public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
Packets.OscarPacket oscarPacket = null;
Packets.TcpPacket tcpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.OscarPacket))
{
oscarPacket = (Packets.OscarPacket)p;
}
else if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
}
if (oscarPacket != null && tcpPacket != null)
{
if (oscarPacket.ImText != null)
{
base.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(ApplicationLayerProtocol.Oscar, sourceHost, destinationHost, oscarPacket.ParentFrame.FrameNumber, oscarPacket.ParentFrame.Timestamp, oscarPacket.SourceLoginId, oscarPacket.DestinationLoginId, oscarPacket.ImText, oscarPacket.ImText, oscarPacket.Attributes));
}
return(oscarPacket.BytesParsed);
}
return(0);
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
bool successfulExtraction = false;
Packets.CifsPacket.AbstractSmbCommand smbCommandPacket = null;
Packets.TcpPacket tcpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType().IsSubclassOf(typeof(Packets.CifsPacket.AbstractSmbCommand)))
{
smbCommandPacket = (Packets.CifsPacket.AbstractSmbCommand)p;
}
else if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
}
if (tcpPacket != null && smbCommandPacket != null)
{
successfulExtraction = true;
ExtractSmbData(sourceHost, destinationHost, tcpPacket, smbCommandPacket, base.MainPacketHandler);
}
if (successfulExtraction)
{
//return tcpPacket.PayloadDataLength;
return(0);//changed 2011-04-25 since the NetBiosSessionServicePacketHandler will return the # parsed bytes anyway.
}
else
{
return(0);
}
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<PacketParser.Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
/*
* NetworkHost sourceHost, destinationHost;
* if (transferIsClientToServer) {
* sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
* destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
* }
* else {
* sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
* destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
* }*/
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.SshPacket))
{
Packets.SshPacket sshPacket = (Packets.SshPacket)p;
tcpSession.Flow.FiveTuple.ClientHost.AddNumberedExtraDetail("SSH Version", sshPacket.SshVersion);
tcpSession.Flow.FiveTuple.ClientHost.AddNumberedExtraDetail("SSH Application", sshPacket.SshApplication);
return(p.PacketLength);
}
}
return(0);
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<PacketParser.Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.SpotifyKeyExchangePacket))
{
Packets.SpotifyKeyExchangePacket spotifyPacket = (Packets.SpotifyKeyExchangePacket)p;
if (spotifyPacket.IsClientToServer)
{
if (!tcpSession.ClientHost.ExtraDetailsList.ContainsKey("Spotify application OS"))
{
tcpSession.ClientHost.ExtraDetailsList.Add("Spotify application OS", spotifyPacket.ClientOperatingSystem);
}
NetworkCredential nc = new NetworkCredential(tcpSession.ClientHost, tcpSession.ServerHost, spotifyPacket.PacketTypeDescription, spotifyPacket.ClientUsername, spotifyPacket.ParentFrame.Timestamp);
nc.Password = "******" + spotifyPacket.PublicKeyHexString;
base.MainPacketHandler.AddCredential(nc);
}
else
{
NetworkCredential nc = new NetworkCredential(tcpSession.ClientHost, tcpSession.ServerHost, spotifyPacket.PacketTypeDescription, spotifyPacket.ClientUsername, spotifyPacket.ParentFrame.Timestamp);
nc.Password = "******" + spotifyPacket.PublicKeyHexString;
base.MainPacketHandler.AddCredential(nc);
}
//this function will always return true for spotify packets since I don't want to cache a lot of packets!
return(spotifyPacket.PacketLength);
}
}
return(0);
}
private int ExtractEmail(NetworkTcpSession tcpSession, TcpPacket tcpPacket, int emailStartIndex, int length)
{
Utils.StreamReassembler reassembler;
if (this.emailReassemblers.ContainsKey(tcpSession))
{
reassembler = this.emailReassemblers[tcpSession];
}
else
{
reassembler = new Utils.StreamReassembler(Pop3Packet.MULTILINE_RESPONSE_TERMINATOR, 2);//include the first 2 bytes of the terminator to get a CR-LF at the end of the extracted data
this.emailReassemblers.Add(tcpSession, reassembler);
}
//add all data after the POP3 response header (after +OK or +ERR)
int addedBytes = reassembler.AddData(tcpPacket.ParentFrame.Data, emailStartIndex, length);
if (reassembler.TerminatorFound)
{
//I'm assuming the email is going from server to client
Mime.Email email = new Mime.Email(reassembler.DataStream, base.MainPacketHandler, tcpPacket, false, tcpSession, ApplicationLayerProtocol.Pop3, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.source);
//remove the last command since we don't wanna reassemble any more for this RETR command
if (this.pop3LastCommand.ContainsKey(tcpSession))
{
this.pop3LastCommand.Remove(tcpSession);
}
this.emailReassemblers.Remove(tcpSession);
}
return(addedBytes);
}
internal FileSegmentAssembler(string fileOutputDirectory, NetworkTcpSession networkTcpSession, bool transferIsClientToServer, string filePath, string uniqueFileId, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, PopularityList <string, PacketParser.FileTransfer.FileSegmentAssembler> parentAssemblerList, FileStreamTypes fileStreamType, string details, string serverHostname)
: this(fileOutputDirectory, filePath, uniqueFileId, fileStreamAssemblerList, parentAssemblerList, fileStreamType, details, serverHostname)
{
//this.fileOutputDirectory = fileOutputDirectory;
//this.networkTcpSession = networkTcpSession;
this.fiveTuple = networkTcpSession.Flow.FiveTuple;
this.transferIsClientToServer = transferIsClientToServer;
/*
* if (this.fileTransferIsServerToClient) {
* this.sourceHost = networkTcpSession.ServerHost;
* this.destinationHost = networkTcpSession.ClientHost;
* this.sourcePort = networkTcpSession.ServerTcpPort;
* this.destinationPort = networkTcpSession.ClientTcpPort;
* }
* else {
* this.sourceHost = networkTcpSession.ClientHost;
* this.destinationHost = networkTcpSession.ServerHost;
* this.sourcePort = networkTcpSession.ClientTcpPort;
* this.destinationPort = networkTcpSession.ServerTcpPort;
* }*/
/*
* this.filePath = filePath;
* this.uniqueFileId = uniqueFileId;
* this.parentAssemblerList = parentAssemblerList;
* this.fileStreamAssemblerList = fileStreamAssemblerList;
* this.fileStreamType = fileStreamType;
* this.details = details;
*/
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
bool successfulExtraction = false;
/*
* Packets.TlsRecordPacket tlsRecordPacket=null;
* Packets.TcpPacket tcpPacket=null;
* foreach(Packets.AbstractPacket p in packetList) {
* if(p.GetType()==typeof(Packets.TlsRecordPacket))
* tlsRecordPacket=(Packets.TlsRecordPacket)p;
* else if(p.GetType()==typeof(Packets.TcpPacket))
* tcpPacket=(Packets.TcpPacket)p;
* }
* */
Packets.TcpPacket tcpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
}
int parsedBytes = 0;
if (tcpPacket != null)
{
//there might be several TlsRecordPackets in an SSL packet
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.TlsRecordPacket))
{
Packets.TlsRecordPacket tlsRecordPacket = (Packets.TlsRecordPacket)p;
if (tlsRecordPacket.TlsRecordIsComplete)
{
ExtractTlsRecordData(tlsRecordPacket, tcpPacket, sourceHost, destinationHost, base.MainPacketHandler);
successfulExtraction = true;
parsedBytes += tlsRecordPacket.Length + 5;
}
else if (tlsRecordPacket.Length > 4000)//it should have been complete, so just skip it... there is no point in reassembling it any more
{
successfulExtraction = true;
parsedBytes = tcpPacket.PayloadDataLength;
}
}
}
}
if (successfulExtraction)
{
return(parsedBytes);
//return tcpPacket.PayloadDataLength;
}
else
{
return(0);
}
}
