public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <AbstractPacket> packetList) { ITransportLayerPacket transportLayerPacket = packetList.OfType <ITransportLayerPacket>().First(); foreach (CifsBrowserPacket browser in packetList.OfType <CifsBrowserPacket>()) { System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection(); if (!string.IsNullOrEmpty(browser.Hostname)) { sourceHost.AddHostName(browser.Hostname, browser.PacketTypeDescription); } if (!string.IsNullOrEmpty(browser.DomainOrWorkgroup)) { sourceHost.AddDomainName(browser.DomainOrWorkgroup); } if (browser.OSVersion.major > 0 || browser.OSVersion.minor > 0) { sourceHost.AddNumberedExtraDetail("Windows Version", "" + browser.OSVersion.major + "." + browser.OSVersion.minor); } if (browser.Uptime != null) { parameters.Add("CIFS Browser Service Uptime", browser.Uptime.Value.ToString()); } if (parameters.Count > 0) { //TODO: figure out the five tuple! Events.ParametersEventArgs pe = new Events.ParametersEventArgs(browser.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, browser.ParentFrame.Timestamp, "CIFS Browser/MS-BRWS Uptime"); //var pe = new Events.ParametersEventArgs(browser.ParentFrame.FrameNumber, ft, true, parameters, browser.ParentFrame.Timestamp, "CIFS Browser/MS-BRWS Uptime"); base.MainPacketHandler.OnParametersDetected(pe); } } }
private void ExtractData(ref NetworkHost sourceHost, Packets.HpSwitchProtocolPacket.HpSwField hpswField) { if (hpswField.TypeByte == (byte)Packets.HpSwitchProtocolPacket.HpSwField.FieldType.DeviceName) { if (!sourceHost.ExtraDetailsList.ContainsKey("HPSW Device Name")) { sourceHost.ExtraDetailsList.Add("HPSW Device Name", hpswField.ValueString); //sourceHost.HostNameList.Add(hpswField.ValueString); sourceHost.AddHostName(hpswField.ValueString); } } else if (hpswField.TypeByte == (byte)Packets.HpSwitchProtocolPacket.HpSwField.FieldType.Version) { if (!sourceHost.ExtraDetailsList.ContainsKey("HPSW Firmware version")) { sourceHost.ExtraDetailsList.Add("HPSW Firmware version", hpswField.ValueString); } } else if (hpswField.TypeByte == (byte)Packets.HpSwitchProtocolPacket.HpSwField.FieldType.Config) { if (!sourceHost.ExtraDetailsList.ContainsKey("HPSW Config")) { sourceHost.ExtraDetailsList.Add("HPSW Config", hpswField.ValueString); } } else if (hpswField.TypeByte == (byte)Packets.HpSwitchProtocolPacket.HpSwField.FieldType.MacAddress) { sourceHost.MacAddress = new System.Net.NetworkInformation.PhysicalAddress(hpswField.ValueBytes); } }
private void ExtractData(Packets.NetBiosDatagramServicePacket netBiosDatagramServicePacket, NetworkHost sourceHost) { if (netBiosDatagramServicePacket != null) { if (netBiosDatagramServicePacket.SourceNetBiosName != null && netBiosDatagramServicePacket.SourceNetBiosName.Length > 0) { sourceHost.AddHostName(netBiosDatagramServicePacket.SourceNetBiosName, netBiosDatagramServicePacket.PacketTypeDescription); } } }
private void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, Packets.DhcpPacket dhcpPacket) { if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootRequest && (sourceHost.MacAddress == null || dhcpPacket.ClientMacAddress != sourceHost.MacAddress)) { sourceHost.MacAddress = dhcpPacket.ClientMacAddress; } else if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootReply && (destinationHost.MacAddress == null || dhcpPacket.ClientMacAddress != destinationHost.MacAddress)) { destinationHost.MacAddress = dhcpPacket.ClientMacAddress; } if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootReply && (dhcpPacket.GatewayIpAddress != null && dhcpPacket.GatewayIpAddress != System.Net.IPAddress.None && dhcpPacket.GatewayIpAddress.Address > 0)) { destinationHost.ExtraDetailsList["Default Gateway"] = dhcpPacket.GatewayIpAddress.ToString(); } System.Collections.Specialized.NameValueCollection optionParameterList = new System.Collections.Specialized.NameValueCollection(); //now check all the DHCP options //byte dhcpMessageType=0x00;//1=Discover, 2=Offer, 3=Request, 5=Ack, 8=Inform foreach (Packets.DhcpPacket.Option option in dhcpPacket.OptionList) { //TODO: Add option to Parameters list if (option.OptionCode == 12)//hostname { string hostname = Utils.ByteConverter.ReadString(option.OptionValue); sourceHost.AddHostName(hostname); optionParameterList.Add("DHCP Option 12 Hostname", hostname); } else if (option.OptionCode == 15)//Domain Name { string domain = Utils.ByteConverter.ReadString(option.OptionValue); sourceHost.AddDomainName(domain); optionParameterList.Add("DHCP Option 15 Domain", domain); } else if (option.OptionCode == 50) //requested IP address { if (dhcpPacket.DhcpMessageType == 3) //Must be a DHCP Request { System.Net.IPAddress requestedIpAddress = new System.Net.IPAddress(option.OptionValue); if (sourceHost.IPAddress != requestedIpAddress) { if (!base.MainPacketHandler.NetworkHostList.ContainsIP(requestedIpAddress)) { NetworkHost clonedHost = new NetworkHost(requestedIpAddress); clonedHost.MacAddress = sourceHost.MacAddress; //foreach(string hostname in sourceHost.HostNameList) // clonedHost.AddHostName(hostname); lock (base.MainPacketHandler.NetworkHostList) base.MainPacketHandler.NetworkHostList.Add(clonedHost); //now change the host to the cloned one (and hope it works out...) sourceHost = clonedHost; } else { sourceHost = base.MainPacketHandler.NetworkHostList.GetNetworkHost(requestedIpAddress); if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootRequest && (sourceHost.MacAddress == null || dhcpPacket.ClientMacAddress != sourceHost.MacAddress)) { sourceHost.MacAddress = dhcpPacket.ClientMacAddress; } } } if (sourceHost.MacAddress != null && previousIpList.ContainsKey(sourceHost.MacAddress.ToString())) { //if(previousIpList.ContainsKey(sourceHost.MacAddress.ToString())) { sourceHost.AddNumberedExtraDetail("Previous IP", previousIpList[sourceHost.MacAddress.ToString()].ToString()); //sourceHost.ExtraDetailsList["Previous IP"]=previousIpList[sourceHost.MacAddress.ToString()].ToString(); previousIpList.Remove(sourceHost.MacAddress.ToString()); } } else if (dhcpPacket.DhcpMessageType == 1)//DHCP discover //see which IP address the client hade previously //They normally requests the same IP as they hade before... { System.Net.IPAddress requestedIpAddress = new System.Net.IPAddress(option.OptionValue); this.previousIpList[sourceHost.MacAddress.ToString()] = requestedIpAddress; } } /* * else if(option.OptionCode==53) {//DHCP message type * if(option.OptionValue!=null && option.OptionValue.Length==1) * dhcpMessageType=option.OptionValue[0]; * }/*/ else if (option.OptionCode == 60)//vendor class identifier { string vendorCode = Utils.ByteConverter.ReadString(option.OptionValue); sourceHost.AddDhcpVendorCode(vendorCode); optionParameterList.Add("DHCP Option 60 Vendor Code", vendorCode); } else if (option.OptionCode == 81) //Client Fully Qualified Domain Name { string domain = Utils.ByteConverter.ReadString(option.OptionValue, 3, option.OptionValue.Length - 3); sourceHost.AddHostName(domain); optionParameterList.Add("DHCP Option 81 Domain", domain); } else if (option.OptionCode == 125) //V-I Vendor-specific Information http://tools.ietf.org/html/rfc3925 { uint enterpriceNumber = Utils.ByteConverter.ToUInt32(option.OptionValue, 0); optionParameterList.Add("DHCP Option 125 Enterprise Number", enterpriceNumber.ToString()); byte dataLen = option.OptionValue[4]; if (dataLen > 0 && option.OptionValue.Length >= 5 + dataLen) { string optionData = Utils.ByteConverter.ReadString(option.OptionValue, 5, dataLen); optionParameterList.Add("DHCP Option 125 Data", optionData); } } else { string optionValueString = Utils.ByteConverter.ReadString(option.OptionValue); if (!System.Text.RegularExpressions.Regex.IsMatch(optionValueString, @"[^\u0020-\u007E]")) { optionParameterList.Add("DHCP Option " + option.OptionCode.ToString(), optionValueString); } } } if (optionParameterList.Count > 0) { //try to get the udp packet string sourcePort = "UNKNOWN"; string destinationPort = "UNKNOWN"; foreach (Packets.AbstractPacket p in dhcpPacket.ParentFrame.PacketList) { if (p.GetType() == typeof(Packets.UdpPacket)) { Packets.UdpPacket udpPacket = (Packets.UdpPacket)p; sourcePort = "UDP " + udpPacket.SourcePort; destinationPort = "UDP " + udpPacket.DestinationPort; break; } } Events.ParametersEventArgs ea = new Events.ParametersEventArgs(dhcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, sourcePort, destinationPort, optionParameterList, dhcpPacket.ParentFrame.Timestamp, "DHCP Option"); MainPacketHandler.OnParametersDetected(ea); } }
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList) { Packets.IrcPacket ircPacket = null; Packets.TcpPacket tcpPacket = null; foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.TcpPacket)) { tcpPacket = (Packets.TcpPacket)p; } else if (p.GetType() == typeof(Packets.IrcPacket)) { ircPacket = (Packets.IrcPacket)p; } } if (ircPacket != null && tcpPacket != null) { System.Collections.Specialized.NameValueCollection tmpCol = new System.Collections.Specialized.NameValueCollection(); foreach (Packets.IrcPacket.Message m in ircPacket.Messages) { tmpCol.Add(m.Command, m.ToString()); if (m.Command.Equals("USER", StringComparison.InvariantCultureIgnoreCase)) { //the first parameter is the username List <string> parameters = new List <string>(); foreach (string s in m.Parameters) { parameters.Add(s); } if (parameters.Count > 0) { string ircUser = parameters[0]; IrcSession ircSession; if (this.ircSessionList.ContainsKey(tcpSession)) { ircSession = ircSessionList[tcpSession]; } else { ircSession = new IrcSession(); this.ircSessionList.Add(tcpSession, ircSession); } ircSession.User = ircUser; sourceHost.AddNumberedExtraDetail("IRC Username", ircUser); //NetworkCredential ircUserCredential = new NetworkCredential(sourceHost, destinationHost, "IRC", ircUser, "N/A (only IRC Username)", ircPacket.ParentFrame.Timestamp); this.MainPacketHandler.AddCredential(ircSession.GetCredential(sourceHost, destinationHost, ircPacket.ParentFrame.Timestamp)); } if (parameters.Count > 1) { sourceHost.AddHostName(parameters[1]); } if (parameters.Count > 