
Ethereal-dev: [Ethereal-dev] [Kerberos] Kerberos SSP in MSRPC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand@xxxxxx>
Date: Sat, 17 Jul 2004 15:51:46 +0200
Hello,

attached patches add identification for Microsoft SSP (Security Service
Provider) used in DCE RPC:

http://msdn.microsoft.com/library/en-us/rpc/rpc/authentication_level_constants.asp

For the Kerberos SSP (#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS
16), dissection of AP_REQ and AP_REP tokens in DCE RPC Bind requests is
now supported.

The Kerberos SSP is used in Windows instead of the SPNEGO SSP when
applications want to use exclusively Kerberos (and not another SSP such
as NTLMSSP):

http://msdn.microsoft.com/library/en-us/rpc/rpc/which_security_provider_to_use.asp

For instance, the Kerberos SSP is used for the tickets that authenticate
sessions to the DRSUAPI RPC service, which is used to call Active Directory
database replication operations:

summary: 

2004-xx-xx 17:55:35.593334 xxx.yyy.zzz.ttt -> xxx.yyy.zzz.ttt DCERPC Bind: call_id: 1 UUID: DRSUAPI

details of the frame:

...
    Auth type: Kerberos SSP (16)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Auth level: Packet privacy (6)
    Auth pad len: 0
    Auth Rsrvd: 0
    Auth Context ID: 1
    Kerberos AP-REQ
        Pvno: 5
        MSG Type: AP-REQ (14)
        Padding: 0
        APOptions: 20000000 (Mutual required)
            .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
            ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
        Ticket
            Tkt-vno: 5
            Realm: XXX.TLD
            Server Name (Service and Instance): E3514235-4B06-11D1-AB04-00C04FC2DCD2 276d4866-4940-49e4-91ec-991746baf84a xxx.tld
                Name-type: Service and Instance (2)
                Name: E3514235-4B06-11D1-AB04-00C04FC2DCD2
                Name: 276d4866-4940-49e4-91ec-991746baf84a
                Name: xxx.tld
...


Note the interesting server name in the Kerberos ticket, composed of the
UUID of the DRSUAPI interface, followed by the GUID of the AD DC.

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchand@xxxxxx
HSC - http://www.hsc.fr/
Index: packet-dcerpc.c
===================================================================
--- packet-dcerpc.c	(revision 11394)
+++ packet-dcerpc.c	(working copy)
@@ -101,7 +101,14 @@
 	{ DCE_C_RPC_AUTHN_PROTOCOL_KRB5,    "Kerberos 5" },
 	{ DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO,  "SPNEGO" },
 	{ DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP, "NTLMSSP" },
+	{ DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL, "SCHANNEL SSP" },
+	{ DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, "Kerberos SSP" },
+	{ DCE_C_RPC_AUTHN_PROTOCOL_DPA, 
+		"Distributed Password Authentication SSP"},
+	{ DCE_C_RPC_AUTHN_PROTOCOL_MSN, "MSN SSP"},
+	{ DCE_C_RPC_AUTHN_PROTOCOL_DIGEST, "Digest SSP"},
 	{ DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,"NETLOGON Secure Channel" },
+	{ DCE_C_RPC_AUTHN_PROTOCOL_MQ, "MSMQ SSP"},
 	{ 0, NULL }
 };
 
Index: packet-gssapi.c
===================================================================
--- packet-gssapi.c	(revision 11394)
+++ packet-gssapi.c	(working copy)
@@ -449,7 +449,7 @@
 	return tvb_length_remaining(tvb, offset);
 }
 
-static int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset, 
+int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset, 
 				    packet_info *pinfo, 
 				    proto_tree *tree, guint8 *drep _U_)
 {
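Review bot: Dropping `static` exports `wrap_dissect_gssapi_verf`, but as far as this patch shows no header gains a prototype for it; the only declaration is the hand-written `extern` added in the first packet-kerberos.c hunk. If the definition's signature changes later, the two copies can drift without a compiler diagnostic, and the function is reached through a function-pointer table that runs on captured packet data. I would declare it in the GSS-API dissector's header (presumably packet-gssapi.h, not visible here) and include that from packet-kerberos.c. The function body continues outside this hunk.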
Index: packet-kerberos.c
===================================================================
--- packet-kerberos.c	(revision 11394)
+++ packet-kerberos.c	(working copy)
@@ -3894,6 +3894,37 @@
 #endif
 }
 
+static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
+				 proto_tree *tree, guint8 *drep _U_)
+{
+	tvbuff_t *auth_tvb;
+
+	auth_tvb = tvb_new_subset(
+		tvb, offset, tvb_length_remaining(tvb, offset),
+		tvb_length_remaining(tvb, offset));
+
+	dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
+
+	return tvb_length_remaining(tvb, offset);
+}
+
+
+/* from packet-gssapi.c */
+extern int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset, 
+				    packet_info *pinfo, 
+				    proto_tree *tree, guint8 *drep);
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_fns = {
+	wrap_dissect_gss_kerb,		        /* Bind */
+	wrap_dissect_gss_kerb,	 	        /* Bind ACK */
+	NULL,					/* AUTH3 */
+	wrap_dissect_gssapi_verf, 		/* Request verifier */
+	wrap_dissect_gssapi_verf,		/* Response verifier */
+	NULL,			                /* Request data */
+	NULL			                /* Response data */
+};
+
+
 void
 proto_reg_handoff_kerberos(void)
 {
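Review bot: `wrap_dissect_gss_kerb` passes `tvb_length_remaining(tvb, offset)` as both the captured and the reported length of the subset. On a capture cut short by the snapshot length, the Kerberos dissector then sees a token that looks complete, and a read past its end is reported as a malformed packet rather than a short frame. `auth_tvb = tvb_new_subset(tvb, offset, -1, -1);` inherits both lengths from the parent and avoids the repeated call. The wrapper also ignores whatever `dissect_kerberos_main` reports and always claims the whole remainder; a comment such as `/* the auth blob is assumed to hold exactly one Kerberos token */` would make that assumption explicit.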
@@ -3907,6 +3938,10 @@
     dissector_add("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
     dissector_add("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
 
+    register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
+				      DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+				      &gss_kerb_auth_fns);
+
 }
 
 /*
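Review bot: The subdissector is registered only for `DCE_C_AUTHN_LEVEL_PKT_PRIVACY`, so a bind that selects auth type 16 at another level would presumably still show its auth blob undissected. If `register_dcerpc_auth_subdissector` keys on the (level, type) pair, as its arguments suggest, repeating the call for `DCE_C_AUTHN_LEVEL_CONNECT` and `DCE_C_AUTHN_LEVEL_PKT_INTEGRITY` would cover those traces. Sessions negotiated without privacy are the ones an analyst most needs to be able to read. `proto_reg_handoff_kerberos` starts before this hunk.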
Index: packet-dcerpc.h
===================================================================
--- packet-dcerpc.h	(revision 11394)
+++ packet-dcerpc.h	(working copy)
@@ -313,11 +313,23 @@
 
 /* Authentication services */
 
+/* 
+ * For MS-specific SSPs (Security Service Provider), see
+ *
+ * http://msdn.microsoft.com/library/en-us/rpc/rpc/authentication_level_constants.asp
+ */
+ 
 #define DCE_C_RPC_AUTHN_PROTOCOL_NONE		0
 #define DCE_C_RPC_AUTHN_PROTOCOL_KRB5		1
 #define DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO         9
 #define DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP	10
+#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL	14
+#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS	16
+#define DCE_C_RPC_AUTHN_PROTOCOL_DPA		17
+#define DCE_C_RPC_AUTHN_PROTOCOL_MSN		18
+#define DCE_C_RPC_AUTHN_PROTOCOL_DIGEST		21
 #define DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN       68
+#define DCE_C_RPC_AUTHN_PROTOCOL_MQ		100
 
 /* Protection levels */