private void ExtractData(Packets.TcpPacket tcpPacket, FiveTuple fiveTuple, bool transferIsClientToServer, Packets.TlsRecordPacket.HandshakePacket handshake)
{
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = fiveTuple.ClientHost;
destinationHost = fiveTuple.ServerHost;
}
else
{
sourceHost = fiveTuple.ServerHost;
destinationHost = fiveTuple.ClientHost;
}
//foreach (Packets.AbstractPacket p in tlsRecordPacket.GetSubPackets(false)) {
// if(p.GetType()==typeof(Packets.TlsRecordPacket.HandshakePacket)) {
// Packets.TlsRecordPacket.HandshakePacket handshake=(Packets.TlsRecordPacket.HandshakePacket)p;
foreach (var version in handshake.GetSupportedSslVersions())
{
//destinationHost.AddHostName(handshake.ServerHostName);
System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection {
{ "TLS Handshake " + Enum.GetName(typeof(Packets.TlsRecordPacket.HandshakePacket.MessageTypes), handshake.MessageType) + " Supported Version", version.Item1.ToString() + "." + version.Item2.ToString() + " (0x" + version.Item1.ToString("x2") + version.Item2.ToString("x2") + ")" }
};
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Handshake"));
}
if (!String.IsNullOrEmpty(handshake.GetAlpnNextProtocolString()))
{
//destinationHost.AddHostName(handshake.ServerHostName);
System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection {
{ "TLS ALPN", handshake.GetAlpnNextProtocolString() }
};
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Handshake"));
}
if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.ClientHello)
{
if (handshake.ServerHostName != null)
{
destinationHost.AddHostName(handshake.ServerHostName);
System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection();
param.Add("TLS Server Name (SNI)", handshake.ServerHostName);
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Client Hello"));
}
}
else if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.Certificate)
{
for (int i = 0; i < handshake.CertificateList.Count; i++)
{
byte[] certificate = handshake.CertificateList[i];
string x509CertSubject;
System.Security.Cryptography.X509Certificates.X509Certificate x509Cert = null;
try {
x509Cert = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate);
x509CertSubject = x509Cert.Subject;
}
catch {
x509CertSubject = "Unknown_x509_Certificate_Subject";
x509Cert = null;
}
if (x509CertSubject.Contains("CN="))
{
x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf("CN=") + 3);
}
else if (x509CertSubject.Contains("="))
{
x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf('=') + 1);
}
if (x509CertSubject.Length > 28)
{
x509CertSubject = x509CertSubject.Substring(0, 28);
}
if (x509CertSubject.Contains(","))
{
x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.IndexOf(','));
}
x509CertSubject.Trim(new char[] { '.', ' ' });
/*
* while (x509CertSubject.EndsWith(".") || x509CertSubject.EndsWith(" "))
* x509CertSubject=x509CertSubject.Substring(0, x509CertSubject.Length-1);
*/
string filename = x509CertSubject + ".cer";
string fileLocation = "/";
string details;
if (x509Cert != null)
{
details = "TLS Certificate: " + x509Cert.Subject;
}
else
{
details = "TLS Certificate: Unknown x509 Certificate";
}
FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(base.MainPacketHandler.FileStreamAssemblerList, fiveTuple, transferIsClientToServer, FileTransfer.FileStreamTypes.TlsCertificate, filename, fileLocation, certificate.Length, certificate.Length, details, null, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.source);
base.MainPacketHandler.FileStreamAssemblerList.Add(assembler);
if (i == 0 && x509CertSubject.Contains(".") && !x509CertSubject.Contains("*") && !x509CertSubject.Contains(" "))
{
sourceHost.AddHostName(x509CertSubject);
}
System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
//parameters.Add("Certificate Subject", x509Cert.Subject);
const string CERTIFICATE_SUBJECT = "Certificate Subject";
this.addParameters(parameters, x509Cert.Subject, CERTIFICATE_SUBJECT);
if (i == 0)
{
//check for CN parameter
if (parameters[CERTIFICATE_SUBJECT + " CN"] != null)
{
foreach (string cn in parameters.GetValues(CERTIFICATE_SUBJECT + " CN"))
{
sourceHost.AddNumberedExtraDetail("X.509 Certificate Subject CN", cn);
if (cn.Contains(".") && !cn.Contains(" "))
{
if (cn.Contains("*"))
{
if (cn.StartsWith("*."))