2) { destinationHost.AddHostName(parameters[2]); } } else if (m.Command.Equals("NICK", StringComparison.InvariantCultureIgnoreCase)) { IEnumerator <string> enumerator = m.Parameters.GetEnumerator(); if (enumerator.MoveNext()) //move to the first position { string ircNick = enumerator.Current; IrcSession ircSession; if (this.ircSessionList.ContainsKey(tcpSession)) { ircSession = ircSessionList[tcpSession]; } else { ircSession = new IrcSession(); this.ircSessionList.Add(tcpSession, ircSession); } ircSession.Nick = ircNick; sourceHost.AddNumberedExtraDetail("IRC Nick", ircNick); //NetworkCredential ircNicCredential = new NetworkCredential(sourceHost, destinationHost, "IRC", enumerator.Current, "N/A (only IRC Nick)", ircPacket.ParentFrame.Timestamp); this.MainPacketHandler.AddCredential(ircSession.GetCredential(sourceHost, destinationHost, ircPacket.ParentFrame.Timestamp)); } } else if (m.Command.Equals("PASS", StringComparison.InvariantCultureIgnoreCase)) { IEnumerator <string> enumerator = m.Parameters.GetEnumerator(); if (enumerator.MoveNext()) //move to the first position { string ircPass = enumerator.Current; IrcSession ircSession; if (this.ircSessionList.ContainsKey(tcpSession)) { ircSession = ircSessionList[tcpSession]; } else { ircSession = new IrcSession(); this.ircSessionList.Add(tcpSession, ircSession); } ircSession.Pass = ircPass; this.MainPacketHandler.AddCredential(ircSession.GetCredential(sourceHost, destinationHost, ircPacket.ParentFrame.Timestamp)); } } else if (m.Command.Equals("PRIVMSG", StringComparison.InvariantCultureIgnoreCase)) { //first parameter is recipient, second is message List <string> parameters = new List <string>(); foreach (string s in m.Parameters) { parameters.Add(s); } if (parameters.Count >= 2) { System.Collections.Specialized.NameValueCollection attributes = new System.Collections.Specialized.NameValueCollection(); attributes.Add("Command", m.Command); string from = ""; if (m.Prefix != null && m.Prefix.Length > 0) { attributes.Add("Prefix", m.Prefix); from = m.Prefix; } for (int i = 0; i < parameters.Count; i++) { attributes.Add("Parameter " + (i + 1), parameters[i]); } base.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(ApplicationLayerProtocol.Irc, sourceHost, destinationHost, ircPacket.ParentFrame.FrameNumber, ircPacket.ParentFrame.Timestamp, from, parameters[0], parameters[1], parameters[1], attributes)); } } } if (tmpCol.Count > 0) { base.MainPacketHandler.OnParametersDetected(new PacketParser.Events.ParametersEventArgs(ircPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, tmpCol, tcpPacket.ParentFrame.Timestamp, "IRC packet")); return(ircPacket.ParsedBytesCount); } } return(0); }
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList) { Packets.DnsPacket dnsPacket = null; Packets.IIPPacket ipPacket = null; Packets.ITransportLayerPacket transportLayerPacket = null; foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.DnsPacket)) { dnsPacket = (Packets.DnsPacket)p; } else if (p is Packets.IIPPacket) { ipPacket = (Packets.IIPPacket)p; } /*else if(p.GetType()==typeof(Packets.IPv6Packet)) * ipv6Packet=(Packets.IPv6Packet)p;*/ else if (p is Packets.ITransportLayerPacket tlp) { transportLayerPacket = tlp; } } if (dnsPacket != null) { //ExtractDnsData(dnsPacket); if (dnsPacket.Flags.Response) { System.Collections.Specialized.NameValueCollection cNamePointers = new System.Collections.Specialized.NameValueCollection(); if (dnsPacket.AnswerRecords != null && dnsPacket.AnswerRecords.Length > 0) { foreach (Packets.DnsPacket.ResourceRecord r in dnsPacket.AnswerRecords) { if (r.IP != null) { if (!base.MainPacketHandler.NetworkHostList.ContainsIP(r.IP)) { NetworkHost host = new NetworkHost(r.IP); host.AddHostName(r.DNS, dnsPacket.PacketTypeDescription); lock (base.MainPacketHandler.NetworkHostList) base.MainPacketHandler.NetworkHostList.Add(host); MainPacketHandler.OnNetworkHostDetected(new Events.NetworkHostEventArgs(host)); //base.MainPacketHandler.ParentForm.ShowDetectedHost(host); } else { base.MainPacketHandler.NetworkHostList.GetNetworkHost(r.IP).AddHostName(r.DNS, dnsPacket.PacketTypeDescription); } if (cNamePointers[r.DNS] != null) { base.MainPacketHandler.NetworkHostList.GetNetworkHost(r.IP).AddHostName(cNamePointers[r.DNS], dnsPacket.PacketTypeDescription); } } else if (r.Type == (ushort)Packets.DnsPacket.RRTypes.CNAME) { cNamePointers.Add(r.PrimaryName, r.DNS); } MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(r, sourceHost, destinationHost, ipPacket, transportLayerPacket)); //base.MainPacketHandler.ParentForm.ShowDnsRecord(r, sourceHost, destinationHost, ipPakcet, udpPacket); } } else { //display the flags instead //TODO : MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs( if (dnsPacket.QueriedDnsName != null && dnsPacket.QueriedDnsName.Length > 0) { MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(new Packets.DnsPacket.ResponseWithErrorCode(dnsPacket), sourceHost, destinationHost, ipPacket, transportLayerPacket)); } } } else //DNS request { if (dnsPacket.QueriedDnsName != null && dnsPacket.QueriedDnsName.Length > 0) { sourceHost.AddQueriedDnsName(dnsPacket.QueriedDnsName); } } } }
