~ubuntu-branches/ubuntu/gutsy/wireshark/gutsy-security

 * Devin Heitmueller <dheitmueller@netilla.com>

 * Copyright 2003, Tim Potter <tpot@samba.org>

 *

 *

 * Wireshark - Network traffic analyzer

 * By Gerald Combs <gerald@wireshark.org>

#include <epan/prefs.h>

#include <epan/emem.h>

#include <epan/tap.h>

#include "packet-dcerpc.h"

#include "packet-gssapi.h"

 

#define NTLMSSP_NEGOTIATE_NETWARE          0x00000100

#define NTLMSSP_NEGOTIATE_NTLM             0x00000200

#define NTLMSSP_NEGOTIATE_00000400         0x00000400

#define NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED  0x00001000

#define NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED 0x00002000

#define NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL  0x00004000

#define MAX_BLOB_SIZE 256

typedef struct _ntlmssp_blob {

  guint16 length;

} ntlmssp_blob;

 

/* Used in the conversation function */

  Returns output in response, which is expected to be 24 bytes.

*/

static int ntlmssp_generate_challenge_response(guint8 *response,

                                               const guint8 *challenge)

{

  guint8 pw21[21]; /* Password hash padded to 21 bytes */

  memset(pw21, 0x0, sizeof(pw21));

  memcpy(pw21, passhash, 16);

 

  return 1;

}

 

 * password points to the ANSI password to encrypt, challenge points to

 * the 8 octet challenge string, key128 will do a 128 bit key if set to 1,

 * sspkey (expected to be 16 octets)

 */

static void

                      int use_key_128, guint8 *sspkey)

{

  unsigned char lm_password_upper[16];

  guint8 pw21[21]; /* Password hash padded to 21 bytes */

  size_t password_len;

  unsigned int i;

    {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};

 

  memset(lm_password_upper, 0, sizeof(lm_password_upper));

 

  crypt_des_ecb(lm_password_hash, lmhash_key, lm_password_upper, 1);

  crypt_des_ecb(lm_password_hash+8, lmhash_key, lm_password_upper+7, 1);

  /* Generate the LanMan Challenge Response */

  ntlmssp_generate_challenge_response(lm_challenge_response,

                                      lm_password_hash, challenge);

  /* Generate the NTLMSSP-v1 RC4 Key.

   * See lkcl "DCE/RPC over SMB" page 254 for the algorithm.

   */

  memset(pw21, 0xBD, sizeof(pw21));

  crypt_des_ecb(rc4key, lm_challenge_response, pw21, 1);

  crypt_des_ecb(rc4key + 8, lm_challenge_response, pw21 + 7, 1);

  crypt_des_ecb(rc4key + 16, lm_challenge_response, pw21 + 14, 1);

  /* Create the SSP Key */

  memset(sspkey, 0, sizeof(sspkey));

  if (use_key_128) {

*/

static int

dissect_ntlmssp_string (tvbuff_t *tvb, int offset,

                        gboolean unicode_strings,

                        int string_hf, int *start, int *end,

                        const char **stringp)

*/

static int

dissect_ntlmssp_blob (tvbuff_t *tvb, int offset,

                      int blob_hf, int *end, ntlmssp_blob *result)

{

  proto_item *tf = NULL;

  }

 

  if (ntlmssp_tree) {

                              blob_offset, blob_length, FALSE);

    tree = proto_item_add_subtree(tf, ett_ntlmssp_blob);

  }

 

        if (tree) {

                ntlmv2_item = proto_tree_add_item(

                        offset, len, TRUE);

                ntlmv2_tree = proto_item_add_subtree(

                        ntlmv2_item, ett_ntlmssp_ntlmv2_response);

 

                if (ntlmv2_tree) {

                        name_item = proto_tree_add_item(

                                tvb, offset, 0, TRUE);

                        name_tree = proto_item_add_subtree(

                                name_item, ett_ntlmssp_ntlmv2_response_name);

                case NTLM_NAME_END:

                        name = "NULL";

                        proto_item_append_text(

                                val_to_str(name_type, ntlm_name_types,

                                           "Unknown"));

                        break;

                case NTLM_NAME_CLIENT_TIME:

                        dissect_nt_64bit_time(

                                hf_ntlmssp_ntlmv2_response_client_time);

                        proto_item_append_text(

                                name_item, "Client Time");

                                tvb, offset, name_len / 2, TRUE);

 

                        proto_tree_add_text(

                                "Name: %s", name);

                        proto_item_append_text(

                                name_item, "%s, %s",

   * sent at all, presumably meaning the length of the message

   * isn't enough to contain them.

