// TODO: use PL object
public void AddHash(PcapAnalyzer.NetworkHash networkHash)
{
_hashesTableUserControl.AddDataToTable(networkHash);
if (!this.hashesComboBox.Items.Contains(networkHash.HashType))
{
this.hashesComboBox.Items.Add(networkHash.HashType);
}
}
public void AddHash(PcapAnalyzer.NetworkHash networkHash)
{
// TODO: use network context hashes as the only data source
_hashesTableUserControl.AddDataToTable(networkHash);
_networkContext.Hashes.Add(networkHash);
if (!this.hashesComboBox.Items.Contains(networkHash.HashType))
{
this.hashesComboBox.Items.Add(networkHash.HashType);
}
}
public void HandleHash(PcapAnalyzer.NetworkHash hash)
{
// Usually the hashes username is named "User" or "Username".
var userName = GetPropertyValue(hash, new string[] { "User", "Username" });
if (userName.Length > 0)
{
var edgeText = $"{hash.HashType} Hash";
// If it is a domain related hash (e.g Kerberos, NTLM)
if (hash is PcapAnalyzer.IDomainCredential)
{
var domain = (hash as IDomainCredential).GetDoamin();
userName = domain.Length > 0 ? @$ "{domain}\{userName}" : userName;
}
AddEdge(userName, hash.Destination, edgeText);
_graph.FindNode(userName).Attr.FillColor = Microsoft.Msagl.Drawing.Color.LightGreen;
}
private NetworkHash SearchSmtpCramMd5(TcpSession tcpSession, string sessionData)
{
NetworkHash credential = null;
Match match = _smtpCramMd5Regex.Match(sessionData);
if (match.Success)
{
credential = new CramMd5Hash()
{
Protocol = "SMTP",
HashType = "CRAM-MD5",
Hash = match.Groups["Hash"].ToString(),
Challenge = match.Groups["Challenge"].ToString(),
Source = tcpSession.SourceIp,
Destination = tcpSession.DestinationIp
};
}
return(credential);
}
private NetworkLayerObject SearchImapCramMd5Hash(TcpSession tcpSession, string sessionData)
{
NetworkHash hash = null;
Match match = _imapCramMd5Regex.Match(sessionData);
if (match.Success)
{
// TODO: Handle the triming at the regex.
hash = new CramMd5Hash()
{
Protocol = "IMAP",
HashType = "CRAM-MD5",
Challenge = match.Groups["Challenge"].Value,
Hash = match.Groups["Response"].Value,
Source = tcpSession.SourceIp,
Destination = tcpSession.DestinationIp
};
}
return(hash);
}
public void HandleHash(PcapAnalyzer.NetworkHash hash)
{
// Usually the hashes username is named "User" \ "Username".
var user = GetPropValue(hash, "User");
var username = GetPropValue(hash, "Username");
var displayUserName = user != null ? user : username;
if (displayUserName != null)
{
var domain = GetPropValue(hash, "Domain");
if (domain != null)
{
if (domain.ToString().Length > 0)
{
displayUserName = domain.ToString() + @"\" + displayUserName;
}
}
var edgeText = $"{hash.HashType} Hash";
AddEdge(displayUserName.ToString(), hash.Destination, edgeText);
_graph.FindNode(displayUserName.ToString()).Attr.FillColor = Microsoft.Msagl.Drawing.Color.LightGreen;
}
}