Ethereal-dev: [Ethereal-dev] [Kerberos] Kerberos SSP in MSRPC

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jean-Baptiste Marchand <[email protected]>
Date: Sat, 17 Jul 2004 15:51:46 +0200
Hello,

attached patches add identification for Microsoft SSP (Security Service
Provider) used in DCE RPC:

http://msdn.microsoft.com/library/en-us/rpc/rpc/authentication_level_constants.asp

For the Kerberos SSP (#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS
16), dissection of AP_REQ and AP_REP tokens in DCE RPC Bind requests is
now supported.

The Kerberos SSP is used in Windows instead of the SPNEGO SSP when
applications want to use exclusively Kerberos (and not another SSP such
as NTLMSSP):

http://msdn.microsoft.com/library/en-us/rpc/rpc/which_security_provider_to_use.asp

For instance, the Kerberos SSP is used in tickets authenticating
sessions to the DRSUAPI RPC service, to call Active Directory database
replication operations:

summary: 

2004-xx-xx 17:55:35.593334 xxx.yyy.zzz.ttt -> xxx.yyy.zzz.ttt DCERPC Bind: call_id: 1 UUID: DRSUAPI

details of the frame:

...
    Auth type: Kerberos SSP (16)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Auth level: Packet privacy (6)
    Auth pad len: 0
    Auth Rsrvd: 0
    Auth Context ID: 1
    Kerberos AP-REQ
        Pvno: 5
        MSG Type: AP-REQ (14)
        Padding: 0
        APOptions: 20000000 (Mutual required)
            .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
            ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
        Ticket
            Tkt-vno: 5
            Realm: XXX.TLD
            Server Name (Service and Instance): E3514235-4B06-11D1-AB04-00C04FC2DCD2 276d4866-4940-49e4-91ec-991746baf84a xxx.tld
                Name-type: Service and Instance (2)
                Name: E3514235-4B06-11D1-AB04-00C04FC2DCD2
                Name: 276d4866-4940-49e4-91ec-991746baf84a
                Name: xxx.tld
...


Note the interesting server name in the Kerberos ticket, composed of the
UUID of the DRSUAPI interface, followed by the GUID of the AD DC.

Jean-Baptiste Marchand
-- 
[email protected]
HSC - http://www.hsc.fr/
Index: packet-dcerpc.c
===================================================================
--- packet-dcerpc.c	(revision 11394)
+++ packet-dcerpc.c	(working copy)
@@ -101,7 +101,14 @@
 	{ DCE_C_RPC_AUTHN_PROTOCOL_KRB5,    "Kerberos 5" },
 	{ DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO,  "SPNEGO" },
 	{ DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP, "NTLMSSP" },
+	{ DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL, "SCHANNEL SSP" },
+	{ DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, "Kerberos SSP" },
+	{ DCE_C_RPC_AUTHN_PROTOCOL_DPA, 
+		"Distributed Password Authentication SSP"},
+	{ DCE_C_RPC_AUTHN_PROTOCOL_MSN, "MSN SSP"},
+	{ DCE_C_RPC_AUTHN_PROTOCOL_DIGEST, "Digest SSP"},
 	{ DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,"NETLOGON Secure Channel" },
+	{ DCE_C_RPC_AUTHN_PROTOCOL_MQ, "MSMQ SSP"},
 	{ 0, NULL }
 };
 
Index: packet-gssapi.c
===================================================================
--- packet-gssapi.c	(revision 11394)
+++ packet-gssapi.c	(working copy)
@@ -449,7 +449,7 @@
 	return tvb_length_remaining(tvb, offset);
 }
 
-static int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset, 
+int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset, 
 				    packet_info *pinfo, 
 				    proto_tree *tree, guint8 *drep _U_)
 {
Index: packet-kerberos.c
===================================================================
--- packet-kerberos.c	(revision 11394)
+++ packet-kerberos.c	(working copy)
@@ -3894,6 +3894,37 @@
 #endif
 }
 
+static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo,
+				 proto_tree *tree, guint8 *drep _U_)
+{
+	tvbuff_t *auth_tvb;
+
+	auth_tvb = tvb_new_subset(
+		tvb, offset, tvb_length_remaining(tvb, offset),
+		tvb_length_remaining(tvb, offset));
+
+	dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL);
+
+	return tvb_length_remaining(tvb, offset);
+}
+
+
+/* from packet-gssapi.c */
+extern int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset, 
+				    packet_info *pinfo, 
+				    proto_tree *tree, guint8 *drep);
+
+static dcerpc_auth_subdissector_fns gss_kerb_auth_fns = {
+	wrap_dissect_gss_kerb,		        /* Bind */
+	wrap_dissect_gss_kerb,	 	        /* Bind ACK */
+	NULL,					/* AUTH3 */
+	wrap_dissect_gssapi_verf, 		/* Request verifier */
+	wrap_dissect_gssapi_verf,		/* Response verifier */
+	NULL,			                /* Request data */
+	NULL			                /* Response data */
+};
+
+
 void
 proto_reg_handoff_kerberos(void)
 {
@@ -3907,6 +3938,10 @@
     dissector_add("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp);
     dissector_add("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp);
 
+    register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
+				      DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS,
+				      &gss_kerb_auth_fns);
+
 }
 
 /*
Index: packet-dcerpc.h
===================================================================
--- packet-dcerpc.h	(revision 11394)
+++ packet-dcerpc.h	(working copy)
@@ -313,11 +313,23 @@
 
 /* Authentication services */
 
+/* 
+ * For MS-specific SSPs (Security Service Provider), see
+ *
+ * http://msdn.microsoft.com/library/en-us/rpc/rpc/authentication_level_constants.asp
+ */
+ 
 #define DCE_C_RPC_AUTHN_PROTOCOL_NONE		0
 #define DCE_C_RPC_AUTHN_PROTOCOL_KRB5		1
 #define DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO         9
 #define DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP	10
+#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL	14
+#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS	16
+#define DCE_C_RPC_AUTHN_PROTOCOL_DPA		17
+#define DCE_C_RPC_AUTHN_PROTOCOL_MSN		18
+#define DCE_C_RPC_AUTHN_PROTOCOL_DIGEST		21
 #define DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN       68
+#define DCE_C_RPC_AUTHN_PROTOCOL_MQ		100
 
 /* Protection levels */