internal FileSegmentAssembler(string fileOutputDirectory, NetworkTcpSession networkTcpSession, bool transferIsClientToServer, string filePath, string uniqueFileId, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, PopularityList <string, PacketParser.FileTransfer.FileSegmentAssembler> parentAssemblerList, FileStreamTypes fileStreamType, string details, string serverHostname)
: this(fileOutputDirectory, filePath, uniqueFileId, fileStreamAssemblerList, parentAssemblerList, fileStreamType, details, serverHostname)
{
//this.fileOutputDirectory = fileOutputDirectory;
//this.networkTcpSession = networkTcpSession;
this.fiveTuple = networkTcpSession.Flow.FiveTuple;
this.transferIsClientToServer = transferIsClientToServer;
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
/*
* NetworkHost sourceHost, destinationHost;
* if (transferIsClientToServer) {
* sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
* destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
* }
* else {
* sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
* destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
* }*/
bool successfulExtraction = false;
Packets.HttpPacket httpPacket = null;
Packets.TcpPacket tcpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.HttpPacket))
{
httpPacket = (Packets.HttpPacket)p;
}
else if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
}
if (httpPacket != null && tcpPacket != null)
{
if (httpPacket.PacketHeaderIsComplete)
{
//check if it is a POST and content length is small
if (httpPacket.RequestMethod != Packets.HttpPacket.RequestMethods.POST || httpPacket.ContentLength > 4096 /* used to be 1024*/ || httpPacket.ContentIsComplete())
{
successfulExtraction = ExtractHttpData(httpPacket, tcpPacket, tcpSession.Flow.FiveTuple, transferIsClientToServer, base.MainPacketHandler);
//successfulExtraction=true;
}
if (base.MainPacketHandler.ExtraHttpPacketHandler != null)
{
base.MainPacketHandler.ExtraHttpPacketHandler.ExtractHttpData(httpPacket, tcpPacket, tcpSession.Flow.FiveTuple, transferIsClientToServer, base.MainPacketHandler);
}
}
}
if (successfulExtraction)
{
return(httpPacket.PacketLength);
//return tcpPacket.PayloadDataLength;
}
else
{
return(0);
}
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
Packets.OscarFileTransferPacket oscarFileTransferPacket = null;
Packets.TcpPacket tcpPacket = null;
int parsedByteCount = 0;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.OscarFileTransferPacket))
{
oscarFileTransferPacket = (Packets.OscarFileTransferPacket)p;
}
else if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
}
if (oscarFileTransferPacket != null && tcpPacket != null)
{
parsedByteCount = oscarFileTransferPacket.ParsedBytesCount;
if (oscarFileTransferPacket.Type == PacketParser.Packets.OscarFileTransferPacket.CommandType.SendRequest)
{
//see if there is an old assembler that needs to be removed
if (base.MainPacketHandler.FileStreamAssemblerList.ContainsAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true))
{
FileTransfer.FileStreamAssembler oldAssembler = base.MainPacketHandler.FileStreamAssemblerList.GetAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true);
base.MainPacketHandler.FileStreamAssemblerList.Remove(oldAssembler, true);
}
FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(base.MainPacketHandler.FileStreamAssemblerList, sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true, FileTransfer.FileStreamTypes.OscarFileTransfer, oscarFileTransferPacket.FileName, "", (int)oscarFileTransferPacket.TotalFileSize, (int)oscarFileTransferPacket.TotalFileSize, oscarFileTransferPacket.FileName, "", oscarFileTransferPacket.ParentFrame.FrameNumber, oscarFileTransferPacket.ParentFrame.Timestamp);
//assembler.SetRemainingBytesInFile((int)oscarFileTransferPacket.TotalFileSize);
base.MainPacketHandler.FileStreamAssemblerList.Add(assembler);
}
else if (oscarFileTransferPacket.Type == PacketParser.Packets.OscarFileTransferPacket.CommandType.ReceiveAccept)
{
if (base.MainPacketHandler.FileStreamAssemblerList.ContainsAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true))
{
FileTransfer.FileStreamAssembler assembler = base.MainPacketHandler.FileStreamAssemblerList.GetAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true);
if (assembler != null)
{
assembler.TryActivate();
}
}
}
else if (oscarFileTransferPacket.Type == PacketParser.Packets.OscarFileTransferPacket.CommandType.TransferComplete)
{
//remove assembler from destination to client
if (base.MainPacketHandler.FileStreamAssemblerList.ContainsAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true))
{
FileTransfer.FileStreamAssembler oldAssembler = base.MainPacketHandler.FileStreamAssemblerList.GetAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true);
base.MainPacketHandler.FileStreamAssemblerList.Remove(oldAssembler, true);
}
}
}
return(parsedByteCount);
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
foreach (Packets.AbstractPacket p in packetList)
{
if (this.unusedPacketTypes.Contains(p.GetType()))
{
return(p.ParentFrame.Data.Length);//it is OK to return larger values than the parsed # bytes as long as there aren't additional trailing packets to parse at the end of the data
}
}
return(0);
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
int returnValue = 0;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.TabularDataStreamPacket))
{
returnValue = ExtractData(tcpSession, sourceHost, destinationHost, (Packets.TabularDataStreamPacket)p);
}
}
return(returnValue);
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
int returnValue = 0;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.ModbusTcpPacket))
{
returnValue = ExtractData(tcpSession, transferIsClientToServer, (Packets.ModbusTcpPacket)p);
}
}
return(returnValue);
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
int bytesParsed = 0;
foreach (Packets.AbstractPacket p in packetList)
{
//if(p.GetType().IsSubclassOf(typeof(Packets.NetBiosSessionService)))
if (p.GetType() == typeof(Packets.NetBiosSessionService))
{
bytesParsed += ((Packets.NetBiosSessionService)p).ParsedBytesCount;
}
}
return(bytesParsed);
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
int bytesParsed = 0;
foreach (Packets.AbstractPacket p in packetList)
{
//if(p.GetType().IsSubclassOf(typeof(Packets.NetBiosSessionService)))
if (p.GetType() == typeof(Packets.NetBiosSessionService))
{
bytesParsed += ((Packets.NetBiosSessionService)p).ParsedBytesCount;
}
}
return(bytesParsed);
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
/*
* NetworkHost sourceHost, destinationHost;
* if (transferIsClientToServer) {
* sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
* destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
* }
* else {
* sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
* destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
* }*/
System.Collections.Specialized.NameValueCollection parms = new System.Collections.Specialized.NameValueCollection();
Packets.RdpPacket.Cookie rdpCookiePacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
//if (p is Packets.IIPPacket)
// ipPacket = (Packets.IIPPacket)p;
if (p.GetType() == typeof(Packets.RdpPacket.Cookie))
{
rdpCookiePacket = (Packets.RdpPacket.Cookie)p;
if (rdpCookiePacket.RoutingCookie != null && rdpCookiePacket.RoutingCookie.Length > 0)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(tcpSession.ClientHost, tcpSession.ServerHost, "RDP Cookie", rdpCookiePacket.RoutingCookie, "", rdpCookiePacket.ParentFrame.Timestamp));
if (rdpCookiePacket.RoutingCookie.Contains("="))
{
string[] parts = rdpCookiePacket.RoutingCookie.Split('=');
if (parts.Length > 1)
{
string pn = parts[0].Trim();
string pv = parts[1].Trim();
if (pn.Length > 0 && pv.Length > 0)