private (string username, string realm) GetUserAndRealm(KerberosPacket kerberosPacket, NetworkHost sourceHost, NetworkHost destinationHost) { string username = ""; string realm = ""; List <string> spnParts = new List <string>(); foreach (var item in kerberosPacket.AsnData.Where(item => stringTypes.Contains(item.Item2))) { string itemString = Utils.ByteConverter.ReadString(item.Item3); if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameRequestPaths.Contains(item.Item1) && itemString.EndsWith("$")) { string hostname = itemString.TrimEnd(new[] { '$' }); sourceHost.AddHostName(hostname); //parameters.Add("Hostname (" + item.Item1 + ")", hostname); realm = hostname; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameResponsePaths.Contains(item.Item1) && itemString.EndsWith("$")) { string hostname = itemString.TrimEnd(new[] { '$' }); destinationHost.AddHostName(hostname); //parameters.Add("Hostname (" + item.Item1 + ")", hostname); realm = hostname; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && (usernameRequestPaths.Contains(item.Item1) || usernameResponsePaths.Contains(item.Item1)) && !itemString.EndsWith("$")) { if (usernameRequestPaths.Contains(item.Item1)) { base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp)); sourceHost.AddNumberedExtraDetail("Kerberos Username", itemString); username = itemString; } else if (usernameResponsePaths.Contains(item.Item1)) { base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp)); destinationHost.AddNumberedExtraDetail("Kerberos Username", itemString); username = itemString; } #if DEBUG else { System.Diagnostics.Debugger.Break(); } #endif //parameters.Add("Username (" + item.Item1 + ")", username); } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && domainPaths.Contains(item.Item1)) { sourceHost.AddDomainName(itemString); destinationHost.AddDomainName(itemString); //parameters.Add("Realm (" + item.Item1 + ")", itemString); realm = itemString; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && hostnameResponsePaths.Contains(item.Item1)) { spnParts.Add(itemString); } else { //parameters.Add(item.Item1 + " " + Enum.GetName(typeof(Utils.ByteConverter.Asn1TypeTag), item.Item2), itemString); } } if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && spnParts.Count > 0) { username = string.Join("/", spnParts); } return(username, realm); }
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList) { //bool successfulExtraction=false; int successfullyExtractedBytes = 0; foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.NtlmSspPacket)) { Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p; if (ntlmPacket.NtlmChallenge != null) { if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode())) { ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge; } else { ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge); } } if (ntlmPacket.DomainName != null) { sourceHost.AddDomainName(ntlmPacket.DomainName); } if (ntlmPacket.HostName != null) { sourceHost.AddHostName(ntlmPacket.HostName); } if (ntlmPacket.UserName != null) { if (!sourceHost.ExtraDetailsList.ContainsKey("NTLM Username " + ntlmPacket.UserName)) { sourceHost.ExtraDetailsList.Add("NTLM Username " + ntlmPacket.UserName, ntlmPacket.UserName); } string lanManagerHashInfo = null; if (ntlmPacket.LanManagerResponse != null) { lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse; } if (ntlmPacket.NtlmResponse != null) { if (lanManagerHashInfo == null) { lanManagerHashInfo = ""; } else { lanManagerHashInfo = lanManagerHashInfo + " - "; } lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse; } if (lanManagerHashInfo == null) { base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp)); } else { if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode())) { lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[tcpSession.GetHashCode()] + " - " + lanManagerHashInfo; } base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp)); } } successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed } } return(successfullyExtractedBytes); }
/// <summary> /// /// </summary> /// <param name="httpPacket"></param> /// <param name="tcpPacket"></param> /// <param name="sourceHost"></param> /// <param name="destinationHost"></param> /// <param name="mainPacketHandler"></param> /// <returns>True if the data was successfully parsed. False if the data need to be parsed again with more data</returns> private bool ExtractHttpData(Packets.HttpPacket httpPacket, Packets.TcpPacket tcpPacket, NetworkHost sourceHost, NetworkHost destinationHost, PacketHandler mainPacketHandler) { if (httpPacket.MessageTypeIsRequest) { //HTTP request System.Collections.Specialized.NameValueCollection cookieParams = null; if (httpPacket.UserAgentBanner != null && httpPacket.UserAgentBanner.Length > 0) { sourceHost.AddHttpUserAgentBanner(httpPacket.UserAgentBanner); } if (httpPacket.RequestedHost != null && httpPacket.RequestedHost.Length > 0) { destinationHost.AddHostName(httpPacket.RequestedHost); } if (httpPacket.Cookie != null) { cookieParams = new System.Collections.Specialized.NameValueCollection(); char[] separators = { ';', ',' }; foreach (string s in httpPacket.Cookie.Split(separators)) { string cookieFragment = s.Trim(); int splitOffset = cookieFragment.IndexOf('='); if (splitOffset > 0) { cookieParams.Add(cookieFragment.Substring(0, splitOffset), cookieFragment.Substring(splitOffset + 1)); } else { cookieParams.Add(cookieFragment, ""); } } NetworkCredential inCookieCredential = NetworkCredential.GetNetworkCredential(cookieParams, sourceHost, destinationHost, "HTTP Cookie parameter", httpPacket.ParentFrame.Timestamp); if (inCookieCredential != null) { mainPacketHandler.AddCredential(inCookieCredential); } mainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, cookieParams, httpPacket.ParentFrame.Timestamp, "HTTP Cookie")); NetworkCredential credential = new NetworkCredential(sourceHost, destinationHost, "HTTP Cookie", httpPacket.Cookie, "N/A", httpPacket.ParentFrame.Timestamp); mainPacketHandler.AddCredential(credential); } if (httpPacket.AuthorizationCredentialsUsername != null) { NetworkCredential nc = new NetworkCredential(sourceHost, destinationHost, httpPacket.PacketTypeDescription, httpPacket.AuthorizationCredentialsUsername, httpPacket.AuthorizationCredentialsPassword, httpPacket.ParentFrame.Timestamp); mainPacketHandler.AddCredential(nc); //this.AddCredential(nc); } if (httpPacket.HeaderFields != null && httpPacket.HeaderFields.Count > 0) { SortedList <string, string> ignoredHeaderNames = new SortedList <string, string>(); ignoredHeaderNames.Add("accept", null); ignoredHeaderNames.Add("connection", null); ignoredHeaderNames.Add("accept-language", null); ignoredHeaderNames.Add("accept-encoding", null); //Build a sortedList of all headers System.Collections.Specialized.NameValueCollection httpHeaders = new System.Collections.Specialized.NameValueCollection(); //SortedList<string, string> httpHeaders = new SortedList<string, string>(); foreach (string header in httpPacket.HeaderFields) { int delimiterIndex = header.IndexOf(':'); if (delimiterIndex > 0 && delimiterIndex < header.Length) { string headerName = header.Substring(0, delimiterIndex).Trim(); //if (!httpHeaders.ContainsKey(headerName)) if (!ignoredHeaderNames.ContainsKey(headerName.ToLower())) { httpHeaders.Add(headerName, header.Substring(delimiterIndex + 1).Trim()); } } } //mainPacketHandler.OnParametersDetected base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(httpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, httpHeaders, httpPacket.ParentFrame.Timestamp, "HTTP Header")); foreach (string headerName in httpHeaders.Keys) { /** * http://mobiforge.com/developing/blog/useful-x-headers * http://nakedsecurity.sophos.com/2012/01/25/smartphone-website-telephone-number/ * http://www.nowsms.com/discus/messages/485/14998.html * http://coding-talk.com/f46/check-isdn-10962/ **/ if (headerName.StartsWith("X-", StringComparison.InvariantCultureIgnoreCase)) { sourceHost.AddNumberedExtraDetail("HTTP header: " + headerName, httpHeaders[headerName]); } else if (headerName.StartsWith("HTTP_X", StringComparison.InvariantCultureIgnoreCase)) { sourceHost.AddNumberedExtraDetail("HTTP header: " + headerName, httpHeaders[headerName]); } else if (headerName.StartsWith("X_", StringComparison.InvariantCultureIgnoreCase)) { sourceHost.AddNumberedExtraDetail("HTTP header: " + headerName, httpHeaders[headerName]); } else if (headerName.StartsWith("HTTP_MSISDN", StringComparison.InvariantCultureIgnoreCase)) { sourceHost.AddNumberedExtraDetail("HTTP header: " + headerName, httpHeaders[headerName]); } } } //file transfer if ((httpPacket.RequestMethod == Packets.HttpPacket.RequestMethods.GET || httpPacket.RequestMethod == Packets.HttpPacket.RequestMethods.POST) && httpPacket.RequestedFileName != null) { System.Collections.Specialized.NameValueCollection queryStringData = httpPacket.GetQuerystringData(); if (queryStringData != null && queryStringData.Count > 0) { //parentForm.ShowParameters(tcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP "+tcpPacket.SourcePort, "TCP "+tcpPacket.DestinationPort, queryStringData, tcpPacket.ParentFrame.Timestamp, "HTTP QueryString"); mainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, queryStringData, tcpPacket.ParentFrame.Timestamp, "HTTP QueryString")); //mainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "HTTP GET QueryString", NetworkCredential credential = NetworkCredential.GetNetworkCredential(queryStringData, sourceHost, destinationHost, "HTTP GET QueryString", tcpPacket.ParentFrame.Timestamp); if (credential != null) { mainPacketHandler.AddCredential(credential); } if (queryStringData.HasKeys()) { Dictionary <string, string> queryStringDictionary = new Dictionary <string, string>(); foreach (string key in queryStringData.AllKeys) { queryStringDictionary.Add(key, queryStringData[key]); } if (queryStringDictionary.ContainsKey("utmsr")) { sourceHost.AddNumberedExtraDetail("Screen resolution (Google