public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <AbstractPacket> packetList)
{
ITransportLayerPacket transportLayerPacket = packetList.OfType <ITransportLayerPacket>().First();
foreach (CifsBrowserPacket browser in packetList.OfType <CifsBrowserPacket>())
{
System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
if (!string.IsNullOrEmpty(browser.Hostname))
{
sourceHost.AddHostName(browser.Hostname, browser.PacketTypeDescription);
}
if (!string.IsNullOrEmpty(browser.DomainOrWorkgroup))
{
sourceHost.AddDomainName(browser.DomainOrWorkgroup);
}
if (browser.OSVersion.major > 0 || browser.OSVersion.minor > 0)
{
sourceHost.AddNumberedExtraDetail("Windows Version", "" + browser.OSVersion.major + "." + browser.OSVersion.minor);
}
if (browser.Uptime != null)
{
parameters.Add("CIFS Browser Service Uptime", browser.Uptime.Value.ToString());
}
if (parameters.Count > 0)
{
//TODO: figure out the five tuple!
Events.ParametersEventArgs pe = new Events.ParametersEventArgs(browser.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, browser.ParentFrame.Timestamp, "CIFS Browser/MS-BRWS Uptime");
//var pe = new Events.ParametersEventArgs(browser.ParentFrame.FrameNumber, ft, true, parameters, browser.ParentFrame.Timestamp, "CIFS Browser/MS-BRWS Uptime");
base.MainPacketHandler.OnParametersDetected(pe);
}
}
}
private void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, Packets.DhcpPacket dhcpPacket)
{
if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootRequest && (sourceHost.MacAddress == null || dhcpPacket.ClientMacAddress != sourceHost.MacAddress))
{
sourceHost.MacAddress = dhcpPacket.ClientMacAddress;
}
else if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootReply && (destinationHost.MacAddress == null || dhcpPacket.ClientMacAddress != destinationHost.MacAddress))
{
destinationHost.MacAddress = dhcpPacket.ClientMacAddress;
}
if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootReply && (dhcpPacket.GatewayIpAddress != null && dhcpPacket.GatewayIpAddress != System.Net.IPAddress.None && dhcpPacket.GatewayIpAddress.Address > 0))
{
destinationHost.ExtraDetailsList["Default Gateway"] = dhcpPacket.GatewayIpAddress.ToString();
}
System.Collections.Specialized.NameValueCollection optionParameterList = new System.Collections.Specialized.NameValueCollection();
//now check all the DHCP options
//byte dhcpMessageType=0x00;//1=Discover, 2=Offer, 3=Request, 5=Ack, 8=Inform
foreach (Packets.DhcpPacket.Option option in dhcpPacket.OptionList)
{
//TODO: Add option to Parameters list
if (option.OptionCode == 12)//hostname
{
string hostname = Utils.ByteConverter.ReadString(option.OptionValue);
sourceHost.AddHostName(hostname);
optionParameterList.Add("DHCP Option 12 Hostname", hostname);
}
else if (option.OptionCode == 15)//Domain Name
{
string domain = Utils.ByteConverter.ReadString(option.OptionValue);
sourceHost.AddDomainName(domain);
optionParameterList.Add("DHCP Option 15 Domain", domain);
}
else if (option.OptionCode == 50) //requested IP address
{
if (dhcpPacket.DhcpMessageType == 3) //Must be a DHCP Request
{
System.Net.IPAddress requestedIpAddress = new System.Net.IPAddress(option.OptionValue);
if (sourceHost.IPAddress != requestedIpAddress)
{
if (!base.MainPacketHandler.NetworkHostList.ContainsIP(requestedIpAddress))
{
NetworkHost clonedHost = new NetworkHost(requestedIpAddress);
clonedHost.MacAddress = sourceHost.MacAddress;
//foreach(string hostname in sourceHost.HostNameList)
// clonedHost.AddHostName(hostname);
lock (base.MainPacketHandler.NetworkHostList)
base.MainPacketHandler.NetworkHostList.Add(clonedHost);
//now change the host to the cloned one (and hope it works out...)
