/// <summary>
/// Adds a top-level tree node for a newly observed TCP stream. The node's key is the
/// stream's HashCode, its caption is the dump file's name, and its Tag is the recon object
/// so later clicks can get back to the stream.
/// </summary>
/// <param name="recon">Reassembly state for the stream that just appeared.</param>
public void NewStream(TcpRecon recon)
{
    string caption = Path.GetFileName(recon.dumpFile);
    TreeNode streamNode = tv.Nodes.Add(recon.HashCode, caption);
    streamNode.Tag = recon;
    tv.Refresh();
}
/// <summary>
/// Handles a click on a tree node. Releases whatever data the previously selected block
/// had loaded, makes sure the node's dump file is loaded (read-only) in the hex editor,
/// and for a DataBlock node scrolls to and selects the block's byte range before
/// refreshing the detail tabs.
/// </summary>
/// <param name="n">
/// The clicked node. Its Tag is a TcpRecon for a stream node; any other node is expected
/// to carry a DataBlock (the cast below throws otherwise).
/// </param>
private void TvNodeClick(TreeNode n)
{
    bool viewOnly = true; // dump files are only ever opened read-only in the hex editor

    // Drop the previously selected block's buffered data before switching.
    if (curdb != null)
    {
        curdb.FreeData();
        curdb = null;
    }

    TcpRecon stream = n.Tag as TcpRecon;
    if (stream != null)
    {
        if (he.LoadedFile != stream.dumpFile)
        {
            he.LoadFile(ref stream.dumpFile, ref viewOnly);
        }
        return;
    }

    DataBlock block = (DataBlock)n.Tag;
    curdb = block;
    if (he.LoadedFile != block.recon.dumpFile)
    {
        he.LoadFile(ref block.recon.dumpFile, ref viewOnly);
    }
    he.scrollTo(block.startOffset);
    he.set_SelStart(ref block.startOffset);
    he.set_SelLength(ref block.length);
    tabs_SelectedIndexChanged(null, null);
}
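/// <summary>
/// Emits a DataBlock covering the bytes written to the stream's dump file since the last
/// block was emitted, stamps it with the current packet's capture time, and hands it to the
/// UI thread via NewNode. Callers invoke this when a stream's sending side changes (the
/// previous direction's data is then complete) or when the stream is complete.
/// </summary>
/// <param name="recon">Stream whose pending byte range becomes a block.</param>
private void AddNewNode(TcpRecon recon)
{
    // DataBlock takes int offsets, so the recon's offsets are narrowed here; a dump file
    // larger than 2 GB would wrap. Pre-existing limit — TODO confirm the offset type.
    int startAt = (int)recon.LastSavedOffset;
    // A finished stream is flushed up to its current write position; an active one only up
    // to the end of the previous packet, so an in-progress packet is never split.
    int endAt = recon.isComplete ? (int)recon.CurrentOffset : (int)recon.PreviousPacketEndOffset;

    DataBlock db = new DataBlock(recon.dumpFile, startAt, endAt - startAt, recon);

    // Timeval.MicroSeconds is the fractional part of the second in microseconds (0..999999),
    // so it must be zero-padded to six digits: seconds=12, micro=5 is "12.000005", not "12.5"
    // as the old "Seconds + '.' + MicroSeconds" concatenation produced. Invariant culture
    // keeps '.' as the separator so consumers can decimal.Parse it under any UI locale.
    db.EpochTimeStamp = curPacketTime.Seconds.ToString(System.Globalization.CultureInfo.InvariantCulture)
        + "."
        + curPacketTime.MicroSeconds.ToString("D6", System.Globalization.CultureInfo.InvariantCulture);

    owner.Invoke(NewNode, db);
    recon.LastSavedOffset = recon.PreviousPacketEndOffset;
}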
/// <summary>
/// Describes one contiguous byte range [start, start + len) inside a stream's dump file.
/// </summary>
/// <param name="pFile">Path of the dump file the block lives in.</param>
/// <param name="start">Byte offset of the block within the file.</param>
/// <param name="len">Length of the block in bytes.</param>
/// <param name="pRecon">The stream reassembly object this block belongs to.</param>
public DataBlock(string pFile, int start, int len, TcpRecon pRecon)
{
    recon = pRecon;
    parentFile = pFile;
    startOffset = start;
    length = len;
    // Exclusive end offset, derived from the two values above rather than passed in.
    endOffset = startOffset + length;
}
/// <summary>
/// Adds a top-level tree node for a newly observed TCP stream, keyed by the stream's
/// HashCode and captioned by getParentNodeName; the node's Tag holds the recon object.
/// </summary>
/// <param name="recon">Reassembly state for the stream that just appeared.</param>
public void NewStream(TcpRecon recon)
{
    string caption = getParentNodeName(recon);
    TreeNode streamNode = tv.Nodes.Add(recon.HashCode, caption);
    streamNode.Tag = recon;
    tv.Refresh();
}
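// The callback function for the SharpPcap library (older Packet-typed API).
/// <summary>
/// Routes each captured packet: UDP goes to HandleDNS, anything that is not TCP is
/// dropped, and TCP segments are fed to their per-connection TcpRecon. The first segment
/// of a connection creates the recon, its dump file name, the endpoint entries in ips and
/// the stream's tree node. When reassembly writes data and the sending port differs from
/// the last one seen, the previous direction's bytes are emitted via AddNewNode.
/// </summary>
/// <param name="sender">The capture device (unused).</param>
/// <param name="packet">The decoded packet delivered by SharpPcap.</param>
private void device_PcapOnPacketArrival(object sender, Packet packet)
{
    if (packet is UDPPacket)
    {
        HandleDNS(packet);
        return;
    }
    TCPPacket tcpPacket = packet as TCPPacket;
    if (tcpPacket == null)
    {
        return;
    }

    Connection c = new Connection(tcpPacket);
    TcpRecon recon;
    // One dictionary lookup instead of ContainsKey followed by the indexer.
    if (!sharpPcapDict.TryGetValue(c, out recon))
    {
        // NOTE(review): generateFileName builds the dump file name from packet fields
        // (untrusted input) and is not visible here — confirm it can only yield a plain
        // file name inside outDir. The dictionary also grows by one entry per connection
        // seen, with no eviction, so a hostile capture can grow it without bound.
        c.generateFileName(outDir);
        recon = new TcpRecon(c.fileName);
        recon.LastSourcePort = tcpPacket.SourcePort;
        sharpPcapDict.Add(c, recon);

        string[] endpoints = new string[]
        {
            "tcp: " + tcpPacket.DestinationAddress,
            "tcp: " + tcpPacket.SourceAddress,
        };
        foreach (string endpoint in endpoints)
        {
            if (!IPExists(endpoint))
            {
                ips.Add(endpoint);
            }
        }

        owner.Invoke(NewStream, recon);
    }

    // The reassembler copes with fragments and out-of-order segments itself.
    recon.ReassemblePacket(tcpPacket);
    // PacketWritten is set only when reassembly flushed complete data on this call; a change
    // of sending port then means the previous direction is complete, so emit it.
    if (recon.PacketWritten && recon.LastSourcePort != tcpPacket.SourcePort)
    {
        AddNewNode(recon);
        recon.LastSourcePort = tcpPacket.SourcePort;
    }
}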
/// <summary>
/// Packages the bytes written to the stream's dump file since the last emitted block into a
/// DataBlock, posts it to the UI thread through NewNode, then advances LastSavedOffset.
/// </summary>
/// <param name="recon">Stream whose pending byte range is emitted.</param>
private void AddNewNode(TcpRecon recon)
{
    // Offsets are narrowed to int because that is what DataBlock accepts.
    int blockStart = (int)recon.LastSavedOffset;
    // A finished stream is flushed up to its current write position; an active one only up
    // to the end of the previous packet, so an in-progress packet is never split.
    int blockEnd = recon.isComplete ? (int)recon.CurrentOffset : (int)recon.PreviousPacketEndOffset;
    int blockLength = blockEnd - blockStart;

    DataBlock block = new DataBlock(recon.dumpFile, blockStart, blockLength, recon);
    owner.Invoke(NewNode, block);
    recon.LastSavedOffset = recon.PreviousPacketEndOffset;
}
//#region reconManager callbacks
/// <summary>
/// Builds the tree caption for a stream from its dump file's name by delegating to the
/// string-taking overload of getParentNodeName (defined elsewhere).
/// </summary>
/// <param name="recon">Stream whose dump file name is used for the caption.</param>
/// <returns>The caption produced by the string overload.</returns>
private string getParentNodeName(TcpRecon recon)
{
    return getParentNodeName(Path.GetFileName(recon.dumpFile));
}
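// The callback function for the SharpPcap library
/// <summary>
/// Per-packet capture callback. Parses the raw frame with PacketDotNet, records the capture's
/// time base on the first parsed packet, hands UDP to HandleDNS, and feeds TCP segments to
/// their per-connection TcpRecon. The first segment of a connection creates the recon, its
/// dump file name, its timestamps, the endpoint entries in ips and the stream's tree node.
/// When reassembly writes data and the sending port differs from the last one seen, the
/// previous direction's bytes are emitted via AddNewNode.
/// </summary>
/// <param name="sender">The capture device (unused).</param>
/// <param name="e">The raw packet with its link-layer type and capture timestamp.</param>
private void device_PcapOnPacketArrival(object sender, CaptureEventArgs e)
{
    Packet packet;
    try
    {
        packet = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
    }
    catch (Exception)
    {
        // Best effort: frames PacketDotNet cannot parse are skipped rather than aborting the
        // capture ("raw packet not implemented" has been observed here).
        return;
    }

    // Timeval.MicroSeconds is the fractional part of the second in microseconds (0..999999).
    // Computing the decimal directly replaces the old "Seconds + '.' + MicroSeconds" string,
    // which lost the zero padding (12 s + 5 us parsed as 12.5) and failed under locales that
    // use ',' as the decimal separator.
    decimal packetTime = e.Packet.Timeval.Seconds + (e.Packet.Timeval.MicroSeconds / 1000000m);
    if (firstTimeStamp == 0)
    {
        firstTimeStamp = packetTime;
    }
    totalPackets++;

    UdpPacket udpPacket = (UdpPacket)packet.Extract(typeof(UdpPacket));
    if (udpPacket != null)
    {
        HandleDNS(udpPacket);
        return;
    }

    IpPacket ipPacket = (IpPacket)packet.Extract(typeof(IpPacket));
    TcpPacket tcpPacket = (TcpPacket)packet.Extract(typeof(TcpPacket));
    // The IP header supplies the reassembler's endpoints below, so a TCP segment without a
    // parent IP packet is dropped instead of dereferencing null.
    if (tcpPacket == null || ipPacket == null)
    {
        return;
    }
    totalTCPPackets++;

    // IPAddress.Address (used below for ReassemblePacket) is the obsolete IPv4-only accessor
    // and throws for IPv6, which would abort the callback after a recon and tree node had
    // already been created; skip IPv6 TCP explicitly instead.
    if (ipPacket.SourceAddress.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork
        || ipPacket.DestinationAddress.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork)
    {
        return;
    }

    Connection c = new Connection(tcpPacket);
    curPacket = tcpPacket;
    curPacketTime = e.Packet.Timeval;

    TcpRecon recon;
    // One dictionary lookup instead of ContainsKey followed by the indexer.
    if (!sharpPcapDict.TryGetValue(c, out recon))
    {
        // NOTE(review): generateFileName builds the dump file name from packet fields
        // (untrusted input) and is not visible here — confirm it can only yield a plain
        // file name inside outDir. The dictionary also grows by one entry per connection
        // seen, with no eviction, so a hostile capture can grow it without bound.
        c.generateFileName(outDir);
        recon = new TcpRecon(c.fileName);
        recon.LastSourcePort = tcpPacket.SourcePort;
        // Zero-padded and culture-invariant so the string round-trips through decimal.Parse.
        recon.StreamStartTimeStamp = e.Packet.Timeval.Seconds.ToString(System.Globalization.CultureInfo.InvariantCulture)
            + "."
            + e.Packet.Timeval.MicroSeconds.ToString("D6", System.Globalization.CultureInfo.InvariantCulture);
        recon.relativeTimeStamp = (packetTime - firstTimeStamp).ToString(System.Globalization.CultureInfo.InvariantCulture);
        sharpPcapDict.Add(c, recon);

        string[] endpoints = new string[]
        {
            "tcp: " + ipPacket.DestinationAddress,
            "tcp: " + ipPacket.SourceAddress,
        };
        foreach (string endpoint in endpoints)
        {
            if (!IPExists(endpoint))
            {
                ips.Add(endpoint);
            }
        }

        owner.Invoke(NewStream, recon);
    }

    // The reassembler copes with fragments and out-of-order segments itself.
    recon.ReassemblePacket(ipPacket.SourceAddress.Address, ipPacket.DestinationAddress.Address, tcpPacket, e.Packet.Timeval);
    // PacketWritten is set only when reassembly flushed complete data on this call; a change
    // of sending port then means the previous direction is complete, so emit it.
    if (recon.PacketWritten && recon.LastSourcePort != tcpPacket.SourcePort)
    {
        AddNewNode(recon);
        recon.LastSourcePort = tcpPacket.SourcePort;
    }
}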
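/// <summary>
/// Script entry point. Prompts for a C2 address substring, then for every stream whose dump
/// file name contains it, passes each raw-binary DataBlock to decode and hex-dumps the
/// result into decoder_x_output.txt next to the loaded pcap, finally reporting how many
/// blocks were decoded.
/// </summary>
/// <param name="component">
/// Host component; its Parent is the main form (tree view, progress bars, pcap path box).
/// </param>
public void Run(IScriptableComponent component)
{
    int streamIndex = 0, blockIndex = 0, hits = 0;
    Form1 f = component.Parent;

    string C2 = f.InputBox("Enter the C2 IP to decode data for (can be partial string but be unique)", "Set C2", "");
    if (C2.Length == 0)
    {
        return;
    }

    // Path.GetDirectoryName throws for an empty path and returns null for a root; in the
    // latter case the old string concatenation produced "\decoder_x_output.txt" and wrote
    // the report to the root of the current drive. Refuse to run instead.
    string pcapPath = f.txtPcap.Text;
    string pDir = string.IsNullOrEmpty(pcapPath) ? null : Path.GetDirectoryName(pcapPath);
    if (string.IsNullOrEmpty(pDir))
    {
        MessageBox.Show("Load a pcap first so the report can be saved next to it.");
        return;
    }
    string rep = Path.Combine(pDir, "decoder_x_output.txt");

    // CreateText truncates any previous report; the using block guarantees the file is
    // flushed and closed even if decoding throws part way through.
    using (StreamWriter w = File.CreateText(rep))
    {
        try
        {
            foreach (TreeNode n in f.tv.Nodes)
            {
                streamIndex++;
                blockIndex = 0;
                f.setpb(streamIndex, f.tv.Nodes.Count, 1);

                // Top-level nodes carry the stream. Both endpoint IPs are embedded in the dump
                // file name; recon.Client[Address|Port] / recon.Server[Address|Port] also exist.
                TcpRecon recon = (TcpRecon)n.Tag;
                // string.Contains is an ordinal match, unlike the culture-sensitive IndexOf(string).
                if (!recon.dumpFile.Contains(C2))
                {
                    continue;
                }

                foreach (TreeNode nn in n.Nodes)
                {
                    blockIndex++;
                    f.setpb(blockIndex, n.Nodes.Count, 2);
                    DataBlock db = (DataBlock)nn.Tag;
                    w.WriteLine(n.Text + " : " + nn.Text + "\r\n------------------------------------------------");
                    if (!db.LoadData())
                    {
                        w.WriteLine("Failed to load data...\r\n");
                        continue;
                    }

                    // This example only processes raw binary transfers (no HTTP). To handle an
                    // HTTP request instead, take db.GetBinaryBody() when
                    // db.DataType == DataBlock.DataTypes.dtHttpReq. DataBlock source/dest
                    // addresses and ports are set per packet, so finer filters are possible,
                    // e.g. client requests to server port 9000:
                    //   db.SourceAddress == recon.ClientAddress && db.DestPort == 9000
                    byte[] buf = null;
                    if (db.DataType == DataBlock.DataTypes.dtBinary)
                    {
                        buf = db.data;
                    }

                    if (buf != null && buf.Length > 0)
                    {
                        hits++;
                        decode(buf);
                        w.WriteLine(HexDumper.HexDump(buf));
                        w.WriteLine("\r\n");
                    }
                    db.FreeData();
                }
            }
        }
        finally
        {
            // Reset the progress bars even if decoding threw.
            f.pb.Value = 0;
            f.pb2.Value = 0;
        }
    }

    if (hits > 0)
    {
        MessageBox.Show(hits.ToString() + " packets decoded.\nSaved as: " + rep);
    }
    else
    {
        MessageBox.Show("No binary data packets found from the C2 you entered: " + C2);
    }
}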