//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
}
else
{
sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
}
//bool successfulExtraction=false;
int successfullyExtractedBytes = 0;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.NtlmSspPacket))
{
Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;
if (ntlmPacket.NtlmChallenge != null)
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge;
}
else
{
ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge);
}
}
if (ntlmPacket.DomainName != null)
{
sourceHost.AddDomainName(ntlmPacket.DomainName);
}
if (ntlmPacket.HostName != null)
{
sourceHost.AddHostName(ntlmPacket.HostName);
}
if (ntlmPacket.UserName != null)
{
if (ntlmPacket.UserName.EndsWith("$")) //hostname
{
sourceHost.AddHostName(ntlmPacket.UserName.TrimEnd(new[] { '$' }));
}
else
{
sourceHost.AddNumberedExtraDetail("NTLM Username ", ntlmPacket.UserName);
}
string lanManagerHashInfo = null;
if (ntlmPacket.LanManagerResponse != null)
{
lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
}
if (ntlmPacket.NtlmResponse != null)
{
if (lanManagerHashInfo == null)
{
lanManagerHashInfo = "";
}
else
{
lanManagerHashInfo = lanManagerHashInfo + " - ";
}
lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse;
}
if (lanManagerHashInfo == null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
}
else
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[tcpSession.GetHashCode()] + " - " + lanManagerHashInfo;
}
if (ntlmPacket.DomainName == null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
}
else
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.DomainName + "\\" + ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
}
}
}
successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed
}
}
return(successfullyExtractedBytes);
}
public Email(System.IO.MemoryStream emailMimeStream, PacketHandler mainPacketHandler, Packets.TcpPacket tcpPacket, bool transferIsClientToServer, NetworkTcpSession tcpSession, ApplicationLayerProtocol protocol, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation fileAssmeblyRootLocation = FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.destination)
{
Mime.UnbufferedReader ur = new PacketParser.Mime.UnbufferedReader(emailMimeStream);
this.MainPacketHandler = mainPacketHandler;
this.protocol = protocol;
if (this.protocol == ApplicationLayerProtocol.Smtp)
{
this.fileTransferProtocol = FileTransfer.FileStreamTypes.SMTP;
}
else if (this.protocol == ApplicationLayerProtocol.Pop3)
{
this.fileTransferProtocol = FileTransfer.FileStreamTypes.POP3;
}
else if (this.protocol == ApplicationLayerProtocol.Imap)
{
this.fileTransferProtocol = FileTransfer.FileStreamTypes.IMAP;
}
//this.reassembleFileAtSourceHost = reassembleFileAtSourceHost;
this.fileAssmeblyRootLocation = fileAssmeblyRootLocation;
this.fiveTuple = tcpSession.Flow.FiveTuple;
this.transferIsClientToServer = transferIsClientToServer;
this.attachments = new List <FileTransfer.ReconstructedFile>();
this.from = null;
this.to = null;
this.subject = null;
this.messageId = null;
this.date = null;//Date: Fri, 1 Aug 2003 14:17:51 -0700
Encoding customEncoding = null;
System.Collections.Specialized.NameValueCollection rootAttributes = null;
bool messageSentToPacketHandler = false;
foreach (Mime.MultipartPart multipart in Mime.PartBuilder.GetParts(ur)) //I might need to add "ref customEncoding" as a parameter here
{
if (rootAttributes == null)
{
from = multipart.Attributes["From"];
to = multipart.Attributes["To"];
subject = multipart.Attributes["Subject"];
messageId = multipart.Attributes["Message-ID"];
date = multipart.Attributes["Date"];
rootAttributes = multipart.Attributes;
}
if (multipart.Attributes["charset"] != null)
{
try {
customEncoding = Encoding.GetEncoding(multipart.Attributes["charset"]);
}
catch { }
}
this.parseMultipart(multipart, rootAttributes, tcpPacket, ref messageSentToPacketHandler, customEncoding, from, to, subject, messageId);
}
