public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <AbstractPacket> packetList)
{
ITransportLayerPacket transportLayerPacket = packetList.OfType <ITransportLayerPacket>().First();
foreach (CifsBrowserPacket browser in packetList.OfType <CifsBrowserPacket>())
{
System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
if (!string.IsNullOrEmpty(browser.Hostname))
{
sourceHost.AddHostName(browser.Hostname, browser.PacketTypeDescription);
}
if (!string.IsNullOrEmpty(browser.DomainOrWorkgroup))
{
sourceHost.AddDomainName(browser.DomainOrWorkgroup);
}
if (browser.OSVersion.major > 0 || browser.OSVersion.minor > 0)
{
sourceHost.AddNumberedExtraDetail("Windows Version", "" + browser.OSVersion.major + "." + browser.OSVersion.minor);
}
if (browser.Uptime != null)
{
parameters.Add("CIFS Browser Service Uptime", browser.Uptime.Value.ToString());
}
if (parameters.Count > 0)
{
//TODO: figure out the five tuple!
Events.ParametersEventArgs pe = new Events.ParametersEventArgs(browser.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, browser.ParentFrame.Timestamp, "CIFS Browser/MS-BRWS Uptime");
//var pe = new Events.ParametersEventArgs(browser.ParentFrame.FrameNumber, ft, true, parameters, browser.ParentFrame.Timestamp, "CIFS Browser/MS-BRWS Uptime");
base.MainPacketHandler.OnParametersDetected(pe);
}
}
}
private void ExtractData(ref NetworkHost sourceHost, Packets.HpSwitchProtocolPacket.HpSwField hpswField)
{
if (hpswField.TypeByte == (byte)Packets.HpSwitchProtocolPacket.HpSwField.FieldType.DeviceName)
{
if (!sourceHost.ExtraDetailsList.ContainsKey("HPSW Device Name"))
{
sourceHost.ExtraDetailsList.Add("HPSW Device Name", hpswField.ValueString);
//sourceHost.HostNameList.Add(hpswField.ValueString);
sourceHost.AddHostName(hpswField.ValueString);
}
}
else if (hpswField.TypeByte == (byte)Packets.HpSwitchProtocolPacket.HpSwField.FieldType.Version)
{
if (!sourceHost.ExtraDetailsList.ContainsKey("HPSW Firmware version"))
{
sourceHost.ExtraDetailsList.Add("HPSW Firmware version", hpswField.ValueString);
}
}
else if (hpswField.TypeByte == (byte)Packets.HpSwitchProtocolPacket.HpSwField.FieldType.Config)
{
if (!sourceHost.ExtraDetailsList.ContainsKey("HPSW Config"))
{
sourceHost.ExtraDetailsList.Add("HPSW Config", hpswField.ValueString);
}
}
else if (hpswField.TypeByte == (byte)Packets.HpSwitchProtocolPacket.HpSwField.FieldType.MacAddress)
{
sourceHost.MacAddress = new System.Net.NetworkInformation.PhysicalAddress(hpswField.ValueBytes);
}
}
private void ExtractData(Packets.NetBiosDatagramServicePacket netBiosDatagramServicePacket, NetworkHost sourceHost)
{
if (netBiosDatagramServicePacket != null)
{
if (netBiosDatagramServicePacket.SourceNetBiosName != null && netBiosDatagramServicePacket.SourceNetBiosName.Length > 0)
{
sourceHost.AddHostName(netBiosDatagramServicePacket.SourceNetBiosName, netBiosDatagramServicePacket.PacketTypeDescription);
}
}
}
private void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, Packets.DhcpPacket dhcpPacket)
{
if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootRequest && (sourceHost.MacAddress == null || dhcpPacket.ClientMacAddress != sourceHost.MacAddress))
{
sourceHost.MacAddress = dhcpPacket.ClientMacAddress;
}
else if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootReply && (destinationHost.MacAddress == null || dhcpPacket.ClientMacAddress != destinationHost.MacAddress))
{
destinationHost.MacAddress = dhcpPacket.ClientMacAddress;
}
if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootReply && (dhcpPacket.GatewayIpAddress != null && dhcpPacket.GatewayIpAddress != System.Net.IPAddress.None && dhcpPacket.GatewayIpAddress.Address > 0))
{
destinationHost.ExtraDetailsList["Default Gateway"] = dhcpPacket.GatewayIpAddress.ToString();
}
System.Collections.Specialized.NameValueCollection optionParameterList = new System.Collections.Specialized.NameValueCollection();
//now check all the DHCP options
//byte dhcpMessageType=0x00;//1=Discover, 2=Offer, 3=Request, 5=Ack, 8=Inform
foreach (Packets.DhcpPacket.Option option in dhcpPacket.OptionList)
{
//TODO: Add option to Parameters list
if (option.OptionCode == 12)//hostname
{
string hostname = Utils.ByteConverter.ReadString(option.OptionValue);
sourceHost.AddHostName(hostname);
optionParameterList.Add("DHCP Option 12 Hostname", hostname);
}
else if (option.OptionCode == 15)//Domain Name
{
string domain = Utils.ByteConverter.ReadString(option.OptionValue);
sourceHost.AddDomainName(domain);
optionParameterList.Add("DHCP Option 15 Domain", domain);
}
else if (option.OptionCode == 50) //requested IP address
{
if (dhcpPacket.DhcpMessageType == 3) //Must be a DHCP Request
{
System.Net.IPAddress requestedIpAddress = new System.Net.IPAddress(option.OptionValue);
if (sourceHost.IPAddress != requestedIpAddress)
{
if (!base.MainPacketHandler.NetworkHostList.ContainsIP(requestedIpAddress))
{
NetworkHost clonedHost = new NetworkHost(requestedIpAddress);
clonedHost.MacAddress = sourceHost.MacAddress;
//foreach(string hostname in sourceHost.HostNameList)
// clonedHost.AddHostName(hostname);
lock (base.MainPacketHandler.NetworkHostList)
base.MainPacketHandler.NetworkHostList.Add(clonedHost);
//now change the host to the cloned one (and hope it works out...)