   */

                                  hf_ntlmssp_negotiate_domain,

                                  &start, &workstation_end, NULL);

                                  hf_ntlmssp_negotiate_workstation,

                                  &start, &domain_end, NULL);

 

 

 

static int

                              int *end)

{

  guint16 list_length = tvb_get_letohs(tvb, offset);

  }

 

  if (ntlmssp_tree) {

                              list_offset, list_length, FALSE);

    tree = proto_item_add_subtree(tf, ett_ntlmssp_address_list);

  }

    }

 

    /* Now show the actual bytes that made up the summary line */

                                        ett_ntlmssp_address_list_item);

    proto_tree_add_item (addr_tree, hf_ntlmssp_address_list_item_type,

                         tvb, type_offset, 2, TRUE);

  ntlmssp_info *conv_ntlmssp_info;

  conversation_t *conversation;

  gboolean unicode_strings = FALSE;

  guint8 sspkey[16]; /* NTLMSSP cipher key */

  guint8 ssp_key_len; /* Either 8 or 16 (40 bit or 128) */

 

   * XXX - the davenport document calls this the "Target Name",

   * presumably because non-domain targets are supported.

   */

                         hf_ntlmssp_challenge_domain,

                         &item_start, &item_end, NULL);

  data_start = item_start;

                                   pinfo->ptype, pinfo->srcport,

                                   pinfo->destport, 0);

  if (!conversation) { /* Create one */

                                    pinfo->srcport, pinfo->destport, 0);

  }

 

 

  /* domain name */

  item_start = tvb_get_letohl(tvb, offset+4);

                                  hf_ntlmssp_auth_domain,

                                  &item_start, &item_end, &(ntlmssph->domain_name));

  data_start = MIN(data_start, item_start);

 

  /* user name */

  item_start = tvb_get_letohl(tvb, offset+4);

                                  hf_ntlmssp_auth_username,

                                  &item_start, &item_end, &(ntlmssph->acct_name));

  data_start = MIN(data_start, item_start);

 

  /* hostname */

  item_start = tvb_get_letohl(tvb, offset+4);

                                  hf_ntlmssp_auth_hostname,

                                  &item_start, &item_end, &(ntlmssph->host_name));

  data_start = MIN(data_start, item_start);

    proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_message_type,

                         tvb, offset, 4, TRUE);

    ntlmssph->type = tvb_get_letohl (tvb, offset);

 

    if (check_col(pinfo->cinfo, COL_INFO))

            col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",

                                       ntlmssp_message_types,

                                       "Unknown message type"));

 

}

 

/*

 * whether to retrieve the data for peer1 or peer2.

 */

static rc4_state_struct *

    /* Setup the buffer to decrypt to */

    tvb_memcpy(tvb, packet_ntlmssp_info->verifier,

               offset, encrypted_block_length);

    /* Do the actual decryption of the verifier */

    crypt_rc4(rc4_state, packet_ntlmssp_info->verifier,

              encrypted_block_length);

  /* Show the decrypted payload in the tree */

  tf = proto_tree_add_text(tree, decr_tvb, 0, -1,

                           "Decrypted Verifier (%d byte%s)",

                           plurality(encrypted_block_length, "", "s"));

  decr_tree = proto_item_add_subtree (tf, ett_ntlmssp);

 

    proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_vers,

                         tvb, offset, 4, TRUE);

    offset += 4;

    /* Encrypted body */

    proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_body,

                         tvb, offset, encrypted_block_length, TRUE);

}

 

static tvbuff_t *

                                  tvbuff_t *auth_tvb _U_,

                                  int offset,

                                  dcerpc_auth_info *auth_info _U_)

{

  tvbuff_t *decr_tvb; /* Used to display decrypted buffer */

    memset(packet_ntlmssp_info, 0, sizeof(ntlmssp_packet_info));

    p_add_proto_data(pinfo->fd, proto_ntlmssp, packet_ntlmssp_info);

