Example #1
0
        // check if the packet is HTTP packet
        public static bool IsHTTP(TcpPacket packet)
        {
            if (packet.PayloadData != null)
            {
                if (SimpleRegex.GetMatches(regexIsHTTP, encoding.GetString(packet.PayloadData)).Count > 0)
                {
                    return(true);
                }
            }

            return(false);
        }
Example #2
0
        // process packet
        public bool ProcessPacket(Packet rawPacket, TcpPacket packet)
        {
            if (packet.ParentPacket == null)
            {
                return(true);
            }
            if (packet.PayloadData == null)
            {
                return(true);
            }

            var sourceIP = ((IpPacket)packet.ParentPacket).SourceAddress.ToString();
            var destIP   = ((IpPacket)packet.ParentPacket).DestinationAddress.ToString();

            var payload = packet.PayloadData;

            var data = encodingUtf8.GetString(payload);

            if (data != string.Empty)
            {
                var changed = new List <string>();
                var matches = SimpleRegex.GetMatches(regexType, data);

                // HTTP request
                if (matches.Count > 2)
                {
                    // check for images - stop further processing
                    if (matches[2].Contains(".png") || matches[2].Contains(".jpg") || matches[2].Contains(".gif"))
                    {
                        return(true);
                    }

                    // check for Accept-Encoding and replace it to prevent unreadable data
                    if (data.Contains("Accept-Encoding:"))
                    {
                        var diff = data.Length - regexEncoding.Replace(data, "Accept-Encoding: \r\n").Length;

                        var extra = string.Empty;

                        for (int i = 0; i < diff; i++)
                        {
                            extra += " ";
                        }

                        data = regexEncoding.Replace(data, "Accept-Encoding: " + extra + "\r\n");

                        changed.Add("Accept-Encoding");
                    }

                    // check for If-Modified-Since and replace it to prevent caching
                    if (data.Contains("If-Modified-Since:"))
                    {
                        var time = new DateTime(2000, 1, 1);

                        data = regexModified.Replace(data, "If-Modified-Since: " + time.ToString("R") + "\r\n");
                        changed.Add("If-Modified-Since");
                    }

                    // check for cookies and strip them if necessary
                    if (stripCookies && data.Contains("Cookie:"))
                    {
                        data = data.Replace("Cookie:", "C00kie:");

                        changed.Add("Cookies");
                    }
                }
                // HTTP response
                else
                {
                    // check for html tags - stop further processing
                    if (!(data.Contains("<form") || data.Contains("<input") || data.Contains("<a ") || data.Contains("</a>") || data.Contains("</div>") || data.Contains("<meta") || data.Contains("javascript")))
                    {
                        return(true);
                    }

                    var cmatches = SimpleRegex.GetMatches(regexCType, data);

                    // check for images - stop further processing
                    if (cmatches.Count > 1 && cmatches[1].Contains("image"))
                    {
                        return(true);
                    }

                    // HTTP 302 redirect stripping
                    foreach (var item in stripRedirects)
                    {
                        if (data.Contains("Location: " + item))
                        {
                            data = data.Replace("Location: https://", "Location:  http://");

                            changed.Add("HTTPS (302 redirect)");
                        }
                    }

                    // other links, actions...
                    if (data.Contains("\"https://") || data.Contains("'https://"))
                    {
                        data = data.Replace("\"https://", "\" http://");
                        data = data.Replace("'https://", "' http://");

                        changed.Add("HTTPS");
                    }
                }

                if (changed.Count > 0)
                {
                    // change packet data to stripped one
                    var bytes = encodingUtf8.GetBytes(data);
                    var diff  = packet.PayloadData.Length - bytes.Length;

                    packet.PayloadData = bytes;
                    packet.UpdateTCPChecksum();

                    // checksum fixes for IPv4 packets (IPv6 packet doesn't have a checksum)
                    if (packet.ParentPacket is IPv4Packet)
                    {
                        var ip = (IPv4Packet)packet.ParentPacket;
                        ip.TotalLength   = ip.HeaderLength + packet.Bytes.Length;
                        ip.PayloadLength = (ushort)packet.Bytes.Length;
                        ip.Checksum      = (ushort)(ip.Checksum + diff);
                    }

