diff options
author | Guy Harris <guy@alum.mit.edu> | 2004-08-02 23:14:32 +0000 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2004-08-02 23:14:32 +0000 |
commit | 1ef3caa637f22b27147012d53d94221667d1907a (patch) | |
tree | 0f711b96c1368ab082558d69c65569b5633eacba /epan/dissectors/packet-ntlmssp.c | |
parent | b37500aadc6eaa188552ea16b8e96841484eecc5 (diff) |
Move the NTLMv2 blob stuff back into packet-ntlmssp.c - it's more
NTLMSSP-related than SMB-related, and documents about NTLMSSP talk about
it, so it's a little more convenient to keep all that stuff together -
and export it through a packet-ntlmssp.h header.
svn path=/trunk/; revision=11585
Diffstat (limited to 'epan/dissectors/packet-ntlmssp.c')
-rw-r--r-- | epan/dissectors/packet-ntlmssp.c | 185 |
1 files changed, 179 insertions, 6 deletions
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c index 4f02faed50..e38af3cf37 100644 --- a/epan/dissectors/packet-ntlmssp.c +++ b/epan/dissectors/packet-ntlmssp.c @@ -41,6 +41,8 @@ #include "crypt-des.h" #include "packet-dcerpc.h" +#include "packet-ntlmssp.h" + /* Message types */ #define NTLMSSP_NEGOTIATE 1 @@ -187,6 +189,16 @@ static int hf_ntlmssp_verf_unknown1 = -1; static int hf_ntlmssp_verf_crc32 = -1; static int hf_ntlmssp_verf_sequence = -1; static int hf_ntlmssp_decrypted_payload = -1; +static int hf_ntlmssp_ntlmv2_response = -1; +static int hf_ntlmssp_ntlmv2_response_hmac = -1; +static int hf_ntlmssp_ntlmv2_response_header = -1; +static int hf_ntlmssp_ntlmv2_response_reserved = -1; +static int hf_ntlmssp_ntlmv2_response_time = -1; +static int hf_ntlmssp_ntlmv2_response_chal = -1; +static int hf_ntlmssp_ntlmv2_response_unknown = -1; +static int hf_ntlmssp_ntlmv2_response_name = -1; +static int hf_ntlmssp_ntlmv2_response_name_type = -1; +static int hf_ntlmssp_ntlmv2_response_name_len = -1; static gint ett_ntlmssp = -1; static gint ett_ntlmssp_negotiate_flags = -1; @@ -194,6 +206,8 @@ static gint ett_ntlmssp_string = -1; static gint ett_ntlmssp_blob = -1; static gint ett_ntlmssp_address_list = -1; static gint ett_ntlmssp_address_list_item = -1; +static gint ett_ntlmssp_ntlmv2_response = -1; +static gint ett_ntlmssp_ntlmv2_response_name = -1; /* Configuration variables */ static char *nt_password = NULL; @@ -563,6 +577,147 @@ dissect_ntlmssp_negotiate_flags (tvbuff_t *tvb, int offset, return (offset + 4); } +/* Dissect a NTLM response. This is documented at + http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3 */ + +/* Name types */ + +/* + * XXX - the davenport document says that a type of 5 has been seen, + * "apparently containing the 'parent' DNS domain for servers in + * subdomains". + */ + +#define NTLM_NAME_END 0x0000 +#define NTLM_NAME_NB_HOST 0x0001 +#define NTLM_NAME_NB_DOMAIN 0x0002 +#define NTLM_NAME_DNS_HOST 0x0003 +#define NTLM_NAME_DNS_DOMAIN 0x0004 + +static const value_string ntlm_name_types[] = { + { NTLM_NAME_END, "End of list" }, + { NTLM_NAME_NB_HOST, "NetBIOS host name" }, + { NTLM_NAME_NB_DOMAIN, "NetBIOS domain name" }, + { NTLM_NAME_DNS_HOST, "DNS host name" }, + { NTLM_NAME_DNS_DOMAIN, "DNS domain name" }, + { 0, NULL } +}; + +int +dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *tree, int offset, int len) +{ + proto_item *ntlmv2_item = NULL; + proto_tree *ntlmv2_tree = NULL; + + /* Dissect NTLMv2 bits&pieces */ + + if (tree) { + ntlmv2_item = proto_tree_add_item( + tree, hf_ntlmssp_ntlmv2_response, tvb, + offset, len, TRUE); + ntlmv2_tree = proto_item_add_subtree( + ntlmv2_item, ett_ntlmssp_ntlmv2_response); + } + + proto_tree_add_item( + ntlmv2_tree, hf_ntlmssp_ntlmv2_response_hmac, tvb, + offset, 16, TRUE); + + offset += 16; + + proto_tree_add_item( + ntlmv2_tree, hf_ntlmssp_ntlmv2_response_header, tvb, + offset, 4, TRUE); + + offset += 4; + + proto_tree_add_item( + ntlmv2_tree, hf_ntlmssp_ntlmv2_response_reserved, tvb, + offset, 4, TRUE); + + offset += 4; + + offset = dissect_smb_64bit_time( + tvb, ntlmv2_tree, offset, hf_ntlmssp_ntlmv2_response_time); + + proto_tree_add_item( + ntlmv2_tree, hf_ntlmssp_ntlmv2_response_chal, tvb, + offset, 8, TRUE); + + offset += 