http://nuke.vbcorner.net/Articles/VB60/VisualStudio6Installer/tabid/93/language/en-US/Default.aspx Recommendation Minimize 03/24/2016 Important note for Windows 10, Windows 7, Windows XP SP3 You must install and run VS6Installer 5.x ‘as administrator’, otherwise you get a error. Right-click on VS6Installer.exe -> Run As Administrator If you have already tried to install VB 6.0, before using VS6 Installer then you must: uninstall VB 6.0 and …
Category Archives: Uncategorized
Decrypt LSA Secrets with Powershell offline
I wrote this last week and found it useful to recover data offline from the LSA store. Make sure to replace the key, secret, and IV into the code in the same format and it should decrypt for you.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 |
function Initialize-AESCryptography($key) { $crypto = New-Object "System.Security.Cryptography.AesManaged" $crypto.Mode = [System.Security.Cryptography.CipherMode]::ECB $crypto.Padding = [System.Security.Cryptography.PaddingMode]::Zeros $crypto.BlockSize = 128 $crypto.KeySize = 256 $IV = $null if ($IV) { if ($IV.getType().Name -eq "String") { #depending on how you want to do this, you can either take a full string, not encoded #or an B64 encoded string. Comment/Uncomment what you want $crypto.IV = [System.Convert]::FromBase64String($IV) #$crypto.IV = [Text.Encoding]::UTF8.GetBytes($IV) } else { $crypto.IV = $IV } } else { #The default when called CreateEncryptor is to automatically create a Key or IV #Since we want to store the key later, better for us to do it. $crypto.GenerateIV() } if ($key) { if ($key.getType().Name -eq "String") { #depending on how you want to do this, you can either take a full string, not encoded #or an B64 encoded string. Comment/Uncomment what you want $crypto.Key = [System.Convert]::FromBase64String($key) #$crypto.Key = [Text.Encoding]::UTF8.GetBytes($key) } else { $crypto.Key = $key } } else { #The default when called CreateEncryptor is to automatically create a Key or IV #Since we want to store the key later, better for us to do it. $crypto.GenerateKey() } $crypto } function ConvertFrom-AESEncryptedString($crypto, $bytes) { $decryptor = $crypto.CreateDecryptor(); # a little obfuscution here. This isn't even needed. #changed to not use IV in the final String #$unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16); $unencryptedData = $decryptor.TransformFinalBlock($bytes, 0, $bytes.Length); #The below line shouldn't need to Trim Zeros (which was the pad) [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0) } [byte[]] $key = 0xed, 0xbc, 0x73, 0x26, 0xf8, 0x21, 0xe9, 0x6a, 0xbc, 0x38, 0x34, 0x7a, 0xfa, 0xbd, 0x1c, 0x70, 0x18, 0xf2, 0x24, 0xf5, 0x82, 0xe9, 0x00, 0xac, 0xf8, 0x41, 0x6f, 0x5b, 0x03, 0xe8, 0xac, 0xd4 [byte[]] $secret = 0x7e, 0x39, 0xfe, 0x9d, 0x51, 0xe2, 0x2d, 0x55, 0x14, 0x0e, 0xfe, 0x8b, 0x0b, 0x5f, 0x13, 0x19, 0x4a, 0x4b, 0x15, 0x52, 0x00, 0xb7, 0xd8, 0x2f, 0x6d, 0x46, 0x90, 0x40, 0xe9, 0x64, 0x30, 0x94, 0xef, 0x38, 0x96, 0x5a, 0x44, 0xa1, 0xb7, 0x2a, 0x79, 0x82, 0xbf, 0x15, 0x55, 0xc2, 0xab, 0x8b [byte[]] $iv = 0x68, 0x74, 0x86, 0x95, 0x9a, 0x69, 0x70, 0xb2, 0x66, 0x74, 0xc8, 0x30, 0x25, 0x60, 0x49, 0x71, 0xb9, 0xee, 0x06, 0x73, 0x42, 0xdb, 0x28, 0x8a, 0x22, 0x1f, 0xd0, 0x86, 0x0b, 0xfb, 0x41, 0xc5 $hasher = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') [void]$hasher.TransformBlock($key,0,$key.Count,$hash,0) For ($i=0; $i -lt 999; $i++) { [void]$hasher.TransformBlock($iv,0,$iv.Count,$hash,0) } [void]$hasher.TransformFinalBlock($iv, 0, $iv.Count) $hashString = [System.BitConverter]::ToString($hasher.Hash) $hashString.Replace('-', '') $key = $hasher.Hash $crypto = Initialize-AESCryptography $key ConvertFrom-AESEncryptedString $crypto $secret |
I’ve been working on throwing together other code to mash it into one, I cant …
Continue reading “Decrypt LSA Secrets with Powershell offline”
Decryption LSA Secrets Offline with C++
So yesterday I took a few hours to throw together this sniblet after reviewing MimiKatz source code. This code takes a Blob that is in DPAPI format (Stright from the registery and decode’s it with the Key given. This key is your SysKey/BootKey.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 |