//create an .eml file with the whole DATA portion
string emlFilename = null;
if (subject != null && subject.Length > 3)
{
emlFilename = Utils.StringManglerUtil.ConvertToFilename(subject, 10);
/*
* try {
* System.IO.FileInfo fi = new System.IO.FileInfo(subject.Substring(0, 10));
* emlFilename = subject.Substring(0, 10);
* }
* catch {
* emlFilename = Utils.StringManglerUtil.ConvertToFilename(subject, 10);
* }
*/
}
if (emlFilename == null || emlFilename.Length == 0)
{
if (messageId != null && messageId.Length > 3)
{
emlFilename = Utils.StringManglerUtil.ConvertToFilename(messageId, 10);
}
else
{
emlFilename = "message_" + tcpSession.GetHashCode().ToString("X8");
}
}
emlFilename = emlFilename + ".eml";
/*
* string extendedFileId = tcpSession.GetHashCode().ToString();
* if (messageId != null && messageId.Length > 0)
* extendedFileId = messageId;
*/
if (rootAttributes != null)
{
string extendedFileId = GetFileId(rootAttributes);
using (FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, this.fiveTuple, this.transferIsClientToServer, this.fileTransferProtocol, emlFilename, "/", emailMimeStream.Length, emailMimeStream.Length, this.protocol.ToString() + " transcript From: " + from + " To: " + to + " Subject: " + subject, extendedFileId, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, this.fileAssmeblyRootLocation)) {
if (assembler.TryActivate())
{
assembler.FileReconstructed += MainPacketHandler.OnMessageAttachmentDetected;
assembler.FileReconstructed += Assembler_FileReconstructed;
assembler.AddData(emailMimeStream.ToArray(), tcpPacket.SequenceNumber);
//assembler.FinishAssembling();
}
else
{
assembler.Clear();
assembler.FinishAssembling();
}
}
}
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
//bool successfulExtraction=false;
int successfullyExtractedBytes = 0;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.NtlmSspPacket))
{
Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;
if (ntlmPacket.NtlmChallenge != null)
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge;
}
else
{
ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge);
}
}
if (ntlmPacket.DomainName != null)
{
sourceHost.AddDomainName(ntlmPacket.DomainName);
}
if (ntlmPacket.HostName != null)
{
sourceHost.AddHostName(ntlmPacket.HostName);
}
if (ntlmPacket.UserName != null)
{
if (!sourceHost.ExtraDetailsList.ContainsKey("NTLM Username " + ntlmPacket.UserName))
{
sourceHost.ExtraDetailsList.Add("NTLM Username " + ntlmPacket.UserName, ntlmPacket.UserName);
}
string lanManagerHashInfo = null;
if (ntlmPacket.LanManagerResponse != null)
{
lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
}
if (ntlmPacket.NtlmResponse != null)
{
if (lanManagerHashInfo == null)
{
lanManagerHashInfo = "";
}
else
{
lanManagerHashInfo = lanManagerHashInfo + " - ";
}
lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse;
}
if (lanManagerHashInfo == null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
}
else
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[tcpSession.GetHashCode()] + " - " + lanManagerHashInfo;
}
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
}
}
successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed
}
}
return(successfullyExtractedBytes);
}
public Email(System.IO.MemoryStream emailMimeStream, PacketHandler mainPacketHandler, Packets.TcpPacket tcpPacket, bool transferIsClientToServer, NetworkTcpSession tcpSession, ApplicationLayerProtocol protocol, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation fileAssmeblyRootLocation = FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.destination)
{
SharedUtils.Logger.Log("Extracting Email from MIME data in " + tcpPacket.ParentFrame.ToString(), SharedUtils.Logger.EventLogEntryType.Information);
Mime.UnbufferedReader ur = new PacketParser.Mime.UnbufferedReader(emailMimeStream);
this.MainPacketHandler = mainPacketHandler;
this.protocol = protocol;
if (this.protocol == ApplicationLayerProtocol.Smtp)
{