{
parms.Add(pn, pv);
}
}
}
}
}
}
if (parms.Count > 0 && rdpCookiePacket != null)
{
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(rdpCookiePacket.ParentFrame.FrameNumber, tcpSession.Flow.FiveTuple, transferIsClientToServer, parms, rdpCookiePacket.ParentFrame.Timestamp, "RDP Cookie"));
}
return(0);//these bytes should already have been accounted for by the generic handler for TPKT
}
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <AbstractPacket> packetList)
{
//throw new NotImplementedException();
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = tcpSession.ClientHost;
destinationHost = tcpSession.ServerHost;
}
else
{
sourceHost = tcpSession.ServerHost;
destinationHost = tcpSession.ClientHost;
}
return(this.ExtractData(sourceHost, destinationHost, packetList));
}
private FileTransfer.FileSegmentAssembler GetOrCreateAssembler(NetworkTcpSession tcpSession, bool fileTransferIsClientToServer, Guid fileId, OP_CODE smb2Command)
{
string uniqueFileId = GetUniqueGuid(tcpSession, fileId);
FileTransfer.FileSegmentAssembler assembler = null;
if (!this.fileSegmentAssemblerList.ContainsKey(uniqueFileId))
{
if (this.fileIdFilenameMap.ContainsKey(uniqueFileId))
{
assembler = new FileTransfer.FileSegmentAssembler(this.fileOutputDirectory, tcpSession, fileTransferIsClientToServer, this.fileIdFilenameMap[uniqueFileId], uniqueFileId, base.MainPacketHandler.FileStreamAssemblerList, this.fileSegmentAssemblerList, FileTransfer.FileStreamTypes.SMB2, "SMB2 " + Enum.GetName(typeof(OP_CODE), smb2Command) + " " + fileId.ToString() + " \"" + this.fileIdFilenameMap[uniqueFileId] + "\"", null);
this.fileSegmentAssemblerList.Add(uniqueFileId, assembler);
}
}
else
{
assembler = this.fileSegmentAssemblerList[uniqueFileId];
}
return(assembler);
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.SshPacket))
{
Packets.SshPacket sshPacket = (Packets.SshPacket)p;
if (!sourceHost.ExtraDetailsList.ContainsKey("SSH Version"))
{
sourceHost.ExtraDetailsList.Add("SSH Version", sshPacket.SshVersion);
}
if (!sourceHost.ExtraDetailsList.ContainsKey("SSH Application"))
{
sourceHost.ExtraDetailsList.Add("SSH Application", sshPacket.SshApplication);
}
return(p.PacketLength);
}
}
return(0);
}
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
bool successfulExtraction = false;
Packets.HttpPacket httpPacket = null;
Packets.TcpPacket tcpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.HttpPacket))
{
httpPacket = (Packets.HttpPacket)p;
}
else if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
}
if (httpPacket != null && tcpPacket != null)
{
if (httpPacket.PacketHeaderIsComplete)
{
//check if it is a POST and content length is small
if (httpPacket.RequestMethod != Packets.HttpPacket.RequestMethods.POST || httpPacket.ContentLength > 4096 /* used to be 1024*/ || httpPacket.ContentIsComplete())
{
successfulExtraction = ExtractHttpData(httpPacket, tcpPacket, sourceHost, destinationHost, base.MainPacketHandler);
//successfulExtraction=true;
}
}
}
if (successfulExtraction)
{
return(tcpPacket.PayloadDataLength);
}
else
{
return(0);
}
}
private void updateCredential(NetworkCredential cred, NetworkTcpSession session)
{
if (this.pop3Credentials.ContainsKey(session))
{
NetworkCredential oldCred = this.pop3Credentials[session];
//check to see which credential is best
if (oldCred.Username.Equals(cred.Username, StringComparison.InvariantCultureIgnoreCase))
{
if (oldCred.Password == null || oldCred.Password.Length <= 0)
{
oldCred.Password = cred.Password;
}
}
else if (cred.Username.Contains("@") && cred.Username.Contains(".") && !oldCred.Username.Contains("@") && !oldCred.Username.Contains("."))
{
this.pop3Credentials[session] = cred;
}
}
else
{
this.pop3Credentials.Add(session, cred);
}
}
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <AbstractPacket> packetList)
{
int parsedBytes = 0;
foreach (DnsPacket dp in packetList.OfType <DnsPacket>())
{
parsedBytes += dp.PacketLength;
}
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = tcpSession.ClientHost;
destinationHost = tcpSession.ServerHost;
}
else
{
sourceHost = tcpSession.ServerHost;
destinationHost = tcpSession.ClientHost;
}
this.ExtractData(ref sourceHost, destinationHost, packetList);
return(parsedBytes);
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
/*
* NetworkHost sourceHost, destinationHost;
* if (transferIsClientToServer) {
* sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
* destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
* }
* else {
* sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
* destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
* }*/
bool successfulExtraction = false;
Packets.TcpPacket tcpPacket = null;
List <Packets.AbstractPacket> packets = new List <Packets.AbstractPacket>(packetList);
foreach (Packets.AbstractPacket p in packets)
{
if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
}
//there can be multiple SMB2 commands in the same NetBiosSessionServicePacket
foreach (Packets.AbstractPacket p in packets)
{
if (p.GetType().IsSubclassOf(typeof(Packets.SmbPacket.AbstractSmbCommand)))
{
ExtractSmbData(tcpSession, transferIsClientToServer, tcpPacket, (Packets.SmbPacket.AbstractSmbCommand)p, base.MainPacketHandler);
}
}
return(0);//NetBiosSessionServicePacketHandler will return the # parsed bytes anyway.
}
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
Packets.OscarPacket oscarPacket = null;
Packets.TcpPacket tcpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.OscarPacket))
{
oscarPacket = (Packets.OscarPacket)p;
}
else if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
}
if (oscarPacket != null && tcpPacket != null)
{
if (oscarPacket.ImText != null)
{
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
}
else
{
sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
}
base.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(ApplicationLayerProtocol.Oscar, sourceHost, destinationHost, oscarPacket.ParentFrame.FrameNumber, oscarPacket.ParentFrame.Timestamp, oscarPacket.SourceLoginId, oscarPacket.DestinationLoginId, oscarPacket.ImText, oscarPacket.ImText, Encoding.Default, oscarPacket.Attributes, oscarPacket.PacketLength));
}
return(oscarPacket.BytesParsed);
}
return(0);
}
// public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
T shimPacket = null;
Frame originalFrame = null;
SortedList <int, Packets.AbstractPacket> sortedPacketList = new SortedList <int, AbstractPacket>();
foreach (Packets.AbstractPacket p in packetList)
{
if (shimPacket != null)
{
sortedPacketList.Add(p.PacketStartIndex, p);
}
if (originalFrame == null)
{
originalFrame = p.ParentFrame;
}
if (p.GetType() == typeof(T))
{
shimPacket = (T)p;
}
}
if (shimPacket != null && originalFrame != null)
{
if (sortedPacketList.Count > 0)
{
Frame innerFrame = originalFrame.CloneWithPacketList(sortedPacketList);
base.MainPacketHandler.ParseFrame(innerFrame);
}
return(shimPacket.ParsedBytesCount);
}
else
{
return(0);
}
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
/*
* NetworkHost sourceHost, destinationHost;
* if (transferIsClientToServer) {
* sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
* destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
* }
* else {
* sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
* destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
* }*/
Packets.TcpPacket tcpPacket = null;
Packets.FtpPacket ftpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.TcpPacket))
{
tcpPacket = (Packets.TcpPacket)p;
}
else if (p.GetType() == typeof(Packets.FtpPacket))
{
ftpPacket = (Packets.FtpPacket)p;
}
}
FtpSession ftpSession = null;//we can only have one FtpSession per packet...