#pragma comment(lib, "crypt32.lib") #include "stdafx.h" #include <iostream> #include <stdio.h> #include <tchar.h> #include <windows.h> #include <wincrypt.h> #include <minwindef.h> #define AES_256_KEY_SIZE (256/8) #define LAZY_NT6_IV_SIZE 32 typedef struct _NT6_CLEAR_SECRET { DWORD SecretSize; DWORD unk0; DWORD unk1; DWORD unk2; BYTE Secret[ANYSIZE_ARRAY]; } NT6_CLEAR_SECRET, *PNT6_CLEAR_SECRET; typedef struct _NT6_HARD_SECRET { DWORD version; GUID KeyId; DWORD algorithm; DWORD flag; BYTE lazyiv[LAZY_NT6_IV_SIZE]; union { NT6_CLEAR_SECRET clearSecret; BYTE encryptedSecret[ANYSIZE_ARRAY]; }; } NT6_HARD_SECRET, *PNT6_HARD_SECRET; typedef struct _GENERICKEY_BLOB { BLOBHEADER Header; DWORD dwKeyLen; } GENERICKEY_BLOB, *PGENERICKEY_BLOB; BOOL kull_m_crypto_hkey(HCRYPTPROV hProv, ALG_ID calgid, LPCVOID key, DWORD keyLen, DWORD flags, HCRYPTKEY *hKey, HCRYPTPROV *hSessionProv) { BOOL status = FALSE; PGENERICKEY_BLOB keyBlob; DWORD szBlob = sizeof(GENERICKEY_BLOB) + keyLen; if (calgid != CALG_3DES) { if (keyBlob = (PGENERICKEY_BLOB)LocalAlloc(LPTR, szBlob)) { keyBlob->Header.bType = PLAINTEXTKEYBLOB; keyBlob->Header.bVersion = CUR_BLOB_VERSION; keyBlob->Header.reserved = 0; keyBlob->Header.aiKeyAlg = calgid; keyBlob->dwKeyLen = keyLen; RtlCopyMemory((PBYTE)keyBlob + sizeof(GENERICKEY_BLOB), key, keyBlob->dwKeyLen); status = CryptImportKey(hProv, (LPCBYTE)keyBlob, szBlob, 0, flags, hKey); LocalFree(keyBlob); } } else if (hSessionProv) { return NULL; //status = kull_m_crypto_hkey_session(calgid, key, keyLen, flags, hKey, hSessionProv); } return status; } wchar_t * outputBuffer = NULL; size_t outputBufferElements = 0, outputBufferElementsPosition = 0; PCWCHAR WPRINTF_TYPES[] = { L"%02x", // WPRINTF_HEX_SHORT L"%02x ", // WPRINTF_HEX_SPACE L"0x%02x, ", // WPRINTF_HEX_C L"\\x%02x", // WPRINTF_HEX_PYTHON }; void kprintf(PCWCHAR format, ...) { int varBuf; size_t tempSize; wchar_t * tmpBuffer; va_list args; va_start(args, format); if (outputBuffer) { varBuf = _vscwprintf(format, args); if (varBuf > 0) { if ((size_t)varBuf > (outputBufferElements - outputBufferElementsPosition - 1)) // NULL character { tempSize = (outputBufferElements + varBuf + 1) * 2; // * 2, just to be cool if (tmpBuffer = (wchar_t *)LocalAlloc(LPTR, tempSize * sizeof(wchar_t))) { RtlCopyMemory(tmpBuffer, outputBuffer, outputBufferElementsPosition * sizeof(wchar_t)); LocalFree(outputBuffer); outputBuffer = tmpBuffer; outputBufferElements = tempSize; } else wprintf(L"Erreur LocalAlloc: %u\n", GetLastError()); //if(outputBuffer = (wchar_t *) LocalReAlloc(outputBuffer, tempSize * sizeof(wchar_t), LPTR)) // outputBufferElements = tempSize; //else wprintf(L"Erreur ReAlloc: %u\n", GetLastError()); } varBuf = vswprintf_s(outputBuffer + outputBufferElementsPosition, outputBufferElements - outputBufferElementsPosition, format, args); if (varBuf > 0) outputBufferElementsPosition += varBuf; } } //vwprintf(format, args); va_end(args); // } void kull_m_string_wprintf_hex2(LPCVOID lpData, DWORD cbData, DWORD flags) { DWORD i, sep = flags >> 16; PCWCHAR pType = WPRINTF_TYPES[flags & 0x0000000f]; if ((flags & 0x0000000f) == 2) std::cout << L"\nBYTE data[] = {\n\t"; for (i = 0; i < cbData; i++) { std::cout << pType, ((LPCBYTE)lpData)[i]; if (sep && !((i + 1) % sep)) { std::cout << L"\n"; if ((flags & 0x0000000f) == 2) std::cout << L"\t"; } } if ((flags & 0x0000000f) == 2) std::cout << L"\n};\n"; } void kull_m_string_wprintf_hex(LPCVOID lpData, DWORD cbData, DWORD flags) { DWORD i, sep = flags >> 16; PCWCHAR pType = WPRINTF_TYPES[flags & 0x0000000f]; if ((flags & 0x0000000f) == 2) printf("\nBYTE data[] = {\n\t"); for (i = 0; i < cbData; i++) { //kprintf(pType, ((LPCBYTE)lpData)[i]); printf("%02x", ((LPCBYTE)lpData)[i]); if (sep && !((i + 1) % sep)) { kprintf(L"\n"); if ((flags & 0x0000000f) == 2) kprintf(L"\t"); } } if ((flags & 0x0000000f) == 2) kprintf(L"\n};\n"); } int main() { std::cout << "Hello World!