Exemplo n.º 1
0
        public void TelnetPasswordParser_ParseTelnetCharModePassword_ParseSuccess()
        {
            // Arrange
            var telnetParser = new PcapAnalyzer.TelnetPasswordParser();
            var session      = new PcapAnalyzer.TcpSession();

            var expected = new PcapAnalyzer.NetworkPassword()
            {
                Username    = "******",
                Password    = "******",
                Destination = "2.2.2.2",
                Source      = "1.1.1.1",
                Protocol    = "Telnet"
            };

            // Mock a session where the user is "us" and the password is "Secret123".
            session.Data = Encoding.ASCII.GetBytes("login:uuss" + Environment.NewLine + "Password:Secret123");
            session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "login:"******"1.1.1.1", "2.2.2.2", 5472, 21, "u"));
            session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "u"));
            session.Packets.Add(mockPacket("1.1.1.1", "2.2.2.2", 5472, 21, "s"));
            session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "s"));
            session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "Password:"******"1.1.1.1", "2.2.2.2", 5472, 21, "Secret123"));
            session.Packets.Add(mockPacket("2.2.2.2", "1.1.1.1", 21, 5472, "some dummy data"));

            // Act.
            PcapAnalyzer.NetworkPassword password = (telnetParser.Parse(session) as PcapAnalyzer.NetworkPassword);

            // Assert.
            Assert.AreEqual(expected, password);
        }
Exemplo n.º 2
0
        public void FtpPasswordParser_ParseFtpPassword_ParseSuccess()
        {
            // Arrange.
            var ftpParsrer = new PcapAnalyzer.FtpPasswordParser();
            var session    = new PcapAnalyzer.TcpSession();

            session.SourceIp      = "1.1.1.1";
            session.DestinationIp = "2.2.2.2";
            session.Data          = Encoding.UTF8.GetBytes(
                @"220 Chris Sanders FTP Server
USER csanders
331 Password required for csanders.
PASS echo
230 User csanders logged in.");

            // Act.
            PcapAnalyzer.NetworkPassword passsword = (ftpParsrer.Parse(session) as PcapAnalyzer.NetworkPassword);

            // Assert.
            Assert.AreEqual("csanders", passsword.Username);
            Assert.AreEqual("echo", passsword.Password);
        }
Exemplo n.º 3
0
        public void NtlmPasswordParser_ParseSmbNTLMv2Session_ParseSuccess()
        {
            // Arrange
            var ntlmParser = new PcapAnalyzer.NtlmsspHashParser();
            var session    = new PcapAnalyzer.TcpSession();

            var serverPacket = new PcapAnalyzer.TcpPacket()
            {
                SourceIp      = "2.2.2.2",
                DestinationIp = "1.1.1.1",
                Data          = new byte[]
                {
                    0x00, 0x00, 0x00, 0xf8, 0xfe, 0x53, 0x4d, 0x42, 0x40, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0xc0,
                    0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x94,
                    0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x48, 0x00, 0xb0, 0x00, 0x4e, 0x54, 0x4c, 0x4d,
                    0x53, 0x53, 0x50, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x38, 0x00, 0x00, 0x00,
                    0x35, 0x02, 0x89, 0xe2, 0x01, 0x15, 0x18, 0x13, 0xd2, 0x89, 0x8c, 0xcd, 0x00, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x70, 0x00, 0x70, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x39, 0x38,
                    0x00, 0x00, 0x00, 0x0f, 0x53, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00, 0x02, 0x00, 0x08, 0x00,
                    0x53, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x57, 0x00, 0x53, 0x00,
                    0x32, 0x00, 0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x04, 0x00, 0x0e, 0x00, 0x73, 0x00, 0x75, 0x00,
                    0x73, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x03, 0x00, 0x1c, 0x00, 0x57, 0x00,
                    0x53, 0x00, 0x32, 0x00, 0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x2e, 0x00, 0x73, 0x00, 0x75, 0x00,
                    0x73, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x05, 0x00, 0x0e, 0x00, 0x73, 0x00,
                    0x75, 0x00, 0x73, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x07, 0x00, 0x08, 0x00,
                    0x8a, 0x8c, 0xe7, 0xa9, 0xf4, 0xce, 0xd2, 0x01, 0x00, 0x00, 0x00, 0x00
                }
            };

            var clientPacket = new PcapAnalyzer.TcpPacket()
            {
                SourceIp      = "1.1.1.1",
                DestinationIp = "2.2.2.2",
                Data          = new byte[]
                {
                    0x00, 0x00, 0x01, 0x68, 0xfe, 0x53, 0x4d, 0x42, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x94,
                    0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0x58, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4e, 0x54, 0x4c, 0x4d,
                    0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
                    0x9c, 0x00, 0x9c, 0x00, 0x40, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0xdc, 0x00, 0x00, 0x00,
                    0x1a, 0x00, 0x1a, 0x00, 0xe4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x00, 0x00, 0x00,
                    0x10, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x35, 0x02, 0x88, 0xe0, 0x39, 0xdb, 0xdb, 0xeb,
                    0x1b, 0xdd, 0x29, 0xb0, 0x7a, 0x5d, 0x20, 0xc8, 0xf8, 0x2f, 0x2c, 0xb7, 0x01, 0x01, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x8a, 0x8c, 0xe7, 0xa9, 0xf4, 0xce, 0xd2, 0x01, 0xe7, 0x96, 0x9a, 0x04,
                    0x87, 0x2c, 0x16, 0x89, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x00, 0x53, 0x00, 0x55, 0x00,
                    0x53, 0x00, 0x45, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x57, 0x00, 0x53, 0x00, 0x32, 0x00, 0x30, 0x00,
                    0x31, 0x00, 0x36, 0x00, 0x04, 0x00, 0x0e, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00, 0x65, 0x00,
                    0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x03, 0x00, 0x1c, 0x00, 0x57, 0x00, 0x53, 0x00, 0x32, 0x00,
                    0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x2e, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00, 0x65, 0x00,
                    0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x05, 0x00, 0x0e, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00,
                    0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x07, 0x00, 0x08, 0x00, 0x8a, 0x8c, 0xe7, 0xa9,
                    0xf4, 0xce, 0xd2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x53, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00,
                    0x61, 0x00, 0x64, 0x00, 0x6d, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00,
                    0x72, 0x00, 0x61, 0x00, 0x74, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x00, 0x00, 0xb2, 0xe8, 0x76, 0x55,
                    0x9c, 0x9c, 0x58, 0xb0, 0x34, 0x4b, 0xd5, 0xa9, 0x9f, 0x8e, 0x98, 0x55
                }
            };