                    Stripped(sourceIP, destIP, changed);
                }
            }

            return(true);
        }
Example #3
0
        public HttpHeader(string header)
        {
            if (header == string.Empty)
            {
                return;
            }

            // determine type (GET/POST)
            if (header.Length > 4 && (header.Substring(0, 3) == "GET" || header.Substring(0, 4) == "POST"))
            {
                Type = PacketType.Request;
            }
            else
            {
                Type = PacketType.Response;
            }

            // get "HTTP Code"
            if (Type == PacketType.Response)
            {
                var codeMatches = SimpleRegex.GetMatches(regexCode, header);
                if (codeMatches != null && codeMatches.Count > 1)
                {
                    Code = codeMatches[2];
                }
            }

            // get request path, request type
            if (Type == PacketType.Request)
            {
                var pathMatches = SimpleRegex.GetMatches(regexPath, header);
                if (pathMatches != null && pathMatches.Count > 1)
                {
                    if (pathMatches[1] == "GET")
                    {
                        ReqType = RequestType.GET;
                    }
                    else if (pathMatches[1] == "POST")
                    {
                        ReqType = RequestType.POST;
                    }

                    Path = pathMatches[2];
                }
            }

            // get host address
            if (Type == PacketType.Request)
            {
                var hostMatches = SimpleRegex.GetMatches(regexHost, header);
                if (hostMatches != null && hostMatches.Count > 1)
                {
                    Host = hostMatches[1];
                }
            }

            // get authorization
            if (Type == PacketType.Request)
            {
                var authMatches = SimpleRegex.GetMatches(regexAuth, header);
                if (authMatches != null && authMatches.Count > 1)
                {
                    Authorization = authMatches[1];
                }
            }

            // get content type
            if (Type == PacketType.Response)
            {
                var typeMatches = SimpleRegex.GetMatches(regexType, header);
                if (typeMatches != null && typeMatches.Count > 1)
                {
                    ContentType = typeMatches[1];
                }
            }

            // get GET parameters (key=value)
            if (Type == PacketType.Request)
            {
                var getLine = Path.Split('?');

                // are there any params?
                if (getLine.Length == 2)
                {
                    var getParams = getLine[1].Split('&');

                    foreach (var param in getParams)
                    {
                        var splitParam = param.Split('=');
                        if (splitParam.Count() == 2)
                        {
                            GetParams.Add(new string[] { splitParam[0] != null ? splitParam[0] : string.Empty, splitParam[1] != null ? splitParam[1] : string.Empty });
                        }
                    }
                }
            }
        }
Example #4
0
        // worker function for parsing packets
        public void Worker()
        {
            while (Started)
            {
                // copy packets to threadQueue
                lock (PacketQueue)
                {
                    foreach (TcpPacket packet in PacketQueue)
                    {
                        threadQueue.Add(packet);
                    }

                    PacketQueue.Clear();
                }

                if (threadQueue.Count > 0)
                {
                    // loop through packets and check them for any useful information
                    foreach (TcpPacket packet in threadQueue)
                    {
                        if (packet.ParentPacket == null)
                        {
                            continue;
                        }

                        var sourceIP = ((IpPacket)packet.ParentPacket).SourceAddress;
                        var destIP   = ((IpPacket)packet.ParentPacket).DestinationAddress;

                        // check for exclusions
                        if (excludeLocalIP)
                        {
                            if (sourceIP.ToString() == deviceInfo.IP || deviceInfo.IPv6List.Contains(sourceIP.ToString()))
                            {
                                continue;
                            }
                        }

                        // check for FTP packet
                        if (packet.DestinationPort == 21)
                        {
                            var logins = ftpLogins.Where(l => (l.DestinationAddress.ToString() == destIP.ToString() && l.SourceAddress.ToString() == sourceIP.ToString()));

                            // parse TCP packet data
                            var data = packet.PayloadData != null?encoding.GetString(packet.PayloadData) : "";

                            // check if connection already started
                            if (logins.Count() > 0)
                            {
                                var login = logins.Last();

                                // get user
                                if (data.Length > 4 && data.Substring(0, 4).ToUpper() == "USER")
                                {
                                    var parts = data.Split(' ');
                                    if (parts.Length > 1)
                                    {
                                        login.User = parts[1].Replace("\r\n", "");
                                    }
                                }