{
sourceHost.AddDomainName(cn.Substring(2));
}
}
else
{
sourceHost.AddHostName(cn);
}
}
}
}
}
this.addParameters(parameters, x509Cert.Issuer, "Certificate Issuer");
//parameters.Add("Certificate Issuer", x509Cert.Issuer);
parameters.Add("Certificate Hash", x509Cert.GetCertHashString());
parameters.Add("Certificate valid from", x509Cert.GetEffectiveDateString());
parameters.Add("Certificate valid to", x509Cert.GetExpirationDateString());
parameters.Add("Certificate Serial", x509Cert.GetSerialNumberString());
try {
System.Security.Cryptography.X509Certificates.X509Certificate2 cert2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate);
foreach (var ext in cert2.Extensions)
{
string fn = ext.Oid.FriendlyName;
string oid = ext.Oid.Value;
string val = ext.Format(true);
System.IO.StringReader sr = new System.IO.StringReader(val);
string line = sr.ReadLine();
while (line != null)
{
parameters.Add(oid + " " + fn, line);
if (i == 0 && oid == "2.5.29.17")
{
sourceHost.AddNumberedExtraDetail("X.509 Certificate " + fn, line);
}
line = sr.ReadLine();
}
}
if (cert2.Verify())
{
parameters.Add("Certificate valid", "TRUE");
}
else
{
parameters.Add("Certificate valid", "FALSE");
}
}
catch (Exception) { }
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tcpPacket.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, parameters, tcpPacket.ParentFrame.Timestamp, "X.509 Certificate"));
if (assembler.TryActivate())
{
assembler.AddData(certificate, tcpPacket.SequenceNumber);//this one should trigger FinnishAssembling()
}
}
}
//}
//return true;
}
private void ExtractTlsRecordData(Packets.TlsRecordPacket tlsRecordPacket, Packets.TcpPacket tcpPacket, NetworkHost sourceHost, NetworkHost destinationHost, PacketHandler mainPacketHandler)
{
foreach (Packets.AbstractPacket p in tlsRecordPacket.GetSubPackets(false))
{
if (p.GetType() == typeof(Packets.TlsRecordPacket.HandshakePacket))
{
Packets.TlsRecordPacket.HandshakePacket handshake = (Packets.TlsRecordPacket.HandshakePacket)p;
if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.Certificate)
{
for (int i = 0; i < handshake.CertificateList.Count; i++)
{
byte[] certificate = handshake.CertificateList[i];
string x509CertSubject;
System.Security.Cryptography.X509Certificates.X509Certificate x509Cert = null;
try {
x509Cert = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate);
x509CertSubject = x509Cert.Subject;
}
catch {
x509CertSubject = "Unknown_x509_Certificate_Subject";
x509Cert = null;
}
if (x509CertSubject.Length > 28)
{
x509CertSubject = x509CertSubject.Substring(0, 28);
}
if (x509CertSubject.Contains("="))
{
x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf('=') + 1);
}
if (x509CertSubject.Contains(","))
{
x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.IndexOf(','));
}
while (x509CertSubject.EndsWith(".") || x509CertSubject.EndsWith(" "))
{
x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.Length - 1);
}
string filename = x509CertSubject + ".cer";
string fileLocation = "/";
string details;
if (x509Cert != null)
{
details = "TLS Certificate: " + x509Cert.Subject;
}
else
{
details = "TLS Certificate: Unknown x509 Certificate";
}
FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true, FileTransfer.FileStreamTypes.TlsCertificate, filename, fileLocation, certificate.Length, certificate.Length, details, null, tlsRecordPacket.ParentFrame.FrameNumber, tlsRecordPacket.ParentFrame.Timestamp);
mainPacketHandler.FileStreamAssemblerList.Add(assembler);
if (assembler.TryActivate())
{
assembler.AddData(certificate, tcpPacket.SequenceNumber);//this one should trigger FinnishAssembling()
}
}
}
}
}
}
