public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
{
if (includeSelfReference)
{
yield return(this);
}
if (this.blobLength > 0 && this.blobOffset > 0)
{
SmbPacket.SecurityBlob securityBlob = new SmbPacket.SecurityBlob(this.ParentFrame, base.Smb2Packet.PacketStartIndex + this.blobOffset, this.PacketEndIndex);
if (securityBlob != null)
{
yield return(securityBlob);
foreach (AbstractPacket subPacket in securityBlob.GetSubPackets(false))
{
yield return(subPacket);
}
}
}
}
private void ExtractHeaderField(string headerField)
{
if (headerField.StartsWith("Host: ")) //look for the host
{
this.requestedHost = headerField.Substring(6).Trim();
if (!this.ParentFrame.QuickParse)
{
base.Attributes.Add("Requested Host", headerField.Substring(6).Trim());
}
}
else if (headerField.StartsWith("User-Agent: ", StringComparison.OrdinalIgnoreCase))
{
this.userAgentBanner = headerField.Substring(12).Trim();
if (!this.ParentFrame.QuickParse)
{
base.Attributes.Add("User-Agent", this.userAgentBanner = headerField.Substring(12).Trim());
}
}
else if (headerField.StartsWith("Server: ", StringComparison.OrdinalIgnoreCase))
{
this.serverBanner = headerField.Substring(8).Trim();
if (!this.ParentFrame.QuickParse)
{
this.Attributes.Add("Server banner", this.serverBanner = headerField.Substring(8).Trim());
}
}
else if (headerField.StartsWith("Cookie: ", StringComparison.OrdinalIgnoreCase))
{
//http://www.w3.org/Protocols/rfc2109/rfc2109
this.cookie = headerField.Substring(8).Trim();
if (!this.ParentFrame.QuickParse)
{
this.Attributes.Add("Cookie", this.cookie);
}
}
else if (headerField.StartsWith("Set-Cookie: ", StringComparison.OrdinalIgnoreCase))
{
if (String.IsNullOrEmpty(this.cookie))
{
this.cookie = headerField.Substring(12).Trim();
}
else
{
this.cookie += "; " + headerField.Substring(12).Trim();
}
if (!this.ParentFrame.QuickParse)
{
this.Attributes.Add("Cookie", this.cookie);
}
}
else if (headerField.StartsWith("Content-Type: ", StringComparison.OrdinalIgnoreCase))
{
this.contentType = headerField.Substring(14).Trim();
}
else if (headerField.StartsWith("Content-Length: ", StringComparison.OrdinalIgnoreCase))
{
this.contentLength = Convert.ToInt32(headerField.Substring(16).Trim());
}
else if (headerField.StartsWith("Content-Encoding: ", StringComparison.OrdinalIgnoreCase))
{
this.contentEncoding = headerField.Substring(18).Trim();
}
else if (headerField.StartsWith("Transfer-Encoding: ", StringComparison.OrdinalIgnoreCase))
{
this.transferEncoding = headerField.Substring(19).Trim();
}
else if (headerField.StartsWith("WWW-Authenticate: ", StringComparison.OrdinalIgnoreCase) && headerField.Contains("realm=\""))
{
int realmStart = headerField.IndexOf("realm=\"") + 7;
int realmEnd = headerField.IndexOf('\"', realmStart);
if (realmStart >= 0 && realmEnd > 0)
{
this.wwwAuthenticateRealm = headerField.Substring(realmStart, realmEnd - realmStart).Trim();
}
}
else if (headerField.StartsWith("WWW-Authenticate: Negotiate ", StringComparison.InvariantCultureIgnoreCase))
{
try {
string base64 = headerField.Substring("WWW-Authenticate: Negotiate ".Length).Trim();
byte[] gssApiData = Convert.FromBase64String(base64);
//create a "fake" frame
Frame virtualAuthFrame = new Frame(this.ParentFrame.Timestamp, gssApiData, this.ParentFrame.FrameNumber);
SmbPacket.SecurityBlob securityBlob = new SmbPacket.SecurityBlob(virtualAuthFrame, 0, virtualAuthFrame.Data.Length - 1);
this.subPackets.Add(securityBlob);
}
catch (Exception e) {
if (!this.ParentFrame.QuickParse)
{
this.ParentFrame.Errors.Add(new Frame.Error(this.ParentFrame, PacketStartIndex, this.PacketEndIndex, "Cannot parse credentials in HTTP Authorization: Negotiate (" + e.Message + ")"));
}
}
}
else if (headerField.StartsWith("Proxy-Authenticate: Basic realm=", StringComparison.OrdinalIgnoreCase))
{
this.wwwAuthenticateRealm = headerField.Substring(33, headerField.Length - 34).Trim();
}
else if (headerField.StartsWith("Authorization: Basic ", StringComparison.OrdinalIgnoreCase))
{
try {
string base64string = headerField.Substring(21).Trim();
Byte[] bArray = Convert.FromBase64String(base64string);
StringBuilder sb = new StringBuilder(bArray.Length);
foreach (byte b in bArray)
{
sb.Append((char)b);
}
//string s=System.Text.Encoding.Unicode.GetString(bArray);
string s = sb.ToString();
if (s.Contains(":"))
{
this.authorizationCredentialsUsername = s.Substring(0, s.IndexOf(':'));
if (s.IndexOf(':') + 1 < s.Length)
{
this.authorizationCredentailsPassword = s.Substring(s.IndexOf(':') + 1);
}
else
{
this.authorizationCredentailsPassword = "";
}
}
}
catch (Exception e) {
if (!this.ParentFrame.QuickParse)