//bool returnValue=false;
int parsedBytes = 0;
if (tcpSession.SynPacketReceived && tcpSession.SynAckPacketReceived)
{
//start by checking if this is an incoming file transfer through FTP
if (!tcpSession.SessionEstablished)
{
//we now have an upcoming session
//see if it matches the pending FTP data sessions
if (this.pendingFileTransferList.ContainsKey(PendingFileTransfer.GetKey(tcpSession.ClientHost, tcpSession.ClientTcpPort, tcpSession.ServerHost, tcpSession.ServerTcpPort)))
{
PendingFileTransfer pending = this.pendingFileTransferList[PendingFileTransfer.GetKey(tcpSession.ClientHost, tcpSession.ClientTcpPort, tcpSession.ServerHost, tcpSession.ServerTcpPort)];
pending.FileTransferSessionEstablished = true;
ftpSession = pending.FtpControlSession;
//returnValue=true;//we managed to get some data out of this!
parsedBytes = tcpPacket.PayloadDataLength;
}
//see if the client port was unknown
else if (this.pendingFileTransferList.ContainsKey(PendingFileTransfer.GetKey(tcpSession.ClientHost, null, tcpSession.ServerHost, tcpSession.ServerTcpPort)))
{
PendingFileTransfer pending = this.pendingFileTransferList[PendingFileTransfer.GetKey(tcpSession.ClientHost, null, tcpSession.ServerHost, tcpSession.ServerTcpPort)];
this.pendingFileTransferList.Remove(pending.GetKey());
pending.DataSessionClientPort = tcpSession.ClientTcpPort;//the Key will now be changed!
pending.FileTransferSessionEstablished = true;
this.pendingFileTransferList.Add(pending.GetKey(), pending);
ftpSession = pending.FtpControlSession;
//returnValue=true;
parsedBytes = tcpPacket.PayloadDataLength;
}
}//end check for new FTP DATA sessions
else if (tcpPacket != null && tcpPacket.FlagBits.Fin)
{
//check if there is an FTP data session being closed
if (this.MainPacketHandler.FileStreamAssemblerList.ContainsAssembler(tcpSession.Flow.FiveTuple, transferIsClientToServer, true, PacketParser.FileTransfer.FileStreamTypes.FTP))
{
PacketParser.FileTransfer.FileStreamAssembler assembler = this.MainPacketHandler.FileStreamAssemblerList.GetAssembler(tcpSession.Flow.FiveTuple, transferIsClientToServer);
if (assembler.FileContentLength == -1 && assembler.FileSegmentRemainingBytes == -1)
{
//TODO: see if all data has been received or if the FIN arrived before the final data packet
assembler.FinishAssembling();
}
}
}
}
if (ftpPacket != null && tcpPacket != null)
{
//returnValue=true;
parsedBytes = ftpPacket.PacketLength;
if (ftpSessionList.ContainsKey(tcpSession))
{
ftpSession = ftpSessionList[tcpSession];
}
else
{
ftpSession = new FtpSession(tcpSession.ClientHost, tcpSession.ServerHost);
this.ftpSessionList.Add(tcpSession, ftpSession);
}
/*
* NetworkHost sourceHost, destinationHost;
* if (transferIsClientToServer) {
* sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
* destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
* }
* else {
* sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
* destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
* }
*/
if (ftpPacket.ClientToServer)
{
if (ftpPacket.RequestCommand != null)
{
if (ftpPacket.RequestArgument != null)
{
System.Collections.Specialized.NameValueCollection tmpCol = new System.Collections.Specialized.NameValueCollection();
tmpCol.Add(ftpPacket.RequestCommand, ftpPacket.RequestArgument);
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(ftpPacket.ParentFrame.FrameNumber, tcpSession.Flow.FiveTuple, transferIsClientToServer, tmpCol, ftpPacket.ParentFrame.Timestamp, "FTP Request"));
}
if (ftpPacket.RequestCommand.ToUpper() == "USER")//username
{
ftpSession.Username = ftpPacket.RequestArgument;
}
else if (ftpPacket.RequestCommand.ToUpper() == "PASS")//password
{
ftpSession.Password = ftpPacket.RequestArgument;
if (ftpSession.Username != null && ftpSession.Password != null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(tcpSession.ClientHost, tcpSession.ServerHost, ftpPacket.PacketTypeDescription, ftpSession.Username, ftpSession.Password, ftpPacket.ParentFrame.Timestamp));
}
}
else if (ftpPacket.RequestCommand.ToUpper() == "PORT")
{
ushort clientListeningOnPort;
if (TryGetPort(ftpPacket.RequestArgument, out clientListeningOnPort))
{
//ftpSession.ActiveMode=true;
//ftpSession.ClientDataListenerTcpPort=this.GetPort(ftpPacket.RequestArgument);
//ftpSession.PendingFileTransfer=new PendingFileTransfer(ftpSession.ServerHost, (ushort)20, ftpSession.ClientHost, clientListeningOnPort, false, ftpSession);
ftpSession.PendingFileTransfer = new PendingFileTransfer(ftpSession.ServerHost, null, ftpSession.ClientHost, clientListeningOnPort, false, ftpSession);
if (this.pendingFileTransferList.ContainsKey(ftpSession.PendingFileTransfer.GetKey()))
{
this.pendingFileTransferList.Remove(ftpSession.PendingFileTransfer.GetKey());
}
this.pendingFileTransferList.Add(ftpSession.PendingFileTransfer.GetKey(), ftpSession.PendingFileTransfer);
}
}
else if (ftpPacket.RequestCommand.ToUpper() == "STOR")//file upload (client -> server)
//set filename and file direction
{
if (ftpSession.PendingFileTransfer != null)
{
ftpSession.PendingFileTransfer.Filename = ftpPacket.RequestArgument;
ftpSession.PendingFileTransfer.FileDirectionIsDataSessionServerToDataSessionClient = !ftpSession.PendingFileTransfer.DataSessionIsPassive;
ftpSession.PendingFileTransfer.Details = ftpPacket.RequestCommand + " " + ftpPacket.RequestArgument;
}
else
{
//ftpPacket.ParentFrame.Errors.Add(new Frame.Error(ftpPacket.ParentFrame, ftpPacket.PacketStartIndex, ftpPacket.PacketEndIndex, "STOR command without a pending ftp data session"));
this.MainPacketHandler.OnAnomalyDetected("STOR command without a pending ftp data session. Frame: " + ftpPacket.ParentFrame.ToString(), ftpPacket.ParentFrame.Timestamp);
//System.Diagnostics.Debugger.Break();//this should not occur!