sourceHost = clonedHost;
}
else
{
sourceHost = base.MainPacketHandler.NetworkHostList.GetNetworkHost(requestedIpAddress);
if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootRequest && (sourceHost.MacAddress == null || dhcpPacket.ClientMacAddress != sourceHost.MacAddress))
{
sourceHost.MacAddress = dhcpPacket.ClientMacAddress;
}
}
}
if (sourceHost.MacAddress != null && previousIpList.ContainsKey(sourceHost.MacAddress.ToString()))
{
//if(previousIpList.ContainsKey(sourceHost.MacAddress.ToString())) {
sourceHost.AddNumberedExtraDetail("Previous IP", previousIpList[sourceHost.MacAddress.ToString()].ToString());
//sourceHost.ExtraDetailsList["Previous IP"]=previousIpList[sourceHost.MacAddress.ToString()].ToString();
previousIpList.Remove(sourceHost.MacAddress.ToString());
}
}
else if (dhcpPacket.DhcpMessageType == 1)//DHCP discover
//see which IP address the client hade previously
//They normally requests the same IP as they hade before...
{
System.Net.IPAddress requestedIpAddress = new System.Net.IPAddress(option.OptionValue);
this.previousIpList[sourceHost.MacAddress.ToString()] = requestedIpAddress;
}
}
/*
* else if(option.OptionCode==53) {//DHCP message type
* if(option.OptionValue!=null && option.OptionValue.Length==1)
* dhcpMessageType=option.OptionValue[0];
* }/*/
else if (option.OptionCode == 60)//vendor class identifier
{
string vendorCode = Utils.ByteConverter.ReadString(option.OptionValue);
sourceHost.AddDhcpVendorCode(vendorCode);
optionParameterList.Add("DHCP Option 60 Vendor Code", vendorCode);
}
else if (option.OptionCode == 81) //Client Fully Qualified Domain Name
{
string domain = Utils.ByteConverter.ReadString(option.OptionValue, 3, option.OptionValue.Length - 3);
sourceHost.AddHostName(domain);
optionParameterList.Add("DHCP Option 81 Domain", domain);
}
else if (option.OptionCode == 125) //V-I Vendor-specific Information http://tools.ietf.org/html/rfc3925
{
uint enterpriceNumber = Utils.ByteConverter.ToUInt32(option.OptionValue, 0);
optionParameterList.Add("DHCP Option 125 Enterprise Number", enterpriceNumber.ToString());
byte dataLen = option.OptionValue[4];
if (dataLen > 0 && option.OptionValue.Length >= 5 + dataLen)
{
string optionData = Utils.ByteConverter.ReadString(option.OptionValue, 5, dataLen);
optionParameterList.Add("DHCP Option 125 Data", optionData);
}
}
else
{
string optionValueString = Utils.ByteConverter.ReadString(option.OptionValue);
if (!System.Text.RegularExpressions.Regex.IsMatch(optionValueString, @"[^\u0020-\u007E]"))
{
optionParameterList.Add("DHCP Option " + option.OptionCode.ToString(), optionValueString);
}
}
}
if (optionParameterList.Count > 0)
{
//try to get the udp packet
string sourcePort = "UNKNOWN";
string destinationPort = "UNKNOWN";
foreach (Packets.AbstractPacket p in dhcpPacket.ParentFrame.PacketList)
{
if (p.GetType() == typeof(Packets.UdpPacket))
{
Packets.UdpPacket udpPacket = (Packets.UdpPacket)p;
sourcePort = "UDP " + udpPacket.SourcePort;
destinationPort = "UDP " + udpPacket.DestinationPort;
break;
}
}
Events.ParametersEventArgs ea = new Events.ParametersEventArgs(dhcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, sourcePort, destinationPort, optionParameterList, dhcpPacket.ParentFrame.Timestamp, "DHCP Option");
MainPacketHandler.OnParametersDetected(ea);
}
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
Packets.IrcPacket ircPacket = null;
Packets.TcpPacket tcpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
else if (p.GetType() == typeof(Packets.IrcPacket))
{
ircPacket = (Packets.IrcPacket)p;
}
}
if (ircPacket != null && tcpPacket != null)
{
System.Collections.Specialized.NameValueCollection tmpCol = new System.Collections.Specialized.NameValueCollection();
foreach (Packets.IrcPacket.Message m in ircPacket.Messages)
{
tmpCol.Add(m.Command, m.ToString());
if (m.Command.Equals("USER", StringComparison.InvariantCultureIgnoreCase))
{
//the first parameter is the username
List <string> parameters = new List <string>();
foreach (string s in m.Parameters)
{
parameters.Add(s);
}
if (parameters.Count > 0)
{
string ircUser = parameters[0];
IrcSession ircSession;
if (this.ircSessionList.ContainsKey(tcpSession))
{
ircSession = ircSessionList[tcpSession];
}
else
{
ircSession = new IrcSession();
this.ircSessionList.Add(tcpSession, ircSession);
}
ircSession.User = ircUser;
sourceHost.AddNumberedExtraDetail("IRC Username", ircUser);
//NetworkCredential ircUserCredential = new NetworkCredential(sourceHost, destinationHost, "IRC", ircUser, "N/A (only IRC Username)", ircPacket.ParentFrame.Timestamp);
this.MainPacketHandler.AddCredential(ircSession.GetCredential(sourceHost, destinationHost, ircPacket.ParentFrame.Timestamp));
}
if (parameters.Count > 1)
{
sourceHost.AddHostName(parameters[1]);
}
if (parameters.Count > 2)
{
destinationHost.AddHostName(parameters[2]);
}
}
else if (m.Command.Equals("NICK", StringComparison.InvariantCultureIgnoreCase))
{
IEnumerator <string> enumerator = m.Parameters.GetEnumerator();
if (enumerator.MoveNext()) //move to the first position
{
string ircNick = enumerator.Current;
IrcSession ircSession;
if (this.ircSessionList.ContainsKey(tcpSession))
{
ircSession = ircSessionList[tcpSession];