\n"; BOOL status = FALSE; BYTE keyBuffer[AES_256_KEY_SIZE]; DWORD i, offset, szNeeded; HCRYPTPROV hContext; HCRYPTHASH hHash; HCRYPTKEY hKey; PBYTE pKey = NULL; PNT6_HARD_SECRET hardSecretBlob = (PNT6_HARD_SECRET)LocalAlloc(LPTR, sizeof(PNT6_HARD_SECRET)); BYTE key[] = { 0xed, 0xbc, 0x23, 0x26, 0xf8, 0x21, 0xe9, 0x6a, 0xbc, 0x38, 0x34, 0x7a, 0xfa, 0xbd, 0x1c, 0x90, 0x18, 0xf2, 0x24, 0xf5, 0x82, 0xe9, 0x00, 0xac, 0xf8, 0x41, 0x6f, 0xdb, 0x03, 0xe8, 0xac, 0xd4 }; BYTE FullBlob[] = { 0x00, 0x00, 0x00, 0x01, 0xdd, 0x7b, 0xe8, 0xa2, 0x48, 0xd1, 0x45, 0x0b, 0x29, 0xf7, 0x6f, 0xd2, 0x93, 0x88, 0x16, 0x63, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd6, 0x2c, 0x25, 0x10, 0x31, 0x73, 0x57, 0xba, 0xb4, 0x86, 0x6f, 0xb4, 0x8c, 0xd7, 0xe2, 0x8a, 0xb8, 0x6d, 0x22, 0xf6, 0x6d, 0xa3, 0x61, 0xb4, 0x3c, 0xa9, 0xec, 0x48, 0x72, 0x96, 0xcf, 0x9a, 0xad, 0xc2, 0xc6, 0x72, 0x26, 0x91, 0xa4, 0x99, 0x51, 0x8a, 0x54, 0xf8, 0xc2, 0xdf, 0x1e, 0x3a, 0x8d, 0xf4, 0x5e, 0xd3, 0xff, 0xad, 0x18, 0x9d, 0xb7, 0x2b, 0x06, 0xc2, 0x75, 0xb1, 0xb5, 0xc7, 0x3d, 0x52, 0xc1, 0x40, 0x17, 0xd0, 0x75, 0x3a, 0x64, 0x9f, 0x99, 0x3e, 0xa4, 0x95, 0xd2, 0x4e }; memcpy(hardSecretBlob, FullBlob, sizeof(FullBlob)); DWORD hardSecretBlobSize = sizeof(FullBlob); pKey = key; szNeeded = 32; //Keysize is always 32 if (CryptAcquireContext(&hContext, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { if (CryptCreateHash(hContext, CALG_SHA_256, 0, 0, &hHash)) { CryptHashData(hHash, pKey, szNeeded, 0); for (i = 0; i < 1000; i++) CryptHashData(hHash, hardSecretBlob->lazyiv, LAZY_NT6_IV_SIZE, 0); //kull_m_string_wprintf_hex(hHash, 64, 0); szNeeded = sizeof(keyBuffer); if (CryptGetHashParam(hHash, HP_HASHVAL, keyBuffer, &szNeeded, 0)) { if (kull_m_crypto_hkey(hContext, CALG_AES_256, keyBuffer, sizeof(keyBuffer), 0, &hKey, NULL)) { i = CRYPT_MODE_ECB; if (CryptSetKeyParam(hKey, KP_MODE, (LPCBYTE)&i, 0)) { szNeeded = hardSecretBlobSize - FIELD_OFFSET(NT6_HARD_SECRET, encryptedSecret); status = CryptDecrypt(hKey, 0, FALSE, 0, hardSecretBlob->encryptedSecret, &szNeeded); kull_m_string_wprintf_hex(hardSecretBlob->encryptedSecret, szNeeded, 0); if (!status) std::cout << "CryptDecrypt"; } else std::cout << "CryptSetKeyParam"; CryptDestroyKey(hKey); } else std::cout << "kull_m_crypto_hkey"; } CryptDestroyHash(hHash); } CryptReleaseContext(hContext, 0); } } |
Sending Appointments to Outlook via SMTP
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 |
Imports System.Net.Mail Module Module1 Sub Main() Dim MyAppt As New AppointmentBLL(RoundUpToQuarterHour(Now.AddMinutes(60)), RoundUpToQuarterHour(Now.AddMinutes(90)), "Subject", "Open to discuss", "Location", "To@to.org", "To@to.org", "From@From.org", "From@From.org") MyAppt.EmailAppointment() End Sub Function RoundUpToQuarterHour(ByVal theDate As Date) As Date Do Until theDate.Minute Mod 15 = 0 theDate = theDate.AddMinutes(1) Loop theDate = theDate.AddSeconds(-(theDate.Second)) 'Remove the seconds Return theDate End Function End Module Public Class AppointmentBLL ' This class formats and sends a meeting request via SMTP email Public StartDate As DateTime Public EndDate As DateTime Public Subject As String Public Summary As String Public Location As String Public AttendeeName As String Public AttendeeEmail As String Public OrganizerName As String Public OrganizerEmail As String Public Sub New(ByVal pdtStartDate As DateTime, ByVal pdtEndDate As DateTime, ByVal psSubject As String, ByVal psSummary As String, ByVal psLocation As String, ByVal psAttendeeName As String, ByVal psAttendeeEmail As String, ByVal psOrganizerName As String, ByVal psOrganizerEmail As String) ' Copy constructor parameters to public propeties StartDate = pdtStartDate EndDate = pdtEndDate Subject = psSubject Summary = psSummary Location = psLocation AttendeeName = psAttendeeName AttendeeEmail = psAttendeeEmail OrganizerName = psOrganizerName OrganizerEmail = psOrganizerEmail End Sub Public Sub EmailAppointment() ' Send the calendar message to the attendee Dim loMsg As New MailMessage Dim loTextView As AlternateView = Nothing Dim loHTMLView As AlternateView = Nothing Dim loCalendarView As AlternateView = Nothing Dim loSMTPServer As New SmtpClient("exchange.info.sys") ' SMTP settings set up in web.config such as: ' <system.net> ' <mailSettings> ' <smtp> ' <network ' host = "exchange.mycompany.com" ' port = "25" ' userName = "username" ' password="password" /> ' </smtp> ' </mailSettings> ' </system.net> ' Set up the different mime types contained in the message Dim loTextType As System.Net.Mime.ContentType = New System.Net.Mime.ContentType("text/plain") Dim loHTMLType As System.Net.Mime.ContentType = New System.Net.Mime.ContentType("text/html") Dim loCalendarType As System.Net.Mime.ContentType = New System.Net.Mime.ContentType("text/calendar") ' Add parameters to the calendar header loCalendarType.Parameters.Add("method", "REQUEST") loCalendarType.Parameters.Add("name", "meeting.ics") ' Create message body parts loTextView = AlternateView.CreateAlternateViewFromString(BodyText(), loTextType) loMsg.AlternateViews.Add(loTextView) loHTMLView = AlternateView.CreateAlternateViewFromString(BodyHTML(), loHTMLType) loMsg.AlternateViews.Add(loHTMLView) loCalendarView = AlternateView.CreateAlternateViewFromString(VCalendar(), loCalendarType) loCalendarView.TransferEncoding = Net.Mime.TransferEncoding.SevenBit loMsg.AlternateViews.Add(loCalendarView) ' Adress the message loMsg.From = New MailAddress(OrganizerEmail) loMsg.To.Add(New MailAddress(AttendeeEmail)) loMsg.Subject = Subject ' Send the message loSMTPServer.DeliveryMethod = SmtpDeliveryMethod.Network loSMTPServer.Send(loMsg) End Sub Public Function BodyText() As String ' Return the Body in text format Const BODY_TEXT = "Type:Single Meeting" & vbCrLf & "Organizer: {0}" & vbCrLf & "Start Time:{1}" & vbCrLf & "End Time:{2}" & vbCrLf & "Time Zone:{3}" & vbCrLf & "Location: {4}" & vbCrLf & vbCrLf & "*~*~*~*~*~*~*~*~*~*" & vbCrLf & vbCrLf & "{5}" Return String.Format(BODY_TEXT, OrganizerName, StartDate.ToLongDateString & " " & StartDate.ToLongTimeString, EndDate.ToLongDateString & " " & EndDate.ToLongTimeString, System.TimeZone.CurrentTimeZone.StandardName, Location, Summary) End Function Public Function BodyHTML() As String ' Return the Body in HTML format Const BODY_HTML = "<!DOCTYPE HTML PUBLIC ""-//W3C//DTD HTML 3.2//EN"">" & vbCrLf & "<HTML>" & vbCrLf & "<HEAD>" & vbCrLf & "<META HTTP-EQUIV=""Content-Type"" CONTENT=""text/html; charset=utf-8"">" & vbCrLf & "<META NAME=""Generator"" CONTENT=""MS Exchange Server version 6.5.7652.24"">" & vbCrLf & "<TITLE>{0}</TITLE>" & vbCrLf & "</HEAD>" & vbCrLf & "<BODY>" & vbCrLf & "<!-- Converted from text/plain format -->" & vbCrLf & "<P><FONT SIZE=2>Type:Single Meeting<BR>" & vbCrLf & "Organizer:{1}<BR>" & vbCrLf & "Start Time:{2}<BR>" & vbCrLf & "End Time:{3}<BR>" & vbCrLf & "Time Zone:{4}<BR>" & vbCrLf & "Location:{5}<BR>" & vbCrLf & "<BR>" & vbCrLf & "*~*~*~*~*~*Generated by Server*~*~*~*~*~*<BR>" & vbCrLf & "<BR>" & vbCrLf & "{6}<BR>" & vbCrLf & "</FONT>" & vbCrLf & "</P>" & vbCrLf & vbCrLf & "</BODY>" & vbCrLf & "</HTML>" Return String.Format(BODY_HTML, Summary, OrganizerName, StartDate.ToLongDateString & " " & StartDate.ToLongTimeString, EndDate.ToLongDateString & " " & EndDate.ToLongTimeString, System.TimeZone.CurrentTimeZone.StandardName, Location, Summary) End Function ' Reference to Microsoft ActiveX Data Objects 2.5 Library ' Reference to Microsoft CDO for Exchange 2000 Library ' Reference to Active DS Type Library ' Note: It is recommended that all input parameters be validated when they are ' first obtained from the user or user interface. Function GetFreeBusyString(ByVal strUserUPN As String, ByVal dtStartDate As Date, ByVal dtEndDate As Date, ByVal Interval As Integer) As String Try ' Variables. 'Dim iAddr As New CDO.Addressee() 'Dim freebusy As String 'Dim Info As New ActiveDs.ADSystemInfo() 'iAddr.EmailAddress = strUserUPN 'If Not iAddr.CheckName("LDAP://" & Info.DomainDNSName) Then 'Throw New System.Exception("Error occured!") 'End If ' Get the free/busy status in Interval minute intervals ' from dtStartDate to dtEndDate. 'freebusy = iAddr.GetFreeBusy(dtStartDate, dtEndDate, Interval) 'GetFreeBusyString = freebusy Catch err As Exception Console.WriteLine(err.ToString()) GetFreeBusyString = "" End Try End Function Public Function VCalendar() As String ' Return the Calendar text in vCalendar format, compatible with most calendar programs Const lcDateFormat = "yyyyMMddTHHmmssZ" Dim loGUID As Guid = Guid.NewGuid ' Or use the guid of an exiting meeting? Const VCAL_FILE = "BEGIN:VCALENDAR" & vbCrLf & "METHOD:REQUEST" & vbCrLf & "PRODID:Microsoft CDO for Microsoft Exchange" & vbCrLf & "VERSION:2.0" & vbCrLf & "BEGIN:VTIMEZONE" & vbCrLf & "TZID:(GMT-06.00) Central Time (US & Canada)" & vbCrLf & "X-MICROSOFT-CDO-TZID:11" & vbCrLf & "BEGIN:STANDARD" & vbCrLf & "DTSTART:16010101T020000" & vbCrLf & "TZOFFSETFROM:-0500" & vbCrLf & "TZOFFSETTO:-0600" & vbCrLf & "RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=11;BYDAY=1SU" & vbCrLf & "END:STANDARD" & vbCrLf & "BEGIN:DAYLIGHT" & vbCrLf & "DTSTART:16010101T020000" & vbCrLf & "TZOFFSETFROM:-0600" & vbCrLf & "TZOFFSETTO:-0500" & vbCrLf & "RRULE:FREQ=YEARLY;WKST=MO;INTERVAL=1;BYMONTH=3;BYDAY=2SU" & vbCrLf & "END:DAYLIGHT" & vbCrLf & "END:VTIMEZONE" & vbCrLf & "BEGIN:VEVENT" & vbCrLf & "DTSTAMP:{8}" & vbCrLf & "DTSTART:{0}" & vbCrLf & "SUMMARY:{7}" & vbCrLf & "UID:{5}" & vbCrLf & "ATTENDEE;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=TRUE;CN=""{9}"":MAILTO:{9}" & vbCrLf & "ACTION;RSVP=TRUE;CN=""{4}"":MAILTO:{4}" & vbCrLf & "ORGANIZER;CN=""{3}"":mailto:{4}" & vbCrLf & "LOCATION:{2}" & vbCrLf & "DTEND:{1}" & vbCrLf & "DESCRIPTION:{7}\N" & vbCrLf & "SEQUENCE:1" & vbCrLf & "PRIORITY:5" & vbCrLf & "CLASS:" & vbCrLf & "CREATED:{8}" & vbCrLf & "LAST-MODIFIED:{8}" & vbCrLf & "STATUS:CONFIRMED" & vbCrLf & "TRANSP:OPAQUE" & vbCrLf & "X-MICROSOFT-CDO-BUSYSTATUS:BUSY" & vbCrLf & "X-MICROSOFT-CDO-INSTTYPE:0" & vbCrLf & "X-MICROSOFT-CDO-INTENDEDSTATUS:BUSY" & vbCrLf & "X-MICROSOFT-CDO-ALLDAYEVENT:FALSE" & vbCrLf & "X-MICROSOFT-CDO-IMPORTANCE:1" & vbCrLf & "X-MICROSOFT-CDO-OWNERAPPTID:-1" & vbCrLf & "X-MICROSOFT-CDO-ATTENDEE-CRITICAL-CHANGE:{8}" & vbCrLf & "X-MICROSOFT-CDO-OWNER-CRITICAL-CHANGE:{8}" & vbCrLf & "BEGIN:VALARM" & vbCrLf & "ACTION:DISPLAY" & vbCrLf & "DESCRIPTION:REMINDER" & vbCrLf & "TRIGGER;RELATED=START:-PT00H15M00S" & vbCrLf & "END:VALARM" & vbCrLf & "END:VEVENT" & vbCrLf & "END:VCALENDAR" & vbCrLf Return String.Format(VCAL_FILE, StartDate.ToUniversalTime().ToString(lcDateFormat), EndDate.ToUniversalTime().ToString(lcDateFormat), Location, OrganizerName, OrganizerEmail, "{" & loGUID.ToString() & "}", Summary, Subject, Now.ToUniversalTime().ToString(lcDateFormat), AttendeeEmail) End Function End Class |
Listening for incomming calls via Cisco Jabber
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 |
Sub Main() ListenForRawData() end sub Dim RAWSocket As System.Net.Sockets.Socket Private Const IOC_VENDOR As Integer = &H18000000 Private Const IOC_IN As Integer = -2147483648 Private Const SIO_RCVALL As Integer = IOC_IN Or IOC_VENDOR Or 1 Private Const SECURITY_BUILTIN_DOMAIN_RID As Integer = &H20 Private Const DOMAIN_ALIAS_RID_ADMINS As Integer = &H220 Dim MyIPAddr As String = vbNullString Dim MyStateObject As StateObject Public Class StateObject Public workSocket As System.Net.Sockets.Socket = Nothing Public Const BUFFER_SIZE As Integer = 65535 Public buffer(BUFFER_SIZE) As Byte Public sb As New System.Text.StringBuilder() End Class 'StateObject Private Sub ListenForRawData() 'To get local address Dim sHostName As String sHostName = System.Net.Dns.GetHostName() Dim ipE As System.Net.IPHostEntry = System.Net.Dns.GetHostByName(sHostName) Dim IpA() As System.Net.IPAddress = ipE.AddressList MyIPAddr = IpA(0).ToString() MyStateObject = New StateObject() RAWSocket = New System.Net.Sockets.Socket(System.Net.Sockets.AddressFamily.InterNetwork, System.Net.Sockets.SocketType.Raw, System.Net.Sockets.ProtocolType.IP) Dim OptionIn() As Byte = BitConverter.GetBytes(1) Dim OptionOut() As Byte = Nothing Dim InByte() As Byte = {1, 0, 0, 0} Dim outByte(4) As Byte 'RAWSocket.Bind(New System.Net.IPEndPoint(Net.IPAddress.Any, 0)) RAWSocket.Bind(New System.Net.IPEndPoint(System.Net.IPAddress.Parse(MyIPAddr), 0)) 'must be bound to a IP ' RAWSocket.IOControl(SIO_RCVALL, InByte, outByte) RAWSocket.BeginReceive(MyStateObject.buffer, 0, StateObject.BUFFER_SIZE, System.Net.Sockets.SocketFlags.Peek, New AsyncCallback(AddressOf SockCallBack), Nothing) Debug.WriteLine("Listening On: " & MyIPAddr) End Sub Private Sub SockCallBack(ByVal ar As System.IAsyncResult) Dim BytesReturned = RAWSocket.EndReceive(ar) Dim ListboxData As String = vbNullString Select Case MyStateObject.buffer(9) Case &H1 'Protocol ICMP Case &H2 'Debug.WriteLine("IGAP,IGMP,RGMP") Case &H6 'TCP 'MyThreadToCall.TypeOfData = TypeOfPacket.TCP 'MyThreadToCall.STRData = DumpTCP(MyStateObject.buffer, BytesReturned, MyThreadToCall.TypeOfData) Case &H11 'UDP Case Else 'Debug.Write("Protocol Unknown - " & Hex$(MyStateObject.buffer(9))) End Select 'For i = 0 To BytesReturned - 1 ' Debug.Write(Hex$(MyStateObject.buffer(i)) & " ") ' If i = 9 Or i = 19 Or i = 29 Or i = 39 Or i = 49 Then Debug.WriteLine("") ' Next ' Debug.WriteLine("") ' Debug.WriteLine("") ' Select Case MyStateObject.buffer(9) Case &H1 Dim FROMIP As String = MyStateObject.buffer(12) & "." & MyStateObject.buffer(13) & "." & MyStateObject.buffer(14) & "." & MyStateObject.buffer(15) Dim DESTIP As String = MyStateObject.buffer(16) & "." & MyStateObject.buffer(17) & "." & MyStateObject.buffer(18) & "." & MyStateObject.buffer(19) If FROMIP = MyIPAddr Then If MyStateObject.buffer(20) = 0 Then 'Ping Reply Debug.WriteLine("You sent a Ping Reply to: " & DESTIP) Else Debug.WriteLine("You sent a Ping Request to: " & DESTIP) End If RAWSocket.BeginReceive(MyStateObject.buffer, 0, MyStateObject.BUFFER_SIZE, System.Net.Sockets.SocketFlags.None, New AsyncCallback(AddressOf SockCallBack), Nothing) Exit Sub End If If MyStateObject.buffer(20) = 0 Then 'Ping Reply Debug.WriteLine("Ping Reply: " & FROMIP) RAWSocket.BeginReceive(MyStateObject.buffer, 0, MyStateObject.BUFFER_SIZE, System.Net.Sockets.SocketFlags.None, New AsyncCallback(AddressOf SockCallBack), Nothing) Exit Sub End If Debug.WriteLine("Ping Request From - " & FROMIP & " | Bytes: " & (BytesReturned - 28) & " | TTL=" & MyStateObject.buffer(8)) '-28 shows the ping payload 'If TempClass.STRData <> vbNullString Then 'Me.Invoke(New MyDelPtr(AddressOf TempClass.ADDTOLISTBOX)) 'Invoke on main thread 'End If 'For i = 0 To BytesReturned - 1 ' Debug.Write(Hex$(MyStateObject.buffer(i)) & " ") ' If i = 9 Or i = 19 Or i = 29 Or i = 39 Or i = 49 Then Debug.WriteLine("") ' Next Case &H2 'Debug.WriteLine("IGAP,IGMP,RGMP") Case &H6 Debug.WriteLine("TCP ") Dim DestPort As UInteger = MyStateObject.buffer(22) DestPort <<= 8 DestPort += MyStateObject.buffer(23) Dim SrcPort As UInteger = MyStateObject.buffer(20) SrcPort <<= 8 SrcPort += MyStateObject.buffer(21) Dim FROMIP As String = MyStateObject.buffer(12) & "." & MyStateObject.buffer(13) & "." & MyStateObject.buffer(14) & "." & MyStateObject.buffer(15) Dim Data As String = vbNullString '= System.Text.ASCIIEncoding.ASCII.GetString(MyStateObject.buffer) For Each MyByte As Byte In MyStateObject.buffer If MyByte >= 32 AndAlso MyByte <= 126 Then Data &= Chr(MyByte) End If Next If DestPort = 5060 Or SrcPort = 5060 Then Debug.WriteLine("Phone!") Debug.WriteLine("Data: " & SrcPort & " -> " & DestPort & " | " & Data) End If If (Data.Contains("INVITE sip:")) Then 'From: "IS Sys Ops 1" <sip:1549@10.1.20.42> 'To: <sip:6588@ccm-02.emc.org> End If Dim myTo As String Dim myFrom As String Dim matches As MatchCollection = Regex.Matches(Data, "(To|From):.*?<sip:[\d]{1,4}@.*?>") ' Loop over matches. For Each m As Match In matches ' Loop over captures. For Each c As Capture In m.Captures ' Display. 'Console.WriteLine("Index={0}, Value={1}", c.Index, c.Value) If c.Value.Contains("From:") Then myFrom = c.Value End If If c.Value.Contains("To:") Then myTo = c.Value End If Next Next If Data.Contains("INVITE sip") Then Console.WriteLine("Incomming call: " & myFrom & " -> " & myTo) 'RaiseEvent CallIncomming() End If If Data.Contains("Request Cancelled") Then Console.WriteLine("Request Canceled: " & myFrom & " -> " & myTo) 'RaiseEvent CallMissed() End If If Data.Contains("RingingVia") Then Console.WriteLine("Rining Phone: " & myFrom & " -> " & myTo) 'RaiseEvent CallMissed() End If If Data.Contains("CANCEL sip") Then Console.WriteLine("CANCEL sip: " & myFrom & " -> " & myTo) 'RaiseEvent CallMissed() End If If Data.Contains("UPDATE sip") Then Console.WriteLine("UPDATE sip: " & myFrom & " -> " & myTo) 'RaiseEvent CallMissed() End If If Data.Contains("BYE sip") Then Console.WriteLine("Call ending: " & myFrom & " -> " & myTo) ' RaiseEvent CallEnded() End If If Data.Contains("Accepted") Then Console.WriteLine("Accepted: " & myFrom & " -> " & myTo) 'RaiseEvent CallStarted() End If Select Case MyStateObject.buffer(33) Case &H2 'Debug.Write("[SYN] - ") Case &H10 'Debug.Write("[ACK] - ") Case &H11 'Debug.Write("[FIN, ACK] - ") Case &H12 'Debug.Write("[SYN, ACK] - ") Case &H14 