}
}
else if (ftpPacket.RequestCommand.ToUpper() == "RETR")//file download (server -> client)
{
if (ftpSession.PendingFileTransfer != null)
{
ftpSession.PendingFileTransfer.Filename = ftpPacket.RequestArgument;
ftpSession.PendingFileTransfer.FileDirectionIsDataSessionServerToDataSessionClient = ftpSession.PendingFileTransfer.DataSessionIsPassive;
ftpSession.PendingFileTransfer.Details = ftpPacket.RequestCommand + " " + ftpPacket.RequestArgument;
}
else
{
//System.Diagnostics.Debugger.Break();//this should not iccur
//ftpPacket.ParentFrame.Errors.Add(new Frame.Error(ftpPacket.ParentFrame, ftpPacket.PacketStartIndex, ftpPacket.PacketEndIndex, "RETR command without a pending ftp data session"));
this.MainPacketHandler.OnAnomalyDetected("RETR command without a pending ftp data session. Frame: " + ftpPacket.ParentFrame.ToString(), ftpPacket.ParentFrame.Timestamp);
}
}
else if (ftpPacket.RequestCommand.ToUpper() == "SIZE")
{
ftpSession.PendingSizeRequestFileName = ftpPacket.RequestArgument;
}
}
}
else //server to client packet
{
if (ftpPacket.ResponseCode != 0 && ftpPacket.ResponseArgument != null)
{
System.Collections.Specialized.NameValueCollection tmpCol = new System.Collections.Specialized.NameValueCollection();
tmpCol.Add(ftpPacket.ResponseCode.ToString(), ftpPacket.ResponseArgument);
MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(ftpPacket.ParentFrame.FrameNumber, tcpSession.Flow.FiveTuple, transferIsClientToServer, tmpCol, ftpPacket.ParentFrame.Timestamp, "FTP Response"));
//look for an FTP banner
if (ftpPacket.ResponseCode == 220 && ftpPacket.ResponseArgument.ToLower().Contains("ftp"))
{
tcpSession.Flow.FiveTuple.ServerHost.AddFtpServerBanner(ftpPacket.ResponseArgument, tcpPacket.SourcePort);
}
}
if (ftpPacket.ResponseCode == 213 && ftpSession.PendingSizeRequestFileName != null)//File size response
{
int fileSize;
if (Int32.TryParse(ftpPacket.ResponseArgument, out fileSize))
{
ftpSession.FileSizes[ftpSession.PendingSizeRequestFileName] = fileSize;
}
//ftpSession.FileSizes.Add(ftpSession.PendingSizeRequestFileName, fileSize);
ftpSession.PendingSizeRequestFileName = null;
}
if (ftpPacket.ResponseCode == 226)//File receive OK
//close file stream assembler?
{
}
else if (ftpPacket.ResponseCode == 227) //Entering Passive Mode - Response to client "PASV" command
//From: http://cr.yp.to/ftp/retr.html
//Many servers put different strings before h1 and after p2.
//I recommend that clients use the following strategy to parse the
//response line: look for the first digit after the initial space;
//look for the fourth comma after that digit; read two (possibly negative)
//integers, separated by a comma; the TCP port number is p1*256+p2,
//where p1 is the first integer modulo 256 and p2 is the second integer
//modulo 256.
//it is probably simpler to do this with RegEx, but this is simple enough so I wont bother with RegEx for now...
{
char[] digits = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' };
string ipAndPort = ftpPacket.ResponseArgument.Substring(ftpPacket.ResponseArgument.IndexOfAny(digits));
//string ipAndPort=ftpPacket.ResponseArgument.Substring(ftpPacket.ResponseArgument.IndexOf('(')+1);
ipAndPort = ipAndPort.Substring(0, ipAndPort.LastIndexOfAny(digits) + 1);
//ipAndPort=ipAndPort.Substring(0, ipAndPort.IndexOf(')'));
ushort serverListeningOnPort;
if (this.TryGetPort(ipAndPort, out serverListeningOnPort))
{
ftpSession.PendingFileTransfer = new PendingFileTransfer(ftpSession.ClientHost, null, ftpSession.ServerHost, serverListeningOnPort, true, ftpSession);
if (this.pendingFileTransferList.ContainsKey(ftpSession.PendingFileTransfer.GetKey()))
{
this.pendingFileTransferList.Remove(ftpSession.PendingFileTransfer.GetKey());
}
this.pendingFileTransferList.Add(ftpSession.PendingFileTransfer.GetKey(), ftpSession.PendingFileTransfer);
}
}
else if (ftpPacket.ResponseCode == 230)//Login successful
//ftpSession.=ftpPacket.RequestArgument;
{
if (ftpSession.Username != null && ftpSession.Password != null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(tcpSession.ClientHost, tcpSession.ServerHost, ftpPacket.PacketTypeDescription, ftpSession.Username, ftpSession.Password, true, ftpPacket.ParentFrame.Timestamp));
}
}
else if (ftpPacket.ResponseCode == 234) //server response to an 'AUTH TLS' command rfc4217 and rfc2228
/**
* If the server is willing to accept the named security mechanism,
* and does not require any security data, it must respond with reply
* code 234.
**/
//Unfortunately we haven't stored the request, so we can't know if the client was asking for TLS or some other security measure
{
if (ftpPacket.ResponseArgument.Contains("TLS") || ftpPacket.ResponseArgument.Contains("SSL"))
{
tcpSession.ProtocolFinder.SetConfirmedApplicationLayerProtocol(ApplicationLayerProtocol.Ssl, false);
}
}
}//end server to client
}
if (ftpSession != null && ftpSession.PendingFileTransfer != null)
{
//I guess returnValue is already set to true by now, but I'll do it again just to be sure...
if (parsedBytes == 0)
{
parsedBytes = tcpPacket.PayloadDataLength;
}
//returnValue=true;
PendingFileTransfer pending = ftpSession.PendingFileTransfer;
//see if the pending file transfer could be transformed into a real file stream assembler
if (pending.FileTransferSessionEstablished && pending.FileDirectionIsDataSessionServerToDataSessionClient != null && pending.DataSessionClientPort != null)
{
//Server->Client ?
FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation fileAssemblyLocation;
if ((ftpSession.ServerHost == pending.DataSessionServer) == pending.FileDirectionIsDataSessionServerToDataSessionClient.Value)
{
fileAssemblyLocation = FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.source;
}
else
{
fileAssemblyLocation = FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.destination;
}
FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, pending.GetFiveTuple(), !pending.FileDirectionIsDataSessionServerToDataSessionClient.Value, FileTransfer.FileStreamTypes.FTP, pending.Filename, "/", pending.Details, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, fileAssemblyLocation);
string fileCompletePath = "";
if (assembler.Filename != null && assembler.FileLocation != null)
{
fileCompletePath = assembler.FileLocation + "/" + assembler.Filename;
}
if (ftpSession.FileSizes.ContainsKey(fileCompletePath))
{
assembler.FileContentLength = ftpSession.FileSizes[fileCompletePath];
assembler.FileSegmentRemainingBytes = ftpSession.FileSizes[fileCompletePath];
}
else
{
//-1 is set instead of null if Content-Length is not defined
assembler.FileContentLength = -1;
assembler.FileSegmentRemainingBytes = -1;
}
if (assembler.TryActivate())
{
MainPacketHandler.FileStreamAssemblerList.Add(assembler);
}
//assembler.Activate();
//the file transfer is no longer pending since the assembler is started!