}
else
{
ircSession = new IrcSession();
this.ircSessionList.Add(tcpSession, ircSession);
}
ircSession.Nick = ircNick;
sourceHost.AddNumberedExtraDetail("IRC Nick", ircNick);
//NetworkCredential ircNicCredential = new NetworkCredential(sourceHost, destinationHost, "IRC", enumerator.Current, "N/A (only IRC Nick)", ircPacket.ParentFrame.Timestamp);
this.MainPacketHandler.AddCredential(ircSession.GetCredential(sourceHost, destinationHost, ircPacket.ParentFrame.Timestamp));
}
}
else if (m.Command.Equals("PASS", StringComparison.InvariantCultureIgnoreCase))
{
IEnumerator <string> enumerator = m.Parameters.GetEnumerator();
if (enumerator.MoveNext()) //move to the first position
{
string ircPass = enumerator.Current;
IrcSession ircSession;
if (this.ircSessionList.ContainsKey(tcpSession))
{
ircSession = ircSessionList[tcpSession];
}
else
{
ircSession = new IrcSession();
this.ircSessionList.Add(tcpSession, ircSession);
}
ircSession.Pass = ircPass;
this.MainPacketHandler.AddCredential(ircSession.GetCredential(sourceHost, destinationHost, ircPacket.ParentFrame.Timestamp));
}
}
else if (m.Command.Equals("PRIVMSG", StringComparison.InvariantCultureIgnoreCase))
{
//first parameter is recipient, second is message
List <string> parameters = new List <string>();
foreach (string s in m.Parameters)
{
parameters.Add(s);
}
if (parameters.Count >= 2)
{
System.Collections.Specialized.NameValueCollection attributes = new System.Collections.Specialized.NameValueCollection();
attributes.Add("Command", m.Command);
string from = "";
if (m.Prefix != null && m.Prefix.Length > 0)
{
attributes.Add("Prefix", m.Prefix);
from = m.Prefix;
}
for (int i = 0; i < parameters.Count; i++)
{
attributes.Add("Parameter " + (i + 1), parameters[i]);
}
base.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(ApplicationLayerProtocol.Irc, sourceHost, destinationHost, ircPacket.ParentFrame.FrameNumber, ircPacket.ParentFrame.Timestamp, from, parameters[0], parameters[1], parameters[1], attributes));
}
}
}
if (tmpCol.Count > 0)
{
base.MainPacketHandler.OnParametersDetected(new PacketParser.Events.ParametersEventArgs(ircPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, tmpCol, tcpPacket.ParentFrame.Timestamp, "IRC packet"));
return(ircPacket.ParsedBytesCount);
}
}
return(0);
}
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
Packets.DnsPacket dnsPacket = null;
Packets.IIPPacket ipPacket = null;
Packets.ITransportLayerPacket transportLayerPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.DnsPacket))
{
dnsPacket = (Packets.DnsPacket)p;
}
else if (p is Packets.IIPPacket)
{
ipPacket = (Packets.IIPPacket)p;
}
/*else if(p.GetType()==typeof(Packets.IPv6Packet))
* ipv6Packet=(Packets.IPv6Packet)p;*/
else if (p is Packets.ITransportLayerPacket tlp)
{
transportLayerPacket = tlp;
}
}
if (dnsPacket != null)
{
//ExtractDnsData(dnsPacket);
if (dnsPacket.Flags.Response)
{
System.Collections.Specialized.NameValueCollection cNamePointers = new System.Collections.Specialized.NameValueCollection();
if (dnsPacket.AnswerRecords != null && dnsPacket.AnswerRecords.Length > 0)
{
foreach (Packets.DnsPacket.ResourceRecord r in dnsPacket.AnswerRecords)
{
if (r.IP != null)
{
if (!base.MainPacketHandler.NetworkHostList.ContainsIP(r.IP))
{
NetworkHost host = new NetworkHost(r.IP);
host.AddHostName(r.DNS, dnsPacket.PacketTypeDescription);
lock (base.MainPacketHandler.NetworkHostList)
base.MainPacketHandler.NetworkHostList.Add(host);
MainPacketHandler.OnNetworkHostDetected(new Events.NetworkHostEventArgs(host));
//base.MainPacketHandler.ParentForm.ShowDetectedHost(host);
}
else
{
base.MainPacketHandler.NetworkHostList.GetNetworkHost(r.IP).AddHostName(r.DNS, dnsPacket.PacketTypeDescription);
}
if (cNamePointers[r.DNS] != null)
{
base.MainPacketHandler.NetworkHostList.GetNetworkHost(r.IP).AddHostName(cNamePointers[r.DNS], dnsPacket.PacketTypeDescription);
}
}
else if (r.Type == (ushort)Packets.DnsPacket.RRTypes.CNAME)
{
cNamePointers.Add(r.PrimaryName, r.DNS);
}
MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(r, sourceHost, destinationHost, ipPacket, transportLayerPacket));
//base.MainPacketHandler.ParentForm.ShowDnsRecord(r, sourceHost, destinationHost, ipPakcet, udpPacket);
}
}
else
{
//display the flags instead
//TODO : MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(
if (dnsPacket.QueriedDnsName != null && dnsPacket.QueriedDnsName.Length > 0)
{
MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(new Packets.DnsPacket.ResponseWithErrorCode(dnsPacket), sourceHost, destinationHost, ipPacket, transportLayerPacket));
}
}
}
else //DNS request
{
if (dnsPacket.QueriedDnsName != null && dnsPacket.QueriedDnsName.Length > 0)
{
sourceHost.AddQueriedDnsName(dnsPacket.QueriedDnsName);
}
}
}
}
private (string username, string realm) GetUserAndRealm(KerberosPacket kerberosPacket, NetworkHost sourceHost, NetworkHost destinationHost)
{
string username = "";
string realm = "";
List <string> spnParts = new List <string>();
foreach (var item in kerberosPacket.AsnData.Where(item => stringTypes.Contains(item.Item2)))
{
string itemString = Utils.ByteConverter.ReadString(item.Item3);