sourceHost = clonedHost;
}
else
{
sourceHost = base.MainPacketHandler.NetworkHostList.GetNetworkHost(requestedIpAddress);
if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootRequest && (sourceHost.MacAddress == null || dhcpPacket.ClientMacAddress != sourceHost.MacAddress))
{
sourceHost.MacAddress = dhcpPacket.ClientMacAddress;
}
}
}
if (sourceHost.MacAddress != null && previousIpList.ContainsKey(sourceHost.MacAddress.ToString()))
{
//if(previousIpList.ContainsKey(sourceHost.MacAddress.ToString())) {
sourceHost.AddNumberedExtraDetail("Previous IP", previousIpList[sourceHost.MacAddress.ToString()].ToString());
//sourceHost.ExtraDetailsList["Previous IP"]=previousIpList[sourceHost.MacAddress.ToString()].ToString();
previousIpList.Remove(sourceHost.MacAddress.ToString());
}
}
else if (dhcpPacket.DhcpMessageType == 1)//DHCP discover
//see which IP address the client hade previously
//They normally requests the same IP as they hade before...
{
System.Net.IPAddress requestedIpAddress = new System.Net.IPAddress(option.OptionValue);
this.previousIpList[sourceHost.MacAddress.ToString()] = requestedIpAddress;
}
}
/*
* else if(option.OptionCode==53) {//DHCP message type
* if(option.OptionValue!=null && option.OptionValue.Length==1)
* dhcpMessageType=option.OptionValue[0];
* }/*/
else if (option.OptionCode == 60)//vendor class identifier
{
string vendorCode = Utils.ByteConverter.ReadString(option.OptionValue);
sourceHost.AddDhcpVendorCode(vendorCode);
optionParameterList.Add("DHCP Option 60 Vendor Code", vendorCode);
}
else if (option.OptionCode == 81) //Client Fully Qualified Domain Name
{
string domain = Utils.ByteConverter.ReadString(option.OptionValue, 3, option.OptionValue.Length - 3);
sourceHost.AddHostName(domain);
optionParameterList.Add("DHCP Option 81 Domain", domain);
}
else if (option.OptionCode == 125) //V-I Vendor-specific Information http://tools.ietf.org/html/rfc3925
{
uint enterpriceNumber = Utils.ByteConverter.ToUInt32(option.OptionValue, 0);
optionParameterList.Add("DHCP Option 125 Enterprise Number", enterpriceNumber.ToString());
byte dataLen = option.OptionValue[4];
if (dataLen > 0 && option.OptionValue.Length >= 5 + dataLen)
{
string optionData = Utils.ByteConverter.ReadString(option.OptionValue, 5, dataLen);
optionParameterList.Add("DHCP Option 125 Data", optionData);
}
}
else
{
string optionValueString = Utils.ByteConverter.ReadString(option.OptionValue);
if (!System.Text.RegularExpressions.Regex.IsMatch(optionValueString, @"[^\u0020-\u007E]"))
{
optionParameterList.Add("DHCP Option " + option.OptionCode.ToString(), optionValueString);
}
}
}
if (optionParameterList.Count > 0)
{
//try to get the udp packet
string sourcePort = "UNKNOWN";
string destinationPort = "UNKNOWN";
foreach (Packets.AbstractPacket p in dhcpPacket.ParentFrame.PacketList)
{
if (p.GetType() == typeof(Packets.UdpPacket))
{
Packets.UdpPacket udpPacket = (Packets.UdpPacket)p;
sourcePort = "UDP " + udpPacket.SourcePort;
destinationPort = "UDP " + udpPacket.DestinationPort;
break;
}
}
Events.ParametersEventArgs ea = new Events.ParametersEventArgs(dhcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, sourcePort, destinationPort, optionParameterList, dhcpPacket.ParentFrame.Timestamp, "DHCP Option");
MainPacketHandler.OnParametersDetected(ea);
}
}
private (string username, string realm) GetUserAndRealm(KerberosPacket kerberosPacket, NetworkHost sourceHost, NetworkHost destinationHost)
{
string username = "";
string realm = "";
List <string> spnParts = new List <string>();
foreach (var item in kerberosPacket.AsnData.Where(item => stringTypes.Contains(item.Item2)))
{
string itemString = Utils.ByteConverter.ReadString(item.Item3);
if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameRequestPaths.Contains(item.Item1) && itemString.EndsWith("$"))
{
string hostname = itemString.TrimEnd(new[] { '$' });
sourceHost.AddHostName(hostname);
//parameters.Add("Hostname (" + item.Item1 + ")", hostname);
realm = hostname;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameResponsePaths.Contains(item.Item1) && itemString.EndsWith("$"))
{
string hostname = itemString.TrimEnd(new[] { '$' });
