Ethereal-dev: [Ethereal-dev] 'raw' NTLMSSP in GSS-SPNEGO dissection
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Andrew Bartlett <abartlet@xxxxxxxxx>
Date: Mon, 14 Mar 2005 17:02:14 +1100
When a win2k3 client contacts an LDAP (or indeed any protocol) server, and it has negotiated GSS-SPNEGO, it takes this as a cue to use 'Negotiate'. 'Negotiate' has this lovely property that it may include 'raw' (that is, unwrapped by GSS-API) NTLMSSP into the packet.

This is already worked around in SMB for the session setup, but we also see this on LDAP, and anywhere else. The attached patch handles this in the GSSAPI layer, instead of a failure.

I'm new to ethereal patches, so I don't know how to remove the extra layer of subtree (GSSAPI), but attached is the patch as-is. I also attach a sample capture.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Index: epan/dissectors/packet-gssapi.c =================================================================== --- epan/dissectors/packet-gssapi.c (revision 13747) +++ epan/dissectors/packet-gssapi.c (working copy) @@ -55,6 +55,8 @@ * Subdissectors */ +static dissector_handle_t ntlmssp_handle = NULL; + static GHashTable *gssapi_oids; static gint gssapi_oid_equal(gconstpointer k1, gconstpointer k2) @@ -240,14 +242,19 @@ } if (!value) { - proto_tree_add_text(subtree, tvb, offset, 0, - "Unknown header (cls=%d, con=%d, tag=%d)", - cls, con, tag); + /* It could be NTLMSSP, with no OID. This can happen + for anything that microsoft calls 'Negotiate' or GSS-SPNEGO */ + if (tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) { + call_dissector(ntlmssp_handle, tvb_new_subset(tvb, offset, -1, -1), pinfo, subtree); + } else { + proto_tree_add_text(subtree, tvb, offset, 0, + "Unknown header (cls=%d, con=%d, tag=%d)", + cls, con, tag); + } return_offset = tvb_length(tvb); goto done; - } - else - { + + } else { tvbuff_t *oid_tvb; /* Naughty ... no way to reset the offset */ @@ -505,6 +512,8 @@ { data_handle = find_dissector("data"); + ntlmssp_handle = find_dissector("ntlmssp"); + register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT, DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO, &gssapi_auth_fns);
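Review bot: In the `if (!value)` branch, `tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0` compares only seven bytes, while the NTLMSSP signature is the eight-byte string "NTLMSSP" followed by a NUL. Comparing 8 bytes (the literal's terminating NUL included) keeps data that merely begins with those seven letters away from the NTLMSSP dissector. The same hunk also changes the existing `}` / `else` / `{` layout to `} else {` and adds a blank line before it; that is unrelated to the fix and would be better left out of the diff.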
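Review bot: The result of `ntlmssp_handle = find_dissector("ntlmssp");` in the last hunk is stored without a check, yet `call_dissector(ntlmssp_handle, ...)` in the `!value` branch uses it unconditionally, so a missing registration under that name would pass the initial NULL through. Suggest guarding the call, for example `if (ntlmssp_handle && tvb_strneql(...) == 0)`, so that the code otherwise falls through to the existing "Unknown header" text.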
Attachment:
ntlmssp-ldap.cap
Description: Binary data
Attachment:
signature.asc
Description: This is a digitally signed message part
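The framing difference the message describes, as an added example that is not part of the original post or of the Ethereal source: a stand-alone check that tells a GSS-API wrapped token from 'raw' NTLMSSP by its first bytes. The name `classify_blob`, the enum and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum blob_kind { BLOB_EMPTY, BLOB_GSSAPI, BLOB_RAW_NTLMSSP, BLOB_UNKNOWN };

/* NTLMSSP messages open with this 8-byte signature (NUL included),
   followed by a 32-bit little-endian message type: 1, 2 or 3. */
static const uint8_t NTLMSSP_SIG[8] = { 'N','T','L','M','S','S','P', 0 };

/* Hypothetical helper: decide how a Negotiate security blob is framed.
   On BLOB_RAW_NTLMSSP, *ntlm_type receives the message type. */
enum blob_kind classify_blob(const uint8_t *buf, size_t len, uint32_t *ntlm_type)
{
    if (buf == NULL || len == 0)
        return BLOB_EMPTY;
    /* GSS-API InitialContextToken: ASN.1 [APPLICATION 0], constructed. */
    if (buf[0] == 0x60)
        return BLOB_GSSAPI;
    /* Raw NTLMSSP: no ASN.1 header and no mechanism OID at all. */
    if (len >= 12 && memcmp(buf, NTLMSSP_SIG, sizeof NTLMSSP_SIG) == 0) {
        uint32_t t = (uint32_t)buf[8] | ((uint32_t)buf[9] << 8) |
                     ((uint32_t)buf[10] << 16) | ((uint32_t)buf[11] << 24);
        if (t >= 1 && t <= 3) {
            if (ntlm_type != NULL)
                *ntlm_type = t;
            return BLOB_RAW_NTLMSSP;
        }
    }
    return BLOB_UNKNOWN;
}

/* Constructed sample inputs (not taken from the attached capture). */
static const uint8_t SAMPLE_WRAPPED[] = { 0x60, 0x28, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
static const uint8_t SAMPLE_RAW[] = { 'N','T','L','M','S','S','P', 0, 0x01, 0, 0, 0, 0x07, 0x82, 0x08, 0xa2 };
static const uint8_t SAMPLE_BAD_SIG[] = { 'N','T','L','M','S','S','P', 'X', 0x01, 0, 0, 0 };

int main(void)
{
    uint32_t type = 0;
    printf("wrapped: %d\n", classify_blob(SAMPLE_WRAPPED, sizeof SAMPLE_WRAPPED, NULL));
    printf("raw:     %d", classify_blob(SAMPLE_RAW, sizeof SAMPLE_RAW, &type));
    printf(" (NTLMSSP message type %u)\n", (unsigned)type);
    printf("bad sig: %d\n", classify_blob(SAMPLE_BAD_SIG, sizeof SAMPLE_BAD_SIG, NULL));
    return 0;
}
```

Checking the full eight-byte signature and the message-type range keeps a blob that merely starts with the letters "NTLMSSP" from being treated as NTLMSSP.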