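/// <summary>
/// Feeds one captured packet into the HTTP POST tracker. A packet that opens a POST request
/// creates a new entry in <c>MailList</c>; a continuation segment is appended to its entry, and
/// once the entry's push flag is set the buffered pieces are joined and handed to
/// <c>DoSomething</c>.
/// </summary>
/// <param name="packet">Captured frame; only IPv4 packets that carry TCP are processed.</param>
/// <param name="PacketMonitor">Form passed through to <c>DoSomething</c>.</param>
public static void Trace(Packet packet, PacketMonitorForm PacketMonitor)
{
    try
    {
        IpPacket ipPacket = PacketDotNet.IpPacket.GetEncapsulated(packet);
        if (ipPacket == null || ipPacket.Version == IpVersion.IPv6)
        {
            return;
        }

        TcpPacket tcpPacket = PacketDotNet.TcpPacket.GetEncapsulated(packet);
        if (tcpPacket == null)
        {
            return;
        }

        // Flow key: source address + source port + destination address + acknowledgment number.
        // NOTE(review): a plain sum is not unique per connection, so two unrelated flows can land
        // on the same key and have their request data mixed in one entry. Changing the scheme
        // has to be done everywhere MailList keys are computed, so it is only flagged here.
        long Key = ipPacket.SourceAddress.Address + tcpPacket.SourcePort
                   + ipPacket.DestinationAddress.Address + tcpPacket.AcknowledgmentNumber;

        if (isReassembledPacketOfPostRequest(ipPacket, tcpPacket))
        {
            PacketReassemble(Key, tcpPacket);

            var Mail = MailList[Key];
            Mail.TimeToLive = 0;

            // Var_PushFlag == true means the request has been captured in full.
            if (Mail.Var_PushFlag == true)
            {
                foreach (var Data in Mail.PostRequestDataList)
                {
                    Mail.PostRequestData += new string(Data);
                }

                foreach (var Data in Mail.VarDataList)
                {
                    Mail.VarData += new string(Data);
                }

                DoSomething(Mail, PacketMonitor);
                MailList.Remove(Key);
            }
        }
        else if (isPostRequest(tcpPacket))
        {
            MailList.Add(Key, new HttpMail(ipPacket, tcpPacket));
        }
        else
        {
            return;
        }

        AddMailLiveTime();
    }
    catch (Exception ex)
    {
        // The packet is still dropped on any failure, but the reason is now reported instead of
        // an empty line, so malformed traffic and key clashes in MailList are visible.
        Console.WriteLine("Trace: packet skipped - " + ex.Message);
    }
}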
// Hook invoked once a POST request has been captured in full.
// The body is currently empty: every statement below is commented out.
private static void DoSomething(HttpMail Mail, PacketMonitorForm PacketMonitor)
{
    // Disabled: append the raw request data and variable data to the monitor text box.
    // PacketMonitor.mTxtBox.Text += Mail.PostRequestData + Mail.VarData + "\r\n\r\n";

    // Disabled: same output, with URI decoding applied first.
    // NOTE(review): Uri.UnescapeDataString does not turn '+' into a space, so form-encoded
    // bodies would still show '+' where the sender typed a space.
    // NOTE(review): POST bodies often carry credentials and tokens; if this display is
    // re-enabled, consider masking known secret fields before they reach the UI.
    //PacketMonitor.mTxtBox.Text += Uri.UnescapeDataString(Mail.PostRequestData) + Uri.UnescapeDataString(Mail.VarData) + "\r\n";
    //PacketMonitor.mTxtBox.Text += "------------------------------------------------------------------------------------------------\r\n\r\n";
}
/// <summary>
/// Runs one captured packet through the SSL/TLS tracking steps: ClientHello detection, the
/// <c>SSLAnalyze</c> handshake analysis, and certificate extraction.
/// </summary>
/// <param name="packet">Captured frame; ignored unless it is IPv4 + TCP with at least 6 payload bytes.</param>
/// <param name="Form">Monitor form whose trace list is updated by the helpers called here.</param>
public unsafe void Trace(Packet packet, PacketMonitorForm Form)
{
    IpPacket ipPacket;
    TcpPacket tcpPacket;

    // Any failure while decoding the headers or reading the payload drops the packet silently.
    try
    {
        ipPacket = PacketDotNet.IpPacket.GetEncapsulated(packet);
        bool isIPv4 = ipPacket != null && ipPacket.Version != IpVersion.IPv6;
        if (!isIPv4)
        {
            return;
        }

        tcpPacket = PacketDotNet.TcpPacket.GetEncapsulated(packet);

        // TraceClientHello reads payload offsets 0 through 5, hence the 6-byte minimum.
        if (tcpPacket == null || tcpPacket.PayloadData.Length < 6)
        {
            return;
        }
    }
    catch
    {
        return;
    }

    TraceClientHello(ipPacket, tcpPacket, Form);

    // NOTE(review): the analyzer receives only a pointer to the frame, not its length. How it
    // bounds its reads is not visible here - confirm it cannot run past the end of a short or
    // truncated frame.
    fixed (Byte* rawFrame = packet.Bytes)
    {
        SSLAnalyze.InsertPacketData(rawFrame);
    }

    // Handshake content available: build the record (no certificate) and persist it.
    if (SSLAnalyze.GetHandShakeMainContent())
    {
        WriteToDB(AddToSSLInfo(Form, null));
    }

    var extracted = _CertificateManage.Trace(packet);
    if (extracted == null)
    {
        return;
    }

    AddToSSLInfo(Form, extracted);
    DoSomething(Form, extracted);
}
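/// <summary>
/// Detects a ClientHello in the TCP payload and, when the flow is already listed in
/// <c>form.listIPTrace</c>, sets <c>hasSSL</c> on the matching port entry and opens a pcap
/// writer for it so that later packets of the flow can be stored.
/// </summary>
/// <param name="ipPacket">IP layer of the captured packet (supplies both host addresses).</param>
/// <param name="tcpPacket">TCP layer of the captured packet (supplies ports and payload).</param>
/// <param name="form">Form that owns the <c>listIPTrace</c> list.</param>
private void TraceClientHello(IpPacket ipPacket, TcpPacket tcpPacket, PacketMonitorForm form)
{
    var payload = tcpPacket.PayloadData;

    // Offsets 0..5 are read below. The payload comes straight off the wire, so the bound is
    // checked here as well instead of relying on every caller to have done it.
    if (payload == null || payload.Length < 6)
    {
        return;
    }

    // Record layer type 0x16 = Handshake, handshake type 0x01 = Client Hello.
    if (payload[0] != 0x16 || payload[5] != 0x01)
    {
        return;
    }

    // Accepted record versions: 2.0 and 3.0 through 3.3.
    byte major = payload[1];
    byte minor = payload[2];
    bool isSSLVersion = (major == 0x02 && minor == 0x00) || (major == 0x03 && minor <= 0x03);
    if (!isSSLVersion)
    {
        return;
    }

    // Converted once; the loops below compare against these strings repeatedly.
    string srcIP = ipPacket.SourceAddress.ToString();
    string dstIP = ipPacket.DestinationAddress.ToString();
    string srcPort = tcpPacket.SourcePort.ToString();
    string dstPort = tcpPacket.DestinationPort.ToString();

    int Count = form.listIPTrace.Count;
    List<IPTraceInfo> _IPTrace = form.listIPTrace;
    for (int j = 0; j < Count; j++)
    {
        bool sameHosts = (_IPTrace[j].SrcIP == srcIP && _IPTrace[j].DstIP == dstIP)
                         || (_IPTrace[j].SrcIP == dstIP && _IPTrace[j].DstIP == srcIP);
        if (!sameHosts)
        {
            continue;
        }

        foreach (var port in _IPTrace[j].Ports)
        {
            bool samePorts = (port.SrcPort == srcPort && port.DstPort == dstPort)
                             || (port.SrcPort == dstPort && port.DstPort == srcPort);
            if (!samePorts)
            {
                continue;
            }

            port.hasSSL = true;

            // The file name is built from addresses and port numbers only.
            // NOTE(review): an existing SSLPcapFileWriter on this port is replaced without being
            // closed; whether that leaks a file handle depends on PcapFileWriter - confirm.
            string FileName = srcIP + "(" + srcPort + ") - " + dstIP + "(" + dstPort + ").pcap";
            port.SSLPcapFileWriter = new PcapFileWriter(StoragePath + "\\" + FileName);
            return;
        }

        // Only the first entry with this host pair is examined, whether or not a port matched.
        return;
    }
}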
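/// <summary>
/// Called once the complete SSL information is available: stores the certificate on the first
/// <c>listIPTrace</c> entry whose host pair matches the certificate's server and user addresses
/// (in either direction), unless that entry already holds one.
/// </summary>
/// <param name="form">Form that owns the <c>listIPTrace</c> list.</param>
/// <param name="_Certificate">Extracted certificate; a null value is ignored.</param>
private void DoSomething(PacketMonitorForm form, Certificate _Certificate)
{
    // The original tested for null only after reading ServerIP/UserIP from the object, which
    // is too late to help; the check now comes first.
    if (_Certificate == null)
    {
        return;
    }

    List<IPTraceInfo> traces = form.listIPTrace;
    int total = traces.Count;
    for (int j = 0; j < total; j++)
    {
        bool serverIsSource = traces[j].SrcIP == _Certificate.ServerIP && traces[j].DstIP == _Certificate.UserIP;
        bool serverIsDestination = traces[j].DstIP == _Certificate.ServerIP && traces[j].SrcIP == _Certificate.UserIP;
        if (!serverIsSource && !serverIsDestination)
        {
            continue;
        }

        // First certificate seen for the host pair wins; later ones are dropped.
        if (traces[j].certificate == null)
        {
            traces[j].certificate = _Certificate;
        }

        return;
    }
}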
// Combines key and certificate information in the SSLInformationList cache.
//
// With a certificate: queues a new SSLInformation (addresses, ports, certificate) and returns null.
// Without one: reads the current connection and key values from SSLAnalyze, completes the queued
// entry for the same address/port tuple if there is one (removing it from the list), otherwise
// builds a new entry with no certificate. In both cases the key strings are also copied to the
// matching Port entry of form.listIPTrace, and the SSLInformation is returned.
//
// NOTE(review): the returned object and port.keys hold session key and ticket bytes as plain hex
// strings; anything that persists or displays them should be treated as sensitive storage.
private unsafe SSLInformation AddToSSLInfo(PacketMonitorForm form, Certificate _Certificate)
{
    List <IPTraceInfo> list = form.listIPTrace;
    Port port = null;

    // A certificate means an SSL session has been set up but the complete key information is not
    // available yet, so the entry is placed in the list to wait for it.
    if (_Certificate != null)
    {
        SSLInformationList.Add(new SSLInformation
        {
            UserIP = _Certificate.UserIP,
            ServerIP = _Certificate.ServerIP,
            UserPort = _Certificate.UserPort,
            ServerPort = _Certificate.ServerPort,
            certificate = _Certificate,
        });
        return(null);
    }
    else if (_Certificate == null)
    {
        // The four address bytes are formatted in reverse index order (3, 2, 1, 0).
        string _UserIP = string.Format("{0}.{1}.{2}.{3}", SSLAnalyze.GetUserIP()[3], SSLAnalyze.GetUserIP()[2], SSLAnalyze.GetUserIP()[1], SSLAnalyze.GetUserIP()[0]);
        string _ServerIP = string.Format("{0}.{1}.{2}.{3}", SSLAnalyze.GetServerIP()[3], SSLAnalyze.GetServerIP()[2], SSLAnalyze.GetServerIP()[1], SSLAnalyze.GetServerIP()[0]);
        string _UserPort = SSLAnalyze.GetUserPort().ToString();
        string _ServerPort = SSLAnalyze.GetServerPort().ToString();

        // Find the Port entry for this connection in either direction. The break only leaves the
        // inner loop, so when several list entries match, the last one found is kept.
        for (int j = 0; j < list.Count; j++)
        {
            if ((list[j].SrcIP == _ServerIP) && (list[j].DstIP == _UserIP))
            {
                foreach (var p in list[j].Ports)
                {
                    if ((p.SrcPort == _ServerPort) && (p.DstPort == _UserPort))
                    {
                        port = p;
                        break;
                    }
                }
            }
            else if ((list[j].DstIP == _ServerIP) && (list[j].SrcIP == _UserIP))
            {
                foreach (var p in list[j].Ports)
                {
                    if ((p.SrcPort == _UserPort) && (p.DstPort == _ServerPort))
                    {
                        port = p;
                        break;
                    }
                }
            }
        }

        // Look for an entry queued earlier (with its certificate) for the same 4-tuple.
        foreach (var _SSLInformation in SSLInformationList)
        {
            if (_UserIP == _SSLInformation.UserIP && _ServerIP == _SSLInformation.ServerIP && _UserPort == _SSLInformation.UserPort && _ServerPort == _SSLInformation.ServerPort)
            {
                _SSLInformation.Version = SSLAnalyze.GetVersion().ToString();
                _SSLInformation.CipherSuite = SSLAnalyze.GetCipherSuite().ToString();

                // Each key is rendered as lowercase two-digit hex bytes separated by spaces;
                // the string stays null when the reported length is zero.
                string pubkey = null;
                if (SSLAnalyze.GetPubKeyLen() > 0)
                {
                    if (SSLAnalyze.GetPubKeyLen() == SSLAnalyze.GetSessionKeyLen())
                    {
                        for (int i = 0; i < SSLAnalyze.GetPubKeyLen(); i++)
                        {
                            pubkey += string.Format("{0:x2} ", SSLAnalyze.GetPubkey()[i]);
                        }
                    }
                    else
                    {
                        // NOTE(review): when the lengths differ, GetSessionKeyLen() bytes are read
                        // from GetPubkey() starting at offset 6. The reason for the 6-byte skip is
                        // not visible here - confirm this cannot read past the public key buffer.
                        for (int i = 0; i < SSLAnalyze.GetSessionKeyLen(); i++)
                        {
                            pubkey += string.Format("{0:x2} ", SSLAnalyze.GetPubkey()[i + 6]);
                        }
                    }
                }
                _SSLInformation.PubKey = pubkey;

                string sessionkey = null;
                if (SSLAnalyze.GetSessionKeyLen() > 0)
                {
                    for (int i = 0; i < SSLAnalyze.GetSessionKeyLen(); i++)
                    {
                        sessionkey += string.Format("{0:x2} ", SSLAnalyze.GetSessionKey()[i]);
                    }
                }
                _SSLInformation.SessionKey = sessionkey;

                string NewSessionkey = null;
                if (SSLAnalyze.GetNewSessionTicketLen() > 0)
                {
                    for (int i = 0; i < SSLAnalyze.GetNewSessionTicketLen(); i++)
                    {
                        NewSessionkey += string.Format("{0:x2} ", SSLAnalyze.GetNewSessionTicket()[i]);
                    }
                }
                _SSLInformation.NewSessionKey = NewSessionkey;

                // Copy the keys to the port entry; values already stored there are not overwritten.
                if (port != null && (pubkey != null || sessionkey != null || NewSessionkey != null))
                {
                    port.keys.ServerPort = _ServerPort;
                    port.keys.UserPort = _UserPort;
                    if (port.keys.pubKey == null)
                    {
                        port.keys.pubKey = pubkey;
                    }
                    if (port.keys.sessionKey == null)
                    {
                        port.keys.sessionKey = sessionkey;
                    }
                    if (port.keys.newSessionkey == null)
                    {
                        port.keys.newSessionkey = NewSessionkey;
                    }
                    port.keys.hasKey = true;
                }

                // Removing during the foreach is followed directly by the return, so the
                // enumerator is not advanced again.
                SSLInformationList.Remove(_SSLInformation);
                return(_SSLInformation);
            }
        }

        // The code from here on builds the SSL information for a connection with no Certificate.
        var sslInformation = new SSLInformation();
        sslInformation.UserIP = _UserIP;
        sslInformation.ServerIP = _ServerIP;
        sslInformation.UserPort = _UserPort;
        sslInformation.ServerPort = _ServerPort;
        sslInformation.Version = SSLAnalyze.GetVersion().ToString();
        sslInformation.CipherSuite = SSLAnalyze.GetCipherSuite().ToString();

        // Same hex rendering as in the matched-entry branch above.
        string _pubkey = null;
        if (SSLAnalyze.GetPubKeyLen() > 0)
        {
            if (SSLAnalyze.GetPubKeyLen() == SSLAnalyze.GetSessionKeyLen())
            {
                for (int i = 0; i < SSLAnalyze.GetPubKeyLen(); i++)
                {
                    _pubkey += string.Format("{0:x2} ", SSLAnalyze.GetPubkey()[i]);
                }
            }
            else
            {
                // NOTE(review): same offset-6 read as in the branch above - confirm the bound.
                for (int i = 0; i < SSLAnalyze.GetSessionKeyLen(); i++)
                {
                    _pubkey += string.Format("{0:x2} ", SSLAnalyze.GetPubkey()[i + 6]);
                }
            }
        }
        sslInformation.PubKey = _pubkey;

        string _sessionkey = null;
        if (SSLAnalyze.GetSessionKeyLen() > 0)
        {
            for (int i = 0; i < SSLAnalyze.GetSessionKeyLen(); i++)
            {
                _sessionkey += string.Format("{0:x2} ", SSLAnalyze.GetSessionKey()[i]);
            }
        }
        sslInformation.SessionKey = _sessionkey;

        string _NewSessionkey = null;
        if (SSLAnalyze.GetNewSessionTicketLen() > 0)
        {
            for (int i = 0; i < SSLAnalyze.GetNewSessionTicketLen(); i++)
            {
                _NewSessionkey += string.Format("{0:x2} ", SSLAnalyze.GetNewSessionTicket()[i]);
            }
        }
        sslInformation.NewSessionKey = _NewSessionkey;
        sslInformation.certificate = null;

        // Copy the keys to the port entry; values already stored there are not overwritten.
        if (port != null && (_pubkey != null || _sessionkey != null || _NewSessionkey != null))
        {
            port.keys.ServerPort = _ServerPort;
            port.keys.UserPort = _UserPort;
            if (port.keys.pubKey == null)
            {
                port.keys.pubKey = _pubkey;
            }
            if (port.keys.sessionKey == null)
            {
                port.keys.sessionKey = _sessionkey;
            }
            if (port.keys.newSessionkey == null)
            {
                port.keys.newSessionkey = _NewSessionkey;
            }
            port.keys.hasKey = true;
        }
        return(sslInformation);
    }

    // Not reached in practice: the two branches above cover both cases and each one returns.
    return(null);
}