destinationHost.AddHostName(hostname);
//parameters.Add("Hostname (" + item.Item1 + ")", hostname);
realm = hostname;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && (usernameRequestPaths.Contains(item.Item1) || usernameResponsePaths.Contains(item.Item1)) && !itemString.EndsWith("$"))
{
if (usernameRequestPaths.Contains(item.Item1))
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp));
sourceHost.AddNumberedExtraDetail("Kerberos Username", itemString);
username = itemString;
}
else if (usernameResponsePaths.Contains(item.Item1))
{
base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp));
destinationHost.AddNumberedExtraDetail("Kerberos Username", itemString);
username = itemString;
}
#if DEBUG
else
{
System.Diagnostics.Debugger.Break();
}
#endif
//parameters.Add("Username (" + item.Item1 + ")", username);
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && domainPaths.Contains(item.Item1))
{
sourceHost.AddDomainName(itemString);
destinationHost.AddDomainName(itemString);
//parameters.Add("Realm (" + item.Item1 + ")", itemString);
realm = itemString;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && hostnameResponsePaths.Contains(item.Item1))
{
spnParts.Add(itemString);
}
else
{
//parameters.Add(item.Item1 + " " + Enum.GetName(typeof(Utils.ByteConverter.Asn1TypeTag), item.Item2), itemString);
}
}
if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && spnParts.Count > 0)
{
username = string.Join("/", spnParts);
}
return(username, realm);
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
//bool successfulExtraction=false;
int successfullyExtractedBytes = 0;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.NtlmSspPacket))
{
Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;
if (ntlmPacket.NtlmChallenge != null)
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge;
}
else
{
ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge);
}
}
if (ntlmPacket.DomainName != null)
{
sourceHost.AddDomainName(ntlmPacket.DomainName);
}
if (ntlmPacket.HostName != null)
{
sourceHost.AddHostName(ntlmPacket.HostName);
}
if (ntlmPacket.UserName != null)
{
if (!sourceHost.ExtraDetailsList.ContainsKey("NTLM Username " + ntlmPacket.UserName))
{
sourceHost.ExtraDetailsList.Add("NTLM Username " + ntlmPacket.UserName, ntlmPacket.UserName);
}
string lanManagerHashInfo = null;
if (ntlmPacket.LanManagerResponse != null)
{
lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
}
if (ntlmPacket.NtlmResponse != null)
{
if (lanManagerHashInfo == null)
{
lanManagerHashInfo = "";
}
else
{
lanManagerHashInfo = lanManagerHashInfo + " - ";
}
lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse;
}
if (lanManagerHashInfo == null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
}
else
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[tcpSession.GetHashCode()] + " - " + lanManagerHashInfo;
}
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
}
}
successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed
}
}
return(successfullyExtractedBytes);
}
private (string username, string realm) GetUserAndRealm(KerberosPacket kerberosPacket, NetworkHost sourceHost, NetworkHost destinationHost)
{
string username = "";
string realm = "";
List <string> spnParts = new List <string>();
int lastInt = 0;
foreach (var item in kerberosPacket.AsnData)
{
if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.Integer)//Utils.ByteConverter.Asn1TypeTag.Integer
{
lastInt = (int)Utils.ByteConverter.ToUInt32(item.Item3);
}
else if (stringTypes.Contains(item.Item2))
{
string itemString = Utils.ByteConverter.ReadString(item.Item3);
//if(kerberosPacket.MsgType == KerberosPacket.MessageType.krb_ap_req) {
/** rfc1510 / http://web.mit.edu/freebsd/head/crypto/heimdal/lib/asn1/krb5.asn1
* KDC-REQ-BODY ::= SEQUENCE {
* kdc-options[0] KDCOptions,
* cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ
* realm[2] Realm, -- Server's realm
* -- Also client's in AS-REQ
* sname[3] PrincipalName OPTIONAL,
* from[4] KerberosTime OPTIONAL,
* till[5] KerberosTime OPTIONAL,
* rtime[6] KerberosTime OPTIONAL,
* nonce[7] krb5int32,
* etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType,
