ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Ethereal-dev: [Ethereal-dev] 'raw' NTLMSSP in GSS-SPNEGO disection

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Andrew Bartlett <abartlet@xxxxxxxxx>
Date: Mon, 14 Mar 2005 17:02:14 +1100
When a win2k3 client contacts an LDAP (or indeed any protocol) server,
and it has negotiated GSS-SPNEGO, it takes this as a cue to use
'Negotiate'. 

'Negotiate' has this lovely property that it may include 'raw' (that is,
unwrapped by GSS-API) NTLMSSP into the packet.  This is already worked
around in SMB for the session setup, but we also see this on LDAP, and
anywhere else.  The attached patch handles this in the GSSAPI layer,
instead of a failure.

I'm new to ethereal patches, so I don't know how to remove the extra
layer of subtree (GSSAPI), but attached is the patch as-is.  I also
attach a sample capture.

Andrew Bartlett 
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Index: epan/dissectors/packet-gssapi.c
===================================================================
--- epan/dissectors/packet-gssapi.c	(revision 13747)
+++ epan/dissectors/packet-gssapi.c	(working copy)
@@ -55,6 +55,8 @@
  * Subdissectors
  */
 
+static dissector_handle_t ntlmssp_handle = NULL;
+
 static GHashTable *gssapi_oids;
 
 static gint gssapi_oid_equal(gconstpointer k1, gconstpointer k2)
@@ -240,14 +242,19 @@
 		  }
 		  if (!value)
 		  {
-		    proto_tree_add_text(subtree, tvb, offset, 0,
-			"Unknown header (cls=%d, con=%d, tag=%d)",
-			cls, con, tag);
+		    /* It could be NTLMSSP, with no OID.  This can happen 
+		       for anything that microsoft calls 'Negotiate' or GSS-SPNEGO */
+		    if (tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
+		      call_dissector(ntlmssp_handle, tvb_new_subset(tvb, offset, -1, -1), pinfo, subtree);
+		    } else {
+		      proto_tree_add_text(subtree, tvb, offset, 0,
+					  "Unknown header (cls=%d, con=%d, tag=%d)",
+					  cls, con, tag);
+		    }
 		    return_offset = tvb_length(tvb);
 		    goto done;
-		  }
-		  else 
-		  {
+
+		  } else {
 		    tvbuff_t *oid_tvb;
 
 		    /* Naughty ... no way to reset the offset */
@@ -505,6 +512,8 @@
 {
 	data_handle = find_dissector("data");
 
+	ntlmssp_handle = find_dissector("ntlmssp");
+
 	register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT,
 					  DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO,
 					  &gssapi_auth_fns);

Attachment: ntlmssp-ldap.cap
Description: Binary data

Attachment: signature.asc
Description: This is a digitally signed message part

Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube