Exemple #1
0
        public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, ushort sourcePort, ushort destinationPort, out AbstractPacket result)
        {
            result = null;
            bool raw = sourcePort == 445 || destinationPort == 445;
            uint sessionServiceHeader = Utils.ByteConverter.ToUInt32(parentFrame.Data, packetStartIndex);

            if (sessionServiceHeader == 0x85000000)
            {
                //CIFS TCP session keep-alive message
                result = new NetBiosSessionService(parentFrame, packetStartIndex, packetStartIndex + 3, raw);
                return(true);
            }
            else
            {
                uint   length;
                byte[] allowedCommands = { 0x00, 0x81, 0x82, 0x83, 0x84, 0x85 };                          //see NetBIOS RFC 1002 http://tools.ietf.org/html/rfc1002
                //if ((sessionServiceHeader & 0xff000000) != 0) //first byte must be zero according to http://ubiqx.org/cifs/SMB.html
                if (Array.IndexOf <byte>(allowedCommands, (byte)(sessionServiceHeader & 0xff000000)) < 0) //first byte must be 0x00, 0x81, 0x82, 0x83, 0x84, 0x85 according to RFC 1002
                {
                    return(false);
                }
                if (raw)
                {
                    length = sessionServiceHeader & 0x00ffffff;//get the last 3 bytes (24 bits)
                }
                else
                {
                    length = sessionServiceHeader & 0x0001ffff;//get the last 17 bits
                }
                if (length == packetEndIndex - packetStartIndex + 1 - 4)
                {
                    result = new NetBiosSessionService(parentFrame, packetStartIndex, packetEndIndex, raw);
                    return(true);
                }
                else if (length < packetEndIndex - packetStartIndex + 1 - 4)
                {
                    //there is more data to parse after the returned result
                    byte nextPacketHeaderByte = parentFrame.Data[packetStartIndex + length + 4];
                    if (nextPacketHeaderByte == 0x00 || nextPacketHeaderByte == 0x85)
                    {
                        result = new NetBiosSessionService(parentFrame, packetStartIndex, packetStartIndex + (int)length + 3, raw);
                        return(true);
                    }
                    else
                    {
                        return(false);
                    }
                }
                else
                {
                    return(false);
                }
            }
        }
Exemple #2
0
        public static new bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
        {
            result = null;
            bool raw = false;
            uint sessionServiceHeader = Utils.ByteConverter.ToUInt32(parentFrame.Data, packetStartIndex);

            if (sessionServiceHeader == 0x85000000)
            {
                //CIFS TCP session keep-alive message
                result = new NetBiosSessionService(parentFrame, packetStartIndex, packetStartIndex + 3, raw);
                return(true);
            }
            else
            {
                uint length;
                if ((sessionServiceHeader & 0xff000000) != 0) //first byte must be zero according to http://ubiqx.org/cifs/SMB.html
                {
                    return(false);
                }
                if (raw)
                {
                    length = sessionServiceHeader & 0x00ffffff;//get the last 3 bytes (24 bits)
                }
                else
                {
                    length = sessionServiceHeader & 0x0001ffff;//get the last 17 bits
                }
                if (length == packetEndIndex - packetStartIndex + 1 - 4)
                {
                    result = new NetBiosSessionService(parentFrame, packetStartIndex, packetEndIndex, raw);
                    return(true);
                }
                else if (length < packetEndIndex - packetStartIndex + 1 - 4)
                {
                    //there is more data to parse after the returned result
                    byte nextPacketHeaderByte = parentFrame.Data[packetStartIndex + length + 4];
                    if (nextPacketHeaderByte == 0x00 || nextPacketHeaderByte == 0x85)
                    {
                        result = new NetBiosSessionService(parentFrame, packetStartIndex, packetStartIndex + (int)length + 3, raw);
                        return(true);
                    }
                    else
                    {
                        return(false);
                    }
                }
                else
                {
                    return(false);
                }
            }
        }
Exemple #3
0
        private AbstractPacket GetProtocolPacket(ApplicationLayerProtocol protocol, bool clientToServer)
        {
            AbstractPacket packet = null;

            if (protocol == ApplicationLayerProtocol.Dns)
            {
                if (DnsPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, true, out DnsPacket dnsPacket))
                {
                    return(dnsPacket);
                }
            }
            else if (protocol == ApplicationLayerProtocol.FtpControl)
            {
                if (FtpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Http)
            {
                if (HttpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Http2)
            {
                if (Http2Packet.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Irc)
            {
                if (IrcPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.IEC_104)
            {
                if (IEC_60870_5_104Packet.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Imap)
            {
                return(new ImapPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer));
            }
            else if (protocol == ApplicationLayerProtocol.Kerberos)
            {
                return(new KerberosPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, true));
            }
            else if (protocol == ApplicationLayerProtocol.Lpd)
            {
                if (LpdPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.ModbusTCP)
            {
                if (ModbusTcpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this.sourcePort, this.destinationPort, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.NetBiosNameService)
            {
                return(new NetBiosNameServicePacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex));
            }
            else if (protocol == ApplicationLayerProtocol.NetBiosSessionService)
            {
                if (NetBiosSessionService.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this.sourcePort, this.destinationPort, out packet, this.IsVirtualPacketFromTrailingDataInTcpSegment))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.OpenFlow)
            {
                if (OpenFlowPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Oscar)
            {
                if (OscarPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.OscarFileTransfer)
            {
                if (OscarFileTransferPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Pop3)
            {
                return(new Pop3Packet(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer));
            }
            else if (protocol == ApplicationLayerProtocol.Sip)
            {
                return(new SipPacket(this.ParentFrame, this.PacketStartIndex + this.DataOffsetByteCount, this.PacketEndIndex));
            }
            else if (protocol == ApplicationLayerProtocol.Smtp)
            {
                return(new SmtpPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer));
            }
            else if (protocol == ApplicationLayerProtocol.Socks)
            {
                if (SocksPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.SpotifyServerProtocol)
            {
                if (SpotifyKeyExchangePacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Ssh)
            {
                if (SshPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Ssl)
            {
                if (SslPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.TabularDataStream)
            {
                return(new TabularDataStreamPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex));
            }
            else if (protocol == ApplicationLayerProtocol.Tpkt)
            {
                if (TpktPacket.TryParse(ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this, out packet))
                {
                    return(packet);
                }
            }
            return(packet);
        }
        public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, ushort sourcePort, ushort destinationPort, out AbstractPacket result, bool isVirtualPacketFromTrailingDataInTcpSegment = false)
        {
            result = null;
            bool raw = sourcePort == 445 || destinationPort == 445;
            uint sessionServiceHeader = Utils.ByteConverter.ToUInt32(parentFrame.Data, packetStartIndex);

            if (sessionServiceHeader == 0x85000000)
            {
                //CIFS TCP session keep-alive message
                result = new NetBiosSessionService(parentFrame, packetStartIndex, packetStartIndex + 3, raw);
                return(true);
            }
            else
            {
                uint   length;
                byte[] allowedCommands = { 0x00, 0x81, 0x82, 0x83, 0x84, 0x85 };                          //see NetBIOS RFC 1002 http://tools.ietf.org/html/rfc1002
                //if ((sessionServiceHeader & 0xff000000) != 0) //first byte must be zero according to http://ubiqx.org/cifs/SMB.html
                if (Array.IndexOf <byte>(allowedCommands, (byte)(sessionServiceHeader & 0xff000000)) < 0) //first byte must be 0x00, 0x81, 0x82, 0x83, 0x84, 0x85 according to RFC 1002
                {
                    return(false);
                }
                if (raw)
                {
                    length = sessionServiceHeader & 0x00ffffff;//get the last 3 bytes (24 bits)
                }
                else
                {
                    length = sessionServiceHeader & 0x0001ffff;//get the last 17 bits
                }
                if (length == packetEndIndex - packetStartIndex + 1 - 4)
                {
                    result = new NetBiosSessionService(parentFrame, packetStartIndex, packetEndIndex, raw);
                    return(true);
                }
                else if (length < packetEndIndex - packetStartIndex + 1 - 4)
                {
                    //there is more data to parse after the returned result
                    byte nextPacketHeaderByte = parentFrame.Data[packetStartIndex + length + 4];
                    if (nextPacketHeaderByte == 0x00 || nextPacketHeaderByte == 0x85)
                    {
                        result = new NetBiosSessionService(parentFrame, packetStartIndex, packetStartIndex + (int)length + 3, raw);
                        return(true);
                    }
                    else
                    {
                        return(false);
                    }
                }
                else
                {
                    //Check for EternalBlue exploit
                    //https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a
                    if (length > 0x1000 && packetEndIndex - packetStartIndex + 1 - 4 < 800 && !isVirtualPacketFromTrailingDataInTcpSegment)
                    {
                        if (length == 0xfff7)//this is the value used in most exploits, but it can probably be any large value
                        {
                            parentFrame.Errors.Add(new Frame.Error(parentFrame, packetStartIndex, packetEndIndex, "EternalBlue exploit attempt, nbss size = 0x" + length.ToString("x4")));
                        }
                        else
                        {
                            //this might lead to false positives if this is an SMB packet that has been chained after another AndX SMB packet in the same frame. Thus this is the trailing packet that has been cut off due to MSS (see PCAP "SMB File transfer 3" for details)
                            parentFrame.Errors.Add(new Frame.Error(parentFrame, packetStartIndex, packetEndIndex, "Possible EternalBlue exploit attempt, nbss size = 0x" + length.ToString("x4")));
                        }
                    }
                    return(false);
                }
            }
        }
Exemple #5
0
        internal IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference, ISessionProtocolFinder protocolFinder, bool clientToServer)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            if (PacketStartIndex + dataOffsetByteCount < PacketEndIndex)
            {
                AbstractPacket packet = null;
                foreach (ApplicationLayerProtocol protocol in protocolFinder.GetProbableApplicationLayerProtocols())
                {
                    try{
                        if (protocol == ApplicationLayerProtocol.Dns)
                        {
                            packet = new DnsPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                            protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Dns;
                            break;
                        }
                        else if (protocol == ApplicationLayerProtocol.FtpControl)
                        {
                            if (FtpPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.FtpControl;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Http)
                        {
                            if (HttpPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Http;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Irc)
                        {
                            if (IrcPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Irc;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.IEC_104)
                        {
                            if (IEC_60870_5_104Packet.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.IEC_104;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.NetBiosNameService)
                        {
                            packet = new NetBiosNameServicePacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                            protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.NetBiosNameService;
                            break;
                        }
                        else if (protocol == ApplicationLayerProtocol.NetBiosSessionService)
                        {
                            if (NetBiosSessionService.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                //packet = new NetBiosSessionService(ParentFrame, PacketStartIndex+dataOffsetByteCount, PacketEndIndex, false);
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.NetBiosSessionService;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Oscar)
                        {
                            if (OscarPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Oscar;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.OscarFileTransfer)
                        {
                            if (OscarFileTransferPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.OscarFileTransfer;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Smtp)
                        {
                            packet = new SmtpPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer);
                            protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Smtp;
                            break;
                        }
                        else if (protocol == ApplicationLayerProtocol.SpotifyServerProtocol)
                        {
                            if (SpotifyKeyExchangePacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.SpotifyServerProtocol;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Ssh)
                        {
                            if (SshPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Ssh;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Ssl)
                        {
                            if (SslPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Ssl;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.TabularDataStream)
                        {
                            packet = new TabularDataStreamPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                            protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.TabularDataStream;
                            break;
                        }
                    }
                    catch (Exception) {
                        packet = null;
                    }
                }
                if (packet == null)
                {
                    packet = new RawPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                }
                yield return(packet);

                foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                {
                    yield return(subPacket);
                }
            }
        }