Analytics)", queryStringDictionary["utmsr"]); } if (queryStringDictionary.ContainsKey("utmsc")) { sourceHost.AddNumberedExtraDetail("Color depth (Google Analytics)", queryStringDictionary["utmsc"]); } if (queryStringDictionary.ContainsKey("utmul")) { sourceHost.AddNumberedExtraDetail("Browser language (Google Analytics)", queryStringDictionary["utmul"]); } if (queryStringDictionary.ContainsKey("utmfl")) { sourceHost.AddNumberedExtraDetail("Flash version (Google Analytics)", queryStringDictionary["utmfl"]); } if (httpPacket.RequestMethod == Packets.HttpPacket.RequestMethods.POST && queryStringDictionary.ContainsKey("a") && queryStringDictionary["a"].Equals("SendMessage")) { if (!httpPacket.ContentIsComplete())//we must have all the content when parsing AOL data { return(false); } } } } //file transfer stuff string fileUri = httpPacket.RequestedFileName; string queryString = null; if (fileUri.Contains("?")) { if (fileUri.IndexOf('?') + 1 < fileUri.Length) { queryString = fileUri.Substring(fileUri.IndexOf('?') + 1); } fileUri = fileUri.Substring(0, fileUri.IndexOf('?')); } if (fileUri.StartsWith("http://")) { fileUri = fileUri.Substring(7); } if (fileUri.StartsWith("www.") && fileUri.Contains("/")) { fileUri = fileUri.Substring(fileUri.IndexOf("/")); } //char[] separators={ '/' }; char[] separators = new char[System.IO.Path.GetInvalidPathChars().Length + 1]; Array.Copy(System.IO.Path.GetInvalidPathChars(), separators, System.IO.Path.GetInvalidPathChars().Length); separators[separators.Length - 1] = '/'; string[] uriParts = fileUri.Split(separators); string filename; string fileLocation = ""; if (fileUri.EndsWith("/")) { filename = "index.html"; for (int i = 0; i < uriParts.Length; i++) { if (uriParts[i].Length > 0 && !uriParts[i].Contains("..")) { fileLocation += "/" + uriParts[i]; } } } else { filename = uriParts[uriParts.Length - 1]; for (int i = 0; i < uriParts.Length - 1; i++) { if (uriParts[i].Length > 0 && !uriParts[i].Contains("..")) { fileLocation += "/" + uriParts[i]; } } } //make sure all queryString-depending dynamic webpages are shown individually if (queryString != null && queryString.Length > 0) { filename += "." + queryString.GetHashCode().ToString("X4"); } //I will have to switch source and destination host here since this is only the request, not the actual file transfer! try { //see if there is an old assembler that needs to be removed if (mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true)) { FileTransfer.FileStreamAssembler oldAssembler = mainPacketHandler.FileStreamAssemblerList.GetAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true); mainPacketHandler.FileStreamAssemblerList.Remove(oldAssembler, true); } string fileDetails = httpPacket.RequestedFileName; if (httpPacket.RequestedHost != null && httpPacket.RequestedHost.Length > 0 && httpPacket.RequestedFileName != null && httpPacket.RequestedFileName.StartsWith("/")) { fileDetails = httpPacket.RequestedHost + httpPacket.RequestedFileName; } FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, tcpPacket != null, FileTransfer.FileStreamTypes.HttpGetNormal, filename, fileLocation, fileDetails, httpPacket.ParentFrame.FrameNumber, httpPacket.ParentFrame.Timestamp); //FileTransfer.FileStreamAssembler assembler=new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, tcpPacket!=null, FileTransfer.FileStreamTypes.HttpGetNormal, filename, fileLocation, httpPacket.RequestedFileName, httpPacket.ParentFrame.FrameNumber, httpPacket.ParentFrame.Timestamp); mainPacketHandler.FileStreamAssemblerList.Add(assembler); } catch (Exception e) { mainPacketHandler.OnAnomalyDetected("Error creating assembler for HTTP file transfer: " + e.Message); } //Large HTTP POSTs should also be dumped to files //if(httpPacket.RequestMethod==Packets.HttpPacket.RequestMethods.POST && !httpPacket.ContentIsComplete() && httpPacket.ContentLength>4096 && httpPacket.ContentType.StartsWith("multipart/form-data")) { if (httpPacket.RequestMethod == Packets.HttpPacket.RequestMethods.POST) { //All Multipart MIME HTTP POSTs should be dumped to file //the fileAssembler extracts the form parameters after assembly if (httpPacket.ContentType != null && httpPacket.ContentType.StartsWith("multipart/form-data")) { FileTransfer.FileStreamAssembler assembler = null; try { //see if there is an old assembler that needs to be removed if (mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true)) { FileTransfer.FileStreamAssembler oldAssembler = mainPacketHandler.FileStreamAssemblerList.GetAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true); mainPacketHandler.FileStreamAssemblerList.Remove(oldAssembler, true); } string mimeBoundary; if (httpPacket.ContentType.ToLower(System.Globalization.CultureInfo.InvariantCulture).StartsWith("multipart/form-data; boundary=") && httpPacket.ContentType.Length > 30) { mimeBoundary = httpPacket.ContentType.Substring(30); } else { mimeBoundary = ""; } assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, tcpPacket != null, FileTransfer.FileStreamTypes.HttpPostMimeMultipartFormData, filename + ".form-data.mime", fileLocation, mimeBoundary, httpPacket.ParentFrame.FrameNumber, httpPacket.ParentFrame.Timestamp); assembler.FileContentLength = httpPacket.ContentLength; assembler.FileSegmentRemainingBytes = httpPacket.ContentLength; mainPacketHandler.FileStreamAssemblerList.Add(assembler); if (assembler.TryActivate()) { //assembler is now active if (httpPacket.MessageBody != null && httpPacket.MessageBody.Length > 0) { assembler.AddData(httpPacket.MessageBody, tcpPacket.SequenceNumber); } } } catch (Exception e) { if (assembler != null) { assembler.Clear(); } mainPacketHandler.OnAnomalyDetected("Error creating assembler for HTTP file transfer: " + e.Message); } } else //form data (not multipart) { System.Collections.Generic.List <Mime.MultipartPart> formMultipartData = httpPacket.GetFormData(); if (formMultipartData != null) { foreach (Mime.MultipartPart mimeMultipart in formMultipartData) { if (mimeMultipart.Attributes["requests"] != null && httpPacket.GetQuerystringData() != null && httpPacket.GetQuerystringData()["a"] == "SendMessage") { //To handle AOL webmail string encodedMessage = mimeMultipart.Attributes["requests"]; if (encodedMessage.StartsWith("[{") && encodedMessage.EndsWith("}]")) { encodedMessage = encodedMessage.Substring(2, encodedMessage.Length - 4); } int startIndex = -1; int endIndex = -1; while (endIndex < encodedMessage.Length - 2) { //startIndex = endIndex + 1; if (endIndex > 0) { startIndex = encodedMessage.IndexOf(',', endIndex) + 1; } else { startIndex = 0; } bool escapedString = encodedMessage[startIndex] == '\"'; if (escapedString) { startIndex = encodedMessage.IndexOf('\"', startIndex) + 1; endIndex = encodedMessage.IndexOf('\"', startIndex); while (encodedMessage[endIndex - 1] == '\\') { endIndex = encodedMessage.IndexOf('\"', endIndex + 1); } } else { endIndex = encodedMessage.IndexOf(':', startIndex); } string attributeName = encodedMessage.Substring(startIndex, endIndex - startIndex); #if DEBUG //System.Diagnostics.Debug.Assert(encodedMessage[endIndex + 1] == ':'); if (encodedMessage[endIndex] != ':' && encodedMessage[endIndex + 1] != ':') { System.Diagnostics.Debugger.Break(); } #endif startIndex = encodedMessage.IndexOf(':', endIndex) + 1; escapedString = encodedMessage[startIndex] == '\"'; if (escapedString) { startIndex = encodedMessage.IndexOf('\"', startIndex) + 1; endIndex = encodedMessage.IndexOf('\"', startIndex); while (encodedMessage[endIndex - 1] == '\\') { endIndex = encodedMessage.IndexOf('\"', endIndex + 1); } } else if (encodedMessage.IndexOf(',', startIndex) > 0) { endIndex = encodedMessage.IndexOf(',', startIndex); } else { endIndex = encodedMessage.Length; } string attributeValue = encodedMessage.Substring(startIndex, endIndex - startIndex); //replace some special characters encodedMessage = encodedMessage.Replace("\\n", System.Environment.NewLine).Replace("\\r", "\r").Replace("\\t", "\t"); mimeMultipart.Attributes.Add(attributeName, attributeValue); } //END OF AOL WEBMAIL CODE } } this.MainPacketHandler.ExtractMultipartFormData(formMultipartData, sourceHost, destinationHost, tcpPacket.ParentFrame.Timestamp, httpPacket.ParentFrame.FrameNumber, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, ApplicationLayerProtocol.Http, cookieParams); } } } } } else //reply { if (httpPacket.ServerBanner != null && httpPacket.ServerBanner.Length > 0) { sourceHost.AddHttpServerBanner(httpPacket.ServerBanner, tcpPacket.SourcePort); } if (httpPacket.WwwAuthenticateRealm != null && httpPacket.WwwAuthenticateRealm.Length > 0) { sourceHost.AddHostName(httpPacket.WwwAuthenticateRealm); sourceHost.ExtraDetailsList["WWW-Authenticate realm"] = httpPacket.WwwAuthenticateRealm; } if (mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true)) { FileTransfer.FileStreamAssembler assembler = mainPacketHandler.FileStreamAssemblerList.GetAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true); //http://www.mail-archive.com/[email protected]/msg08695.html //There could also be no content-length when http-keepalives are not used. //In that case, the client just collects all data till the TCP-FIN. //-1 is set instead of null if Content-Length is not defined if (httpPacket.ContentLength >= 0 || httpPacket.ContentLength == -1) { assembler.FileContentLength = httpPacket.ContentLength; assembler.FileSegmentRemainingBytes = httpPacket.ContentLength;//we get the whole file in one segment (one serie of TCP packets) } if (httpPacket.ContentLength == 0) { mainPacketHandler.FileStreamAssemblerList.Remove(assembler, true); } else { if (httpPacket.ContentDispositionFilename != null) { assembler.Filename = httpPacket.ContentDispositionFilename; } //append content type extention to file name if (httpPacket.ContentType != null && httpPacket.ContentType.Contains("/") && httpPacket.ContentType.IndexOf('/') < httpPacket.ContentType.Length - 1) { string extension = Utils.StringManglerUtil.GetExtension(httpPacket.ContentType); /* * string extension=httpPacket.ContentType.Substring(httpPacket.ContentType.IndexOf('/')+1); * if(extension.Contains(";")) * extension=extension.Substring(0, extension.IndexOf(";")); * */ if (extension.Length > 0 && !assembler.Filename.EndsWith("." + extension, StringComparison.InvariantCultureIgnoreCase) && !