From 779206012c76b7e8ba6e69239ce9fb653ada3150 Mon Sep 17 00:00:00 2001
From: Graeme Lunt
Date: Fri, 30 Sep 2011 15:21:16 +0000
Subject: Microsoft Credential Security Support Provider (CredSSP) support.
Used by direct approach RDP for NTLMSSP authentication under SSL.
svn path=/trunk/; revision=39196
---
 asn1/credssp/CredSSP.asn | 46 +++++++++
 asn1/credssp/Makefile.am | 26 ++++++
 asn1/credssp/Makefile.common | 50 ++++++++++
 asn1/credssp/Makefile.nmake | 29 ++++++
 asn1/credssp/credssp.cnf | 57 +++++++++++
 asn1/credssp/packet-credssp-template.c | 166 +++++++++++++++++++++++++++++++++
 asn1/credssp/packet-credssp-template.h | 34 +++++++
 7 files changed, 408 insertions(+)
 create mode 100644 asn1/credssp/CredSSP.asn
 create mode 100644 asn1/credssp/Makefile.am
 create mode 100644 asn1/credssp/Makefile.common
 create mode 100644 asn1/credssp/Makefile.nmake
 create mode 100644 asn1/credssp/credssp.cnf
 create mode 100644 asn1/credssp/packet-credssp-template.c
 create mode 100644 asn1/credssp/packet-credssp-template.h
(limited to 'asn1/credssp')
diff --git a/asn1/credssp/CredSSP.asn b/asn1/credssp/CredSSP.asn
new file mode 100644
index 0000000000..61e34c2193
--- /dev/null
+++ b/asn1/credssp/CredSSP.asn
@@ -0,0 +1,46 @@
+-- $Id$
+--
+-- Derived from http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf
+
+CredSSP DEFINITIONS EXPLICIT TAGS ::=
+
+BEGIN
+
+NegoData ::= SEQUENCE OF SEQUENCE {
+ negoToken [0] OCTET STRING
+}
+
+TSPasswordCreds ::= SEQUENCE {
+ domainName [0] OCTET STRING,
+ userName [1] OCTET STRING,
+ password [2] OCTET STRING
+}
+
+TSCspDataDetail ::= SEQUENCE {
+ keySpec [0] INTEGER,
+ cardName [1] OCTET STRING OPTIONAL,
+ readerName [2] OCTET STRING OPTIONAL,
+ containerName [3] OCTET STRING OPTIONAL,
+ cspName [4] OCTET STRING OPTIONAL
+}
+
+TSSmartCardCreds ::= SEQUENCE {
+ pin [0] OCTET STRING,
+ cspData [1] TSCspDataDetail,
+ userHint [2] OCTET STRING OPTIONAL,
+ domainHint [3] OCTET STRING OPTIONAL
+}
+
+TSCredentials ::= SEQUENCE {
+ credType [0] INTEGER,
+ credentials [1] OCTET STRING
+}
+
+TSRequest ::= SEQUENCE {
+ version [0] INTEGER,
+ negoTokens [1] NegoData OPTIONAL,
+ authInfo [2] OCTET STRING OPTIONAL,
+ pubKeyAuth [3] OCTET STRING OPTIONAL
+}
+
+END
diff --git a/asn1/credssp/Makefile.am b/asn1/credssp/Makefile.am
new file mode 100644
index 0000000000..462af31e88
--- /dev/null
+++ b/asn1/credssp/Makefile.am
@@ -0,0 +1,26 @@
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+include ../Makefile.preinc
+include Makefile.common
+include ../Makefile.inc
+
diff --git a/asn1/credssp/Makefile.common b/asn1/credssp/Makefile.common
new file mode 100644
index 0000000000..24ead6d71f
--- /dev/null
+++ b/asn1/credssp/Makefile.common
@@ -0,0 +1,50 @@
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+PROTOCOL_NAME=credssp
+
+DISSECTOR_FILES=packet-$(PROTOCOL_NAME).c \
+ packet-$(PROTOCOL_NAME).h
+
+
+EXPORT_FILES = $(PROTOCOL_NAME)-exp.cnf
+
+EXT_ASN_FILE_LIST =
+
+ASN_FILE_LIST = CredSSP.asn
+
+# The packet-$(PROTOCOL_NAME)-template.h and $(PROTOCOL_NAME).asn
+# files do not exist for all protocols: Please add/remove as required.
+EXTRA_DIST = \
+ Makefile.nmake \
+ $(ASN_FILE_LIST) \
+ packet-$(PROTOCOL_NAME)-template.c \
+ packet-$(PROTOCOL_NAME)-template.h \
+ $(PROTOCOL_NAME).cnf
+
+SRC_FILES = \
+ $(EXTRA_DIST) \
+ $(EXT_ASN_FILE_LIST)
+
+A2W_FLAGS= -b -e -C
+
+EXTRA_CNF=
diff --git a/asn1/credssp/Makefile.nmake b/asn1/credssp/Makefile.nmake
new file mode 100644
index 0000000000..5a32997c60
--- /dev/null
+++ b/asn1/credssp/Makefile.nmake
@@ -0,0 +1,29 @@
+## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake
+#
+# $Id$
+#
+#
+# Wireshark - Network traffic analyzer
+# By Gerald Combs
+# Copyright 1998 Gerald Combs
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+include ../../config.nmake
+include ../Makefile.preinc.nmake
+include Makefile.common
+include ../Makefile.inc.nmake
+
diff --git a/asn1/credssp/credssp.cnf b/asn1/credssp/credssp.cnf
new file mode 100644
index 0000000000..b53c7a663e
--- /dev/null
+++ b/asn1/credssp/credssp.cnf
@@ -0,0 +1,57 @@
+# credssp.cnf
+# Credential Security Support Provider (CredSSP) conformance file
+# $Id$
+
+#.PDU
+TSRequest
+
+#.FN_PARS TSRequest/authInfo VAL_PTR = &auth_tvb
+
+#.FN_BODY TSRequest/authInfo
+ tvbuff_t *auth_tvb = NULL;
+ tvbuff_t *decr_tvb = NULL;
+
+ %(DEFAULT_BODY)s
+
+ if(decr_tvb != NULL)
+ offset = dissect_credssp_TSCredentials(FALSE, decr_tvb, 0, actx, tree, hf_credssp_TSCredentials);
+
+
+#.FN_PARS TSCredentials/credType VAL_PTR = &creds_type
+#.FN_PARS TSCredentials/credentials VAL_PTR = &creds_tvb
+
+#.FN_BODY TSCredentials/credentials
+ tvbuff_t *creds_tvb = NULL;
+ tvbuff_t *decr_tvb = NULL;
+
+ %(DEFAULT_BODY)s
+
+ if((decr_tvb != NULL) &&
+ ((creds_type == TS_PASSWORD_CREDS) || (creds_type == TS_SMARTCARD_CREDS))) {
+
+ switch(creds_type) {
+ case TS_PASSWORD_CREDS:
+ offset = dissect_credssp_TSPasswordCreds(FALSE, decr_tvb, 0, actx, tree, hf_credssp_TSPasswordCreds);
+ break;
+ case TS_SMARTCARD_CREDS:
+ offset = dissect_credssp_TSSmartCardCreds(FALSE, decr_tvb, 0, actx, tree, hf_credssp_TSSmartCardCreds);
+ break;
+ }
+ }
+
+
+#.FN_PARS NegoData/_item/negoToken VAL_PTR = &token_tvb
+
+#.FN_BODY NegoData/_item/negoToken
+ tvbuff_t *token_tvb = NULL;
+
+ %(DEFAULT_BODY)s
+
+ if(token_tvb != NULL)
+ dissector_try_heuristic(credssp_heur_subdissector_list,
+ token_tvb, actx->pinfo, proto_tree_get_root(tree));
+
+
+#.END
+
+
diff --git a/asn1/credssp/packet-credssp-template.c b/asn1/credssp/packet-credssp-template.c
new file mode 100644
index 0000000000..aa57e2c16e
--- /dev/null
+++ b/asn1/credssp/packet-credssp-template.c
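Review bot: In the `TSRequest/authInfo` and `TSCredentials/credentials` bodies `decr_tvb` is initialised to NULL and never assigned, so the guarded `dissect_credssp_TSCredentials`, `dissect_credssp_TSPasswordCreds` and `dissect_credssp_TSSmartCardCreds` calls can never run, while `auth_tvb` and `creds_tvb` are filled via `VAL_PTR` but never read. Presumably these are placeholders until the credential blob can be decrypted with the TLS session material; if so, say that in the file, e.g. `# decr_tvb is a placeholder: authInfo/credentials are encrypted and no decryption is wired up yet`, otherwise the dead branches and set-but-unused tvbs only produce compiler warnings. The outer `(creds_type == TS_PASSWORD_CREDS) || (creds_type == TS_SMARTCARD_CREDS)` test repeats the `switch` cases; dropping it and giving the `switch` a `default: break;` expresses the same thing once.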
@@ -0,0 +1,166 @@
+/* packet-credssp.c
+ * Routines for CredSSP (Credential Security Support Provider) packet dissection
+ * Graeme Lunt 2011
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include
+#include
+#include
+
+#include "packet-ber.h"
+#include "packet-credssp.h"
+
+
+#define PNAME "Credential Security Support Provider"
+#define PSNAME "CredSSP"
+#define PFNAME "credssp"
+
+#define TS_PASSWORD_CREDS 1
+#define TS_SMARTCARD_CREDS 2
+static gint creds_type;
+
+/* Initialize the protocol and registered fields */
+static int proto_credssp = -1;
+
+/* List of dissectors to call for negoToken data */
+static heur_dissector_list_t credssp_heur_subdissector_list;
+
+static int hf_credssp_TSPasswordCreds = -1; /* TSPasswordCreds */
+static int hf_credssp_TSSmartCardCreds = -1; /* TSSmartCardCreds */
+static int hf_credssp_TSCredentials = -1; /* TSCredentials */
+#include "packet-credssp-hf.c"
+
+/* Initialize the subtree pointers */
+static gint ett_credssp = -1;
+#include "packet-credssp-ett.c"
+
+#include "packet-credssp-fn.c"
+
+/*
+* Dissect CredSSP PDUs
+*/
+static void
+dissect_credssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+
+ if(parent_tree){
+ item = proto_tree_add_item(parent_tree, proto_credssp, tvb, 0, -1, ENC_NA);
+ tree = proto_item_add_subtree(item, ett_credssp);
+ }
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "CredSSP");
+ col_clear(pinfo->cinfo, COL_INFO);
+
+ creds_type = -1;
+ dissect_TSRequest_PDU(tvb, pinfo, tree);
+}
+
+static gboolean
+dissect_credssp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+ asn1_ctx_t asn1_ctx;
+ int offset = 0;
+ gint8 class;
+ gboolean pc;
+ gint32 tag;
+ guint32 length;
+
+ asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+
+ /* Look for SEQUENCE, CONTEXT 0, and INTEGER 2 */
+ if(tvb_length(tvb) > 7) {
+ offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
+ if((class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_SEQUENCE) && (pc == TRUE)) {
+ offset = get_ber_length(tvb, offset, NULL, NULL);
+ offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
+ if((class == BER_CLASS_CON) && (tag == 0)) {
+ offset = get_ber_length(tvb, offset, NULL, NULL);
+ offset = get_ber_identifier(tvb, offset, &class, &pc, &tag);
+ if((class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_INTEGER)) {
+ offset = get_ber_length(tvb, offset, &length, NULL);
+ if((length == 1) && (tvb_get_guint8(tvb, offset) == 2)) {
+ dissect_credssp(tvb, pinfo, parent_tree);
+ return TRUE;
+ }
+ }
+ }
+ }
+ }
+ return FALSE;
+}
+
+
+/*--- proto_register_credssp -------------------------------------------*/
+void proto_register_credssp(void) {
+
+ /* List of fields */
+ static hf_register_info hf[] =
+ {
+ { &hf_credssp_TSPasswordCreds,
+ { "TSPasswordCreds", "credssp.TSPasswordCreds",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_TSSmartCardCreds,
+ { "TSSmartCardCreds", "credssp.TSSmartCardCreds",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+ { &hf_credssp_TSCredentials,
+ { "TSCredentials", "credssp.TSCredentials",
+ FT_NONE, BASE_NONE, NULL, 0,
+ NULL, HFILL }},
+#include "packet-credssp-hfarr.c"
+ };
+
+ /* List of subtrees */
+ static gint *ett[] = {
+ &ett_credssp,
+#include "packet-credssp-ettarr.c"
+ };
+
+
+ /* Register protocol */
+ proto_credssp = proto_register_protocol(PNAME, PSNAME, PFNAME);
+ register_dissector("credssp", dissect_credssp, proto_credssp);
+
+ /* Register fields and subtrees */
+ proto_register_field_array(proto_credssp, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+
+ /* heuristic dissectors for any premable e.g. CredSSP before RDP */
+ register_heur_dissector_list("credssp", &credssp_heur_subdissector_list);
+
+}
+
+
+/*--- proto_reg_handoff_credssp --- */
+void proto_reg_handoff_credssp(void) {
+
+ heur_dissector_add("ssl", dissect_credssp_heur, proto_credssp);
+
+}
+
diff --git a/asn1/credssp/packet-credssp-template.h b/asn1/credssp/packet-credssp-template.h
new file mode 100644
index 0000000000..8fe243a180
--- /dev/null
+++ b/asn1/credssp/packet-credssp-template.h
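Review bot: `dissect_credssp_heur` declares a local named `class`; that is valid C but a C++ keyword, which Wireshark dissector sources are expected to avoid, so `gint8 ber_class;` with the matching `&ber_class` and `ber_class ==` uses is the safer spelling. The `tvb_length(tvb) > 7` guard only covers the minimum short-form encoding of the three identifier/length pairs; with long-form lengths the later `tvb_get_guint8(tvb, offset)` can read past what the guard checked and then depends on the tvb bounds exception instead of returning FALSE, so either comment that reliance or add `offset < (int)tvb_length(tvb)` to the final condition. `creds_type` is file-scope state reset in `dissect_credssp` and consumed by the generated field handlers; a one-line comment at its definition, e.g. `/* TSCredentials.credType of the PDU being dissected; reset per PDU, not reentrant */`, would save the next reader a search. The comment on `register_heur_dissector_list` has `premable` for `preamble`.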
@@ -0,0 +1,34 @@
+/* packet-credssp.h
+ * Routines for CredSSP (Credential Security Support Provider) packet dissection
+ * Graeme Lunt 2011
+ *
+ * $Id$
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ */
+
+#ifndef PACKET_CREDSSP_H
+#define PACKET_CREDSSP_H
+
+#include "packet-credssp-val.h"
+
+void proto_reg_handoff_credssp(void);
+void proto_register_credssp(void);
+
+#endif /* PACKET_CREDSSP_H */
-- 
cgit v1.2.3