if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameRequestPaths.Contains(item.Item1) && itemString.EndsWith("$"))
{
string hostname = itemString.TrimEnd(new[] { '$' });
sourceHost.AddHostName(hostname);
//parameters.Add("Hostname (" + item.Item1 + ")", hostname);
realm = hostname;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameResponsePaths.Contains(item.Item1) && itemString.EndsWith("$"))
{
string hostname = itemString.TrimEnd(new[] { '$' });
destinationHost.AddHostName(hostname);
//parameters.Add("Hostname (" + item.Item1 + ")", hostname);
realm = hostname;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && (usernameRequestPaths.Contains(item.Item1) || usernameResponsePaths.Contains(item.Item1)) && !itemString.EndsWith("$"))
{
if (usernameRequestPaths.Contains(item.Item1))
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp));
sourceHost.AddNumberedExtraDetail("Kerberos Username", itemString);
username = itemString;
}
else if (usernameResponsePaths.Contains(item.Item1))
{
base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp));
destinationHost.AddNumberedExtraDetail("Kerberos Username", itemString);
username = itemString;
}
#if DEBUG
else
{
System.Diagnostics.Debugger.Break();
}
#endif
//parameters.Add("Username (" + item.Item1 + ")", username);
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && domainPaths.Contains(item.Item1))
{
sourceHost.AddDomainName(itemString);
destinationHost.AddDomainName(itemString);
//parameters.Add("Realm (" + item.Item1 + ")", itemString);
realm = itemString;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && hostnameResponsePaths.Contains(item.Item1))
{
spnParts.Add(itemString);
}
else
{
//parameters.Add(item.Item1 + " " + Enum.GetName(typeof(Utils.ByteConverter.Asn1TypeTag), item.Item2), itemString);
}
}
if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && spnParts.Count > 0)
{
username = string.Join("/", spnParts);
}
return(username, realm);
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
//bool successfulExtraction=false;
int successfullyExtractedBytes = 0;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.NtlmSspPacket))
{
Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;
if (ntlmPacket.NtlmChallenge != null)
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge;
}
else
{
ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge);
}
}
if (ntlmPacket.DomainName != null)
{
sourceHost.AddDomainName(ntlmPacket.DomainName);
}
if (ntlmPacket.HostName != null)
{
sourceHost.AddHostName(ntlmPacket.HostName);
}
if (ntlmPacket.UserName != null)
{
if (!sourceHost.ExtraDetailsList.ContainsKey("NTLM Username " + ntlmPacket.UserName))
{
sourceHost.ExtraDetailsList.Add("NTLM Username " + ntlmPacket.UserName, ntlmPacket.UserName);
}
string lanManagerHashInfo = null;
if (ntlmPacket.LanManagerResponse != null)
{
lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
}
if (ntlmPacket.NtlmResponse != null)
{
if (lanManagerHashInfo == null)
{
lanManagerHashInfo = "";
}
else
{
lanManagerHashInfo = lanManagerHashInfo + " - ";
}
lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse;
}
if (lanManagerHashInfo == null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
}
else
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[tcpSession.GetHashCode()] + " - " + lanManagerHashInfo;
}
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
}
}
successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed
}
}
return(successfullyExtractedBytes);
}
/// <summary>
///
/// </summary>
/// <param name="httpPacket"></param>
/// <param name="tcpPacket"></param>
/// <param name="sourceHost"></param>
/// <param name="destinationHost"></param>
/// <param name="mainPacketHandler"></param>
/// <returns>True if the data was successfully parsed. False if the data need to be parsed again with more data</returns>
private bool ExtractHttpData(Packets.HttpPacket httpPacket, Packets.TcpPacket tcpPacket, NetworkHost sourceHost, NetworkHost destinationHost, PacketHandler mainPacketHandler)
{
if (httpPacket.MessageTypeIsRequest)
{
//HTTP request
System.Collections.Specialized.NameValueCollection cookieParams = null;
if (httpPacket.UserAgentBanner != null && httpPacket.UserAgentBanner.Length > 0)
{
sourceHost.AddHttpUserAgentBanner(httpPacket.UserAgentBanner);
}
if (httpPacket.RequestedHost != null && httpPacket.RequestedHost.Length > 0)
{
destinationHost.AddHostName(httpPacket.RequestedHost);
}
if (httpPacket.Cookie != null)
{
cookieParams = new System.Collections.Specialized.NameValueCollection();
char[] separators = { ';', ',' };
foreach (string s in httpPacket.Cookie.Split(separators))
{
string cookieFragment = s.Trim();
int splitOffset = cookieFragment.IndexOf('=');
if (splitOffset > 0)
{
cookieParams.Add(cookieFragment.Substring(0, splitOffset), cookieFragment.Substring(splitOffset + 1));
}
else
{
cookieParams.Add(cookieFragment, "");
}
}
NetworkCredential inCookieCredential = NetworkCredential.GetNetworkCredential(cookieParams, sourceHost, destinationHost, "HTTP Cookie parameter", httpPacket.ParentFrame.Timestamp);
if (inCookieCredential != null)
{
mainPacketHandler.AddCredential(inCookieCredential);
}
mainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, cookieParams, httpPacket.ParentFrame.Timestamp, "HTTP Cookie"));
NetworkCredential credential = new NetworkCredential(sourceHost, destinationHost, "HTTP Cookie", httpPacket.Cookie, "N/A", httpPacket.ParentFrame.Timestamp);
mainPacketHandler.AddCredential(credential);
}
if (httpPacket.AuthorizationCredentialsUsername != null)
{
NetworkCredential nc = new NetworkCredential(sourceHost, destinationHost, httpPacket.PacketTypeDescription, httpPacket.AuthorizationCredentialsUsername, httpPacket.AuthorizationCredentialsPassword, httpPacket.ParentFrame.Timestamp);
mainPacketHandler.AddCredential(nc);
//this.AddCredential(nc);
}
if (httpPacket.HeaderFields != null && httpPacket.HeaderFields.Count > 0)
{
SortedList <string, string> ignoredHeaderNames = new SortedList <string, string>();
ignoredHeaderNames.Add("accept", null);
ignoredHeaderNames.Add("connection", null);
ignoredHeaderNames.Add("accept-language", null);
ignoredHeaderNames.Add("accept-encoding", null);
//Build a sortedList of all headers
System.Collections.Specialized.NameValueCollection httpHeaders = new System.Collections.Specialized.NameValueCollection();
//SortedList<string, string> httpHeaders = new SortedList<string, string>();
foreach (string header in httpPacket.HeaderFields)
{
int delimiterIndex = header.IndexOf(':');
if (delimiterIndex > 0 && delimiterIndex < header.Length)
{
string headerName = header.Substring(0, delimiterIndex).Trim();
//if (!httpHeaders.ContainsKey(headerName))
if (!ignoredHeaderNames.ContainsKey(headerName.ToLower()))
{
httpHeaders.Add(headerName, header.Substring(delimiterIndex + 1).Trim());
}
}
}
//mainPacketHandler.OnParametersDetected
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(httpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, httpHeaders, httpPacket.ParentFrame.Timestamp, "HTTP Header"));
foreach (string headerName in httpHeaders.Keys)
{
/**
* http://mobiforge.com/developing/blog/useful-x-headers
* http://nakedsecurity.sophos.com/2012/01/25/smartphone-website-telephone-number/
* http://www.nowsms.com/discus/messages/485/14998.html
* http://coding-talk.com/f46/check-isdn-10962/
**/
if (headerName.StartsWith("X-", StringComparison.InvariantCultureIgnoreCase))
{
sourceHost.AddNumberedExtraDetail("HTTP header: " + headerName, httpHeaders[headerName]);
}
else if (headerName.StartsWith("HTTP_X", StringComparison.InvariantCultureIgnoreCase))
{
sourceHost.AddNumberedExtraDetail("HTTP header: " + headerName, httpHeaders[headerName]);
}
else if (headerName.StartsWith("X_", StringComparison.InvariantCultureIgnoreCase))
{
sourceHost.AddNumberedExtraDetail("HTTP header: " + headerName, httpHeaders[headerName]);
}
else if (headerName.StartsWith("HTTP_MSISDN", StringComparison.InvariantCultureIgnoreCase))
{
sourceHost.AddNumberedExtraDetail("HTTP header: " + headerName, httpHeaders[headerName]);
}
}
}
//file transfer
if ((httpPacket.RequestMethod == Packets.HttpPacket.RequestMethods.GET || httpPacket.RequestMethod == Packets.HttpPacket.RequestMethods.POST) && httpPacket.RequestedFileName != null)
{
System.Collections.Specialized.NameValueCollection queryStringData = httpPacket.GetQuerystringData();
if (queryStringData != null && queryStringData.Count > 0)
{
//parentForm.ShowParameters(tcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP "+tcpPacket.SourcePort, "TCP "+tcpPacket.DestinationPort, queryStringData, tcpPacket.ParentFrame.Timestamp, "HTTP QueryString");
mainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, queryStringData, tcpPacket.ParentFrame.Timestamp, "HTTP QueryString"));
//mainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "HTTP GET QueryString",
NetworkCredential credential = NetworkCredential.GetNetworkCredential(queryStringData, sourceHost, destinationHost, "HTTP GET QueryString", tcpPacket.ParentFrame.Timestamp);
if (credential != null)
{
mainPacketHandler.AddCredential(credential);
}
if (queryStringData.HasKeys())
{
Dictionary <string, string> queryStringDictionary = new Dictionary <string, string>();
foreach (string key in queryStringData.AllKeys)
{
queryStringDictionary.Add(key, queryStringData[key]);
}
if (queryStringDictionary.ContainsKey("utmsr"))
{
sourceHost.AddNumberedExtraDetail("Screen resolution (Google Analytics)", queryStringDictionary["utmsr"]);
}
if (queryStringDictionary.ContainsKey("utmsc"))
{
sourceHost.AddNumberedExtraDetail("Color depth (Google Analytics)", queryStringDictionary["utmsc"]);
}
if (queryStringDictionary.ContainsKey("utmul"))
{
sourceHost.AddNumberedExtraDetail("Browser language (Google Analytics)", queryStringDictionary["utmul"]);
}
if (queryStringDictionary.ContainsKey("utmfl"))
{
sourceHost.AddNumberedExtraDetail("Flash version (Google Analytics)", queryStringDictionary["utmfl"]);
}
if (httpPacket.RequestMethod == Packets.HttpPacket.RequestMethods.POST && queryStringDictionary.ContainsKey("a") && queryStringDictionary["a"].Equals("SendMessage"))
{
if (!httpPacket.ContentIsComplete())//we must have all the content when parsing AOL data
{
return(false);
}
}
}
}
//file transfer stuff
string fileUri = httpPacket.RequestedFileName;
string queryString = null;
if (fileUri.Contains("?"))