(assembler.Filename.EndsWith("jpg", StringComparison.InvariantCultureIgnoreCase) && extension.Equals("jpeg", StringComparison.InvariantCultureIgnoreCase)) && !(assembler.Filename.EndsWith("htm", StringComparison.InvariantCultureIgnoreCase) && extension.Equals("html", StringComparison.InvariantCultureIgnoreCase))) { //append the content type as extension assembler.Filename = assembler.Filename + "." + extension; } } if (httpPacket.TransferEncoding == "chunked") { assembler.FileStreamType = FileTransfer.FileStreamTypes.HttpGetChunked; } if (httpPacket.ContentEncoding != null && httpPacket.ContentEncoding.Length > 0) { if (httpPacket.ContentEncoding.Equals("gzip"))//I'll only care aboute gzip for now { assembler.ContentEncoding = Packets.HttpPacket.ContentEncodings.Gzip; } else if (httpPacket.ContentEncoding.Equals("deflate"))//http://tools.ietf.org/html/rfc1950 { assembler.ContentEncoding = Packets.HttpPacket.ContentEncodings.Deflate; } } if (assembler.TryActivate()) { //the assembler is now ready to receive data if (httpPacket.MessageBody != null && httpPacket.MessageBody.Length > 0) { if (assembler.FileStreamType == FileTransfer.FileStreamTypes.HttpGetChunked || httpPacket.MessageBody.Length <= assembler.FileSegmentRemainingBytes || assembler.FileSegmentRemainingBytes == -1) { assembler.AddData(httpPacket.MessageBody, tcpPacket.SequenceNumber); } } } } //} //else { // mainPacketHandler.FileStreamAssemblerList.Remove(assembler, true); //} } } return(true); }
private (string username, string realm) GetUserAndRealm(KerberosPacket kerberosPacket, NetworkHost sourceHost, NetworkHost destinationHost) { string username = ""; string realm = ""; List <string> spnParts = new List <string>(); int lastInt = 0; foreach (var item in kerberosPacket.AsnData) { if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.Integer)//Utils.ByteConverter.Asn1TypeTag.Integer { lastInt = (int)Utils.ByteConverter.ToUInt32(item.Item3); } else if (stringTypes.Contains(item.Item2)) { string itemString = Utils.ByteConverter.ReadString(item.Item3); //if(kerberosPacket.MsgType == KerberosPacket.MessageType.krb_ap_req) { /** rfc1510 / http://web.mit.edu/freebsd/head/crypto/heimdal/lib/asn1/krb5.asn1 * KDC-REQ-BODY ::= SEQUENCE { * kdc-options[0] KDCOptions, * cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ * realm[2] Realm, -- Server's realm * -- Also client's in AS-REQ * sname[3] PrincipalName OPTIONAL, * from[4] KerberosTime OPTIONAL, * till[5] KerberosTime OPTIONAL, * rtime[6] KerberosTime OPTIONAL, * nonce[7] krb5int32, * etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType, * -- in preference order * addresses[9] HostAddresses OPTIONAL, * enc-authorization-data[10] EncryptedData OPTIONAL, * -- Encrypted AuthorizationData encoding * additional-tickets[11] SEQUENCE OF Ticket OPTIONAL * } **/ if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameRequestPaths.Contains(item.Item1) && itemString.EndsWith("$")) { string hostname = itemString.TrimEnd(new[] { '$' }); sourceHost.AddHostName(hostname, kerberosPacket.PacketTypeDescription); //parameters.Add("Hostname (" + item.Item1 + ")", hostname); realm = hostname; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameResponsePaths.Contains(item.Item1) && itemString.EndsWith("$")) { string hostname = itemString.TrimEnd(new[] { '$' }); destinationHost.AddHostName(hostname, kerberosPacket.PacketTypeDescription); //parameters.Add("Hostname (" + item.Item1 + ")", hostname); realm = hostname; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && (usernameRequestPaths.Contains(item.Item1) || usernameResponsePaths.Contains(item.Item1)) && !itemString.EndsWith("$")) { if (usernameRequestPaths.Contains(item.Item1)) { base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp)); sourceHost.AddNumberedExtraDetail("Kerberos Username", itemString); username = itemString; } else if (usernameResponsePaths.Contains(item.Item1)) { base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp)); destinationHost.AddNumberedExtraDetail("Kerberos Username", itemString); username = itemString; } #if DEBUG else { System.Diagnostics.Debugger.Break(); } #endif //parameters.Add("Username (" + item.Item1 + ")", username); } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && domainPaths.Contains(item.Item1)) { sourceHost.AddDomainName(itemString); destinationHost.AddDomainName(itemString); //parameters.Add("Realm (" + item.Item1 + ")", itemString); realm = itemString; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && hostnameResponsePaths.Contains(item.Item1)) { spnParts.Add(itemString); } else { //parameters.Add(item.Item1 + " " + Enum.GetName(typeof(Utils.ByteConverter.Asn1TypeTag), item.Item2), itemString); } } } if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && spnParts.Count > 0) { username = string.Join("/", spnParts); } return(username, realm); }