                                // get password
                                if (data.Length > 4 && data.Substring(0, 4).ToUpper() == "PASS")
                                {
                                    var parts = data.Split(' ');
                                    if (parts.Length > 1)
                                    {
                                        login.Password = parts[1].Replace("\r\n", "");
                                    }

                                    Result(login.DestinationAddress.ToString(), login.User, login.Password, "/", SnifferResultType.FTP);

                                    ftpLogins.Remove(login);
                                }
                            }
                            else
                            {
                                ftpLogins.Add(new SnifferFTPlogin {
                                    DestinationAddress = destIP, SourceAddress = sourceIP
                                });
                            }

                            continue;
                        }

                        // check for IMAP
                        if (packet.DestinationPort == 143)
                        {
                            // parse TCP packet data
                            var data = packet.PayloadData != null?encoding.GetString(packet.PayloadData) : "";

                            // TAG LOGIN "username" "password"
                            var regexIMAP = new Regex("(.*?) login \"(.*?)\" \"(.*?)\"");
                            var matches   = SimpleRegex.GetMatches(regexIMAP, data);

                            if (matches.Count > 0)
                            {
                                Result(sourceIP.ToString(), matches[2], matches[3], "/", SnifferResultType.IMAP);
                            }

                            continue;
                        }

                        // check for SMTP
                        if (packet.DestinationPort == 25)
                        {
                            // parse TCP packet data
                            var data = packet.PayloadData != null?encoding.GetString(packet.PayloadData) : "";

                            // AUTH PLAIN base64
                            var regexSMTP = new Regex("AUTH PLAIN (.*?)$");
                            var matches   = SimpleRegex.GetMatches(regexSMTP, data);

                            if (matches.Count > 0)
                            {
                                var credentials = encoding.GetString(Convert.FromBase64String(matches[1].Replace("\r", ""))).Split(Convert.ToChar(0x0));

                                if (credentials.Length > 2)
                                {
                                    Result(sourceIP.ToString(), credentials[1], credentials[2], "/", SnifferResultType.SMTP);
                                }
                            }

                            continue;
                        }

                        // check for POP3
                        if (packet.DestinationPort == 110)
                        {
                            var logins = pop3Logins.Where(l => (l.DestinationAddress.ToString() == destIP.ToString() && l.SourceAddress.ToString() == sourceIP.ToString()));

                            // parse TCP packet data
                            var data = packet.PayloadData != null?encoding.GetString(packet.PayloadData) : "";

                            // check if connection already started
                            if (logins.Count() > 0)
                            {
                                var login = logins.Last();

                                // get user
                                if (data.Length > 4 && data.Substring(0, 4).ToUpper() == "USER")
                                {
                                    var parts = data.Split(' ');
                                    if (parts.Length > 1)
                                    {
                                        login.User = parts[1].Replace("\r\n", "");
                                    }
                                }

                                // get password
                                if (data.Length > 4 && data.Substring(0, 4).ToUpper() == "PASS")
                                {
                                    var parts = data.Split(' ');
                                    if (parts.Length > 1)
                                    {
                                        login.Password = parts[1].Replace("\r\n", "");
                                    }

                                    Result(login.DestinationAddress.ToString(), login.User, login.Password, "/", SnifferResultType.POP3);

                                    pop3Logins.Remove(login);
                                }
                            }
                            else
                            {
                                pop3Logins.Add(new SnifferPOP3login {
                                    DestinationAddress = destIP, SourceAddress = sourceIP
                                });
                            }

                            continue;
                        }

                        // check for HTTP packet and parse it
                        if (HttpPacket.IsHTTP(packet) || HttpPacket.HasPOST(packet))
                        {
                            var http = new HttpPacket(packet);

                            // save hostnames for incomplete packets
                            if (http.Header.Type == HttpHeader.PacketType.Request && http.Header.ReqType == HttpHeader.RequestType.POST)
                            {
                                postRequests.Add(new SnifferPostRequest {
                                    SourceAddress = sourceIP, DestinationAddress = destIP, Hostname = http.Header.Host
                                });
                            }

                            SnifferSearch(http, sourceIP, destIP);
                        }
                    }

                    threadQueue.Clear();
                }
                else
                {
                    Thread.Sleep(50);
                }
            }

            return;
        }