{
this.ParentFrame.Errors.Add(new Frame.Error(this.ParentFrame, PacketStartIndex, this.PacketEndIndex, "Cannot parse credentials in HTTP Authorization (" + e.Message + ")"));
}
}
}
else if (headerField.StartsWith("Authorization: Digest ", StringComparison.OrdinalIgnoreCase))
{
try {
string authorizationString = headerField.Substring(22).Trim();
foreach (string keyValueString in authorizationString.Split(new char[] { ',' }))
{
//username="******"
string[] parts = keyValueString.Split(new char[] { '=' });
if (parts.Length == 2)
{
/**
* private string wwwAuthenticateRealm;//Used to be wwwAuthenticateBasicRealm
* private string authorizationCredentialsUsername;
* private string authorizationCredentailsPassword;
**/
string name = parts[0].Trim();
string value = parts[1].Trim(new char[] { ' ', '\"', '\'' });
if (name.Equals("username", StringComparison.InvariantCultureIgnoreCase))
{
this.authorizationCredentialsUsername = value;
if (this.authorizationCredentailsPassword == null)
{
this.authorizationCredentailsPassword = "******";
}
}
else if (name.Equals("realm", StringComparison.InvariantCultureIgnoreCase))
{
this.wwwAuthenticateRealm = value;
}
}
}
}
catch (Exception e) {
if (!this.ParentFrame.QuickParse)
{
this.ParentFrame.Errors.Add(new Frame.Error(this.ParentFrame, PacketStartIndex, this.PacketEndIndex, "Cannot parse credentials in HTTP Authorization (" + e.Message + ")"));
}
}
}
else if (headerField.StartsWith("Authorization: Negotiate", StringComparison.InvariantCultureIgnoreCase))
{
try {
string base64 = headerField.Substring("Authorization: Negotiate".Length).Trim();
byte[] gssApiData = Convert.FromBase64String(base64);
//create a "fake" frame
Frame virtualAuthFrame = new Frame(this.ParentFrame.Timestamp, gssApiData, this.ParentFrame.FrameNumber);
SmbPacket.SecurityBlob securityBlob = new SmbPacket.SecurityBlob(virtualAuthFrame, 0, virtualAuthFrame.Data.Length - 1);
this.subPackets.Add(securityBlob);
}
catch (Exception e) {
if (!this.ParentFrame.QuickParse)
{
this.ParentFrame.Errors.Add(new Frame.Error(this.ParentFrame, PacketStartIndex, this.PacketEndIndex, "Cannot parse credentials in HTTP Authorization: Negotiate (" + e.Message + ")"));
}
}
}
else if (headerField.StartsWith("Content-Disposition:", StringComparison.OrdinalIgnoreCase))
{
this.contentDisposition = headerField.Substring(20).Trim();
if (headerField.Contains("filename="))
{
string filename = headerField.Substring(headerField.IndexOf("filename=") + 9);
filename = filename.Trim();
if (filename.StartsWith("\"") && filename.IndexOf('\"', 1) > 0)//get the string inside the quotations
{
filename = filename.Substring(1, filename.IndexOf('\"', 1) - 1);
}
if (filename.Length > 0)
{
this.contentDispositionFilename = filename;
}
}
else if (headerField.Contains("filename*="))
{
//Example: Content-Disposition: inline; filename*=UTF-8''944.png
//rfc6266 specifies that filename-parm can be "filename*" "=" ext-value
//rfc5987 sprcifies that ext-value = charset "'" [ language ] "'" value-chars
int charsetIndex = headerField.IndexOf("filename*=") + 10;
int quoteIndex = headerField.IndexOf('\'', charsetIndex);
if (charsetIndex > 0 && quoteIndex > 0)
{
string charset = headerField.Substring(charsetIndex, quoteIndex - charsetIndex);
try {
Encoding encoding = System.Text.Encoding.GetEncoding(charset);
int extValueIndex = headerField.IndexOf('\'', quoteIndex + 1) + 1;
byte[] extValueBytes = System.Text.Encoding.Default.GetBytes(headerField.Substring(extValueIndex));
string filename = encoding.GetString(extValueBytes);
filename = filename.Trim();
if (filename.StartsWith("\"") && filename.IndexOf('\"', 1) > 0)//get the string inside the quotations
{
filename = filename.Substring(1, filename.IndexOf('\"', 1) - 1);
}
if (filename.Length > 0)
{
this.contentDispositionFilename = filename;
}
}
catch { }
}
}
}
else if (headerField.StartsWith("Content-Range: ", StringComparison.OrdinalIgnoreCase))
{
//Content-Range: bytes 8621-23239/42941008
//Content-Range: bytes 21010-47021/47022
System.Text.RegularExpressions.Regex rangeRegEx = new System.Text.RegularExpressions.Regex(@"bytes (?<start>[0-9]+)-(?<end>[0-9]+)/(?<total>[0-9]+)$");
System.Text.RegularExpressions.Match rangeMatch = rangeRegEx.Match(headerField);
if (rangeMatch.Success)
{
long start, end, total;
if (Int64.TryParse(rangeMatch.Groups["start"].Value, out start) && Int64.TryParse(rangeMatch.Groups["end"].Value, out end) && Int64.TryParse(rangeMatch.Groups["total"].Value, out total))
{
this.contentRange = new FileTransfer.ContentRange()
{
Start = start, End = end, Total = total
};
}
}
}
}