{
if (fileUri.IndexOf('?') + 1 < fileUri.Length)
{
queryString = fileUri.Substring(fileUri.IndexOf('?') + 1);
}
fileUri = fileUri.Substring(0, fileUri.IndexOf('?'));
}
if (fileUri.StartsWith("http://"))
{
fileUri = fileUri.Substring(7);
}
if (fileUri.StartsWith("www.") && fileUri.Contains("/"))
{
fileUri = fileUri.Substring(fileUri.IndexOf("/"));
}
//char[] separators={ '/' };
char[] separators = new char[System.IO.Path.GetInvalidPathChars().Length + 1];
Array.Copy(System.IO.Path.GetInvalidPathChars(), separators, System.IO.Path.GetInvalidPathChars().Length);
separators[separators.Length - 1] = '/';
string[] uriParts = fileUri.Split(separators);
string filename;
string fileLocation = "";
if (fileUri.EndsWith("/"))
{
filename = "index.html";
for (int i = 0; i < uriParts.Length; i++)
{
if (uriParts[i].Length > 0 && !uriParts[i].Contains(".."))
{
fileLocation += "/" + uriParts[i];
}
}
}
else
{
filename = uriParts[uriParts.Length - 1];
for (int i = 0; i < uriParts.Length - 1; i++)
{
if (uriParts[i].Length > 0 && !uriParts[i].Contains(".."))
{
fileLocation += "/" + uriParts[i];
}
}
}
//make sure all queryString-depending dynamic webpages are shown individually
if (queryString != null && queryString.Length > 0)
{
filename += "." + queryString.GetHashCode().ToString("X4");
}
//I will have to switch source and destination host here since this is only the request, not the actual file transfer!
try {
//see if there is an old assembler that needs to be removed
if (mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true))
{
FileTransfer.FileStreamAssembler oldAssembler = mainPacketHandler.FileStreamAssemblerList.GetAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true);
mainPacketHandler.FileStreamAssemblerList.Remove(oldAssembler, true);
}
string fileDetails = httpPacket.RequestedFileName;
if (httpPacket.RequestedHost != null && httpPacket.RequestedHost.Length > 0 && httpPacket.RequestedFileName != null && httpPacket.RequestedFileName.StartsWith("/"))
{
fileDetails = httpPacket.RequestedHost + httpPacket.RequestedFileName;
}
FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, tcpPacket != null, FileTransfer.FileStreamTypes.HttpGetNormal, filename, fileLocation, fileDetails, httpPacket.ParentFrame.FrameNumber, httpPacket.ParentFrame.Timestamp);
//FileTransfer.FileStreamAssembler assembler=new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, tcpPacket!=null, FileTransfer.FileStreamTypes.HttpGetNormal, filename, fileLocation, httpPacket.RequestedFileName, httpPacket.ParentFrame.FrameNumber, httpPacket.ParentFrame.Timestamp);
mainPacketHandler.FileStreamAssemblerList.Add(assembler);
}
catch (Exception e) {
mainPacketHandler.OnAnomalyDetected("Error creating assembler for HTTP file transfer: " + e.Message);
}
//Large HTTP POSTs should also be dumped to files
//if(httpPacket.RequestMethod==Packets.HttpPacket.RequestMethods.POST && !httpPacket.ContentIsComplete() && httpPacket.ContentLength>4096 && httpPacket.ContentType.StartsWith("multipart/form-data")) {
if (httpPacket.RequestMethod == Packets.HttpPacket.RequestMethods.POST)
{
//All Multipart MIME HTTP POSTs should be dumped to file
//the fileAssembler extracts the form parameters after assembly
if (httpPacket.ContentType != null && httpPacket.ContentType.StartsWith("multipart/form-data"))
{
FileTransfer.FileStreamAssembler assembler = null;
try {
//see if there is an old assembler that needs to be removed
if (mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true))
{
FileTransfer.FileStreamAssembler oldAssembler = mainPacketHandler.FileStreamAssemblerList.GetAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true);
mainPacketHandler.FileStreamAssemblerList.Remove(oldAssembler, true);
}
string mimeBoundary;
if (httpPacket.ContentType.ToLower(System.Globalization.CultureInfo.InvariantCulture).StartsWith("multipart/form-data; boundary=") && httpPacket.ContentType.Length > 30)
{
mimeBoundary = httpPacket.ContentType.Substring(30);
}
else
{
mimeBoundary = "";
}
assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, tcpPacket != null, FileTransfer.FileStreamTypes.HttpPostMimeMultipartFormData, filename + ".form-data.mime", fileLocation, mimeBoundary, httpPacket.ParentFrame.FrameNumber, httpPacket.ParentFrame.Timestamp);
assembler.FileContentLength = httpPacket.ContentLength;
assembler.FileSegmentRemainingBytes = httpPacket.ContentLength;
mainPacketHandler.FileStreamAssemblerList.Add(assembler);
if (assembler.TryActivate())
{
//assembler is now active
if (httpPacket.MessageBody != null && httpPacket.MessageBody.Length > 0)
{
assembler.AddData(httpPacket.MessageBody, tcpPacket.SequenceNumber);
}
}
}
catch (Exception e) {
if (assembler != null)
{
assembler.Clear();
}
mainPacketHandler.OnAnomalyDetected("Error creating assembler for HTTP file transfer: " + e.Message);
}
}
else //form data (not multipart)
{
System.Collections.Generic.List <Mime.MultipartPart> formMultipartData = httpPacket.GetFormData();
if (formMultipartData != null)
{
foreach (Mime.MultipartPart mimeMultipart in formMultipartData)
{
if (mimeMultipart.Attributes["requests"] != null && httpPacket.GetQuerystringData() != null && httpPacket.GetQuerystringData()["a"] == "SendMessage")
{
//To handle AOL webmail
string encodedMessage = mimeMultipart.Attributes["requests"];
if (encodedMessage.StartsWith("[{") && encodedMessage.EndsWith("}]"))
{
encodedMessage = encodedMessage.Substring(2, encodedMessage.Length - 4);
}
int startIndex = -1;
int endIndex = -1;
while (endIndex < encodedMessage.Length - 2)
{
//startIndex = endIndex + 1;
if (endIndex > 0)
{
startIndex = encodedMessage.IndexOf(',', endIndex) + 1;
}
else
{
startIndex = 0;
}
bool escapedString = encodedMessage[startIndex] == '\"';
if (escapedString)
{
startIndex = encodedMessage.IndexOf('\"', startIndex) + 1;
endIndex = encodedMessage.IndexOf('\"', startIndex);
while (encodedMessage[endIndex - 1] == '\\')
{
endIndex = encodedMessage.IndexOf('\"', endIndex + 1);
}
}
else
{
endIndex = encodedMessage.IndexOf(':', startIndex);
}
string attributeName = encodedMessage.Substring(startIndex, endIndex - startIndex);
#if DEBUG
//System.Diagnostics.Debug.Assert(encodedMessage[endIndex + 1] == ':');
if (encodedMessage[endIndex] != ':' && encodedMessage[endIndex + 1] != ':')
{
System.Diagnostics.Debugger.Break();
}
#endif
startIndex = encodedMessage.IndexOf(':', endIndex) + 1;
escapedString = encodedMessage[startIndex] == '\"';
if (escapedString)
{
startIndex = encodedMessage.IndexOf('\"', startIndex) + 1;
endIndex = encodedMessage.IndexOf('\"', startIndex);
while (encodedMessage[endIndex - 1] == '\\')
{
endIndex = encodedMessage.IndexOf('\"', endIndex + 1);
}
}
else if (encodedMessage.IndexOf(',', startIndex) > 0)
{
endIndex = encodedMessage.IndexOf(',', startIndex);
}
else
{
endIndex = encodedMessage.Length;
}
string attributeValue = encodedMessage.Substring(startIndex, endIndex - startIndex);
//replace some special characters
encodedMessage = encodedMessage.Replace("\\n", System.Environment.NewLine).Replace("\\r", "\r").Replace("\\t", "\t");
mimeMultipart.Attributes.Add(attributeName, attributeValue);
}
//END OF AOL WEBMAIL CODE
}
}
this.MainPacketHandler.ExtractMultipartFormData(formMultipartData, sourceHost, destinationHost, tcpPacket.ParentFrame.Timestamp, httpPacket.ParentFrame.FrameNumber, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, ApplicationLayerProtocol.Http, cookieParams);
}
}
}
}
}
else //reply
{
if (httpPacket.ServerBanner != null && httpPacket.ServerBanner.Length > 0)
{
sourceHost.AddHttpServerBanner(httpPacket.ServerBanner, tcpPacket.SourcePort);
}
if (httpPacket.WwwAuthenticateRealm != null && httpPacket.WwwAuthenticateRealm.Length > 0)
{
sourceHost.AddHostName(httpPacket.WwwAuthenticateRealm);
sourceHost.ExtraDetailsList["WWW-Authenticate realm"] = httpPacket.WwwAuthenticateRealm;
}
if (mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true))
{
FileTransfer.FileStreamAssembler assembler = mainPacketHandler.FileStreamAssemblerList.GetAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true);
//http://www.mail-archive.com/[email protected]/msg08695.html
//There could also be no content-length when http-keepalives are not used.
//In that case, the client just collects all data till the TCP-FIN.
