Esempio n. 1
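        // Feeds a single UDP payload containing a Kerberos AS-REQ to KerberosAsReqHashParser
        // and checks the pre-authentication fields it extracts.
        //
        // Fixture layout (read from the bytes below):
        //   0x6a ...                     application tag 10, i.e. AS-REQ
        //   0xa1 0x03 0x02 0x01 0x02     padata-type 2 (PA-ENC-TIMESTAMP)
        //   0xa0 0x03 0x02 0x01 0x17     etype 23 (RC4-HMAC)
        //   0xa2 0x36 0x04 0x34 ...      52-byte cipher: 16 leading bytes + 36 remaining bytes
        //   "des" / "DENYDC"             client name and realm
        //
        // An etype 23 encrypted timestamp is derived from the user's password, so a capture
        // holding one is credential material and should be stored and shared accordingly.
        public void KerberosHashParser_ParseUdpSession_ParseSuccess()
        {
            // Arrange
            var kerberosParser = new PcapAnalyzer.KerberosAsReqHashParser();

            var kerberosAsRequestPacket = new PcapAnalyzer.UdpPacket
            {
                SourceIp      = "2.2.2.2",
                DestinationIp = "1.1.1.1",
                Data          = new byte[]
                {
                    0x6a, 0x82, 0x01, 0x1f, 0x30, 0x82, 0x01, 0x1b, 0xa1, 0x03, 0x02, 0x01, 0x05, 0xa2, 0x03, 0x02,
                    0x01, 0x0a, 0xa3, 0x5f, 0x30, 0x5d, 0x30, 0x48, 0xa1, 0x03, 0x02, 0x01, 0x02, 0xa2, 0x41, 0x04,
                    0x3f, 0x30, 0x3d, 0xa0, 0x03, 0x02, 0x01, 0x17, 0xa2, 0x36, 0x04, 0x34, 0x09, 0xa2, 0x24, 0x48,
                    0x93, 0xaf, 0xf5, 0xf3, 0x84, 0xf7, 0x9c, 0x37, 0x88, 0x3f, 0x15, 0x4a, 0x32, 0xd3, 0x96, 0xa9,
                    0x14, 0xa4, 0xd0, 0xa7, 0x8e, 0x97, 0x9b, 0xa7, 0x5d, 0x4f, 0xf5, 0x3c, 0x1d, 0xb7, 0x29, 0x41,
                    0x41, 0x76, 0x0f, 0xee, 0x05, 0xe4, 0x34, 0xc1, 0x2e, 0xcf, 0x8d, 0x5b, 0x9a, 0xa5, 0x83, 0x9e,
                    0x30, 0x11, 0xa1, 0x04, 0x02, 0x02, 0x00, 0x80, 0xa2, 0x09, 0x04, 0x07, 0x30, 0x05, 0xa0, 0x03,
                    0x01, 0x01, 0xff, 0xa4, 0x81, 0xad, 0x30, 0x81, 0xaa, 0xa0, 0x07, 0x03, 0x05, 0x00, 0x40, 0x81,
                    0x00, 0x10, 0xa1, 0x10, 0x30, 0x0e, 0xa0, 0x03, 0x02, 0x01, 0x01, 0xa1, 0x07, 0x30, 0x05, 0x1b,
                    0x03, 0x64, 0x65, 0x73, 0xa2, 0x08, 0x1b, 0x06, 0x44, 0x45, 0x4e, 0x59, 0x44, 0x43, 0xa3, 0x1b,
                    0x30, 0x19, 0xa0, 0x03, 0x02, 0x01, 0x02, 0xa1, 0x12, 0x30, 0x10, 0x1b, 0x06, 0x6b, 0x72, 0x62,
                    0x74, 0x67, 0x74, 0x1b, 0x06, 0x44, 0x45, 0x4e, 0x59, 0x44, 0x43, 0xa5, 0x11, 0x18, 0x0f, 0x32,
                    0x30, 0x33, 0x37, 0x30, 0x39, 0x31, 0x33, 0x30, 0x32, 0x34, 0x38, 0x30, 0x35, 0x5a, 0xa6, 0x11,
                    0x18, 0x0f, 0x32, 0x30, 0x33, 0x37, 0x30, 0x39, 0x31, 0x33, 0x30, 0x32, 0x34, 0x38, 0x30, 0x35,
                    0x5a, 0xa7, 0x06, 0x02, 0x04, 0x0b, 0xc4, 0xdd, 0x7e, 0xa8, 0x19, 0x30, 0x17, 0x02, 0x01, 0x17,
                    0x02, 0x02, 0xff, 0x7b, 0x02, 0x01, 0x80, 0x02, 0x01, 0x03, 0x02, 0x01, 0x01, 0x02, 0x01, 0x18,
                    0x02, 0x02, 0xff, 0x79, 0xa9, 0x1d, 0x30, 0x1b, 0x30, 0x19, 0xa0, 0x03, 0x02, 0x01, 0x14, 0xa1,
                    0x12, 0x04, 0x10, 0x58, 0x50, 0x31, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                    0x20, 0x20, 0x20
                }
            };

            // Act.
            var hash = kerberosParser.Parse(kerberosAsRequestPacket) as PcapAnalyzer.KerberosHash;

            // Assert.
            // The "as" cast yields null when the parser returns nothing or a different type;
            // fail with a readable message instead of a NullReferenceException below.
            Assert.IsNotNull(hash, "Parse did not return a KerberosHash for the AS-REQ payload.");

            Assert.AreEqual("Kerberos V5 AS-REQ Pre-Auth etype 23", hash.HashType);
            Assert.AreEqual("des", hash.User);
            Assert.AreEqual("DENYDC", hash.Domain);

            // Expected value first, actual second, so a failure message labels the two correctly.
            // The expected string is the 52-byte cipher with its first 16 bytes (09a2...154a)
            // moved to the end, i.e. the remaining 36 bytes followed by the leading 16.
            Assert.AreEqual("32d396a914a4d0a78e979ba75d4ff53c1db7294141760fee05e434c12ecf8d5b9aa5839e09a2244893aff5f384f79c37883f154a", hash.Hash);
        }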
Esempio n. 2
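        // Runs one DNS response through DnsModule and checks that the two answer records
        // are reported as name mappings via the ParsedItemDetected event.
        //
        // Fixture layout (read from the bytes below):
        //   0x79 0x56                    transaction id
        //   0x81 0x80                    flags, QR bit set (this is a response)
        //   counts                       1 question, 2 answers, 2 authority records, 0 additional
        //   question                     mail.patriots.in, type A
        //   answer 1                     CNAME (type 5) -> compression pointer 0xc0 0x11 = patriots.in
        //   answer 2                     A (type 1)     -> 0x4a 0x35 0x8c 0x99 = 74.53.140.153
        //
        // Only well-formed compression pointers are exercised here. Pointer handling is the
        // part of a DNS parser most exposed to hostile captures (self-referencing or
        // out-of-range offsets), so it deserves a separate negative test.
        public void DnsModule_ParseTwoRecords_ParseSuccess()
        {
            // Arrange
            var dnsModule     = new PcapAnalyzer.DnsModule();
            var parsedRecords = new List<PcapAnalyzer.DnsNameMapping>();

            dnsModule.ParsedItemDetected +=
                (object sender, ParsedItemDetectedEventArgs e) => parsedRecords.Add(e.ParsedItem as PcapAnalyzer.DnsNameMapping);

            // NOTE(review): the payload is a response, yet port 53 is the destination port;
            // presumably the module matches port 53 on either side. Confirm against DnsModule.
            var dnsPacket = new PcapAnalyzer.UdpPacket
            {
                SourceIp        = "2.2.2.2",
                DestinationIp   = "1.1.1.1",
                DestinationPort = 53,
                SourcePort      = 100,
                Data            = new byte[]
                {
                    0x79, 0x56, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x02, 0x00, 0x00, 0x04, 0x6d, 0x61, 0x69,
                    0x6c, 0x08, 0x70, 0x61, 0x74, 0x72, 0x69, 0x6f, 0x74, 0x73, 0x02, 0x69, 0x6e, 0x00, 0x00, 0x01,
                    0x00, 0x01, 0xc0, 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x00, 0x2a, 0x4b, 0x00, 0x02, 0xc0, 0x11,
                    0xc0, 0x11, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x2a, 0x4c, 0x00, 0x04, 0x4a, 0x35, 0x8c, 0x99,
                    0xc0, 0x11, 0x00, 0x02, 0x00, 0x01, 0x00, 0x01, 0x43, 0x8c, 0x00, 0x06, 0x03, 0x6e, 0x73, 0x32,
                    0xc0, 0x11, 0xc0, 0x11, 0x00, 0x02, 0x00, 0x01, 0x00, 0x01, 0x43, 0x8c, 0x00, 0x06, 0x03, 0x6e,
                    0x73, 0x31, 0xc0, 0x11
                }
            };

            // Act.
            dnsModule.Analyze(dnsPacket);

            // Assert.
            Assert.AreEqual(2, parsedRecords.Count);

            // The handler stores null for any item that is not a DnsNameMapping; report that
            // as a failed assertion rather than a NullReferenceException further down.
            Assert.IsFalse(parsedRecords.Contains(null), "A parsed item was not a DnsNameMapping.");

            // Expected value first, actual second, so failure messages label the two correctly.
            Assert.AreEqual("patriots.in", parsedRecords[0].Destination);
            Assert.AreEqual("mail.patriots.in", parsedRecords[0].Query);
            Assert.AreEqual("74.53.140.153", parsedRecords[1].Destination);
            Assert.AreEqual("mail.patriots.in", parsedRecords[1].Query);
        }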
 // Returns null for every UDP packet; the argument is never inspected.
 // Callers must therefore handle a null result before touching its members.
 public NetworkLayerObject Parse(UdpPacket udpPacket)
 {
     return null;
 }
Esempio n. 4
 // UDP entry point: passes the packet unchanged to AnalyzeGeneric.
 // Any value AnalyzeGeneric returns is discarded.
 public void Analyze(UdpPacket udpPacket)
 {
     AnalyzeGeneric(udpPacket);
 }