'Debug.Write("[RST, ACK] - ") Case &H18 Debug.Write("[PSH, ACK] - ") Case Else 'Debug.Write("[Unknown] - ") End Select 'DumpLayer4(MyStateObject.buffer) Case &H11 'Debug.Write("UDP - ") 'Debug.WriteLine("") Case Else 'Debug.Write("Protocol Unknown - " & Hex$(MyStateObject.buffer(9))) End Select 'For i = 0 To BytesReturned - 1 ' Debug.Write(Hex$(MyStateObject.buffer(i)) & " ") ' If i = 9 Or i = 19 Or i = 29 Or i = 39 Or i = 49 Then Debug.WriteLine("") ' Next ' Debug.WriteLine("") ' Debug.WriteLine("") ' RAWSocket.BeginReceive(MyStateObject.buffer, 0, MyStateObject.BUFFER_SIZE, System.Net.Sockets.SocketFlags.None, New AsyncCallback(AddressOf SockCallBack), Nothing) End Sub |
Now I had to do a conversion to C# to add to my VSTO plugin. This is a translations but also includes removing duped packets based on session id’s to prevent duplicate events being kicked off on the same pickup / hangup.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 |
ArrayList ByeServerList = new ArrayList(); ArrayList ByeSipList = new ArrayList(); private System.Net.Sockets.Socket RAWSocket; private const int IOC_VENDOR = 0x18000000; private const int IOC_IN = -2147483648; private const int SIO_RCVALL = IOC_IN | IOC_VENDOR | 1; private const int SECURITY_BUILTIN_DOMAIN_RID = 0x20; private const int DOMAIN_ALIAS_RID_ADMINS = 0x220; private string MyIPAddr = ""; private StateObject MyStateObject; public class StateObject { public System.Net.Sockets.Socket workSocket = null; public const int BUFFER_SIZE = 65535; public byte[] buffer = new byte[65536]; public System.Text.StringBuilder sb = new System.Text.StringBuilder(); } // StateObject private void ListenForRawData() { // To get local address string sHostName; sHostName = System.Net.Dns.GetHostName(); System.Net.IPHostEntry ipE = System.Net.Dns.GetHostByName(sHostName); System.Net.IPAddress[] IpA = ipE.AddressList; MyIPAddr = IpA[0].ToString(); MyStateObject = new StateObject(); RAWSocket = new System.Net.Sockets.Socket(System.Net.Sockets.AddressFamily.InterNetwork, System.Net.Sockets.SocketType.Raw, System.Net.Sockets.ProtocolType.IP); byte[] OptionIn = BitConverter.GetBytes(1); byte[] OptionOut = null; byte[] InByte = new byte[] { 1, 0, 0, 0 }; byte[] outByte = new byte[5]; // RAWSocket.Bind(New System.Net.IPEndPoint(Net.IPAddress.Any, 0)) RAWSocket.Bind(new System.Net.IPEndPoint(System.Net.IPAddress.Parse(MyIPAddr), 0)); // must be bound to a IP // RAWSocket.IOControl(SIO_RCVALL, InByte, outByte); RAWSocket.BeginReceive(MyStateObject.buffer, 0, StateObject.BUFFER_SIZE, System.Net.Sockets.SocketFlags.Peek, new AsyncCallback(SockCallBack), null); Debug.WriteLine("Listening On: " + MyIPAddr); } private void SockCallBack(System.IAsyncResult ar) { var BytesReturned = RAWSocket.EndReceive(ar); string ListboxData = null; switch (MyStateObject.buffer[9]) { case 0x1 // Protocol ICMP : { break; } case 0x2: { break; } case 0x6 // TCP : { break; } case 0x11 // UDP : { break; } default: { break; } } // For i = 0 To BytesReturned - 1 // Debug.Write(Hex$(MyStateObject.buffer(i)) & " ") // If i = 9 Or i = 19 Or i = 29 Or i = 39 Or i = 49 Then Debug.WriteLine("") // Next // Debug.WriteLine("") // Debug.WriteLine("") // switch (MyStateObject.buffer[9]) { case 0x1: { string FROMIP = MyStateObject.buffer[12] + "." + MyStateObject.buffer[13] + "." + MyStateObject.buffer[14] + "." + MyStateObject.buffer[15]; string DESTIP = MyStateObject.buffer[16] + "." + MyStateObject.buffer[17] + "." + MyStateObject.buffer[18] + "." + MyStateObject.buffer[19]; if (FROMIP == MyIPAddr) { if (MyStateObject.buffer[20] == 0) Debug.WriteLine("You sent a Ping Reply to: " + DESTIP); else Debug.WriteLine("You sent a Ping Request to: " + DESTIP); RAWSocket.BeginReceive(MyStateObject.buffer, 0, 65535, System.Net.Sockets.SocketFlags.None, new AsyncCallback(SockCallBack), null); return; } if (MyStateObject.buffer[20] == 0) { Debug.WriteLine("Ping Reply: " + FROMIP); RAWSocket.BeginReceive(MyStateObject.buffer, 0, 65535, System.Net.Sockets.SocketFlags.None, new AsyncCallback(SockCallBack), null); return; } Debug.WriteLine("Ping Request From - " + FROMIP + " | Bytes: " + (BytesReturned - 28) + " | TTL=" + MyStateObject.buffer[8]); // -28 shows the ping payload break; } case 