pendingFileTransferList.Remove(pending.GetKey());
ftpSession.PendingFileTransfer = null;
}
}
return(parsedBytes);
}
private int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, Packets.ModbusTcpPacket modbusPacket)
{
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
}
else
{
sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
}
foreach (string anomaly in modbusPacket.Anomalies)
{
base.MainPacketHandler.OnAnomalyDetected(anomaly + " (frame " + modbusPacket.ParentFrame.FrameNumber + ")", modbusPacket.ParentFrame.Timestamp);
}
System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
//parameters.Add("Transaction ID", modbusPacket.TransactionID.ToString());
StringBuilder pName = new StringBuilder();
if (modbusPacket.IsResponse)
{
pName.Append("RSP ");
}
else
{
pName.Append("QRY ");
}
pName.Append("sa:" + modbusPacket.SlaveAddress.ToString().PadRight(4));
pName.Append("fc:" + modbusPacket.FunctionCode.ToString() + " (" + modbusPacket.FunctionCodeName.ToString() + ")");
if (modbusPacket.IsResponse)
{
if (modbusPacket.ModbusMessage == null)
{
parameters.Add(pName.ToString(), "");
}
else
{
parameters.Add(pName.ToString(), modbusPacket.ModbusMessage.ToString());
}
}
else //QUERY
{
if (modbusPacket.ModbusMessage == null)
{
parameters.Add(pName.ToString(), "UNKNOWN");
}
/*else if (modbusPacket.FunctionCode == (byte)Packets.ModbusTcpPacket.FunctionCodeEnum.WriteSingleCoil) {
* Packets.ModbusTcpPacket.WriteSingleCoilQueryOrResponse writeQuery = new Packets.ModbusTcpPacket.WriteSingleCoilQueryOrResponse(modbusPacket.StartingAddress.Value, modbusPacket.NRegistersToRead.Value);
* parameters.Add(pName.ToString(), writeQuery.ToString());
* }*/
else
{
parameters.Add(pName.ToString(), modbusPacket.ModbusMessage.ToString());
}
}
ushort sourcePort = 0;
ushort destinationPort = 0;
if (tcpSession.ClientHost.IPAddress.Equals(tcpSession.ServerHost.IPAddress))
{
//special case if src IP == dst IP
foreach (Packets.AbstractPacket packet in modbusPacket.ParentFrame.PacketList)
{
if (packet is Packets.TcpPacket)
{
Packets.TcpPacket tcpPacket = packet as Packets.TcpPacket;
sourcePort = tcpPacket.SourcePort;
destinationPort = tcpPacket.DestinationPort;
}
}
}
else if (tcpSession.ClientHost.IPAddress.Equals(sourceHost.IPAddress))
{
sourcePort = tcpSession.ClientTcpPort;
destinationPort = tcpSession.ServerTcpPort;
}
else
{
sourcePort = tcpSession.ServerTcpPort;
destinationPort = tcpSession.ClientTcpPort;
}
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(modbusPacket.ParentFrame.FrameNumber, tcpSession.Flow.FiveTuple, transferIsClientToServer, parameters, modbusPacket.ParentFrame.Timestamp, "Modbus/TCP Transaction ID: " + modbusPacket.TransactionID.ToString()));
return(Math.Min(modbusPacket.Length + 6, modbusPacket.PacketLength));
}
private void ExtractSmbData(NetworkTcpSession tcpSession, bool transferIsClientToServer, Packets.TcpPacket tcpPacket, Packets.SmbPacket.AbstractSmbCommand smbCommandPacket, PacketHandler mainPacketHandler)
{
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
}
else
{
sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
}
string smbSessionId;
if (smbCommandPacket.ParentCifsPacket.FlagsResponse)
{
smbSessionId = SmbSession.GetSmbSessionId(sourceHost.IPAddress, tcpPacket.SourcePort, destinationHost.IPAddress, tcpPacket.DestinationPort);
}
else
{
smbSessionId = SmbSession.GetSmbSessionId(destinationHost.IPAddress, tcpPacket.DestinationPort, sourceHost.IPAddress, tcpPacket.SourcePort);
}
if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.NegotiateProtocolRequest))
{
Packets.SmbPacket.NegotiateProtocolRequest request = (Packets.SmbPacket.NegotiateProtocolRequest)smbCommandPacket;
sourceHost.AcceptedSmbDialectsList = request.DialectList;
}
else if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.NegotiateProtocolResponse))
{
Packets.SmbPacket.NegotiateProtocolResponse reply = (Packets.SmbPacket.NegotiateProtocolResponse)smbCommandPacket;
if (destinationHost.AcceptedSmbDialectsList != null && destinationHost.AcceptedSmbDialectsList.Count > reply.DialectIndex)
{
sourceHost.PreferredSmbDialect = destinationHost.AcceptedSmbDialectsList[reply.DialectIndex];
}
//sourceHost.ExtraDetailsList.Add("Preferred SMB dialect", destinationHost.AcceptedSmbDialectsList[reply.DialectIndex]);
}
else if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.TreeConnectAndXRequest))
{
Packets.SmbPacket.TreeConnectAndXRequest request = (Packets.SmbPacket.TreeConnectAndXRequest)smbCommandPacket;
if (request.ShareName != null && request.ShareName.Length > 0)
{
destinationHost.AddNumberedExtraDetail("SMB File Share", request.ShareName);
System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
parameters.Add("SMB Tree Connect AndX Request " + request.ParentCifsPacket.MultiplexId.ToString(), request.ShareName);
mainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(smbCommandPacket.ParentFrame.FrameNumber, tcpSession.Flow.FiveTuple, transferIsClientToServer, parameters, smbCommandPacket.ParentFrame.Timestamp, "SMB Tree Connect AndX Request"));
SmbSession smbSession;
if (this.smbSessionPopularityList.ContainsKey(smbSessionId))
{
smbSession = this.smbSessionPopularityList[smbSessionId];
}
else
{
smbSession = new SmbSession(destinationHost.IPAddress, tcpPacket.DestinationPort, sourceHost.IPAddress, tcpPacket.SourcePort);
this.smbSessionPopularityList.Add(smbSessionId, smbSession);
}
smbSession.AddTreeConnectAndXRequestPath(smbCommandPacket.ParentCifsPacket.UserId, smbCommandPacket.ParentCifsPacket.MultiplexId, request.ShareName);
}
}
else if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.TreeConnectAndXResponse))
{
SmbSession smbSession;
if (this.smbSessionPopularityList.ContainsKey(smbSessionId))
{
smbSession = this.smbSessionPopularityList[smbSessionId];
}
else
{
smbSession = new SmbSession(sourceHost.IPAddress, tcpPacket.SourcePort, destinationHost.IPAddress, tcpPacket.DestinationPort);
this.smbSessionPopularityList.Add(smbSessionId, smbSession);
}
smbSession.StoreTreeConnectAndXRequestPathForTree(smbCommandPacket.ParentCifsPacket.UserId, smbCommandPacket.ParentCifsPacket.MultiplexId, smbCommandPacket.ParentCifsPacket.TreeId);
}
else if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.SetupAndXRequest))
{
Packets.SmbPacket.SetupAndXRequest request = (Packets.SmbPacket.SetupAndXRequest)smbCommandPacket;
if (request.NativeLanManager != null && request.NativeLanManager.Length > 0)
{
if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native LAN Manager"))
{
sourceHost.ExtraDetailsList["SMB Native LAN Manager"] = request.NativeLanManager;
}
else
{
sourceHost.ExtraDetailsList.Add("SMB Native LAN Manager", request.NativeLanManager);
}
}
if (request.NativeOs != null && request.NativeOs.Length > 0)
{
if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native OS"))
{
sourceHost.ExtraDetailsList["SMB Native OS"] = request.NativeOs;
}
else
{
sourceHost.ExtraDetailsList.Add("SMB Native OS", request.NativeOs);
}
}
if (request.PrimaryDomain != null && request.PrimaryDomain.Length > 0)
{
sourceHost.AddDomainName(request.PrimaryDomain);
}
if (request.AccountName != null && request.AccountName.Length > 0)
{
NetworkCredential nCredential = new NetworkCredential(sourceHost, destinationHost, smbCommandPacket.PacketTypeDescription, request.AccountName, request.ParentFrame.Timestamp);
if (request.AccountPassword != null && request.AccountPassword.Length > 0)
{
nCredential.Password = request.AccountPassword;
}
mainPacketHandler.AddCredential(nCredential);
}
}
else if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.SetupAndXResponse))