this.fileTransferProtocol = FileTransfer.FileStreamTypes.SMTP;
}
else if (this.protocol == ApplicationLayerProtocol.Pop3)
{
this.fileTransferProtocol = FileTransfer.FileStreamTypes.POP3;
}
else if (this.protocol == ApplicationLayerProtocol.Imap)
{
this.fileTransferProtocol = FileTransfer.FileStreamTypes.IMAP;
}
//this.reassembleFileAtSourceHost = reassembleFileAtSourceHost;
this.fileAssmeblyRootLocation = fileAssmeblyRootLocation;
this.fiveTuple = tcpSession.Flow.FiveTuple;
this.transferIsClientToServer = transferIsClientToServer;
this.attachments = new List <FileTransfer.ReconstructedFile>();
this.from = null;
this.to = null;
this.subject = null;
this.messageId = null;
this.date = null;//Date: Fri, 1 Aug 2003 14:17:51 -0700
Encoding customEncoding = null;
this.RootAttributes = null;
bool messageSentToPacketHandler = false;
//The open source .NET implementation Mono can crash if the strings contain Unicode chracters
//see KeePass bug: https://sourceforge.net/p/keepass/feature-requests/2254/
foreach (Mime.MultipartPart multipart in Mime.PartBuilder.GetParts(ur, Utils.SystemHelper.IsRunningOnMono(), null)) //I might need to add "ref customEncoding" as a parameter here
{
SharedUtils.Logger.Log("Extracting MIME part with attributes \"" + String.Join(",", multipart.Attributes.AllKeys) + "\" in " + tcpPacket.ParentFrame.ToString(), SharedUtils.Logger.EventLogEntryType.Information);
if (this.RootAttributes == null)
{
from = multipart.Attributes["From"];
to = multipart.Attributes["To"];
subject = multipart.Attributes["Subject"];
messageId = multipart.Attributes["Message-ID"];
date = multipart.Attributes["Date"];
this.RootAttributes = multipart.Attributes;
}
if (multipart.Attributes["charset"] != null)
{
try {
customEncoding = Encoding.GetEncoding(multipart.Attributes["charset"]);
}
catch (Exception e) {
SharedUtils.Logger.Log("Exception getting encoding for charset \"" + multipart.Attributes["charset"] + "\". " + e.ToString(), SharedUtils.Logger.EventLogEntryType.Warning);
}
}
this.parseMultipart(multipart, this.RootAttributes, tcpPacket, ref messageSentToPacketHandler, customEncoding, emailMimeStream.Length, from, to, subject, messageId);
}
if (!messageSentToPacketHandler && from != null && to != null)
{
//send message to PacketHandler with force
if (this.transferIsClientToServer)
{
this.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(this.protocol, this.fiveTuple.ClientHost, this.fiveTuple.ServerHost, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, from, to, subject, "", customEncoding, this.RootAttributes, emailMimeStream.Length));
}
else
{
this.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(this.protocol, this.fiveTuple.ServerHost, this.fiveTuple.ClientHost, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, from, to, subject, "", customEncoding, this.RootAttributes, emailMimeStream.Length));
}
messageSentToPacketHandler = true;
}
//create an .eml file with the whole DATA portion
string emlFilename = null;
if (subject != null && subject.Length > 3)
{
emlFilename = Utils.StringManglerUtil.ConvertToFilename(subject, 10);
}
if (emlFilename == null || emlFilename.Length == 0)
{
if (messageId != null && messageId.Length > 3)
{
emlFilename = Utils.StringManglerUtil.ConvertToFilename(messageId, 10);
}
else
{
emlFilename = "message_" + tcpSession.GetHashCode().ToString("X8");
}
}
emlFilename = emlFilename + ".eml";
if (this.RootAttributes != null)
{
string extendedFileId = GetMessageId(this.RootAttributes);
using (FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, this.fiveTuple, this.transferIsClientToServer, this.fileTransferProtocol, emlFilename, "/", emailMimeStream.Length, emailMimeStream.Length, this.protocol.ToString() + " transcript From: " + from + " To: " + to + " Subject: " + subject, extendedFileId, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, this.fileAssmeblyRootLocation)) {
if (assembler.TryActivate())
{
