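/// <summary>
/// Pulls NTLMSSP authentication artefacts out of the parsed packets of one TCP session:
/// the server challenge (remembered per session), the domain/host/user names the sender
/// announced, and any LM / NTLM challenge-responses, which are recorded as credentials.
/// </summary>
/// <param name="tcpSession">Session the packets belong to; its five-tuple decides which end is the sender.</param>
/// <param name="transferIsClientToServer">True when <paramref name="packetList"/> flows client-to-server, false for the reverse direction.</param>
/// <param name="packetList">Parsed packets; only <see cref="Packets.NtlmSspPacket"/> instances are inspected, the rest are skipped.</param>
/// <returns>
/// Bytes credited as parsed: the full frame length of every NTLMSSP packet seen, which is
/// deliberately an over-estimate (the caller only needs "at least what was consumed"); 0 when
/// nothing matched or <paramref name="packetList"/> is null.
/// </returns>
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable<PacketParser.Packets.AbstractPacket> packetList)
{
    if (packetList == null)
    {
        return 0; // nothing to parse, nothing consumed
    }

    // The NTLM fields describe the party that sent the message, so "source" is the sender
    // for this transfer direction rather than the session's client.
    NetworkHost sourceHost, destinationHost;
    if (transferIsClientToServer)
    {
        sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
        destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
    }
    else
    {
        sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
        destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
    }

    // Challenges are kept per session so a later AUTHENTICATE message can be paired with
    // the CHALLENGE that preceded it.
    // NOTE(review): the key is the session's hash code rather than the session itself;
    // unless NetworkTcpSession guarantees unique hash codes, two sessions could share a
    // slot and a response would be paired with the wrong challenge — confirm.
    int sessionKey = tcpSession.GetHashCode();

    int successfullyExtractedBytes = 0;
    foreach (Packets.AbstractPacket p in packetList)
    {
        // Exact-type match as before; a subclass of NtlmSspPacket (if one exists) is not handled here.
        if (p.GetType() != typeof(Packets.NtlmSspPacket))
        {
            continue;
        }
        Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;

        if (ntlmPacket.NtlmChallenge != null)
        {
            if (ntlmChallengeList.ContainsKey(sessionKey))
            {
                ntlmChallengeList[sessionKey] = ntlmPacket.NtlmChallenge;
            }
            else
            {
                ntlmChallengeList.Add(sessionKey, ntlmPacket.NtlmChallenge);
            }
        }
        if (ntlmPacket.DomainName != null)
        {
            sourceHost.AddDomainName(ntlmPacket.DomainName);
        }
        if (ntlmPacket.HostName != null)
        {
            sourceHost.AddHostName(ntlmPacket.HostName);
        }

        if (ntlmPacket.UserName != null)
        {
            // A trailing '$' marks a machine account, i.e. the "user" is really a host name.
            // Ordinal comparison: this is a protocol token, not user-facing text.
            if (ntlmPacket.UserName.EndsWith("$", StringComparison.Ordinal))
            {
                sourceHost.AddHostName(ntlmPacket.UserName.TrimEnd('$'));
            }
            else
            {
                sourceHost.AddNumberedExtraDetail("NTLM Username ", ntlmPacket.UserName);
            }

            // Human-readable summary of whatever challenge-responses the message carried.
            string lanManagerHashInfo = null;
            if (ntlmPacket.LanManagerResponse != null)
            {
                lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
            }
            if (ntlmPacket.NtlmResponse != null)
            {
                string ntlmPart = "NTLM Response: " + ntlmPacket.NtlmResponse;
                lanManagerHashInfo = (lanManagerHashInfo == null) ? ntlmPart : lanManagerHashInfo + " - " + ntlmPart;
            }

            if (lanManagerHashInfo == null)
            {
                // No challenge-response at all: only the bare user name is recorded.
                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
            }
            else
            {
                // Prefix the matching server challenge when one was seen on this session;
                // without it the response alone cannot be cracked offline.
                if (ntlmChallengeList.ContainsKey(sessionKey))
                {
                    lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[sessionKey] + " - " + lanManagerHashInfo;
                }
                // DOMAIN\user when the message carried a domain, bare user name otherwise.
                string accountName = (ntlmPacket.DomainName == null) ? ntlmPacket.UserName : ntlmPacket.DomainName + "\\" + ntlmPacket.UserName;
                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", accountName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
            }
        }

        // Credit the whole frame; over-reporting is acceptable to the caller.
        successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;
    }
    return successfullyExtractedBytes;
}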
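/// <summary>
/// Parses one complete MIME message (the DATA portion of an SMTP transfer, or a POP3/IMAP
/// fetch) into its parts, hands every part to <c>parseMultipart</c>, and finally stores the
/// raw message as an .eml file through a <see cref="FileTransfer.FileStreamAssembler"/>.
/// </summary>
/// <param name="emailMimeStream">The full MIME message; the part builder reads it and the whole buffer is then copied into the .eml assembler.</param>
/// <param name="mainPacketHandler">Sink for extracted messages and attachments.</param>
/// <param name="tcpPacket">Packet that completed the message; supplies frame number, timestamp and sequence number.</param>
/// <param name="transferIsClientToServer">Direction of the transfer inside <paramref name="tcpSession"/>.</param>
/// <param name="tcpSession">Session carrying the message; its five-tuple is kept for the assembler.</param>
/// <param name="protocol">SMTP, POP3 or IMAP; selects the file-stream type (any other value leaves it at its default).</param>
/// <param name="fileAssmeblyRootLocation">Host under which reconstructed files are rooted; defaults to the destination.</param>
public Email(System.IO.MemoryStream emailMimeStream, PacketHandler mainPacketHandler, Packets.TcpPacket tcpPacket, bool transferIsClientToServer, NetworkTcpSession tcpSession, ApplicationLayerProtocol protocol, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation fileAssmeblyRootLocation = FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.destination)
{
    Mime.UnbufferedReader ur = new PacketParser.Mime.UnbufferedReader(emailMimeStream);
    this.MainPacketHandler = mainPacketHandler;
    this.protocol = protocol;
    switch (this.protocol)
    {
        case ApplicationLayerProtocol.Smtp:
            this.fileTransferProtocol = FileTransfer.FileStreamTypes.SMTP;
            break;
        case ApplicationLayerProtocol.Pop3:
            this.fileTransferProtocol = FileTransfer.FileStreamTypes.POP3;
            break;
        case ApplicationLayerProtocol.Imap:
            this.fileTransferProtocol = FileTransfer.FileStreamTypes.IMAP;
            break;
    }
    this.fileAssmeblyRootLocation = fileAssmeblyRootLocation;
    this.fiveTuple = tcpSession.Flow.FiveTuple;
    this.transferIsClientToServer = transferIsClientToServer;
    this.attachments = new List<FileTransfer.ReconstructedFile>();
    this.from = null;
    this.to = null;
    this.subject = null;
    this.messageId = null;
    this.date = null; // e.g. "Date: Fri, 1 Aug 2003 14:17:51 -0700"

    Encoding customEncoding = null;
    System.Collections.Specialized.NameValueCollection rootAttributes = null;
    bool messageSentToPacketHandler = false;
    foreach (Mime.MultipartPart multipart in Mime.PartBuilder.GetParts(ur))
    {
        if (rootAttributes == null)
        {
            // The first part carries the top-level message headers.
            from = multipart.Attributes["From"];
            to = multipart.Attributes["To"];
            subject = multipart.Attributes["Subject"];
            messageId = multipart.Attributes["Message-ID"];
            date = multipart.Attributes["Date"];
            rootAttributes = multipart.Attributes;
        }
        string charset = multipart.Attributes["charset"];
        if (charset != null)
        {
            try
            {
                customEncoding = Encoding.GetEncoding(charset);
            }
            catch
            {
                // Deliberate: the charset name comes straight from the (untrusted) message,
                // so an unknown or malformed name must not abort extraction. The previously
                // resolved encoding (or null, meaning default) stays in effect.
            }
        }
        this.parseMultipart(multipart, rootAttributes, tcpPacket, ref messageSentToPacketHandler, customEncoding, from, to, subject, messageId);
    }

    // Name the .eml after the subject, else the Message-ID, else the session. Both header
    // values are attacker-controlled, so ConvertToFilename is relied upon to strip path
    // separators and other unsafe characters before the name reaches the file system.
    string emlFilename = null;
    if (subject != null && subject.Length > 3)
    {
        emlFilename = Utils.StringManglerUtil.ConvertToFilename(subject, 10);
    }
    if (string.IsNullOrEmpty(emlFilename))
    {
        if (messageId != null && messageId.Length > 3)
        {
            emlFilename = Utils.StringManglerUtil.ConvertToFilename(messageId, 10);
        }
        else
        {
            emlFilename = "message_" + tcpSession.GetHashCode().ToString("X8");
        }
    }
    emlFilename = emlFilename + ".eml";

    // Store the whole DATA portion as one file; skipped when no part was parsed at all.
    if (rootAttributes != null)
    {
        string extendedFileId = GetFileId(rootAttributes);
        string description = this.protocol.ToString() + " transcript From: " + from + " To: " + to + " Subject: " + subject;
        using (FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, this.fiveTuple, this.transferIsClientToServer, this.fileTransferProtocol, emlFilename, "/", emailMimeStream.Length, emailMimeStream.Length, description, extendedFileId, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, this.fileAssmeblyRootLocation))
        {
            if (assembler.TryActivate())
            {
                assembler.FileReconstructed += MainPacketHandler.OnMessageAttachmentDetected;
                assembler.FileReconstructed += Assembler_FileReconstructed;
                assembler.AddData(emailMimeStream.ToArray(), tcpPacket.SequenceNumber);
            }
            else
            {
                // The assembler could not be activated; discard it rather than leave it half-open.
                assembler.Clear();
                assembler.FinishAssembling();
            }
        }
    }
}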
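/// <summary>
/// Pulls NTLMSSP authentication artefacts out of the parsed packets of one TCP session:
/// the server challenge (remembered per session), the domain/host/user names the sender
/// announced, and any LM / NTLM challenge-responses, which are recorded as credentials.
/// </summary>
/// <param name="tcpSession">Session the packets belong to; used as the key for the challenge cache.</param>
/// <param name="sourceHost">Host that sent the packets; names and user details are attached to it.</param>
/// <param name="destinationHost">Host that received the packets.</param>
/// <param name="packetList">Parsed packets; only <see cref="Packets.NtlmSspPacket"/> instances are inspected, the rest are skipped.</param>
/// <returns>
/// Bytes credited as parsed: the full frame length of every NTLMSSP packet seen, which is
/// deliberately an over-estimate; 0 when nothing matched or <paramref name="packetList"/> is null.
/// </returns>
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList)
{
    if (packetList == null)
    {
        return 0; // nothing to parse, nothing consumed
    }

    // Challenges are kept per session so a later AUTHENTICATE message can be paired with
    // the CHALLENGE that preceded it.
    // NOTE(review): the key is the session's hash code rather than the session itself;
    // unless NetworkTcpSession guarantees unique hash codes, two sessions could share a
    // slot and a response would be paired with the wrong challenge — confirm.
    int sessionKey = tcpSession.GetHashCode();

    int successfullyExtractedBytes = 0;
    foreach (Packets.AbstractPacket p in packetList)
    {
        // Exact-type match as before; a subclass of NtlmSspPacket (if one exists) is not handled here.
        if (p.GetType() != typeof(Packets.NtlmSspPacket))
        {
            continue;
        }
        Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;

        if (ntlmPacket.NtlmChallenge != null)
        {
            if (ntlmChallengeList.ContainsKey(sessionKey))
            {
                ntlmChallengeList[sessionKey] = ntlmPacket.NtlmChallenge;
            }
            else
            {
                ntlmChallengeList.Add(sessionKey, ntlmPacket.NtlmChallenge);
            }
        }
        if (ntlmPacket.DomainName != null)
        {
            sourceHost.AddDomainName(ntlmPacket.DomainName);
        }
        if (ntlmPacket.HostName != null)
        {
            sourceHost.AddHostName(ntlmPacket.HostName);
        }

        if (ntlmPacket.UserName != null)
        {
            // One extra-detail entry per distinct user name seen from this host.
            string userDetailKey = "NTLM Username " + ntlmPacket.UserName;
            if (!sourceHost.ExtraDetailsList.ContainsKey(userDetailKey))
            {
                sourceHost.ExtraDetailsList.Add(userDetailKey, ntlmPacket.UserName);
            }

            // Human-readable summary of whatever challenge-responses the message carried.
            string lanManagerHashInfo = null;
            if (ntlmPacket.LanManagerResponse != null)
            {
                lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
            }
            if (ntlmPacket.NtlmResponse != null)
            {
                string ntlmPart = "NTLM Response: " + ntlmPacket.NtlmResponse;
                lanManagerHashInfo = (lanManagerHashInfo == null) ? ntlmPart : lanManagerHashInfo + " - " + ntlmPart;
            }

            if (lanManagerHashInfo == null)
            {
                // No challenge-response at all: only the bare user name is recorded.
                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
            }
            else
            {
                // Prefix the matching server challenge when one was seen on this session;
                // without it the response alone cannot be cracked offline.
                if (ntlmChallengeList.ContainsKey(sessionKey))
                {
                    lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[sessionKey] + " - " + lanManagerHashInfo;
                }
                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
            }
        }

        // Credit the whole frame; over-reporting is acceptable to the caller.
        successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;
    }
    return successfullyExtractedBytes;
}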
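/// <summary>
/// Parses one complete MIME message (the DATA portion of an SMTP transfer, or a POP3/IMAP
/// fetch) into its parts, hands every part to <c>parseMultipart</c>, raises a message event
/// from the root headers if no part did so, and finally stores the raw message as an .eml
/// file through a <see cref="FileTransfer.FileStreamAssembler"/>.
/// </summary>
/// <param name="emailMimeStream">The full MIME message; the part builder reads it and the whole buffer is then copied into the .eml assembler.</param>
/// <param name="mainPacketHandler">Sink for extracted messages and attachments.</param>
/// <param name="tcpPacket">Packet that completed the message; supplies frame number, timestamp and sequence number.</param>
/// <param name="transferIsClientToServer">Direction of the transfer inside <paramref name="tcpSession"/>; also decides sender/receiver of the message event.</param>
/// <param name="tcpSession">Session carrying the message; its five-tuple is kept for the assembler.</param>
/// <param name="protocol">SMTP, POP3 or IMAP; selects the file-stream type (any other value leaves it at its default).</param>
/// <param name="fileAssmeblyRootLocation">Host under which reconstructed files are rooted; defaults to the destination.</param>
public Email(System.IO.MemoryStream emailMimeStream, PacketHandler mainPacketHandler, Packets.TcpPacket tcpPacket, bool transferIsClientToServer, NetworkTcpSession tcpSession, ApplicationLayerProtocol protocol, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation fileAssmeblyRootLocation = FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.destination)
{
    SharedUtils.Logger.Log("Extracting Email from MIME data in " + tcpPacket.ParentFrame.ToString(), SharedUtils.Logger.EventLogEntryType.Information);
    Mime.UnbufferedReader ur = new PacketParser.Mime.UnbufferedReader(emailMimeStream);
    this.MainPacketHandler = mainPacketHandler;
    this.protocol = protocol;
    switch (this.protocol)
    {
        case ApplicationLayerProtocol.Smtp:
            this.fileTransferProtocol = FileTransfer.FileStreamTypes.SMTP;
            break;
        case ApplicationLayerProtocol.Pop3:
            this.fileTransferProtocol = FileTransfer.FileStreamTypes.POP3;
            break;
        case ApplicationLayerProtocol.Imap:
            this.fileTransferProtocol = FileTransfer.FileStreamTypes.IMAP;
            break;
    }
    this.fileAssmeblyRootLocation = fileAssmeblyRootLocation;
    this.fiveTuple = tcpSession.Flow.FiveTuple;
    this.transferIsClientToServer = transferIsClientToServer;
    this.attachments = new List<FileTransfer.ReconstructedFile>();
    this.from = null;
    this.to = null;
    this.subject = null;
    this.messageId = null;
    this.date = null; // e.g. "Date: Fri, 1 Aug 2003 14:17:51 -0700"

    Encoding customEncoding = null;
    this.RootAttributes = null;
    bool messageSentToPacketHandler = false;
    // The open source .NET implementation Mono can crash if the strings contain Unicode characters,
    // see KeePass bug: https://sourceforge.net/p/keepass/feature-requests/2254/
    foreach (Mime.MultipartPart multipart in Mime.PartBuilder.GetParts(ur, Utils.SystemHelper.IsRunningOnMono(), null))
    {
        // Only the header names are logged, never their (untrusted) values.
        SharedUtils.Logger.Log("Extracting MIME part with attributes \"" + string.Join(",", multipart.Attributes.AllKeys) + "\" in " + tcpPacket.ParentFrame.ToString(), SharedUtils.Logger.EventLogEntryType.Information);
        if (this.RootAttributes == null)
        {
            // The first part carries the top-level message headers.
            from = multipart.Attributes["From"];
            to = multipart.Attributes["To"];
            subject = multipart.Attributes["Subject"];
            messageId = multipart.Attributes["Message-ID"];
            date = multipart.Attributes["Date"];
            this.RootAttributes = multipart.Attributes;
        }
        string charset = multipart.Attributes["charset"];
        if (charset != null)
        {
            try
            {
                customEncoding = Encoding.GetEncoding(charset);
            }
            catch (Exception e)
            {
                // The charset name comes straight from the message, so an unknown or malformed
                // name is logged and ignored; the previously resolved encoding stays in effect.
                SharedUtils.Logger.Log("Exception getting encoding for charset \"" + charset + "\". " + e.ToString(), SharedUtils.Logger.EventLogEntryType.Warning);
            }
        }
        this.parseMultipart(multipart, this.RootAttributes, tcpPacket, ref messageSentToPacketHandler, customEncoding, emailMimeStream.Length, from, to, subject, messageId);
    }

    if (!messageSentToPacketHandler && from != null && to != null)
    {
        // No part raised a message event, so force one from the root headers with an
        // empty body. Sender/receiver follow the transfer direction.
        NetworkHost messageSource = this.transferIsClientToServer ? this.fiveTuple.ClientHost : this.fiveTuple.ServerHost;
        NetworkHost messageDestination = this.transferIsClientToServer ? this.fiveTuple.ServerHost : this.fiveTuple.ClientHost;
        this.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(this.protocol, messageSource, messageDestination, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, from, to, subject, "", customEncoding, this.RootAttributes, emailMimeStream.Length));
        messageSentToPacketHandler = true;
    }

    // Name the .eml after the subject, else the Message-ID, else the session. Both header
    // values are attacker-controlled, so ConvertToFilename is relied upon to strip path
    // separators and other unsafe characters before the name reaches the file system.
    string emlFilename = null;
    if (subject != null && subject.Length > 3)
    {
        emlFilename = Utils.StringManglerUtil.ConvertToFilename(subject, 10);
    }
    if (string.IsNullOrEmpty(emlFilename))
    {
        if (messageId != null && messageId.Length > 3)
        {
            emlFilename = Utils.StringManglerUtil.ConvertToFilename(messageId, 10);
        }
        else
        {
            emlFilename = "message_" + tcpSession.GetHashCode().ToString("X8");
        }
    }
    emlFilename = emlFilename + ".eml";

    // Store the whole DATA portion as one file; skipped when no part was parsed at all.
    if (this.RootAttributes != null)
    {
        string extendedFileId = GetMessageId(this.RootAttributes);
        string description = this.protocol.ToString() + " transcript From: " + from + " To: " + to + " Subject: " + subject;
        using (FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, this.fiveTuple, this.transferIsClientToServer, this.fileTransferProtocol, emlFilename, "/", emailMimeStream.Length, emailMimeStream.Length, description, extendedFileId, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, this.fileAssmeblyRootLocation))
        {
            if (assembler.TryActivate())
            {
                assembler.FileReconstructed += this.MainPacketHandler.OnMessageAttachmentDetected;
                assembler.FileReconstructed += this.Assembler_FileReconstructed;
                SharedUtils.Logger.Log("Adding emailMimeStream bytes: " + emailMimeStream.Length, SharedUtils.Logger.EventLogEntryType.Information);
                assembler.AddData(emailMimeStream.ToArray(), tcpPacket.SequenceNumber);
            }
            else
            {
                // The assembler could not be activated; discard it rather than leave it half-open.
                SharedUtils.Logger.Log("Unable to activate email assembler", SharedUtils.Logger.EventLogEntryType.Warning);
                assembler.Clear();
                assembler.FinishAssembling();
            }
        }
    }
}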
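/// <summary>
/// Pulls NTLMSSP authentication artefacts out of the parsed packets of one TCP session:
/// the server challenge (remembered per session), the domain/host/user names the sender
/// announced, and any LM / NTLM challenge-responses. Responses are recorded both as a
/// human-readable credential and, where the matching challenge is known, as a
/// John-the-Ripper style hash line ($LM$, $NETNTLM$ or $NETNTLMv2$).
/// </summary>
/// <param name="tcpSession">Session the packets belong to; its five-tuple decides which end is the sender.</param>
/// <param name="transferIsClientToServer">True when <paramref name="packetList"/> flows client-to-server, false for the reverse direction.</param>
/// <param name="packetList">Parsed packets; only <see cref="Packets.NtlmSspPacket"/> instances are inspected, the rest are skipped.</param>
/// <returns>
/// Bytes credited as parsed: the full frame length of every NTLMSSP packet seen, which is
/// deliberately an over-estimate; 0 when nothing matched or <paramref name="packetList"/> is null.
/// </returns>
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable<PacketParser.Packets.AbstractPacket> packetList)
{
    if (packetList == null)
    {
        return 0; // nothing to parse, nothing consumed
    }

    // The NTLM fields describe the party that sent the message, so "source" is the sender
    // for this transfer direction rather than the session's client.
    NetworkHost sourceHost, destinationHost;
    if (transferIsClientToServer)
    {
        sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
        destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
    }
    else
    {
        sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
        destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
    }

    // Challenges are kept per session so a later AUTHENTICATE message can be paired with
    // the CHALLENGE that preceded it.
    // NOTE(review): the key is the session's hash code rather than the session itself;
    // unless NetworkTcpSession guarantees unique hash codes, two sessions could share a
    // slot and a response would be paired with the wrong challenge — confirm.
    int sessionKey = tcpSession.GetHashCode();

    int successfullyExtractedBytes = 0;
    foreach (Packets.AbstractPacket p in packetList)
    {
        // Exact-type match as before; a subclass of NtlmSspPacket (if one exists) is not handled here.
        if (p.GetType() != typeof(Packets.NtlmSspPacket))
        {
            continue;
        }
        Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;

        if (ntlmPacket.NtlmChallenge != null)
        {
            if (ntlmChallengeList.ContainsKey(sessionKey))
            {
                ntlmChallengeList[sessionKey] = ntlmPacket.NtlmChallenge;
            }
            else
            {
                ntlmChallengeList.Add(sessionKey, ntlmPacket.NtlmChallenge);
            }
        }
        if (ntlmPacket.DomainName != null)
        {
            sourceHost.AddDomainName(ntlmPacket.DomainName);
        }
        if (ntlmPacket.HostName != null)
        {
            sourceHost.AddHostName(ntlmPacket.HostName, ntlmPacket.PacketTypeDescription);
        }

        if (ntlmPacket.UserName != null)
        {
            // A trailing '$' marks a machine account, i.e. the "user" is really a host name.
            // Ordinal comparison: this is a protocol token, not user-facing text.
            if (ntlmPacket.UserName.EndsWith("$", StringComparison.Ordinal))
            {
                sourceHost.AddHostName(ntlmPacket.UserName.TrimEnd('$'), ntlmPacket.PacketTypeDescription);
            }
            else
            {
                sourceHost.AddNumberedExtraDetail("NTLM Username ", ntlmPacket.UserName);
            }

            // DOMAIN\user when the message carried a domain, bare user name otherwise. Used
            // for every hash-bearing credential below so they all label the account the same
            // way (the $LM$ and John lines previously produced "\user" when no domain was sent).
            string accountName = (ntlmPacket.DomainName == null) ? ntlmPacket.UserName : ntlmPacket.DomainName + "\\" + ntlmPacket.UserName;

            // Human-readable summary of whatever challenge-responses the message carried.
            string lanManagerHashInfo = null;
            if (ntlmPacket.LanManagerResponse != null)
            {
                lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
                if (ntlmPacket.LanManagerResponse.Length >= 16)
                {
                    // First 8 bytes (16 hex chars) of the LM response in John's $LM$ form,
                    // e.g. $LM$a9c604d244c4e99d. An all-zero half carries no key material and is skipped.
                    // NOTE(review): in a regular NTLMv1 exchange these bytes are DES(LM-hash half,
                    // server challenge), not the LM hash itself, so a $LM$ line is only meaningful
                    // when the field really carries a raw hash half — confirm which client
                    // behaviour this is meant to catch.
                    string lmHash = ntlmPacket.LanManagerResponse.Substring(0, 16);
                    if (lmHash.Trim('0').Length > 0)
                    {
                        base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", accountName, "$LM$" + lmHash, ntlmPacket.ParentFrame.Timestamp));
                    }
                }
            }
            if (ntlmPacket.NtlmResponse != null)
            {
                string ntlmPart = "NTLM Response: " + ntlmPacket.NtlmResponse;
                lanManagerHashInfo = (lanManagerHashInfo == null) ? ntlmPart : lanManagerHashInfo + " - " + ntlmPart;
            }

            if (lanManagerHashInfo == null)
            {
                // No challenge-response at all: only the bare user name is recorded.
                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
            }
            else
            {
                // Prefix the matching server challenge when one was seen on this session;
                // without it the response alone cannot be cracked offline.
                string ntlmChallenge = null;
                if (ntlmChallengeList.ContainsKey(sessionKey))
                {
                    ntlmChallenge = ntlmChallengeList[sessionKey];
                    lanManagerHashInfo = "NTLM Challenge: " + ntlmChallenge + " - " + lanManagerHashInfo;
                }
                base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", accountName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));

                // Challenge + response pair: also emit a line John can load directly.
                if (ntlmChallenge != null && ntlmPacket.NtlmResponse != null)
                {
                    string johnHash = null;
                    if (ntlmPacket.NtlmResponse.Length == 48)
                    {
                        // 24 bytes of response => NTLMv1.
                        // Example: $NETNTLM$1122334455667788$B2B2220790F40C88BCFF347C652F67A7C4A70D3BEBD70233
                        // NOTE(review): when NTLM2 session security (ESS) was negotiated the response
                        // is computed over MD5(serverChallenge || clientNonce)[0..7] rather than the
                        // raw server challenge used here; confirm the form John expects for that case.
                        johnHash = "$NETNTLM$" + ntlmChallenge + "$" + ntlmPacket.NtlmResponse;
                    }
                    else if (ntlmPacket.NtlmResponse.Length > 48)
                    {
                        // Longer response => NTLMv2. John's identity field is UPPER(user) immediately
                        // followed by the domain — the exact string the NTLMv2 key is HMACed over
                        // (MS-NLMP NTOWFv2) — so the user name must be present; the earlier code wrote
                        // only the domain, giving John the wrong key-derivation input.
                        // Example: $NETNTLMv2$NTLMV2TESTWORKGROUP$1122334455667788$<NTProofStr>$<blob>
                        StringBuilder johnHashSB = new StringBuilder("$NETNTLMv2$");
                        johnHashSB.Append(ntlmPacket.UserName.ToUpperInvariant());
                        if (ntlmPacket.DomainName != null)
                        {
                            johnHashSB.Append(ntlmPacket.DomainName);
                        }
                        johnHashSB.Append('$').Append(ntlmChallenge);
                        johnHashSB.Append('$').Append(ntlmPacket.NtlmResponse.Substring(0, 32)); // NTProofStr (first 16 bytes)
                        johnHashSB.Append('$').Append(ntlmPacket.NtlmResponse.Substring(32));    // NTLMv2 blob, minus NTProofStr
                        johnHash = johnHashSB.ToString();
                    }
                    if (johnHash != null)
                    {
                        base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", accountName, johnHash, ntlmPacket.ParentFrame.Timestamp));
                    }
                }
            }
        }

        // Credit the whole frame; over-reporting is acceptable to the caller.
        successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;
    }
    return successfullyExtractedBytes;
}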