* -- in preference order
* addresses[9] HostAddresses OPTIONAL,
* enc-authorization-data[10] EncryptedData OPTIONAL,
* -- Encrypted AuthorizationData encoding
* additional-tickets[11] SEQUENCE OF Ticket OPTIONAL
* }
**/
if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameRequestPaths.Contains(item.Item1) && itemString.EndsWith("$"))
{
string hostname = itemString.TrimEnd(new[] { '$' });
sourceHost.AddHostName(hostname, kerberosPacket.PacketTypeDescription);
//parameters.Add("Hostname (" + item.Item1 + ")", hostname);
realm = hostname;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameResponsePaths.Contains(item.Item1) && itemString.EndsWith("$"))
{
string hostname = itemString.TrimEnd(new[] { '$' });
destinationHost.AddHostName(hostname, kerberosPacket.PacketTypeDescription);
//parameters.Add("Hostname (" + item.Item1 + ")", hostname);
realm = hostname;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && (usernameRequestPaths.Contains(item.Item1) || usernameResponsePaths.Contains(item.Item1)) && !itemString.EndsWith("$"))
{
if (usernameRequestPaths.Contains(item.Item1))
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp));
sourceHost.AddNumberedExtraDetail("Kerberos Username", itemString);
username = itemString;
}
else if (usernameResponsePaths.Contains(item.Item1))
{
base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp));
destinationHost.AddNumberedExtraDetail("Kerberos Username", itemString);
username = itemString;
}
#if DEBUG
else
{
System.Diagnostics.Debugger.Break();
}
#endif
//parameters.Add("Username (" + item.Item1 + ")", username);
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && domainPaths.Contains(item.Item1))
{
sourceHost.AddDomainName(itemString);
destinationHost.AddDomainName(itemString);
//parameters.Add("Realm (" + item.Item1 + ")", itemString);
realm = itemString;
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && hostnameResponsePaths.Contains(item.Item1))
{
spnParts.Add(itemString);
}
else
{
//parameters.Add(item.Item1 + " " + Enum.GetName(typeof(Utils.ByteConverter.Asn1TypeTag), item.Item2), itemString);
}
}
}
if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && spnParts.Count > 0)
{
username = string.Join("/", spnParts);
}
return(username, realm);
}
private void ExtractSmbData(NetworkHost sourceHost, NetworkHost destinationHost, Packets.TcpPacket tcpPacket, Packets.CifsPacket.AbstractSmbCommand smbCommandPacket, PacketHandler mainPacketHandler)
{
string smbSessionId;
if (smbCommandPacket.ParentCifsPacket.FlagsResponse)
{
smbSessionId = SmbSession.GetSmbSessionId(sourceHost.IPAddress, tcpPacket.SourcePort, destinationHost.IPAddress, tcpPacket.DestinationPort);
}
else
{
smbSessionId = SmbSession.GetSmbSessionId(destinationHost.IPAddress, tcpPacket.DestinationPort, sourceHost.IPAddress, tcpPacket.SourcePort);
}
if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.NegotiateProtocolRequest))
{
Packets.CifsPacket.NegotiateProtocolRequest request = (Packets.CifsPacket.NegotiateProtocolRequest)smbCommandPacket;
sourceHost.AcceptedSmbDialectsList = request.DialectList;
}
else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.NegotiateProtocolResponse))
{
Packets.CifsPacket.NegotiateProtocolResponse reply = (Packets.CifsPacket.NegotiateProtocolResponse)smbCommandPacket;
if (destinationHost.AcceptedSmbDialectsList != null && destinationHost.AcceptedSmbDialectsList.Count > reply.DialectIndex)
{
sourceHost.PreferredSmbDialect = destinationHost.AcceptedSmbDialectsList[reply.DialectIndex];
}
//sourceHost.ExtraDetailsList.Add("Preferred SMB dialect", destinationHost.AcceptedSmbDialectsList[reply.DialectIndex]);
}
else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.SetupAndXRequest))
{
Packets.CifsPacket.SetupAndXRequest request = (Packets.CifsPacket.SetupAndXRequest)smbCommandPacket;
if (request.NativeLanManager != null && request.NativeLanManager.Length > 0)
{
if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native LAN Manager"))
{
sourceHost.ExtraDetailsList["SMB Native LAN Manager"] = request.NativeLanManager;
}
else
{
sourceHost.ExtraDetailsList.Add("SMB Native LAN Manager", request.NativeLanManager);