{
Packets.SmbPacket.SetupAndXResponse response = (Packets.SmbPacket.SetupAndXResponse)smbCommandPacket;
if (response.NativeLanManager != null && response.NativeLanManager.Length > 0)
{
if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native LAN Manager"))
{
sourceHost.ExtraDetailsList["SMB Native LAN Manager"] = response.NativeLanManager;
}
else
{
sourceHost.ExtraDetailsList.Add("SMB Native LAN Manager", response.NativeLanManager);
}
}
if (response.NativeOs != null && response.NativeOs.Length > 0)
{
if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native OS"))
{
sourceHost.ExtraDetailsList["SMB Native OS"] = response.NativeOs;
}
else
{
sourceHost.ExtraDetailsList.Add("SMB Native OS", response.NativeOs);
}
}
}
else if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.NTCreateAndXRequest))
{
Packets.SmbPacket.NTCreateAndXRequest request = (Packets.SmbPacket.NTCreateAndXRequest)smbCommandPacket;
string filename, filePath;
if (request.Filename.EndsWith("\0"))
{
filename = request.Filename.Remove(request.Filename.Length - 1);
}
else
{
filename = request.Filename;
}
//print raw filename on parameters tab
System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
parameters.Add("SMB NT Create AndX Request " + request.ParentCifsPacket.MultiplexId.ToString(), filename);
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(request.ParentFrame.FrameNumber, tcpSession.Flow.FiveTuple, transferIsClientToServer, parameters, request.ParentFrame.Timestamp, "SMB NTCreateAndXRequest"));
SmbSession smbSession;
if (this.smbSessionPopularityList.ContainsKey(smbSessionId))
{
smbSession = this.smbSessionPopularityList[smbSessionId];
}
else
{
smbSession = new SmbSession(destinationHost.IPAddress, tcpPacket.DestinationPort, sourceHost.IPAddress, tcpPacket.SourcePort);
this.smbSessionPopularityList.Add(smbSessionId, smbSession);
}
string treePath = smbSession.GetPathForTree(smbCommandPacket.ParentCifsPacket.TreeId);
if (treePath == null)
{
filePath = "";
}
else
{
filePath = treePath + System.IO.Path.DirectorySeparatorChar;
}
if (System.IO.Path.DirectorySeparatorChar != '\\' && filename.Contains("\\"))
{
filename.Replace('\\', System.IO.Path.DirectorySeparatorChar);
}
if (filename.Contains(System.IO.Path.DirectorySeparatorChar.ToString()))
{
filePath += filename.Substring(0, filename.LastIndexOf(System.IO.Path.DirectorySeparatorChar.ToString()));
filename = filename.Substring(filename.LastIndexOf(System.IO.Path.DirectorySeparatorChar.ToString()) + 1);
}
else
{
filePath += System.IO.Path.DirectorySeparatorChar.ToString();
}
try {
FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, tcpSession.Flow.FiveTuple, !transferIsClientToServer, FileTransfer.FileStreamTypes.SMB, filename, filePath, filePath + filename, smbCommandPacket.ParentFrame.FrameNumber, smbCommandPacket.ParentFrame.Timestamp);
smbSession.AddFileStreamAssembler(assembler, request.ParentCifsPacket.TreeId, request.ParentCifsPacket.MultiplexId, request.ParentCifsPacket.ProcessId);
}
catch (Exception e) {
MainPacketHandler.OnAnomalyDetected("Error creating assembler for SMB file transfer: " + e.Message);
}
}
//else if(!smbCommandPacket.ParentCifsPacket.FlagsResponse && mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true)) {
else if (!smbCommandPacket.ParentCifsPacket.FlagsResponse && this.smbSessionPopularityList.ContainsKey(smbSessionId))
{
//Request
if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.CloseRequest) && smbSessionPopularityList.ContainsKey(smbSessionId))
{
SmbSession smbSession = this.smbSessionPopularityList[smbSessionId];
Packets.SmbPacket.CloseRequest closeRequest = (Packets.SmbPacket.CloseRequest)smbCommandPacket;
ushort fileId = closeRequest.FileId;
//FileTransfer.FileStreamAssembler assemblerToClose;
if (smbSession.ContainsFileId(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId))
{
FileTransfer.FileStreamAssembler assemblerToClose = smbSession.GetFileStreamAssembler(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId);
if (assemblerToClose != null && assemblerToClose.AssembledByteCount >= assemblerToClose.FileContentLength)
{
assemblerToClose.FinishAssembling();
}
FileTransfer.FileSegmentAssembler segmentAssemblerToClose = smbSession.GetFileSegmentAssembler(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId);
if (segmentAssemblerToClose != null)
{
segmentAssemblerToClose.Close();
}
smbSession.RemoveFileStreamAssembler(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId, false);
//TODO: remove the following line (added for debugging purpose 2011-04-25)
//assemblerToClose.FinishAssembling();
if (mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(assemblerToClose))
{
mainPacketHandler.FileStreamAssemblerList.Remove(assemblerToClose, true);
}
else
{
assemblerToClose.Clear();
}
}
}
else if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.ReadAndXRequest) && smbSessionPopularityList.ContainsKey(smbSessionId))
{
SmbSession smbSession = this.smbSessionPopularityList[smbSessionId];
//Packets.CifsPacket.ReadAndXRequest request=this.smbSessionPopularityList[smbSessionId];
Packets.SmbPacket.ReadAndXRequest readRequest = (Packets.SmbPacket.ReadAndXRequest)smbCommandPacket;
ushort fileId = readRequest.FileId;
smbSession.Touch(readRequest.ParentCifsPacket.TreeId, readRequest.ParentCifsPacket.MultiplexId, readRequest.ParentCifsPacket.ProcessId, fileId);
}
else if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.WriteAndXRequest))
{
SmbSession smbSession = this.smbSessionPopularityList[smbSessionId];
Packets.SmbPacket.WriteAndXRequest request = (Packets.SmbPacket.WriteAndXRequest)smbCommandPacket;
FileTransfer.FileSegmentAssembler segmentAssembler = smbSession.GetFileSegmentAssembler(request.ParentCifsPacket.TreeId, request.ParentCifsPacket.MultiplexId, request.ParentCifsPacket.ProcessId, request.FileId);
if (segmentAssembler == null)
{
string outputDir = System.IO.Path.GetDirectoryName(mainPacketHandler.OutputDirectory);
FileTransfer.FileStreamAssembler tmpAssembler = smbSession.GetFileStreamAssembler(request.ParentCifsPacket.TreeId, request.ParentCifsPacket.MultiplexId, request.ParentCifsPacket.ProcessId, request.FileId);
if (tmpAssembler != null)
{
string filePath = tmpAssembler.FileLocation;
if (filePath.Length == 0 || filePath.EndsWith("/"))
{
filePath += tmpAssembler.Filename;
}
else
{
filePath += "/" + tmpAssembler.Filename;
}
segmentAssembler = new FileTransfer.FileSegmentAssembler(outputDir, tcpSession, false, filePath, tcpSession.ToString() + "SMB" + request.FileId.ToString(), mainPacketHandler.FileStreamAssemblerList, null, FileTransfer.FileStreamTypes.SMB, "SMB Write " + tmpAssembler.Details, null);
smbSession.AddFileSegmentAssembler(segmentAssembler, request.FileId);
}
}
if (segmentAssembler != null)
{
segmentAssembler.AddData(request.WriteOffset, request.GetFileData(), request.ParentFrame);
}
}
}
else if (smbCommandPacket.ParentCifsPacket.FlagsResponse && this.smbSessionPopularityList.ContainsKey(smbSessionId))
{
//Response
SmbSession smbSession = this.smbSessionPopularityList[smbSessionId];
//FileTransfer.FileStreamAssembler assembler=mainPacketHandler.FileStreamAssemblerList.GetAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true);
if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.NTCreateAndXResponse))
{
Packets.SmbPacket.NTCreateAndXResponse response = (Packets.SmbPacket.NTCreateAndXResponse)smbCommandPacket;
ushort fileId = response.FileId;
int fileLength = (int)response.EndOfFile;//yes, I know I will not be able to store big files now... but an int as length is really enough!
