private void ExtractData(Packets.TcpPacket tcpPacket, FiveTuple fiveTuple, bool transferIsClientToServer, Packets.TlsRecordPacket.HandshakePacket handshake) { NetworkHost sourceHost, destinationHost; if (transferIsClientToServer) { sourceHost = fiveTuple.ClientHost; destinationHost = fiveTuple.ServerHost; } else { sourceHost = fiveTuple.ServerHost; destinationHost = fiveTuple.ClientHost; } //foreach (Packets.AbstractPacket p in tlsRecordPacket.GetSubPackets(false)) { // if(p.GetType()==typeof(Packets.TlsRecordPacket.HandshakePacket)) { // Packets.TlsRecordPacket.HandshakePacket handshake=(Packets.TlsRecordPacket.HandshakePacket)p; foreach (var version in handshake.GetSupportedSslVersions()) { //destinationHost.AddHostName(handshake.ServerHostName); System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection { { "TLS Handshake " + Enum.GetName(typeof(Packets.TlsRecordPacket.HandshakePacket.MessageTypes), handshake.MessageType) + " Supported Version", version.Item1.ToString() + "." + version.Item2.ToString() + " (0x" + version.Item1.ToString("x2") + version.Item2.ToString("x2") + ")" } }; base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Handshake")); } if (!String.IsNullOrEmpty(handshake.GetAlpnNextProtocolString())) { //destinationHost.AddHostName(handshake.ServerHostName); System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection { { "TLS ALPN", handshake.GetAlpnNextProtocolString() } }; base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Handshake")); } if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.ClientHello) { if (handshake.ServerHostName != null) { destinationHost.AddHostName(handshake.ServerHostName); System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection(); param.Add("TLS Server Name (SNI)", handshake.ServerHostName); base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Client Hello")); } } else if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.Certificate) { for (int i = 0; i < handshake.CertificateList.Count; i++) { byte[] certificate = handshake.CertificateList[i]; string x509CertSubject; System.Security.Cryptography.X509Certificates.X509Certificate x509Cert = null; try { x509Cert = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate); x509CertSubject = x509Cert.Subject; } catch { x509CertSubject = "Unknown_x509_Certificate_Subject"; x509Cert = null; } if (x509CertSubject.Contains("CN=")) { x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf("CN=") + 3); } else if (x509CertSubject.Contains("=")) { x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf('=') + 1); } if (x509CertSubject.Length > 28) { x509CertSubject = x509CertSubject.Substring(0, 28); } if (x509CertSubject.Contains(",")) { x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.IndexOf(',')); } x509CertSubject.Trim(new char[] { '.', ' ' }); /* * while (x509CertSubject.EndsWith(".") || x509CertSubject.EndsWith(" ")) * x509CertSubject=x509CertSubject.Substring(0, x509CertSubject.Length-1); */ string filename = x509CertSubject + ".cer"; string fileLocation = "/"; string details; if (x509Cert != null) { details = "TLS Certificate: " + x509Cert.Subject; } else { details = "TLS Certificate: Unknown x509 Certificate"; } FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(base.MainPacketHandler.FileStreamAssemblerList, fiveTuple, transferIsClientToServer, FileTransfer.FileStreamTypes.TlsCertificate, filename, fileLocation, certificate.Length, certificate.Length, details, null, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.source); base.MainPacketHandler.FileStreamAssemblerList.Add(assembler); if (i == 0 && x509CertSubject.Contains(".") && !x509CertSubject.Contains("*") && !x509CertSubject.Contains(" ")) { sourceHost.AddHostName(x509CertSubject); } System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection(); //parameters.Add("Certificate Subject", x509Cert.Subject); const string CERTIFICATE_SUBJECT = "Certificate Subject"; this.addParameters(parameters, x509Cert.Subject, CERTIFICATE_SUBJECT); if (i == 0) { //check for CN parameter if (parameters[CERTIFICATE_SUBJECT + " CN"] != null) { foreach (string cn in parameters.GetValues(CERTIFICATE_SUBJECT + " CN")) { sourceHost.AddNumberedExtraDetail("X.509 Certificate Subject CN", cn); if (cn.Contains(".") && !cn.Contains(" ")) { if (cn.Contains("*")) { if (cn.StartsWith("*.")) { sourceHost.AddDomainName(cn.Substring(2)); } } else { sourceHost.AddHostName(cn); } } } } } this.addParameters(parameters, x509Cert.Issuer, "Certificate Issuer"); //parameters.Add("Certificate Issuer", x509Cert.Issuer); parameters.Add("Certificate Hash", x509Cert.GetCertHashString()); parameters.Add("Certificate valid from", x509Cert.GetEffectiveDateString()); parameters.Add("Certificate valid to", x509Cert.GetExpirationDateString()); parameters.Add("Certificate Serial", x509Cert.GetSerialNumberString()); try { System.Security.Cryptography.X509Certificates.X509Certificate2 cert2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate); foreach (var ext in cert2.Extensions) { string fn = ext.Oid.FriendlyName; string oid = ext.Oid.Value; string val = ext.Format(true); System.IO.StringReader sr = new System.IO.StringReader(val); string line = sr.ReadLine(); while (line != null) { parameters.Add(oid + " " + fn, line); if (i == 0 && oid == "2.5.29.17") { sourceHost.AddNumberedExtraDetail("X.509 Certificate " + fn, line); } line = sr.ReadLine(); } } if (cert2.Verify()) { parameters.Add("Certificate valid", "TRUE"); } else { parameters.Add("Certificate valid", "FALSE"); } } catch (Exception) { } base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tcpPacket.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, parameters, tcpPacket.ParentFrame.Timestamp, "X.509 Certificate")); if (assembler.TryActivate()) { assembler.AddData(certificate, tcpPacket.SequenceNumber);//this one should trigger FinnishAssembling() } } } //} //return true; }
private void ExtractTlsRecordData(Packets.TlsRecordPacket tlsRecordPacket, Packets.TcpPacket tcpPacket, NetworkHost sourceHost, NetworkHost destinationHost, PacketHandler mainPacketHandler) { foreach (Packets.AbstractPacket p in tlsRecordPacket.GetSubPackets(false)) { if (p.GetType() == typeof(Packets.TlsRecordPacket.HandshakePacket)) { Packets.TlsRecordPacket.HandshakePacket handshake = (Packets.TlsRecordPacket.HandshakePacket)p; if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.Certificate) { for (int i = 0; i < handshake.CertificateList.Count; i++) { byte[] certificate = handshake.CertificateList[i]; string x509CertSubject; System.Security.Cryptography.X509Certificates.X509Certificate x509Cert = null; try { x509Cert = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate); x509CertSubject = x509Cert.Subject; } catch { x509CertSubject = "Unknown_x509_Certificate_Subject"; x509Cert = null; } if (x509CertSubject.Length > 28) { x509CertSubject = x509CertSubject.Substring(0, 28); } if (x509CertSubject.Contains("=")) { x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf('=') + 1); } if (x509CertSubject.Contains(",")) { x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.IndexOf(',')); } while (x509CertSubject.EndsWith(".") || x509CertSubject.EndsWith(" ")) { x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.Length - 1); } string filename = x509CertSubject + ".cer"; string fileLocation = "/"; string details; if (x509Cert != null) { details = "TLS Certificate: " + x509Cert.Subject; } else { details = "TLS Certificate: Unknown x509 Certificate"; } FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true, FileTransfer.FileStreamTypes.TlsCertificate, filename, fileLocation, certificate.Length, certificate.Length, details, null, tlsRecordPacket.ParentFrame.FrameNumber, tlsRecordPacket.ParentFrame.Timestamp); mainPacketHandler.FileStreamAssemblerList.Add(assembler); if (assembler.TryActivate()) { assembler.AddData(certificate, tcpPacket.SequenceNumber);//this one should trigger FinnishAssembling() } } } } } }