  }

  if (!packet_ntlmssp_info->payload_decrypted) {

    /* Pull the challenge info from the conversation */

    conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst,

      /* There is no conversation, thus no encryption state */

      return NULL;

    }

    conv_ntlmssp_info = conversation_get_proto_data(conversation,

                                                    proto_ntlmssp);

    if (conv_ntlmssp_info == NULL) {

      /* There is no NTLMSSP state tied to the conversation */

            return NULL;

    }

    /* Get the pair of RC4 state structures.  One is used for to decrypt the

       payload.  The other is used to re-encrypt the payload to represent

       the peer */

      rc4_state = get_encrypted_state(pinfo, 0);

      rc4_state_peer = get_encrypted_state(pinfo, 1);

    }

    if (rc4_state == NULL || rc4_state_peer == NULL) {

      /* There is no encryption state, so we cannot decrypt */

      return NULL;

                                                        encrypted_block_length);

    decrypted_payloads = g_slist_prepend(decrypted_payloads,

                                         packet_ntlmssp_info->decrypted_payload);

    /* Do the decryption of the payload */

              encrypted_block_length);

    /* We setup a temporary buffer so we can re-encrypt the payload after

       decryption.  This is to update the opposite peer's RC4 state */

    peer_block = g_malloc(encrypted_block_length);

           encrypted_block_length);

    crypt_rc4(rc4_state_peer, peer_block, encrypted_block_length);

    g_free(peer_block);

    packet_ntlmssp_info->payload_decrypted = TRUE;

  }

 

                               encrypted_block_length);

 

  tvb_set_child_real_data_tvbuff(data_tvb, decr_tvb);

  offset += encrypted_block_length;

 

  return decr_tvb;

    { &hf_ntlmssp_negotiate_flags_400,

      { "Negotiate 0x00000400", "ntlmssp.negotiate00000400", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00000400, "", HFILL }},

    { &hf_ntlmssp_negotiate_flags_800,

    { &hf_ntlmssp_negotiate_flags_1000,

      { "Negotiate Domain Supplied", "ntlmssp.negotiatedomainsupplied", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED, "", HFILL }},

    { &hf_ntlmssp_negotiate_flags_2000,

    &ett_ntlmssp_ntlmv2_response_name

  };

  module_t *ntlmssp_module;

  proto_ntlmssp = proto_register_protocol (

                                           "NTLM Secure Service Provider", /* name */

                                           "NTLMSSP",   /* short name */

  register_init_routine(&ntlmssp_init_protocol);

 

  ntlmssp_module = prefs_register_protocol(proto_ntlmssp, NULL);

  prefs_register_string_preference(ntlmssp_module, "nt_password",

                                   "NT Password",

                                   "NT Password (used to decrypt payloads)",

  new_register_dissector("ntlmssp_verf", dissect_ntlmssp_verf, proto_ntlmssp);

}

 

                                proto_tree *tree, guint8 *drep _U_)

{

        tvbuff_t *auth_tvb;

        auth_tvb = tvb_new_subset(

                tvb, offset, tvb_length_remaining(tvb, offset),

                tvb_length_remaining(tvb, offset));

        dissect_ntlmssp(auth_tvb, pinfo, tree);

 

        return tvb_length_remaining(tvb, offset);

}

 

                                     proto_tree *tree, guint8 *drep _U_)

{

        tvbuff_t *auth_tvb;

        auth_tvb = tvb_new_subset(

                tvb, offset, tvb_length_remaining(tvb, offset),

                tvb_length_remaining(tvb, offset));

        return dissect_ntlmssp_verf(auth_tvb, pinfo, tree);

}

 

 

void

proto_reg_handoff_ntlmssp(void)

  dissector_handle_t ntlmssp_handle, ntlmssp_wrap_handle;

 

  /* Register protocol with the GSS-API module */

 

  ntlmssp_handle = find_dissector("ntlmssp");

  ntlmssp_wrap_handle = find_dissector("ntlmssp_verf");

                  ntlmssp_handle, ntlmssp_wrap_handle,

                  "NTLMSSP - Microsoft NTLM Security Support Provider");