assembler.FileReconstructed += this.MainPacketHandler.OnMessageAttachmentDetected;
assembler.FileReconstructed += this.Assembler_FileReconstructed;
SharedUtils.Logger.Log("Adding emailMimeStream bytes: " + emailMimeStream.Length, SharedUtils.Logger.EventLogEntryType.Information);
assembler.AddData(emailMimeStream.ToArray(), tcpPacket.SequenceNumber);
}
else
{
SharedUtils.Logger.Log("Unable to activate email assembler", SharedUtils.Logger.EventLogEntryType.Warning);
assembler.Clear();
assembler.FinishAssembling();
}
}
}
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
}
else
{
sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
}
//bool successfulExtraction=false;
int successfullyExtractedBytes = 0;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.NtlmSspPacket))
{
Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;
if (ntlmPacket.NtlmChallenge != null)
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge;
}
else
{
ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge);
}
}
if (ntlmPacket.DomainName != null)
{
sourceHost.AddDomainName(ntlmPacket.DomainName);
}
if (ntlmPacket.HostName != null)
{
sourceHost.AddHostName(ntlmPacket.HostName, ntlmPacket.PacketTypeDescription);
}
if (ntlmPacket.UserName != null)
{
if (ntlmPacket.UserName.EndsWith("$")) //hostname
{
sourceHost.AddHostName(ntlmPacket.UserName.TrimEnd(new[] { '$' }), ntlmPacket.PacketTypeDescription);
}
else
{
sourceHost.AddNumberedExtraDetail("NTLM Username ", ntlmPacket.UserName);
}
string lanManagerHashInfo = null;
if (ntlmPacket.LanManagerResponse != null)
{
lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
if (ntlmPacket.LanManagerResponse.Length >= 16)
{
//$LM$a9c604d244c4e99d
string lmHash = ntlmPacket.LanManagerResponse.Substring(0, 16);
if (lmHash.Trim(new[] { '0' }).Length > 0)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.DomainName + "\\" + ntlmPacket.UserName, "$LM$" + lmHash, ntlmPacket.ParentFrame.Timestamp));
}
}
}
if (ntlmPacket.NtlmResponse != null)
{
if (lanManagerHashInfo == null)
{
lanManagerHashInfo = "";
}
else
{
lanManagerHashInfo = lanManagerHashInfo + " - ";
}
lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse;
}
if (lanManagerHashInfo == null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
}
else
{
string ntlmChallenge = null;
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
ntlmChallenge = ntlmChallengeList[tcpSession.GetHashCode()];
lanManagerHashInfo = "NTLM Challenge: " + ntlmChallenge + " - " + lanManagerHashInfo;
}
if (ntlmPacket.DomainName == null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
}
else
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.DomainName + "\\" + ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
}
if (ntlmChallenge != null && ntlmPacket.NtlmResponse != null)
{
string johnHash = null;
if (ntlmPacket.NtlmResponse.Length == 48) //24 bytes of binary data => NTLMv1
//example: $NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233
{
johnHash = "$NETNTLM$" + ntlmChallenge + "$" + ntlmPacket.NtlmResponse;
}
else if (ntlmPacket.NtlmResponse.Length > 48) //NTLMv2
//example: $NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$07659A550D5E9D02996DFD95C87EC1D5$0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000
{
StringBuilder johnHashSB = new StringBuilder("$NETNTLMv2$");
if (ntlmPacket.DomainName != null)
{
johnHashSB.Append(ntlmPacket.DomainName);
}
johnHashSB.Append("$");
johnHashSB.Append(ntlmChallenge);
johnHashSB.Append("$");
johnHashSB.Append(ntlmPacket.NtlmResponse.Substring(0, 32)); //NTProofStr
johnHashSB.Append("$");
johnHashSB.Append(ntlmPacket.NtlmResponse.Substring(32)); //NTLMv2 response, minus NTProofStr
johnHash = johnHashSB.ToString();
}
if (johnHash != null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.DomainName + "\\" + ntlmPacket.UserName, johnHash, ntlmPacket.ParentFrame.Timestamp));
}
}
}
}
successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed
}
}
return(successfullyExtractedBytes);
}