0x2: { break; } case 0x6: { //Debug.WriteLine("TCP "); uint DestPort = MyStateObject.buffer[22]; DestPort <<= 8; DestPort += MyStateObject.buffer[23]; uint SrcPort = MyStateObject.buffer[20]; SrcPort <<= 8; SrcPort += MyStateObject.buffer[21]; string FROMIP = MyStateObject.buffer[12] + "." + MyStateObject.buffer[13] + "." + MyStateObject.buffer[14] + "." + MyStateObject.buffer[15]; string Data = null; // = System.Text.ASCIIEncoding.ASCII.GetString(MyStateObject.buffer) foreach (byte MyByte in MyStateObject.buffer) { if (MyByte >= 32 && MyByte <= 126) Data += System.Text.ASCIIEncoding.ASCII.GetString(new[] { MyByte }); } if (DestPort == 5060 | SrcPort == 5060) { Debug.WriteLine("Data: " + SrcPort + " -> " + DestPort + " | " + Data); } if ((Data.Contains("INVITE sip:"))) { } string myTo = null; string myFrom = null; string myDuration = null; MatchCollection matches = Regex.Matches(Data, @"(To|From):.*?<sip:[\d]{1,4}@.*?>"); // Loop over matches. foreach (Match m in matches) { // Loop over captures. foreach (Capture c in m.Captures) { // Display. // Console.WriteLine("Index={0}, Value={1}", c.Index, c.Value) if (c.Value.Contains("From:")) myFrom = c.Value; if (c.Value.Contains("To:")) myTo = c.Value; } } if (Data.Contains("INVITE sip")) Debug.WriteLine("Incomming call: " + myFrom + " -> " + myTo); if (Data.Contains("Request Cancelled")) Debug.WriteLine("Request Canceled: " + myFrom + " -> " + myTo); if (Data.Contains("RingingVia")) Debug.WriteLine("Rining Phone: " + myFrom + " -> " + myTo); if (Data.Contains("CANCEL sip")) Debug.WriteLine("CANCEL sip: " + myFrom + " -> " + myTo); if (Data.Contains("UPDATE sip")) Debug.WriteLine("UPDATE sip: " + myFrom + " -> " + myTo); if (Data.Contains("BYE sip")) { MatchCollection matches3 = Regex.Matches(Data, @"Session-ID: [[0-9a-fA-F]+;"); // Loop over matches. foreach (Match m in matches3) { if (ByeSipList.Contains(m.Value)) { //Debug.WriteLine("Call Concluded"); return; } ByeSipList.Add(m.Value); } Debug.WriteLine("Call ending: " + myFrom + " -> " + myTo); MatchCollection matches2 = Regex.Matches(Data, @"RTP-RxStat: Dur=[\d]+,"); // Loop over matches. foreach (Match m in matches2) { myDuration = m.Value.ToString().Replace("RTP-RxStat: Dur=", "").Replace(",", ""); Debug.WriteLine("BYE sip: Duration of call in seconds: " + myDuration); } if (myDuration != null) { if (!AddCallLog(" " + myFrom + " -> " + myTo, Convert.ToDouble(myDuration +60))) //Add a minute to each call. Each call takes at least a minute of our day right? { Debug.WriteLine("Failed to write calllog"); //break; } } } if (Data.Contains("BYEServer: Cisco-CSF") && Data.Contains("RTP-TxStat:")) //OKVia: SIP { MatchCollection matches3 = Regex.Matches(Data, @"Session-ID: [[0-9a-fA-F]+;"); // Loop over matches. foreach (Match m in matches3) { if (ByeServerList.Contains(m.Value)) { //Debug.WriteLine("Call Concluded"); return; } ByeServerList.Add(m.Value); } Debug.WriteLine("Call ending from Callee: " + myFrom + " -> " + myTo); MatchCollection matches2 = Regex.Matches(Data, @"RTP-RxStat: Dur=[\d]+,"); // Loop over matches. foreach (Match m in matches2) { myDuration = m.Value.ToString().Replace("RTP-RxStat: Dur=", "").Replace(",", ""); Debug.WriteLine("BYEServer: Duration of call in seconds: " + myDuration); } if (myDuration != null) { if (!AddCallLog(" " + myFrom + " -> " + myTo, Convert.ToDouble(myDuration + 60))) //Add a minute to each call. Each call takes at least a minute of our day right? { Debug.WriteLine("Failed to write calllog"); //break; } } } if (Data.Contains("Accepted")) Debug.WriteLine("Accepted: " + myFrom + " -> " + myTo); switch (MyStateObject.buffer[33]) { case 0x2: { break; } case 0x10: { break; } case 0x11: { break; } case 0x12: { break; } case 0x14: { break; } case 0x18: { //Debug.Write("[PSH, ACK] - "); break; } default: { break; } } break; } case 0x11: { break; } default: { break; } } // For i = 0 To BytesReturned - 1 // Debug.Write(Hex$(MyStateObject.buffer(i)) & " ") // If i = 9 Or i = 19 Or i = 29 Or i = 39 Or i = 49 Then Debug.WriteLine("") // Next // Debug.WriteLine("") // Debug.WriteLine("") // RAWSocket.BeginReceive(MyStateObject.buffer, 0, 65535, System.Net.Sockets.SocketFlags.None, new AsyncCallback(SockCallBack), null); } |