntlmPacket.LanManagerResponse.Substring(0, 16);
                                if (lmHash.Trim(new[] { '0' }).Length > 0)
                                {
                                    base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.DomainName + "\\" + ntlmPacket.UserName, "$LM$" + lmHash, ntlmPacket.ParentFrame.Timestamp));
                                }
                            }
                        }
                        if (ntlmPacket.NtlmResponse != null)
                        {
                            if (lanManagerHashInfo == null)
                            {
                                lanManagerHashInfo = "";
                            }
                            else
                            {
                                lanManagerHashInfo = lanManagerHashInfo + " - ";
                            }
                            lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse;
                        }
                        if (lanManagerHashInfo == null)
                        {
                            base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
                        }
                        else
                        {
                            string ntlmChallenge = null;
                            if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
                            {
                                ntlmChallenge      = ntlmChallengeList[tcpSession.GetHashCode()];
                                lanManagerHashInfo = "NTLM Challenge: " + ntlmChallenge + " - " + lanManagerHashInfo;
                            }
                            if (ntlmPacket.DomainName == null)
                            {
                                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
                            }
                            else
                            {
                                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.DomainName + "\\" + ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
                            }

                            if (ntlmChallenge != null && ntlmPacket.NtlmResponse != null)
                            {
                                string johnHash = null;
                                if (ntlmPacket.NtlmResponse.Length == 48)  //24 bytes of binary data => NTLMv1
                                //example: $NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233
                                {
                                    johnHash = "$NETNTLM$" + ntlmChallenge + "$" + ntlmPacket.NtlmResponse;
                                }
                                else if (ntlmPacket.NtlmResponse.Length > 48)  //NTLMv2
                                //example: $NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000
                                {
                                    StringBuilder johnHashSB = new StringBuilder("$NETNTLMv2$");
                                    if (ntlmPacket.DomainName != null)
                                    {
                                        johnHashSB.Append(ntlmPacket.DomainName);
                                    }
                                    johnHashSB.Append("$");
                                    johnHashSB.Append(ntlmChallenge);
                                    johnHashSB.Append("$");
                                    johnHashSB.Append(ntlmPacket.NtlmResponse.Substring(0, 32)); //NTProofStr
                                    johnHashSB.Append("$");
                                    johnHashSB.Append(ntlmPacket.NtlmResponse.Substring(32));    //NTLMv2 response, minus NTProofStr
                                    johnHash = johnHashSB.ToString();
                                }
                                if (johnHash != null)
                                {
                                    base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.DomainName + "\\" + ntlmPacket.UserName, johnHash, ntlmPacket.ParentFrame.Timestamp));
                                }
                            }
                        }
                    }
                    successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed
                }
            }

            return(successfullyExtractedBytes);
        }