-rw-r--r-- | epan/dissectors/Makefile.common | 1 | ||||
-rw-r--r-- | epan/dissectors/packet-dcerpc-netlogon.c | 2 | ||||
-rw-r--r-- | epan/dissectors/packet-ntlmssp.c | 185 | ||||
-rw-r--r-- | epan/dissectors/packet-ntlmssp.h | 35 | ||||
-rw-r--r-- | epan/dissectors/packet-smb-common.c | 198 | ||||
-rw-r--r-- | epan/dissectors/packet-smb-common.h | 25 | ||||
-rw-r--r-- | epan/dissectors/packet-smb.c | 3 |
7 files changed, 217 insertions, 232 deletions
diff --git a/epan/dissectors/Makefile.common b/epan/dissectors/Makefile.common
index 642351fb6c..d7ad940620 100644
--- a/epan/dissectors/Makefile.common
+++ b/epan/dissectors/Makefile.common
@@ -632,6 +632,7 @@ DISSECTOR_INCLUDES = \
 packet-nfs.h \
 packet-nisplus.h \
 packet-nlm.h \
+ packet-ntlmssp.h \
 packet-ntp.h \
 packet-null.h \
 packet-osi-options.h \
diff --git a/epan/dissectors/packet-dcerpc-netlogon.c b/epan/dissectors/packet-dcerpc-netlogon.c
index 7f06a040ac..cb9f160adc 100644
--- a/epan/dissectors/packet-dcerpc-netlogon.c
+++ b/epan/dissectors/packet-dcerpc-netlogon.c
@@ -34,7 +34,7 @@
 #include "packet-dcerpc-nt.h"
 #include "packet-dcerpc-netlogon.h"
 #include "smb.h" /* for "NT_errors[]" */
-#include "packet-smb-common.h"
+#include "packet-ntlmssp.h"
 #include "packet-dcerpc-lsa.h"
 static int proto_dcerpc_netlogon = -1;
diff --git a/epan/dissectors/packet-ntlmssp.c b/epan/dissectors/packet-ntlmssp.c
index 4f02faed50..e38af3cf37 100644
--- a/epan/dissectors/packet-ntlmssp.c
+++ b/epan/dissectors/packet-ntlmssp.c
@@ -41,6 +41,8 @@
 #include "crypt-des.h"
 #include "packet-dcerpc.h"
+#include "packet-ntlmssp.h"
+
 /* Message types */
 #define NTLMSSP_NEGOTIATE 1
@@ -187,6 +189,16 @@ static int hf_ntlmssp_verf_unknown1 = -1;
 static int hf_ntlmssp_verf_crc32 = -1;
 static int hf_ntlmssp_verf_sequence = -1;
 static int hf_ntlmssp_decrypted_payload = -1;
+static int hf_ntlmssp_ntlmv2_response = -1;
+static int hf_ntlmssp_ntlmv2_response_hmac = -1;
+static int hf_ntlmssp_ntlmv2_response_header = -1;
+static int hf_ntlmssp_ntlmv2_response_reserved = -1;
+static int hf_ntlmssp_ntlmv2_response_time = -1;
+static int hf_ntlmssp_ntlmv2_response_chal = -1;
+static int hf_ntlmssp_ntlmv2_response_unknown = -1;
+static int hf_ntlmssp_ntlmv2_response_name = -1;
+static int hf_ntlmssp_ntlmv2_response_name_type = -1;
+static int hf_ntlmssp_ntlmv2_response_name_len = -1;
 static gint ett_ntlmssp = -1;
 static gint ett_ntlmssp_negotiate_flags = -1;
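Review bot: Replacing `#include "packet-smb-common.h"` with `#include "packet-ntlmssp.h"` in packet-dcerpc-netlogon.c is only safe if dissect_ntlmv2_response was the sole declaration this file took from packet-smb-common.h; the diffstat shows no other change to the file, so any remaining use of something that header still declares (the packet-smb-common.h hunk below keeps dissect_nt_sec_desc and share_type_vals there) would now be an implicit declaration. Presumably nothing else is used, but if it is, add the new include rather than swapping it: keep `#include "packet-smb-common.h"` and add `#include "packet-ntlmssp.h"` after it.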
@@ -194,6 +206,8 @@ static gint ett_ntlmssp_string = -1;
 static gint ett_ntlmssp_blob = -1;
 static gint ett_ntlmssp_address_list = -1;
 static gint ett_ntlmssp_address_list_item = -1;
+static gint ett_ntlmssp_ntlmv2_response = -1;
+static gint ett_ntlmssp_ntlmv2_response_name = -1;
 /* Configuration variables */
 static char *nt_password = NULL;
@@ -563,6 +577,147 @@ dissect_ntlmssp_negotiate_flags (tvbuff_t *tvb, int offset,
 return (offset + 4);
 }
+/* Dissect a NTLM response. This is documented at
+ http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3 */
+
+/* Name types */
+
+/*
+ * XXX - the davenport document says that a type of 5 has been seen,
+ * "apparently containing the 'parent' DNS domain for servers in
+ * subdomains".
+ */
+
+#define NTLM_NAME_END 0x0000
+#define NTLM_NAME_NB_HOST 0x0001
+#define NTLM_NAME_NB_DOMAIN 0x0002
+#define NTLM_NAME_DNS_HOST 0x0003
+#define NTLM_NAME_DNS_DOMAIN 0x0004
+
+static const value_string ntlm_name_types[] = {
+ { NTLM_NAME_END, "End of list" },
+ { NTLM_NAME_NB_HOST, "NetBIOS host name" },
+ { NTLM_NAME_NB_DOMAIN, "NetBIOS domain name" },
+ { NTLM_NAME_DNS_HOST, "DNS host name" },
+ { NTLM_NAME_DNS_DOMAIN, "DNS domain name" },
+ { 0, NULL }
+};
+
+int
+dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *tree, int offset, int len)
+{
+ proto_item *ntlmv2_item = NULL;
+ proto_tree *ntlmv2_tree = NULL;
+
+ /* Dissect NTLMv2 bits&pieces */
+
+ if (tree) {
+ ntlmv2_item = proto_tree_add_item(
+ tree, hf_ntlmssp_ntlmv2_response, tvb,
+ offset, len, TRUE);
+ ntlmv2_tree = proto_item_add_subtree(
+ ntlmv2_item, ett_ntlmssp_ntlmv2_response);
+ }
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmssp_ntlmv2_response_hmac, tvb,
+ offset, 16, TRUE);
+
+ offset += 16;
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmssp_ntlmv2_response_header, tvb,
+ offset, 4, TRUE);
+
+ offset += 4;
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmssp_ntlmv2_response_reserved, tvb,
+ offset, 4, TRUE);
+
+ offset += 4;
+
+ offset = dissect_smb_64bit_time(
+ tvb, ntlmv2_tree, offset, hf_ntlmssp_ntlmv2_response_time);
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmssp_ntlmv2_response_chal, tvb,
+ offset, 8, TRUE);
+
+ offset += 8;
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmssp_ntlmv2_response_unknown, tvb,
+ offset, 4, TRUE);
+
+ offset += 4;
+
+ /* Variable length list of names */
+
+ while(1) {
+
guint16 name_type = tvb_get_letohs(tvb, offset);
+ guint16 name_len = tvb_get_letohs(tvb, offset + 2);
+ proto_tree *name_tree = NULL;
+ proto_item *name_item = NULL;
+ char *name = NULL;
+
+ if (ntlmv2_tree) {
+ name_item = proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmssp_ntlmv2_response_name,
+ tvb, offset, 0, TRUE);
+ name_tree = proto_item_add_subtree(
+ name_item, ett_ntlmssp_ntlmv2_response_name);
+ }
+
+ /* Dissect name header */
+
+ proto_tree_add_item(
+ name_tree, hf_ntlmssp_ntlmv2_response_name_type, tvb,
+ offset, 2, TRUE);
+
+ offset += 2;
+
+ proto_tree_add_item(
+ name_tree, hf_ntlmssp_ntlmv2_response_name_len, tvb,
+ offset, 2, TRUE);
+
+ offset += 2;
+
+ /* Dissect name */
+
+ if (name_len > 0) {
+ name = tvb_fake_unicode(
+ tvb, offset, name_len / 2, TRUE);
+
+ proto_tree_add_text(
+ name_tree, tvb, offset, name_len,
+ "Name: %s", name);
+ } else
+ name = g_strdup("NULL");
+
+ if (name_type == 0)
+ proto_item_append_text(
+ name_item, "%s",
+ val_to_str(name_type, ntlm_name_types,
+ "Unknown"));
+ else
+ proto_item_append_text(
+ name_item, "%s, %s",
+ val_to_str(name_type, ntlm_name_types,
+ "Unknown"), name);
+
+ g_free(name);
+
+ offset += name_len;
+
+ proto_item_set_len(name_item, name_len + 4);
+
+ if (name_type == 0) /* End of list */
+ break;
+ };
+
+ return offset;
+}
 static int
 dissect_ntlmssp_negotiate (tvbuff_t *tvb, int offset, proto_tree *ntlmssp_tree)
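Review bot: The name-list loop in dissect_ntlmv2_response never consults the `len` it was given: `len` only sizes the enclosing item, and `while(1)` keeps reading `name_type`/`name_len` pairs until a type of 0 turns up, so a response whose list lacks the terminator, or whose `name_len` runs past the blob, is followed into whatever bytes come after it, and the only stop left is the tvbuff's own bounds check. Since this is packet data from the peer, bound the walk by the blob: record `int end = offset + len;` at function entry, make the loop `while (offset + 4 <= end) {`, and treat `name_len > end - offset` as a malformed response instead of advancing past the blob. The body is moved unchanged from packet-smb-common.c, so the old side has the same shape. Two smaller points while here: the `};` after the loop is a stray empty statement, and an odd `name_len` silently drops its last byte in the `name_len / 2` passed to tvb_fake_unicode while proto_tree_add_text still claims `name_len` bytes for the same field.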
@@ -1373,17 +1528,13 @@ proto_register_ntlmssp(void)
 static hf_register_info hf[] = {
 { &hf_ntlmssp,
 { "NTLMSSP", "ntlmssp", FT_NONE, BASE_NONE, NULL, 0x0, "NTLMSSP", HFILL }},
-
 { &hf_ntlmssp_auth,
 { "NTLMSSP identifier", "ntlmssp.identifier", FT_STRING, BASE_NONE, NULL, 0x0, "NTLMSSP Identifier", HFILL }},
-
 { &hf_ntlmssp_message_type,
 { "NTLM Message Type", "ntlmssp.messagetype", FT_UINT32, BASE_HEX, VALS(ntlmssp_message_types), 0x0, "", HFILL }},
-
 { &hf_ntlmssp_negotiate_flags,
 { "Flags", "ntlmssp.negotiateflags", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
 { &hf_ntlmssp_negotiate_flags_01,
-
 { "Negotiate UNICODE", "ntlmssp.negotiateunicode", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_UNICODE, "", HFILL }},
 { &hf_ntlmssp_negotiate_flags_02,
 { "Negotiate OEM", "ntlmssp.negotiateoem", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_OEM, "", HFILL }},
@@ -1530,7 +1681,27 @@ proto_register_ntlmssp(void)
 { &hf_ntlmssp_verf_crc32,
 { "Verifier CRC32", "ntlmssp.verf.crc32", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
 { &hf_ntlmssp_verf_sequence,
- { "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}
+ { "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response,
+ { "NTLMv2 Response", "ntlmssp.ntlmv2response", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response_hmac,
+ { "HMAC", "ntlmssp.ntlmv2response.hmac", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response_header,
+ { "Header", "ntlmssp.ntlmv2response.header", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response_reserved,
+ { "Reserved", "ntlmssp.ntlmv2response.reserved", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response_time,
+ { "Time", "ntlmssp.ntlmv2response.time", FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response_chal,
+ { "Client challenge", "ntlmssp.ntlmv2response.chal", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response_unknown,
+ { "Unknown", "ntlmssp.ntlmv2response.unknown", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response_name,
+ { "Name", "ntlmssp.ntlmv2response.name", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response_name_type,
+ { "Name type", "ntlmssp.ntlmv2response.name.type", FT_UINT32, BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }},
+ { &hf_ntlmssp_ntlmv2_response_name_len,
+ { "Name len", "ntlmssp.ntlmv2response.name.len", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}
 };
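Review bot: `hf_ntlmssp_ntlmv2_response_name_type` and `hf_ntlmssp_ntlmv2_response_name_len` are registered as FT_UINT32, but dissect_ntlmv2_response adds each with a 2-byte length (`offset, 2, TRUE`) and reads them with tvb_get_letohs, so FT_UINT16 would match the wire width and give the display-filter field an honest range, e.g. `{ "Name type", "ntlmssp.ntlmv2response.name.type", FT_UINT16, BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }},` and likewise for name.len. Also worth a line in the commit message: the filter names move from the `smb.ntlmv2response.*` prefix (removed in packet-smb-common.c below) to `ntlmssp.ntlmv2response.*`, so saved filters and scripts keyed on the old names stop matching after this change.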
@@ -1540,7 +1711,9 @@ proto_register_ntlmssp(void)
 &ett_ntlmssp_string,
 &ett_ntlmssp_blob,
 &ett_ntlmssp_address_list,
- &ett_ntlmssp_address_list_item
+ &ett_ntlmssp_address_list_item,
+ &ett_ntlmssp_ntlmv2_response,
+ &ett_ntlmssp_ntlmv2_response_name
 };
 module_t *ntlmssp_module;
diff --git a/epan/dissectors/packet-ntlmssp.h b/epan/dissectors/packet-ntlmssp.h
new file mode 100644
index 0000000000..597a90b9cc
--- /dev/null
+++ b/epan/dissectors/packet-ntlmssp.h
@@ -0,0 +1,35 @@
+/* packet-ntlmssp.h
+ * Declarations for NTLM Secure Service Provider
+ * Copyright 2003, Tim Potter <tpot@samba.org>
+ *
+ * $Id$
+ *
+ * Ethereal - Network traffic analyzer
+ * By Gerald Combs <gerald@ethereal.com>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifndef __PACKET_NTLMSSP_H__
+#define __PACKET_NTLMSSP_H__
+
+/* Dissect a ntlmv2 response */
+
+int
+dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *ntlmssp_tree, int offset,
+ int len);
+
+#endif
diff --git a/epan/dissectors/packet-smb-common.c b/epan/dissectors/packet-smb-common.c
index f5e4d09275..da62cbf5ea 100644
--- a/epan/dissectors/packet-smb-common.c
+++ b/epan/dissectors/packet-smb-common.c
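Review bot: packet-ntlmssp.h names `tvbuff_t` and `proto_tree` without including anything, so it only compiles in a translation unit that has already pulled in the epan headers; the includers in this commit presumably do, but the header is not self-contained. Either add `#include <epan/packet.h>` after the guard or state the requirement in the header comment, e.g. `/* Requires <epan/packet.h> to have been included first. */`. The `/* Dissect a ntlmv2 response */` comment would also help callers if it said that `len` is the length of the response blob starting at `offset` (it is used only to size the enclosing item) and that the return value is the offset just past the dissected data, since those are the two contracts a caller has to get right.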
@@ -290,201 +290,3 @@ dissect_smb_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int
 return offset+tvb_length_remaining(tvb, offset);
 }
-
-/* Dissect a NTLM response. This is documented at
- http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3 */
-
-static int hf_ntlmv2_response = -1;
-static int hf_ntlmv2_response_hmac = -1;
-static int hf_ntlmv2_response_header = -1;
-static int hf_ntlmv2_response_reserved = -1;
-static int hf_ntlmv2_response_time = -1;
-static int hf_ntlmv2_response_chal = -1;
-static int hf_ntlmv2_response_unknown = -1;
-static int hf_ntlmv2_response_name = -1;
-static int hf_ntlmv2_response_name_type = -1;
-static int hf_ntlmv2_response_name_len = -1;
-
-static gint ett_ntlmv2_response = -1;
-static gint ett_ntlmv2_response_name = -1;
-
-/* Name types */
-
-const value_string ntlm_name_types[] = {
- { NTLM_NAME_END, "End of list" },
- { NTLM_NAME_NB_HOST, "NetBIOS host name" },
- { NTLM_NAME_NB_DOMAIN, "NetBIOS domain name" },
- { NTLM_NAME_DNS_HOST, "DNS host name" },
- { NTLM_NAME_DNS_DOMAIN, "DNS domain name" },
- { 0, NULL }
-};
-
-int
-dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *tree, int offset, int len)
-{
- proto_item *ntlmv2_item = NULL;
- proto_tree *ntlmv2_tree = NULL;
-
- /* Dissect NTLMv2 bits&pieces */
-
- if (tree) {
- ntlmv2_item = proto_tree_add_item(
- tree, hf_ntlmv2_response, tvb,
- offset, len, TRUE);
- ntlmv2_tree = proto_item_add_subtree(
- ntlmv2_item, ett_ntlmv2_response);
- }
-
- proto_tree_add_item(
- ntlmv2_tree, hf_ntlmv2_response_hmac, tvb,
- offset, 16, TRUE);
-
- offset += 16;
-
- proto_tree_add_item(
- ntlmv2_tree, hf_ntlmv2_response_header, tvb,
- offset, 4, TRUE);
-
- offset += 4;
-
- proto_tree_add_item(
- ntlmv2_tree, hf_ntlmv2_response_reserved, tvb,
- offset, 4, TRUE);
-
- offset += 4;
-
- offset = dissect_smb_64bit_time(
- tvb, ntlmv2_tree, offset, hf_ntlmv2_response_time);
-
- proto_tree_add_item(
- ntlmv2_tree, hf_ntlmv2_response_chal, tvb,
- offset, 8, TRUE);
-
- offset += 8;
-
-
proto_tree_add_item(
- ntlmv2_tree, hf_ntlmv2_response_unknown, tvb,
- offset, 4, TRUE);
-
- offset += 4;
-
- /* Variable length list of names */
-
- while(1) {
- guint16 name_type = tvb_get_letohs(tvb, offset);
- guint16 name_len = tvb_get_letohs(tvb, offset + 2);
- proto_tree *name_tree = NULL;
- proto_item *name_item = NULL;
- char *name = NULL;
-
- if (ntlmv2_tree) {
- name_item = proto_tree_add_item(
- ntlmv2_tree, hf_ntlmv2_response_name,
- tvb, offset, 0, TRUE);
- name_tree = proto_item_add_subtree(
- name_item, ett_ntlmv2_response_name);
- }
-
- /* Dissect name header */
-
- proto_tree_add_item(
- name_tree, hf_ntlmv2_response_name_type, tvb,
- offset, 2, TRUE);
-
- offset += 2;
-
- proto_tree_add_item(
- name_tree, hf_ntlmv2_response_name_len, tvb,
- offset, 2, TRUE);
-
- offset += 2;
-
- /* Dissect name */
-
- if (name_len > 0) {
- name = tvb_fake_unicode(
- tvb, offset, name_len / 2, TRUE);
-
- proto_tree_add_text(
- name_tree, tvb, offset, name_len,
- "Name: %s", name);
- } else
- name = g_strdup("NULL");
-
- if (name_type == 0)
- proto_item_append_text(
- name_item, "%s",
- val_to_str(name_type, ntlm_name_types,
- "Unknown"));
- else
- proto_item_append_text(
- name_item, "%s, %s",
- val_to_str(name_type, ntlm_name_types,
- "Unknown"), name);
-
- g_free(name);
-
- offset += name_len;
-
- proto_item_set_len(name_item, name_len + 4);
-
- if (name_type == 0) /* End of list */
- break;
- };
-
- return offset;
-}
-
-void register_smb_common(int proto_smb)
-{
- static hf_register_info hf[] = {
-
- { &hf_ntlmv2_response,
- { "NTLMv2 Response", "smb.ntlmv2response", FT_BYTES,
- BASE_HEX, NULL, 0x0, "", HFILL }},
-
- { &hf_ntlmv2_response_hmac,
- { "HMAC", "smb.ntlmv2response.hmac", FT_BYTES, BASE_HEX,
- NULL, 0x0, "", HFILL }},
-
- { &hf_ntlmv2_response_header,
- { "Header", "smb.ntlmv2response.header", FT_UINT32,
- BASE_HEX, NULL, 0x0, "", HFILL }},
-
- { &hf_ntlmv2_response_reserved,
- { "Reserved", "smb.ntlmv2response.reserved", FT_UINT32,
- BASE_HEX, NULL,
0x0, "", HFILL }},
-
- { &hf_ntlmv2_response_time,
- { "Time", "smb.ntlmv2response.time", FT_ABSOLUTE_TIME,
- BASE_NONE, NULL, 0, "", HFILL }},
-
- { &hf_ntlmv2_response_chal,
- { "Client challenge", "smb.ntlmv2response.chal", FT_BYTES,
- BASE_HEX, NULL, 0x0, "", HFILL }},
-
- { &hf_ntlmv2_response_unknown,
- { "Unknown", "smb.ntlmv2response.unknown", FT_UINT32,
- BASE_HEX, NULL, 0x0, "", HFILL }},
-
- { &hf_ntlmv2_response_name,
- { "Name", "smb.ntlmv2response.name", FT_STRING, BASE_NONE,
- NULL, 0x0, "", HFILL }},
-
- { &hf_ntlmv2_response_name_type,
- { "Name type", "smb.ntlmv2response.name.type", FT_UINT32,
- BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }},
-
- { &hf_ntlmv2_response_name_len,
- { "Name len", "smb.ntlmv2response.name.len", FT_UINT32,
- BASE_DEC, NULL, 0x0, "", HFILL }}
- };
-
- static gint *ett[] = {
- &ett_ntlmv2_response,
- &ett_ntlmv2_response_name
- };
-
- proto_register_subtree_array(ett, array_length(ett));
- proto_register_field_array(proto_smb, hf, array_length(hf));
-}
diff --git a/epan/dissectors/packet-smb-common.h b/epan/dissectors/packet-smb-common.h
index 78d4b8602c..1949a11c49 100644
--- a/epan/dissectors/packet-smb-common.h
+++ b/epan/dissectors/packet-smb-common.h
@@ -102,29 +102,4 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
 extern const value_string share_type_vals[];
-/* Dissect a ntlmv2 response */
-
-int
-dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *ntlmssp_tree, int offset,
- int len);
-
-void register_smb_common(int proto_smb);
-
-extern const value_string ntlm_name_types[];
-
-/*
- * XXX - the document at
- *
- * http://davenport.sourceforge.net/ntlm.html
- *
- * says that a type of 5 has been seen, "apparently containing the
- * 'parent' DNS domain for servers in subdomains".
- */
-
-#define NTLM_NAME_END 0x0000
-#define NTLM_NAME_NB_HOST 0x0001
-#define NTLM_NAME_NB_DOMAIN 0x0002
-#define NTLM_NAME_DNS_HOST 0x0003
-#define NTLM_NAME_DNS_DOMAIN 0x0004
-
 #endif
diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c
index 250c06250b..cd40568044 100644
--- a/epan/dissectors/packet-smb.c
+++ b/epan/dissectors/packet-smb.c
@@ -51,6 +51,7 @@
 #include "packet-smb-pipe.h"
 #include "packet-dcerpc.h"
 #include "packet-smb-sidsnooping.h"
+#include "packet-ntlmssp.h"
 /*
 * Various specifications and documents about SMB can be found in
@@ -19401,8 +19402,6 @@ proto_register_smb(void)
 proto_register_subtree_array(ett, array_length(ett));
 proto_register_field_array(proto_smb, hf, array_length(hf));
- register_smb_common(proto_smb);
-
 register_init_routine(&smb_init_protocol);
 smb_module = prefs_register_protocol(proto_smb, NULL);
 prefs_register_bool_preference(smb_module, "trans_reassembly", |