}
}
if (request.NativeOs != null && request.NativeOs.Length > 0)
{
if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native OS"))
{
sourceHost.ExtraDetailsList["SMB Native OS"] = request.NativeOs;
}
else
{
sourceHost.ExtraDetailsList.Add("SMB Native OS", request.NativeOs);
}
}
if (request.PrimaryDomain != null && request.PrimaryDomain.Length > 0)
{
sourceHost.AddDomainName(request.PrimaryDomain);
}
if (request.AccountName != null && request.AccountName.Length > 0)
{
NetworkCredential nCredential = new NetworkCredential(sourceHost, destinationHost, smbCommandPacket.PacketTypeDescription, request.AccountName, request.ParentFrame.Timestamp);
if (request.AccountPassword != null && request.AccountPassword.Length > 0)
{
nCredential.Password = request.AccountPassword;
}
mainPacketHandler.AddCredential(nCredential);
}
}
else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.SetupAndXResponse))
{
Packets.CifsPacket.SetupAndXResponse response = (Packets.CifsPacket.SetupAndXResponse)smbCommandPacket;
if (response.NativeLanManager != null && response.NativeLanManager.Length > 0)
{
if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native LAN Manager"))
{
sourceHost.ExtraDetailsList["SMB Native LAN Manager"] = response.NativeLanManager;
}
else
{
sourceHost.ExtraDetailsList.Add("SMB Native LAN Manager", response.NativeLanManager);
}
}
if (response.NativeOs != null && response.NativeOs.Length > 0)
{
if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native OS"))
{
sourceHost.ExtraDetailsList["SMB Native OS"] = response.NativeOs;
}
else
{
sourceHost.ExtraDetailsList.Add("SMB Native OS", response.NativeOs);
}
}
}
else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.NTCreateAndXRequest))
{
Packets.CifsPacket.NTCreateAndXRequest request = (Packets.CifsPacket.NTCreateAndXRequest)smbCommandPacket;
string filename, filePath;
if (request.Filename.EndsWith("\0"))
{
filename = request.Filename.Remove(request.Filename.Length - 1);
}
else
{
filename = request.Filename;
}
if (filename.Contains(System.IO.Path.DirectorySeparatorChar.ToString()))
{
filePath = filename.Substring(0, filename.LastIndexOf(System.IO.Path.DirectorySeparatorChar.ToString()));
filename = filename.Substring(filename.LastIndexOf(System.IO.Path.DirectorySeparatorChar.ToString()) + 1);
}
else
{
filePath = System.IO.Path.DirectorySeparatorChar.ToString();
}
try {
//string smbSessionId=SmbSession.GetSmbSessionId(destinationHost.IPAddress, tcpPacket.DestinationPort, sourceHost.IPAddress, tcpPacket.SourcePort);
SmbSession smbSession;
if (this.smbSessionPopularityList.ContainsKey(smbSessionId))
{
smbSession = this.smbSessionPopularityList[smbSessionId];
}
else
{
smbSession = new SmbSession(destinationHost.IPAddress, tcpPacket.DestinationPort, sourceHost.IPAddress, tcpPacket.SourcePort);
this.smbSessionPopularityList.Add(smbSessionId, smbSession);
}
FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, tcpPacket != null, FileTransfer.FileStreamTypes.SMB, filename, filePath, request.Filename, smbCommandPacket.ParentFrame.FrameNumber, smbCommandPacket.ParentFrame.Timestamp);
smbSession.AddFileStreamAssembler(assembler, request.ParentCifsPacket.TreeId, request.ParentCifsPacket.MultiplexId, request.ParentCifsPacket.ProcessId);
}
catch (Exception e) {
MainPacketHandler.OnAnomalyDetected("Error creating assembler for SMB file transfer: " + e.Message);
}
}
//else if(!smbCommandPacket.ParentCifsPacket.FlagsResponse && mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true)) {
else if (!smbCommandPacket.ParentCifsPacket.FlagsResponse && this.smbSessionPopularityList.ContainsKey(smbSessionId))
{
//Request
if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.CloseRequest) && smbSessionPopularityList.ContainsKey(smbSessionId))
{
SmbSession smbSession = this.smbSessionPopularityList[smbSessionId];
Packets.CifsPacket.CloseRequest closeRequest = (Packets.CifsPacket.CloseRequest)smbCommandPacket;
ushort fileId = closeRequest.FileId;
FileTransfer.FileStreamAssembler assemblerToClose;
if (smbSession.ContainsFileId(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId))
