示例#1
0
        private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, byte[] data)
        {
            var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data);

            if (kerberosPacket is null)
            {
                return(null);
            }

            if (kerberosPacket is KerberosTgsRepPacket)
            {
                var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket;

                if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23)
                {
                    return(new KerberosTgsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosTgsRepPacket.Ticket.Realm,
                        Etype = 23,
                        Username = kerberosTgsRepPacket.Cname.Name,
                        ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = "UDP",
                        HashType = "Kerberos TGS Rep Etype 23"
                    });
                }
            }

            return(null);
        }
示例#2
0
        private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, string protocol, byte[] data)
        {
            var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data);

            if (kerberosPacket is null)
            {
                return(null);
            }

            // TODO: refactor this boilerplate code
            if (kerberosPacket is KerberosTgsRepPacket)
            {
                var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket;

                if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23)
                {
                    return(new KerberosTgsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosTgsRepPacket.Ticket.Realm,
                        Etype = 23,
                        Username = kerberosTgsRepPacket.Cname.Name,
                        ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = protocol,
                        HashType = "Kerberos V5 TGS-REP etype 23"
                    });
                }
            }
            else if (kerberosPacket is KerberosAsRepPacket)
            {
                var kerberosAsRepPacket = kerberosPacket as KerberosAsRepPacket;

                if (kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 23)
                {
                    return(new KerberosAsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosAsRepPacket.Ticket.Realm,
                        Etype = 23,
                        Username = kerberosAsRepPacket.Cname.Name,
                        ServiceName = kerberosAsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosAsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = protocol,
                        HashType = "Kerberos V5 AS-REP etype 23"
                    });
                }
            }

            return(null);
        }
        private NetworkLayerObject GetKerberosTicketsHash(string source, string destination, string protocol, byte[] data)
        {
            var kerberosPacket = KerberosPacketParser.GetKerberosPacket(data, protocol);

            if (kerberosPacket is null)
            {
                return(null);
            }

            // TODO: use enum for hashes types
            if (kerberosPacket is KerberosTgsRepPacket)
            {
                var kerberosTgsRepPacket = kerberosPacket as KerberosTgsRepPacket;

                if (kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 23 || kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 18 || kerberosTgsRepPacket.Ticket.EncrytedPart.Etype == 17)
                {
                    return(new KerberosTgsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosTgsRepPacket.Ticket.Realm,
                        Etype = kerberosTgsRepPacket.Ticket.EncrytedPart.Etype,
                        Username = kerberosTgsRepPacket.Cname.Name,
                        ServiceName = kerberosTgsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosTgsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = protocol,
                        HashType = $"Kerberos V5 TGS-REP etype {kerberosTgsRepPacket.Ticket.EncrytedPart.Etype}"
                    });
                }
            }
            else if (kerberosPacket is KerberosAsRepPacket)
            {
                var kerberosAsRepPacket = kerberosPacket as KerberosAsRepPacket;

                if (kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 23 || kerberosAsRepPacket.Ticket.EncrytedPart.Etype == 18)
                {
                    return(new KerberosAsRepHash()
                    {
                        Source = source,
                        Destination = destination,
                        Realm = kerberosAsRepPacket.Ticket.Realm,
                        Etype = kerberosAsRepPacket.Ticket.EncrytedPart.Etype,
                        Username = kerberosAsRepPacket.Cname.Name,
                        ServiceName = kerberosAsRepPacket.Ticket.Sname.Name,
                        Hash = NtlmsspHashParser.ByteArrayToHexString(kerberosAsRepPacket.Ticket.EncrytedPart.Cipher),
                        Protocol = protocol,
                        HashType = $"Kerberos V5 AS-REP etype {kerberosAsRepPacket.Ticket.EncrytedPart.Etype}"
                    });
                }
            }

            return(null);
        }
        private readonly byte[] pa_data_signiture2 = new byte[] { 0xa2, 0x35, 0x04, 0x33 };  // Hash length = 0x35 = 53


        public NetworkLayerObject Parse(UdpPacket udpPacket)
        {
            if (!isKerberos(udpPacket))
            {
                return(null);
            }

            byte[] sig_part = udpPacket.Data.SubArray(40, 4);

            if (Utilities.SearchForSubarray(sig_part, this.pa_data_signiture) == 0 ||
                Utilities.SearchForSubarray(sig_part, this.pa_data_signiture2) == 0)
            {
                var paddingLen     = 0;
                var hashOffset     = 44;
                var userNameOffset = 144;
                var hashItemLen    = (int)udpPacket.Data[41];

                if (hashItemLen == 53)
                {
                    paddingLen = 1;
                }
                if (hashItemLen != 54 && hashItemLen != 53)
                {
                    hashItemLen    = (int)udpPacket.Data[48];
                    hashOffset     = 49;
                    userNameOffset = hashItemLen + 97;
                }

                var    hashLen      = 52 - paddingLen;
                byte[] hash         = udpPacket.Data.SubArray(hashOffset, hashLen);
                byte[] switchedHash = new byte[hashLen];
                hash.SubArray(16, 36).CopyTo(switchedHash, 0);
                hash.SubArray(0, 16).CopyTo(switchedHash, 36);
                string hashString = NtlmsspHashParser.ByteArrayToHexString(switchedHash);

                var    userName = ExtractKerberosMessageItem(udpPacket.Data, userNameOffset - paddingLen, out int userNameLength);
                string domain   = ExtractKerberosMessageItem(udpPacket.Data, userNameOffset + userNameLength - paddingLen + 4, out int domainLength);

