public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference) { if (includeSelfReference) { yield return(this); } if (this.blobLength > 0 && this.blobOffset > 0) { SmbPacket.SecurityBlob securityBlob = new SmbPacket.SecurityBlob(this.ParentFrame, base.Smb2Packet.PacketStartIndex + this.blobOffset, this.PacketEndIndex); if (securityBlob != null) { yield return(securityBlob); foreach (AbstractPacket subPacket in securityBlob.GetSubPackets(false)) { yield return(subPacket); } } } }
private void ExtractHeaderField(string headerField) { if (headerField.StartsWith("Host: ")) //look for the host { this.requestedHost = headerField.Substring(6).Trim(); if (!this.ParentFrame.QuickParse) { base.Attributes.Add("Requested Host", headerField.Substring(6).Trim()); } } else if (headerField.StartsWith("User-Agent: ", StringComparison.OrdinalIgnoreCase)) { this.userAgentBanner = headerField.Substring(12).Trim(); if (!this.ParentFrame.QuickParse) { base.Attributes.Add("User-Agent", this.userAgentBanner = headerField.Substring(12).Trim()); } } else if (headerField.StartsWith("Server: ", StringComparison.OrdinalIgnoreCase)) { this.serverBanner = headerField.Substring(8).Trim(); if (!this.ParentFrame.QuickParse) { this.Attributes.Add("Server banner", this.serverBanner = headerField.Substring(8).Trim()); } } else if (headerField.StartsWith("Cookie: ", StringComparison.OrdinalIgnoreCase)) { //http://www.w3.org/Protocols/rfc2109/rfc2109 this.cookie = headerField.Substring(8).Trim(); if (!this.ParentFrame.QuickParse) { this.Attributes.Add("Cookie", this.cookie); } } else if (headerField.StartsWith("Set-Cookie: ", StringComparison.OrdinalIgnoreCase)) { if (String.IsNullOrEmpty(this.cookie)) { this.cookie = headerField.Substring(12).Trim(); } else { this.cookie += "; " + headerField.Substring(12).Trim(); } if (!this.ParentFrame.QuickParse) { this.Attributes.Add("Cookie", this.cookie); } } else if (headerField.StartsWith("Content-Type: ", StringComparison.OrdinalIgnoreCase)) { this.contentType = headerField.Substring(14).Trim(); } else if (headerField.StartsWith("Content-Length: ", StringComparison.OrdinalIgnoreCase)) { this.contentLength = Convert.ToInt32(headerField.Substring(16).Trim()); } else if (headerField.StartsWith("Content-Encoding: ", StringComparison.OrdinalIgnoreCase)) { this.contentEncoding = headerField.Substring(18).Trim(); } else if (headerField.StartsWith("Transfer-Encoding: ", StringComparison.OrdinalIgnoreCase)) { this.transferEncoding = headerField.Substring(19).Trim(); } else if (headerField.StartsWith("WWW-Authenticate: ", StringComparison.OrdinalIgnoreCase) && headerField.Contains("realm=\"")) { int realmStart = headerField.IndexOf("realm=\"") + 7; int realmEnd = headerField.IndexOf('\"', realmStart); if (realmStart >= 0 && realmEnd > 0) { this.wwwAuthenticateRealm = headerField.Substring(realmStart, realmEnd - realmStart).Trim(); } } else if (headerField.StartsWith("WWW-Authenticate: Negotiate ", StringComparison.InvariantCultureIgnoreCase)) { try { string base64 = headerField.Substring("WWW-Authenticate: Negotiate ".Length).Trim(); byte[] gssApiData = Convert.FromBase64String(base64); //create a "fake" frame Frame virtualAuthFrame = new Frame(this.ParentFrame.Timestamp, gssApiData, this.ParentFrame.FrameNumber); SmbPacket.SecurityBlob securityBlob = new SmbPacket.SecurityBlob(virtualAuthFrame, 0, virtualAuthFrame.Data.Length - 1); this.subPackets.Add(securityBlob); } catch (Exception e) { if (!this.ParentFrame.QuickParse) { this.ParentFrame.Errors.Add(new Frame.Error(this.ParentFrame, PacketStartIndex, this.PacketEndIndex, "Cannot parse credentials in HTTP Authorization: Negotiate (" + e.Message + ")")); } } } else if (headerField.StartsWith("Proxy-Authenticate: Basic realm=", StringComparison.OrdinalIgnoreCase)) { this.wwwAuthenticateRealm = headerField.Substring(33, headerField.Length - 34).Trim(); } else if (headerField.StartsWith("Authorization: Basic ", StringComparison.OrdinalIgnoreCase)) { try { string base64string = headerField.Substring(21).Trim(); Byte[] bArray = Convert.FromBase64String(base64string); StringBuilder sb = new StringBuilder(bArray.Length); foreach (byte b in bArray) { sb.Append((char)b); } //string s=System.Text.Encoding.Unicode.GetString(bArray); string s = sb.ToString(); if (s.Contains(":")) { this.authorizationCredentialsUsername = s.Substring(0, s.IndexOf(':')); if (s.IndexOf(':') + 1 < s.Length) { this.authorizationCredentailsPassword = s.Substring(s.IndexOf(':') + 1); } else { this.authorizationCredentailsPassword = ""; } } } catch (Exception e) { if (!this.ParentFrame.QuickParse) { this.ParentFrame.Errors.Add(new Frame.Error(this.ParentFrame, PacketStartIndex, this.PacketEndIndex, "Cannot parse credentials in HTTP Authorization (" + e.Message + ")")); } } } else if (headerField.StartsWith("Authorization: Digest ", StringComparison.OrdinalIgnoreCase)) { try { string authorizationString = headerField.Substring(22).Trim(); foreach (string keyValueString in authorizationString.Split(new char[] { ',' })) { //username="******" string[] parts = keyValueString.Split(new char[] { '=' }); if (parts.Length == 2) { /** * private string wwwAuthenticateRealm;//Used to be wwwAuthenticateBasicRealm * private string authorizationCredentialsUsername; * private string authorizationCredentailsPassword; **/ string name = parts[0].Trim(); string value = parts[1].Trim(new char[] { ' ', '\"', '\'' }); if (name.Equals("username", StringComparison.InvariantCultureIgnoreCase)) { this.authorizationCredentialsUsername = value; if (this.authorizationCredentailsPassword == null) { this.authorizationCredentailsPassword = "******"; } } else if (name.Equals("realm", StringComparison.InvariantCultureIgnoreCase)) { this.wwwAuthenticateRealm = value; } } } } catch (Exception e) { if (!this.ParentFrame.QuickParse) { this.ParentFrame.Errors.Add(new Frame.Error(this.ParentFrame, PacketStartIndex, this.PacketEndIndex, "Cannot parse credentials in HTTP Authorization (" + e.Message + ")")); } } } else if (headerField.StartsWith("Authorization: Negotiate", StringComparison.InvariantCultureIgnoreCase)) { try { string base64 = headerField.Substring("Authorization: Negotiate".Length).Trim(); byte[] gssApiData = Convert.FromBase64String(base64); //create a "fake" frame Frame virtualAuthFrame = new Frame(this.ParentFrame.Timestamp, gssApiData, this.ParentFrame.FrameNumber); SmbPacket.SecurityBlob securityBlob = new SmbPacket.SecurityBlob(virtualAuthFrame, 0, virtualAuthFrame.Data.Length - 1); this.subPackets.Add(securityBlob); } catch (Exception e) { if (!this.ParentFrame.QuickParse) { this.ParentFrame.Errors.Add(new Frame.Error(this.ParentFrame, PacketStartIndex, this.PacketEndIndex, "Cannot parse credentials in HTTP Authorization: Negotiate (" + e.Message + ")")); } } } else if (headerField.StartsWith("Content-Disposition:", StringComparison.OrdinalIgnoreCase)) { this.contentDisposition = headerField.Substring(20).Trim(); if (headerField.Contains("filename=")) { string filename = headerField.Substring(headerField.IndexOf("filename=") + 9); filename = filename.Trim(); if (filename.StartsWith("\"") && filename.IndexOf('\"', 1) > 0)//get the string inside the quotations { filename = filename.Substring(1, filename.IndexOf('\"', 1) - 1); } if (filename.Length > 0) { this.contentDispositionFilename = filename; } } else if (headerField.Contains("filename*=")) { //Example: Content-Disposition: inline; filename*=UTF-8''944.png //rfc6266 specifies that filename-parm can be "filename*" "=" ext-value //rfc5987 sprcifies that ext-value = charset "'" [ language ] "'" value-chars int charsetIndex = headerField.IndexOf("filename*=") + 10; int quoteIndex = headerField.IndexOf('\'', charsetIndex); if (charsetIndex > 0 && quoteIndex > 0) { string charset = headerField.Substring(charsetIndex, quoteIndex - charsetIndex); try { Encoding encoding = System.Text.Encoding.GetEncoding(charset); int extValueIndex = headerField.IndexOf('\'', quoteIndex + 1) + 1; byte[] extValueBytes = System.Text.Encoding.Default.GetBytes(headerField.Substring(extValueIndex)); string filename = encoding.GetString(extValueBytes); filename = filename.Trim(); if (filename.StartsWith("\"") && filename.IndexOf('\"', 1) > 0)//get the string inside the quotations { filename = filename.Substring(1, filename.IndexOf('\"', 1) - 1); } if (filename.Length > 0) { this.contentDispositionFilename = filename; } } catch { } } } } else if (headerField.StartsWith("Content-Range: ", StringComparison.OrdinalIgnoreCase)) { //Content-Range: bytes 8621-23239/42941008 //Content-Range: bytes 21010-47021/47022 System.Text.RegularExpressions.Regex rangeRegEx = new System.Text.RegularExpressions.Regex(@"bytes (?<start>[0-9]+)-(?<end>[0-9]+)/(?<total>[0-9]+)$"); System.Text.RegularExpressions.Match rangeMatch = rangeRegEx.Match(headerField); if (rangeMatch.Success) { long start, end, total; if (Int64.TryParse(rangeMatch.Groups["start"].Value, out start) && Int64.TryParse(rangeMatch.Groups["end"].Value, out end) && Int64.TryParse(rangeMatch.Groups["total"].Value, out total)) { this.contentRange = new FileTransfer.ContentRange() { Start = start, End = end, Total = total }; } } } }