{
assemblerToClose = smbSession.GetFileStreamAssembler(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId);
smbSession.RemoveFileStreamAssembler(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId, false);
//TODO: remove the following line (added for debugging purpose 2011-04-25)
//assemblerToClose.FinishAssembling();
if (mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(assemblerToClose))
{
mainPacketHandler.FileStreamAssemblerList.Remove(assemblerToClose, true);
}
else
{
assemblerToClose.Clear();
}
}
}
else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.ReadAndXRequest) && smbSessionPopularityList.ContainsKey(smbSessionId))
{
SmbSession smbSession = this.smbSessionPopularityList[smbSessionId];
//Packets.CifsPacket.ReadAndXRequest request=this.smbSessionPopularityList[smbSessionId];
Packets.CifsPacket.ReadAndXRequest readRequest = (Packets.CifsPacket.ReadAndXRequest)smbCommandPacket;
ushort fileId = readRequest.FileId;
smbSession.Touch(readRequest.ParentCifsPacket.TreeId, readRequest.ParentCifsPacket.MultiplexId, readRequest.ParentCifsPacket.ProcessId, fileId);
}
}
else if (smbCommandPacket.ParentCifsPacket.FlagsResponse && this.smbSessionPopularityList.ContainsKey(smbSessionId))
{
//Response
SmbSession smbSession = this.smbSessionPopularityList[smbSessionId];
//FileTransfer.FileStreamAssembler assembler=mainPacketHandler.FileStreamAssemblerList.GetAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true);
if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.NTCreateAndXResponse))
{
Packets.CifsPacket.NTCreateAndXResponse response = (Packets.CifsPacket.NTCreateAndXResponse)smbCommandPacket;
ushort fileId = response.FileId;
int fileLength = (int)response.EndOfFile;//yes, I know I will not be able to store big files now... but an int as length is really enough!
//tag the requested file with the fileId
FileTransfer.FileStreamAssembler assembler = smbSession.GetLastReferencedFileStreamAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId);
smbSession.RemoveLastReferencedAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId);
if (assembler != null)
{
//Add file ID as extended ID in order to differentiate between parallell file transfers on disk cache
assembler.ExtendedFileId = "Id" + fileId.ToString("X4"); //2011-04-18
smbSession.AddFileStreamAssembler(assembler, response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId, response.FileId);
assembler.FileContentLength = fileLength;
}
}
else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.ReadAndXResponse))
{
Packets.CifsPacket.ReadAndXResponse response = (Packets.CifsPacket.ReadAndXResponse)smbCommandPacket;
//move the assembler to the real FileStreamAssemblerList!
FileTransfer.FileStreamAssembler assembler = smbSession.GetLastReferencedFileStreamAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId);
if (assembler == null)
{
base.MainPacketHandler.OnAnomalyDetected("Unable to find assembler for " + smbCommandPacket.ToString());
}
else if (assembler != null)
{
/* Removed 2011-04-25
* if(!mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(assembler))
* mainPacketHandler.FileStreamAssemblerList.Add(assembler);
* */
assembler.FileSegmentRemainingBytes += response.DataLength;//setting this one so that it can receive more bytes
if (!assembler.IsActive)
{
System.Diagnostics.Debug.Assert(assembler.ExtendedFileId != null && assembler.ExtendedFileId != "", "No FileID set for SMB file transfer!");
if (!assembler.TryActivate())
{
if (!response.ParentCifsPacket.ParentFrame.QuickParse)
{
response.ParentCifsPacket.ParentFrame.Errors.Add(new Frame.Error(response.ParentCifsPacket.ParentFrame, response.PacketStartIndex, response.PacketEndIndex, "Unable to activate file stream assembler for " + assembler.FileLocation + "/" + assembler.Filename));
}
}
else if (assembler.IsActive)
{
assembler.AddData(response.GetFileData(), tcpPacket.SequenceNumber);
}
}
/* Removed 2011-04-25
* if(!assembler.IsActive) {//see if the file is fully assembled or if something else went wrong...
* smbSession.RemoveLastReferencedAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId);
* }
* */
}
}
}
}
