public void TelnetPasswordParser_ParseTelnetCharModePassword_ParseSuccess()
{
// Arrange
var telnetParser = new PcapAnalyzer.TelnetPasswordParser();
var session = new PcapAnalyzer.TcpSession();
var expected = new PcapAnalyzer.NetworkPassword()
{
Username = "******",
Password = "******",
Destination = "2.2.2.2",
Source = "1.1.1.1",
Protocol = "Telnet"
};
// Mock a session where the user is "us" and the password is "Secret123".
session.Data = Encoding.ASCII.GetBytes("login:uuss" + Environment.NewLine + "Password:Secret123");
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "login:"******"1.1.1.1", "2.2.2.2", 5472, 21, "u"));
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "u"));
session.Packets.Add(mockPacket("1.1.1.1", "2.2.2.2", 5472, 21, "s"));
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "s"));
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "Password:"******"1.1.1.1", "2.2.2.2", 5472, 21, "Secret123"));
session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "some dummy data"));
// Act.
PcapAnalyzer.NetworkPassword password = (telnetParser.Parse(session) as PcapAnalyzer.NetworkPassword);
// Assert.
Assert.AreEqual(expected, password);
}
public void FtpPasswordParser_ParseFtpPassword_ParseSuccess()
{
// Arrange.
var ftpParsrer = new PcapAnalyzer.FtpPasswordParser();
var session = new PcapAnalyzer.TcpSession();
session.SourceIp = "1.1.1.1";
session.DestinationIp = "2.2.2.2";
session.Data = Encoding.UTF8.GetBytes(
@"220 Chris Sanders FTP Server
USER csanders
331 Password required for csanders.
PASS echo
230 User csanders logged in.");
// Act.
PcapAnalyzer.NetworkPassword passsword = (ftpParsrer.Parse(session) as PcapAnalyzer.NetworkPassword);
// Assert.
Assert.AreEqual("csanders", passsword.Username);
Assert.AreEqual("echo", passsword.Password);
}
public void NtlmPasswordParser_ParseSmbNTLMv2Session_ParseSuccess()
{
// Arrange
var ntlmParser = new PcapAnalyzer.NtlmsspHashParser();
var session = new PcapAnalyzer.TcpSession();
var serverPacket = new PcapAnalyzer.TcpPacket()
{
SourceIp = "2.2.2.2",
DestinationIp = "1.1.1.1",
Data = new byte[]
{
0x00, 0x00, 0x00, 0xf8, 0xfe, 0x53, 0x4d, 0x42, 0x40, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0xc0,
0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x94,
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x48, 0x00, 0xb0, 0x00, 0x4e, 0x54, 0x4c, 0x4d,
0x53, 0x53, 0x50, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x38, 0x00, 0x00, 0x00,
0x35, 0x02, 0x89, 0xe2, 0x01, 0x15, 0x18, 0x13, 0xd2, 0x89, 0x8c, 0xcd, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x70, 0x00, 0x70, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x39, 0x38,
0x00, 0x00, 0x00, 0x0f, 0x53, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00, 0x02, 0x00, 0x08, 0x00,
0x53, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x57, 0x00, 0x53, 0x00,
0x32, 0x00, 0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x04, 0x00, 0x0e, 0x00, 0x73, 0x00, 0x75, 0x00,
0x73, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x03, 0x00, 0x1c, 0x00, 0x57, 0x00,
0x53, 0x00, 0x32, 0x00, 0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x2e, 0x00, 0x73, 0x00, 0x75, 0x00,
0x73, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x05, 0x00, 0x0e, 0x00, 0x73, 0x00,
0x75, 0x00, 0x73, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x07, 0x00, 0x08, 0x00,
0x8a, 0x8c, 0xe7, 0xa9, 0xf4, 0xce, 0xd2, 0x01, 0x00, 0x00, 0x00, 0x00
}
};
var clientPacket = new PcapAnalyzer.TcpPacket()
{
SourceIp = "1.1.1.1",
DestinationIp = "2.2.2.2",
Data = new byte[]
{
0x00, 0x00, 0x01, 0x68, 0xfe, 0x53, 0x4d, 0x42, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x94,
0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x58, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4e, 0x54, 0x4c, 0x4d,
0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x9c, 0x00, 0x9c, 0x00, 0x40, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0xdc, 0x00, 0x00, 0x00,
0x1a, 0x00, 0x1a, 0x00, 0xe4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x00, 0x00, 0x00,
0x10, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x35, 0x02, 0x88, 0xe0, 0x39, 0xdb, 0xdb, 0xeb,
0x1b, 0xdd, 0x29, 0xb0, 0x7a, 0x5d, 0x20, 0xc8, 0xf8, 0x2f, 0x2c, 0xb7, 0x01, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x8a, 0x8c, 0xe7, 0xa9, 0xf4, 0xce, 0xd2, 0x01, 0xe7, 0x96, 0x9a, 0x04,
0x87, 0x2c, 0x16, 0x89, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x00, 0x53, 0x00, 0x55, 0x00,
0x53, 0x00, 0x45, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x57, 0x00, 0x53, 0x00, 0x32, 0x00, 0x30, 0x00,
0x31, 0x00, 0x36, 0x00, 0x04, 0x00, 0x0e, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00, 0x65, 0x00,
0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x03, 0x00, 0x1c, 0x00, 0x57, 0x00, 0x53, 0x00, 0x32, 0x00,
0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x2e, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00, 0x65, 0x00,
0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x05, 0x00, 0x0e, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00,
0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x07, 0x00, 0x08, 0x00, 0x8a, 0x8c, 0xe7, 0xa9,
0xf4, 0xce, 0xd2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x53, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00,
0x61, 0x00, 0x64, 0x00, 0x6d, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00,
0x72, 0x00, 0x61, 0x00, 0x74, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x00, 0x00, 0xb2, 0xe8, 0x76, 0x55,
0x9c, 0x9c, 0x58, 0xb0, 0x34, 0x4b, 0xd5, 0xa9, 0x9f, 0x8e, 0x98, 0x55
}
};
session.Packets.Add(serverPacket);
session.Packets.Add(clientPacket);
// Act.
var hash = ntlmParser.Parse(session) as PcapAnalyzer.NtlmHash;
// Assert.
Assert.AreEqual("NTLMSSP", hash.Protocol);
Assert.AreEqual("administrator", hash.User);
Assert.AreEqual("SUSE", hash.Domain);
Assert.AreEqual(hash.NtHash.Length, 312);
}
