public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList) { bool successfulExtraction = false; /* * Packets.TlsRecordPacket tlsRecordPacket=null; * Packets.TcpPacket tcpPacket=null; * foreach(Packets.AbstractPacket p in packetList) { * if(p.GetType()==typeof(Packets.TlsRecordPacket)) * tlsRecordPacket=(Packets.TlsRecordPacket)p; * else if(p.GetType()==typeof(Packets.TcpPacket)) * tcpPacket=(Packets.TcpPacket)p; * } * */ Packets.TcpPacket tcpPacket = null; foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.TcpPacket)) { tcpPacket = (Packets.TcpPacket)p; } } int parsedBytes = 0; if (tcpPacket != null) { //there might be several TlsRecordPackets in an SSL packet foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.TlsRecordPacket)) { Packets.TlsRecordPacket tlsRecordPacket = (Packets.TlsRecordPacket)p; if (tlsRecordPacket.TlsRecordIsComplete) { ExtractTlsRecordData(tlsRecordPacket, tcpPacket, sourceHost, destinationHost, base.MainPacketHandler); successfulExtraction = true; parsedBytes += tlsRecordPacket.Length + 5; } else if (tlsRecordPacket.Length > 4000)//it should have been complete, so just skip it... there is no point in reassembling it any more { successfulExtraction = true; parsedBytes = tcpPacket.PayloadDataLength; } } } } if (successfulExtraction) { return(parsedBytes); //return tcpPacket.PayloadDataLength; } else { return(0); } }
private void ExtractTlsRecordData(Packets.TlsRecordPacket tlsRecordPacket, Packets.TcpPacket tcpPacket, FiveTuple fiveTuple, bool transferIsClientToServer, PacketHandler mainPacketHandler) { NetworkHost sourceHost, destinationHost; if (transferIsClientToServer) { sourceHost = fiveTuple.ClientHost; destinationHost = fiveTuple.ServerHost; } else { sourceHost = fiveTuple.ServerHost; destinationHost = fiveTuple.ClientHost; } foreach (Packets.AbstractPacket p in tlsRecordPacket.GetSubPackets(false)) { if (p.GetType() == typeof(Packets.TlsRecordPacket.HandshakePacket)) { Packets.TlsRecordPacket.HandshakePacket handshake = (Packets.TlsRecordPacket.HandshakePacket)p; if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.ClientHello) { if (handshake.ServerHostName != null) { destinationHost.AddHostName(handshake.ServerHostName); System.Collections.Specialized.NameValueCollection param = new System.Collections.Specialized.NameValueCollection(); param.Add("TLS Server Name", handshake.ServerHostName); base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(handshake.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, param, handshake.ParentFrame.Timestamp, "TLS Client Hello")); } } else if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.Certificate) { for (int i = 0; i < handshake.CertificateList.Count; i++) { byte[] certificate = handshake.CertificateList[i]; string x509CertSubject; System.Security.Cryptography.X509Certificates.X509Certificate x509Cert = null; try { x509Cert = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate); x509CertSubject = x509Cert.Subject; } catch { x509CertSubject = "Unknown_x509_Certificate_Subject"; x509Cert = null; } if (x509CertSubject.Contains("CN=")) { x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf("CN=") + 3); } else if (x509CertSubject.Contains("=")) { x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf('=') + 1); } if (x509CertSubject.Length > 28) { x509CertSubject = x509CertSubject.Substring(0, 28); } if (x509CertSubject.Contains(",")) { x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.IndexOf(',')); } x509CertSubject.Trim(new char[] { '.', ' ' }); /* * while (x509CertSubject.EndsWith(".") || x509CertSubject.EndsWith(" ")) * x509CertSubject=x509CertSubject.Substring(0, x509CertSubject.Length-1); */ string filename = x509CertSubject + ".cer"; string fileLocation = "/"; string details; if (x509Cert != null) { details = "TLS Certificate: " + x509Cert.Subject; } else { details = "TLS Certificate: Unknown x509 Certificate"; } FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, fiveTuple, transferIsClientToServer, FileTransfer.FileStreamTypes.TlsCertificate, filename, fileLocation, certificate.Length, certificate.Length, details, null, tlsRecordPacket.ParentFrame.FrameNumber, tlsRecordPacket.ParentFrame.Timestamp, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.source); mainPacketHandler.FileStreamAssemblerList.Add(assembler); if (i == 0 && x509CertSubject.Contains(".") && !x509CertSubject.Contains("*") && !x509CertSubject.Contains(" ")) { sourceHost.AddHostName(x509CertSubject); } System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection(); //parameters.Add("Certificate Subject", x509Cert.Subject); const string CERTIFICATE_SUBJECT = "Certificate Subject"; this.addParameters(parameters, x509Cert.Subject, CERTIFICATE_SUBJECT); if (i == 0) { //check for CN parameter if (parameters[CERTIFICATE_SUBJECT + " CN"] != null) { foreach (string cn in parameters.GetValues(CERTIFICATE_SUBJECT + " CN")) { sourceHost.AddNumberedExtraDetail("X.509 Certificate Subject CN", cn); if (cn.Contains(".") && !cn.Contains(" ")) { if (cn.Contains("*")) { if (cn.StartsWith("*.")) { sourceHost.AddDomainName(cn.Substring(2)); } } else { sourceHost.AddHostName(cn); } } } } } this.addParameters(parameters, x509Cert.Issuer, "Certificate Issuer"); //parameters.Add("Certificate Issuer", x509Cert.Issuer); parameters.Add("Certificate Hash", x509Cert.GetCertHashString()); parameters.Add("Certificate valid from", x509Cert.GetEffectiveDateString()); parameters.Add("Certificate valid to", x509Cert.GetExpirationDateString()); parameters.Add("Certificate Serial", x509Cert.GetSerialNumberString()); try { System.Security.Cryptography.X509Certificates.X509Certificate2 cert2 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate); foreach (var ext in cert2.Extensions) { string fn = ext.Oid.FriendlyName; string oid = ext.Oid.Value; string val = ext.Format(true); System.IO.StringReader sr = new System.IO.StringReader(val); string line = sr.ReadLine(); while (line != null) { parameters.Add(oid + " " + fn, line); if (i == 0 && oid == "2.5.29.17") { sourceHost.AddNumberedExtraDetail("X.509 Certificate " + fn, line); } line = sr.ReadLine(); } } if (cert2.Verify()) { parameters.Add("Certificate valid", "TRUE"); } else { parameters.Add("Certificate valid", "FALSE"); } } catch (Exception) { } mainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tlsRecordPacket.ParentFrame.FrameNumber, fiveTuple, transferIsClientToServer, parameters, tlsRecordPacket.ParentFrame.Timestamp, "X.509 Certificate")); if (assembler.TryActivate()) { assembler.AddData(certificate, tcpPacket.SequenceNumber);//this one should trigger FinnishAssembling() } } } } } }
private void ExtractTlsRecordData(Packets.TlsRecordPacket tlsRecordPacket, Packets.TcpPacket tcpPacket, NetworkHost sourceHost, NetworkHost destinationHost, PacketHandler mainPacketHandler) { foreach (Packets.AbstractPacket p in tlsRecordPacket.GetSubPackets(false)) { if (p.GetType() == typeof(Packets.TlsRecordPacket.HandshakePacket)) { Packets.TlsRecordPacket.HandshakePacket handshake = (Packets.TlsRecordPacket.HandshakePacket)p; if (handshake.MessageType == Packets.TlsRecordPacket.HandshakePacket.MessageTypes.Certificate) { for (int i = 0; i < handshake.CertificateList.Count; i++) { byte[] certificate = handshake.CertificateList[i]; string x509CertSubject; System.Security.Cryptography.X509Certificates.X509Certificate x509Cert = null; try { x509Cert = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate); x509CertSubject = x509Cert.Subject; } catch { x509CertSubject = "Unknown_x509_Certificate_Subject"; x509Cert = null; } if (x509CertSubject.Length > 28) { x509CertSubject = x509CertSubject.Substring(0, 28); } if (x509CertSubject.Contains("=")) { x509CertSubject = x509CertSubject.Substring(x509CertSubject.IndexOf('=') + 1); } if (x509CertSubject.Contains(",")) { x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.IndexOf(',')); } while (x509CertSubject.EndsWith(".") || x509CertSubject.EndsWith(" ")) { x509CertSubject = x509CertSubject.Substring(0, x509CertSubject.Length - 1); } string filename = x509CertSubject + ".cer"; string fileLocation = "/"; string details; if (x509Cert != null) { details = "TLS Certificate: " + x509Cert.Subject; } else { details = "TLS Certificate: Unknown x509 Certificate"; } FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true, FileTransfer.FileStreamTypes.TlsCertificate, filename, fileLocation, certificate.Length, certificate.Length, details, null, tlsRecordPacket.ParentFrame.FrameNumber, tlsRecordPacket.ParentFrame.Timestamp); mainPacketHandler.FileStreamAssemblerList.Add(assembler); if (assembler.TryActivate()) { assembler.AddData(certificate, tcpPacket.SequenceNumber);//this one should trigger FinnishAssembling() } } } } } }