                return(new KerberosHash()
                {
                    HashType = "Kerberos V5 AS-REQ Pre-Auth etype 23",
                    Protocol = "UDP",
                    Source = udpPacket.DestinationIp,
                    Destination = udpPacket.SourceIp,
                    User = userName,
                    Domain = domain,
                    Hash = hashString
                });
            }

            return(null);
        }
示例#5
0
        public void NtlmPasswordParser_ParseSmbNTLMv2Session_ParseSuccess()
        {
            // Arrange
            var ntlmParser = new PcapAnalyzer.NtlmsspHashParser();
            var session    = new PcapAnalyzer.TcpSession();

            var serverPacket = new PcapAnalyzer.TcpPacket()
            {
                SourceIp      = "2.2.2.2",
                DestinationIp = "1.1.1.1",
                Data          = new byte[]
                {
                    0x00, 0x00, 0x00, 0xf8, 0xfe, 0x53, 0x4d, 0x42, 0x40, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0xc0,
                    0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x94,
                    0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x48, 0x00, 0xb0, 0x00, 0x4e, 0x54, 0x4c, 0x4d,
                    0x53, 0x53, 0x50, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x38, 0x00, 0x00, 0x00,
                    0x35, 0x02, 0x89, 0xe2, 0x01, 0x15, 0x18, 0x13, 0xd2, 0x89, 0x8c, 0xcd, 0x00, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x70, 0x00, 0x70, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x39, 0x38,
                    0x00, 0x00, 0x00, 0x0f, 0x53, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00, 0x02, 0x00, 0x08, 0x00,
                    0x53, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x57, 0x00, 0x53, 0x00,
                    0x32, 0x00, 0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x04, 0x00, 0x0e, 0x00, 0x73, 0x00, 0x75, 0x00,
                    0x73, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x03, 0x00, 0x1c, 0x00, 0x57, 0x00,
                    0x53, 0x00, 0x32, 0x00, 0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x2e, 0x00, 0x73, 0x00, 0x75, 0x00,
                    0x73, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x05, 0x00, 0x0e, 0x00, 0x73, 0x00,
                    0x75, 0x00, 0x73, 0x00, 0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x07, 0x00, 0x08, 0x00,
                    0x8a, 0x8c, 0xe7, 0xa9, 0xf4, 0xce, 0xd2, 0x01, 0x00, 0x00, 0x00, 0x00
                }
            };

            var clientPacket = new PcapAnalyzer.TcpPacket()
            {
                SourceIp      = "1.1.1.1",
                DestinationIp = "2.2.2.2",
                Data          = new byte[]
                {
                    0x00, 0x00, 0x01, 0x68, 0xfe, 0x53, 0x4d, 0x42, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0x00, 0x00, 0x94,
                    0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                    0x58, 0x00, 0x10, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4e, 0x54, 0x4c, 0x4d,
                    0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
                    0x9c, 0x00, 0x9c, 0x00, 0x40, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0xdc, 0x00, 0x00, 0x00,
                    0x1a, 0x00, 0x1a, 0x00, 0xe4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfe, 0x00, 0x00, 0x00,
                    0x10, 0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x35, 0x02, 0x88, 0xe0, 0x39, 0xdb, 0xdb, 0xeb,
                    0x1b, 0xdd, 0x29, 0xb0, 0x7a, 0x5d, 0x20, 0xc8, 0xf8, 0x2f, 0x2c, 0xb7, 0x01, 0x01, 0x00, 0x00,
                    0x00, 0x00, 0x00, 0x00, 0x8a, 0x8c, 0xe7, 0xa9, 0xf4, 0xce, 0xd2, 0x01, 0xe7, 0x96, 0x9a, 0x04,
                    0x87, 0x2c, 0x16, 0x89, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x00, 0x53, 0x00, 0x55, 0x00,
                    0x53, 0x00, 0x45, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x57, 0x00, 0x53, 0x00, 0x32, 0x00, 0x30, 0x00,
                    0x31, 0x00, 0x36, 0x00, 0x04, 0x00, 0x0e, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00, 0x65, 0x00,
                    0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x03, 0x00, 0x1c, 0x00, 0x57, 0x00, 0x53, 0x00, 0x32, 0x00,
                    0x30, 0x00, 0x31, 0x00, 0x36, 0x00, 0x2e, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00, 0x65, 0x00,
                    0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x05, 0x00, 0x0e, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00,
                    0x65, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x07, 0x00, 0x08, 0x00, 0x8a, 0x8c, 0xe7, 0xa9,
                    0xf4, 0xce, 0xd2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x53, 0x00, 0x55, 0x00, 0x53, 0x00, 0x45, 0x00,
                    0x61, 0x00, 0x64, 0x00, 0x6d, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00,
                    0x72, 0x00, 0x61, 0x00, 0x74, 0x00, 0x6f, 0x00, 0x72, 0x00, 0x00, 0x00, 0xb2, 0xe8, 0x76, 0x55,
                    0x9c, 0x9c, 0x58, 0xb0, 0x34, 0x4b, 0xd5, 0xa9, 0x9f, 0x8e, 0x98, 0x55
                }
            };

            session.Packets.Add(serverPacket);
            session.Packets.Add(clientPacket);

            // Act.
            var hash = ntlmParser.Parse(session) as PcapAnalyzer.NtlmHash;

            // Assert.
            Assert.AreEqual("NTLMSSP", hash.Protocol);
            Assert.AreEqual("administrator", hash.User);
            Assert.AreEqual("SUSE", hash.Domain);
            Assert.AreEqual(hash.NtHash.Length, 312);
        }