            session.Packets.Add(serverPacket);
            session.Packets.Add(clientPacket);

            // Act.
            var hash = ntlmParser.Parse(session) as PcapAnalyzer.NtlmHash;

            // Assert.
            Assert.AreEqual("NTLMSSP", hash.Protocol);
            Assert.AreEqual("administrator", hash.User);
            Assert.AreEqual("SUSE", hash.Domain);
            Assert.AreEqual(hash.NtHash.Length, 312);
        }
Exemplo n.º 4
0
 public void Analyze(TcpSession tcpSession)
 {
 }
Exemplo n.º 5
0
 public void Analyze(TcpSession tcpSession) => AnalyzeGeneric(tcpSession);
Exemplo n.º 6
0
        public NetworkLayerObject Parse(TcpSession tcpSession)
        {
            NtlmHash ntlmHash    = null;
            var      serverState = NtlmServerState.WaitForChallenge;

            byte[] ntlmMessage = new byte[] { };

            foreach (TcpPacket packet in tcpSession.Packets)
            {
                // Look for server challenge.
                if (serverState == NtlmServerState.WaitForChallenge)
                {
                    int challengeSigniturePos = Utilities.SearchForSubarray(packet.Data, _ntlmChallengeSigniture);

                    if (challengeSigniturePos != -1)
                    {
                        // Get only the NTLM message part.
                        ntlmMessage = packet.Data.Skip(challengeSigniturePos).ToArray();
                        string challenge = ExtractNtlmChallenge(ntlmMessage);

                        ntlmHash = new NtlmHash()
                        {
                            Source      = packet.DestinationIp,
                            Destination = packet.SourceIp,
                            Challenge   = challenge,
                        };

                        serverState = NtlmServerState.WaitForResponse;
                    }
                }
                // Look for client response.
                else if (serverState == NtlmServerState.WaitForResponse && packet.SourceIp == ntlmHash.Source)
                {
                    int responseSigniturePos = Utilities.SearchForSubarray(packet.Data, _ntlmResponseSigniture);

                    if (responseSigniturePos != -1)
                    {
                        // Get only the NTLM message part.
                        ntlmMessage          = packet.Data.Skip(responseSigniturePos).ToArray();
                        ntlmHash.LmHash      = ExtractNtlmsspMessageItem(ntlmMessage, 14, false);
                        ntlmHash.NtHash      = ExtractNtlmsspMessageItem(ntlmMessage, 22, false);
                        ntlmHash.Domain      = ExtractNtlmsspMessageItem(ntlmMessage, 30);
                        ntlmHash.User        = ExtractNtlmsspMessageItem(ntlmMessage, 38);
                        ntlmHash.Workstation = ExtractNtlmsspMessageItem(ntlmMessage, 46);
                        ntlmHash.Protocol    = "NTLMSSP";

                        if (ntlmHash.NtHash.Length == 24)
                        {
                            ntlmHash.HashType = "NTLMv1";
                            ntlmHash.Hash     = ntlmHash.LmHash;
                        }
                        else if (ntlmHash.NtHash.Length > 24)
                        {
                            ntlmHash.HashType = "NTLMv2";
                            ntlmHash.Hash     = ntlmHash.NtHash;
                        }
                    }
                }
            }

            // Verify that we extracted a full hash.
            return(ntlmHash?.Hash == null ? null : ntlmHash);
        }
Exemplo n.º 7
0
 public NetworkLayerObject Parse(TcpSession tcpSession) => null;
 public NetworkCredential Parse(TcpSession tcpSession) => null;
Exemplo n.º 9
0
        // This function extracts Telnet username and password from a Tcp session.
        // Algorithm:
        //  - First check if the session data matches a Regular expression.
        //  - If match, iterate over session packets and manage a state machine
        //    depends on the authentication phase.
        //
        // The algorithm should work on both Line-Mode (RFC 1116) and Character-Mode (the default
        // Telnet mode).
        public NetworkLayerObject Parse(TcpSession tcpSession)
        {
            int             serverPort;
            int             clientPort;
            var             serverIp   = string.Empty;
            var             clientIp   = string.Empty;
            var             password   = string.Empty;
            var             username   = string.Empty;
            var             state      = TelnetServerState.None;
            NetworkPassword credential = null;

            var   sessionData = Encoding.UTF8.GetString(tcpSession.Data);
            Match match       = _telnetPossibleLoginRegex.Match(sessionData);

            if (match.Success)
            {
                foreach (var packet in tcpSession.Packets)
                {
                    // Telnet works with ASCII characters set (known as NVT ASCII).
                    var packetData = Encoding.ASCII.GetString(packet.Data);

                    if (packetData.Contains("login:"******"Password:"******"Telnet",
                            Username    = username,
                            Password    = password,
                            Source      = clientIp,
                            Destination = serverIp
                        };

                        break;
                    }
                }
            }

            return(credential);
        }