//-1 is set instead of null if Content-Length is not defined
if (httpPacket.ContentLength >= 0 || httpPacket.ContentLength == -1)
{
assembler.FileContentLength = httpPacket.ContentLength;
assembler.FileSegmentRemainingBytes = httpPacket.ContentLength;//we get the whole file in one segment (one serie of TCP packets)
}
if (httpPacket.ContentLength == 0)
{
mainPacketHandler.FileStreamAssemblerList.Remove(assembler, true);
}
else
{
if (httpPacket.ContentDispositionFilename != null)
{
assembler.Filename = httpPacket.ContentDispositionFilename;
}
//append content type extention to file name
if (httpPacket.ContentType != null && httpPacket.ContentType.Contains("/") && httpPacket.ContentType.IndexOf('/') < httpPacket.ContentType.Length - 1)
{
string extension = Utils.StringManglerUtil.GetExtension(httpPacket.ContentType);
/*
* string extension=httpPacket.ContentType.Substring(httpPacket.ContentType.IndexOf('/')+1);
* if(extension.Contains(";"))
* extension=extension.Substring(0, extension.IndexOf(";"));
* */
if (extension.Length > 0 &&
!assembler.Filename.EndsWith("." + extension, StringComparison.InvariantCultureIgnoreCase) &&
!(assembler.Filename.EndsWith("jpg", StringComparison.InvariantCultureIgnoreCase) && extension.Equals("jpeg", StringComparison.InvariantCultureIgnoreCase)) &&
!(assembler.Filename.EndsWith("htm", StringComparison.InvariantCultureIgnoreCase) && extension.Equals("html", StringComparison.InvariantCultureIgnoreCase)))
{
//append the content type as extension
assembler.Filename = assembler.Filename + "." + extension;
}
}
if (httpPacket.TransferEncoding == "chunked")
{
assembler.FileStreamType = FileTransfer.FileStreamTypes.HttpGetChunked;
}
if (httpPacket.ContentEncoding != null && httpPacket.ContentEncoding.Length > 0)
{
if (httpPacket.ContentEncoding.Equals("gzip"))//I'll only care aboute gzip for now
{
assembler.ContentEncoding = Packets.HttpPacket.ContentEncodings.Gzip;
}
else if (httpPacket.ContentEncoding.Equals("deflate"))//http://tools.ietf.org/html/rfc1950
{
assembler.ContentEncoding = Packets.HttpPacket.ContentEncodings.Deflate;
}
}
if (assembler.TryActivate())
{
//the assembler is now ready to receive data
if (httpPacket.MessageBody != null && httpPacket.MessageBody.Length > 0)
{
if (assembler.FileStreamType == FileTransfer.FileStreamTypes.HttpGetChunked || httpPacket.MessageBody.Length <= assembler.FileSegmentRemainingBytes || assembler.FileSegmentRemainingBytes == -1)
{
assembler.AddData(httpPacket.MessageBody, tcpPacket.SequenceNumber);
}
}
}
}
//}
//else {
// mainPacketHandler.FileStreamAssemblerList.Remove(assembler, true);
//}
}
}
return(true);
}
private (string username, string realm) GetUserAndRealm(KerberosPacket kerberosPacket, NetworkHost sourceHost, NetworkHost destinationHost)
{
string username = "";
string realm = "";
List <string> spnParts = new List <string>();
int lastInt = 0;
foreach (var item in kerberosPacket.AsnData)
{
if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.Integer)//Utils.ByteConverter.Asn1TypeTag.Integer
{
lastInt = (int)Utils.ByteConverter.ToUInt32(item.Item3);
}
else if (stringTypes.Contains(item.Item2))
{
string itemString = Utils.ByteConverter.ReadString(item.Item3);
//if(kerberosPacket.MsgType == KerberosPacket.MessageType.krb_ap_req) {
/** rfc1510 / http://web.mit.edu/freebsd/head/crypto/heimdal/lib/asn1/krb5.asn1
* KDC-REQ-BODY ::= SEQUENCE {
* kdc-options[0] KDCOptions,
* cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
* realm[2] Realm, -- Server's realm
* -- Also client's in AS-REQ
* sname[3] PrincipalName OPTIONAL,
* from[4] KerberosTime OPTIONAL,
* till[5] KerberosTime OPTIONAL,
* rtime[6] KerberosTime OPTIONAL,
* nonce[7] krb5int32,
* etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
* -- in preference order
* addresses[9] HostAddresses OPTIONAL,
* enc-authorization-data[10] EncryptedData OPTIONAL,
* -- Encrypted AuthorizationData encoding
* additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
* }
**/
if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameRequestPaths.Contains(item.Item1) && itemString.EndsWith("$"))
{
string hostname = itemString.TrimEnd(new[] { '$' });
sourceHost.AddHostName(hostname, kerberosPacket.PacketTypeDescription);
//parameters.Add("Hostname (" + item.Item1 + ")", hostname);
realm = hostname;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameResponsePaths.Contains(item.Item1) && itemString.EndsWith("$"))
{
string hostname = itemString.TrimEnd(new[] { '$' });
destinationHost.AddHostName(hostname, kerberosPacket.PacketTypeDescription);
//parameters.Add("Hostname (" + item.Item1 + ")", hostname);
realm = hostname;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && (usernameRequestPaths.Contains(item.Item1) || usernameResponsePaths.Contains(item.Item1)) && !itemString.EndsWith("$"))
{
if (usernameRequestPaths.Contains(item.Item1))
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp));
sourceHost.AddNumberedExtraDetail("Kerberos Username", itemString);
username = itemString;
}
else if (usernameResponsePaths.Contains(item.Item1))
{
base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp));
destinationHost.AddNumberedExtraDetail("Kerberos Username", itemString);
username = itemString;
}
#if DEBUG
else
{
System.Diagnostics.Debugger.Break();
}
#endif
//parameters.Add("Username (" + item.Item1 + ")", username);
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && domainPaths.Contains(item.Item1))
{
sourceHost.AddDomainName(itemString);
destinationHost.AddDomainName(itemString);
//parameters.Add("Realm (" + item.Item1 + ")", itemString);
realm = itemString;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && hostnameResponsePaths.Contains(item.Item1))
{
spnParts.Add(itemString);
}
else
{
//parameters.Add(item.Item1 + " " + Enum.GetName(typeof(Utils.ByteConverter.Asn1TypeTag), item.Item2), itemString);
}
}
}
if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && spnParts.Count > 0)
{
username = string.Join("/", spnParts);
}
return(username, realm);
}