8; + + proto_tree_add_item( + ntlmv2_tree, hf_ntlmssp_ntlmv2_response_unknown, tvb, + offset, 4, TRUE); + + offset += 4; + + /* Variable length list of names */ + + while(1) { + guint16 name_type = tvb_get_letohs(tvb, offset); + guint16 name_len = tvb_get_letohs(tvb, offset + 2); + proto_tree *name_tree = NULL; + proto_item *name_item = NULL; + char *name = NULL; + + if (ntlmv2_tree) { + name_item = proto_tree_add_item( + ntlmv2_tree, hf_ntlmssp_ntlmv2_response_name, + tvb, offset, 0, TRUE); + name_tree = proto_item_add_subtree( + name_item, ett_ntlmssp_ntlmv2_response_name); + } + + /* Dissect name header */ + + proto_tree_add_item( + name_tree, hf_ntlmssp_ntlmv2_response_name_type, tvb, + offset, 2, TRUE); + + offset += 2; + + proto_tree_add_item( + name_tree, hf_ntlmssp_ntlmv2_response_name_len, tvb, + offset, 2, TRUE); + + offset += 2; + + /* Dissect name */ + + if (name_len > 0) { + name = tvb_fake_unicode( + tvb, offset, name_len / 2, TRUE); + + proto_tree_add_text( + name_tree, tvb, offset, name_len, + "Name: %s", name); + } else + name = g_strdup("NULL"); + + if (name_type == 0) + proto_item_append_text( + name_item, "%s", + val_to_str(name_type, ntlm_name_types, + "Unknown")); + else + proto_item_append_text( + name_item, "%s, %s", + val_to_str(name_type, ntlm_name_types, + "Unknown"), name); + + g_free(name); + + offset += name_len; + + proto_item_set_len(name_item, name_len + 4); + + if (name_type == 0) /* End of list */ + break; + }; + + return offset; +} static int dissect_ntlmssp_negotiate (tvbuff_t *tvb, int offset, proto_tree *ntlmssp_tree) @@ -1373,17 +1528,13 @@ proto_register_ntlmssp(void) static hf_register_info hf[] = { { &hf_ntlmssp, { "NTLMSSP", "ntlmssp", FT_NONE, BASE_NONE, NULL, 0x0, "NTLMSSP", HFILL }}, - { &hf_ntlmssp_auth, { "NTLMSSP identifier", "ntlmssp.identifier", FT_STRING, BASE_NONE, NULL, 0x0, "NTLMSSP Identifier", HFILL }}, - { &hf_ntlmssp_message_type, { "NTLM Message Type", "ntlmssp.messagetype", FT_UINT32, BASE_HEX, VALS(ntlmssp_message_types), 0x0, "", HFILL }}, - { &hf_ntlmssp_negotiate_flags, { "Flags", "ntlmssp.negotiateflags", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_negotiate_flags_01, - { "Negotiate UNICODE", "ntlmssp.negotiateunicode", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_UNICODE, "", HFILL }}, { &hf_ntlmssp_negotiate_flags_02, { "Negotiate OEM", "ntlmssp.negotiateoem", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_OEM, "", HFILL }}, @@ -1530,7 +1681,27 @@ proto_register_ntlmssp(void) { &hf_ntlmssp_verf_crc32, { "Verifier CRC32", "ntlmssp.verf.crc32", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_verf_sequence, - { "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }} + { "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response, + { "NTLMv2 Response", "ntlmssp.ntlmv2response", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_hmac, + { "HMAC", "ntlmssp.ntlmv2response.hmac", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_header, + { "Header", "ntlmssp.ntlmv2response.header", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_reserved, + { "Reserved", "ntlmssp.ntlmv2response.reserved", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_time, + { "Time", "ntlmssp.ntlmv2response.time", FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_chal, + { "Client challenge", "ntlmssp.ntlmv2response.chal", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_unknown, + { "Unknown", "ntlmssp.ntlmv2response.unknown", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_name, + { "Name", "ntlmssp.ntlmv2response.name", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_name_type, + { "Name type", "ntlmssp.ntlmv2response.name.type", FT_UINT32, BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_name_len, + { "Name len", "ntlmssp.ntlmv2response.name.len", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }} }; @@ -1540,7 +1711,9 @@ proto_register_ntlmssp(void) &ett_ntlmssp_string, &ett_ntlmssp_blob, &ett_ntlmssp_address_list, - &ett_ntlmssp_address_list_item + &ett_ntlmssp_address_list_item, + &ett_ntlmssp_ntlmv2_response, + &ett_ntlmssp_ntlmv2_response_name }; module_t *ntlmssp_module; |