//tag the requested file with the fileId
FileTransfer.FileStreamAssembler assembler = smbSession.GetLastReferencedFileStreamAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId);
smbSession.RemoveLastReferencedAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId);
if (assembler != null)
{
//Add file ID as extended ID in order to differentiate between parallell file transfers on disk cache
assembler.ExtendedFileId = "Id" + fileId.ToString("X4"); //2011-04-18
smbSession.AddFileStreamAssembler(assembler, response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId, response.FileId);
assembler.FileContentLength = fileLength;
}
}
else if (smbCommandPacket.GetType() == typeof(Packets.SmbPacket.ReadAndXResponse))
{
Packets.SmbPacket.ReadAndXResponse response = (Packets.SmbPacket.ReadAndXResponse)smbCommandPacket;
//move the assembler to the real FileStreamAssemblerList!
FileTransfer.FileStreamAssembler assembler = smbSession.GetLastReferencedFileStreamAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId);
if (assembler == null)
{
base.MainPacketHandler.OnAnomalyDetected("Unable to find assembler for frame " + smbCommandPacket.ParentFrame.FrameNumber + " : " + smbCommandPacket.ToString());
}
else if (assembler != null)
{
/* Removed 2011-04-25
* if(!mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(assembler))
* mainPacketHandler.FileStreamAssemblerList.Add(assembler);
* */
assembler.FileSegmentRemainingBytes += response.DataLength;//setting this one so that it can receive more bytes
if (!assembler.IsActive)
{
System.Diagnostics.Debug.Assert(assembler.ExtendedFileId != null && assembler.ExtendedFileId != "", "No FileID set for SMB file transfer!");
if (!assembler.TryActivate())
{
if (!response.ParentCifsPacket.ParentFrame.QuickParse)
{
response.ParentCifsPacket.ParentFrame.Errors.Add(new Frame.Error(response.ParentCifsPacket.ParentFrame, response.PacketStartIndex, response.PacketEndIndex, "Unable to activate file stream assembler for " + assembler.FileLocation + "/" + assembler.Filename));
}
}
else if (assembler.IsActive)
{
assembler.AddData(response.GetFileData(), tcpPacket.SequenceNumber);
}
}
/* Removed 2011-04-25
* if(!assembler.IsActive) {//see if the file is fully assembled or if something else went wrong...
* smbSession.RemoveLastReferencedAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId);
* }
* */
}
}
}
}
//public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<Packets.AbstractPacket> packetList) {
public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
NetworkHost sourceHost, destinationHost;
if (transferIsClientToServer)
{
sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
}
else
{
sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
}
//bool successfulExtraction=false;
int successfullyExtractedBytes = 0;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.NtlmSspPacket))
{
Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p;
if (ntlmPacket.NtlmChallenge != null)
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge;
}
else
{
ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge);
}
}
if (ntlmPacket.DomainName != null)
{
sourceHost.AddDomainName(ntlmPacket.DomainName);
}
if (ntlmPacket.HostName != null)
{
sourceHost.AddHostName(ntlmPacket.HostName);
}
if (ntlmPacket.UserName != null)
{
if (ntlmPacket.UserName.EndsWith("$")) //hostname
{
sourceHost.AddHostName(ntlmPacket.UserName.TrimEnd(new[] { '$' }));
}
else
{
sourceHost.AddNumberedExtraDetail("NTLM Username ", ntlmPacket.UserName);
}
string lanManagerHashInfo = null;
if (ntlmPacket.LanManagerResponse != null)
{
lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse;
}
if (ntlmPacket.NtlmResponse != null)
{
if (lanManagerHashInfo == null)
{
lanManagerHashInfo = "";
}
else
{
lanManagerHashInfo = lanManagerHashInfo + " - ";
}
lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse;
}
if (lanManagerHashInfo == null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp));
}
else
{
if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode()))
{
lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[tcpSession.GetHashCode()] + " - " + lanManagerHashInfo;
}
if (ntlmPacket.DomainName == null)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
}
else
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.DomainName + "\\" + ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp));
}
}
}
successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed
}
}
return(successfullyExtractedBytes);
}
//used in both SMTP and POP3 for "AUTH PLAIN" and in IMAP for "authenticate plain"
public static NetworkCredential ExtractBase64EncodedAuthPlainCredential(string base64, Frame frame, NetworkTcpSession session, ApplicationLayerProtocol protocol)
{
/**
* https://tools.ietf.org/html/rfc2595
*
* The client sends the authorization identity (identity to
* login as), followed by a US-ASCII NUL character, followed by the
* authentication identity (identity whose password will be used),
* followed by a US-ASCII NUL character, followed by the clear-text
* password. The client may leave the authorization identity empty to
* indicate that it is the same as the authentication identity.
*
* Also, more details here: http://www.fehcom.de/qmail/smtpauth.html
**/
//dGVzdAB0ZXN0AHRlc3RwYXNz => user = test, password = password
byte[] bytes = System.Convert.FromBase64String(base64);
if (bytes.Length > 3 && Array.IndexOf <byte>(bytes, 0, 2) > 0)
{
int firstNullIndex = Array.IndexOf <byte>(bytes, 0);
int secondNullIndex = Array.IndexOf <byte>(bytes, 0, firstNullIndex + 1);
if (firstNullIndex >= 0 && secondNullIndex > 0)
{
string username = ASCIIEncoding.ASCII.GetString(bytes, firstNullIndex + 1, secondNullIndex - firstNullIndex - 1);
string password = ASCIIEncoding.ASCII.GetString(bytes, secondNullIndex + 1, bytes.Length - secondNullIndex - 1);
return(new NetworkCredential(session.ClientHost, session.ServerHost, protocol.ToString(), username, password, frame.Timestamp));
}
}
return(null);
}
