1 /* packet-smb-sidsnooping.c
2 * Routines for snooping SID to name mappings
3 * Copyright 2003, Ronnie Sahlberg
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * This program is free software; you can redistribute it and/or
12 * modify it under the terms of the GNU General Public License
13 * as published by the Free Software Foundation; either version 2
14 * of the License, or (at your option) any later version.
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
21 * You should have received a copy of the GNU General Public License
22 * along with this program; if not, write to the Free Software
23 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet_info.h>
33 #include <epan/epan_dissect.h>
34 #include <epan/proto.h>
36 #include <epan/emem.h>
37 #include <epan/strutil.h>
38 #include "packet-dcerpc.h"
39 #include "packet-dcerpc-nt.h"
41 #include <epan/dissectors/packet-smb.h>
42 #include "packet-smb-sidsnooping.h"
44 static int hf_lsa = -1;
45 static int hf_lsa_info_level = -1;
46 static int hf_lsa_opnum = -1;
47 static int hf_lsa_domain = -1;
48 static int hf_nt_domain_sid = -1;
49 static int hf_samr_hnd = -1;
50 static int hf_samr_rid = -1;
51 static int hf_samr_acct_name = -1;
52 static int hf_samr_level = -1;
55 GHashTable *sid_name_table = NULL;
58 static GHashTable *ctx_handle_table = NULL;
61 static gboolean lsa_policy_information_tap_installed = FALSE;
62 static gboolean samr_query_dispinfo_tap_installed = FALSE;
66 find_sid_name(char *sid)
72 sn=g_hash_table_lookup(sid_name_table, &old_sn);
80 add_sid_name_mapping(char *sid, char *name)
86 sn=g_hash_table_lookup(sid_name_table, &old_sn);
91 sn=se_alloc(sizeof(sid_name));
92 sn->sid=g_strdup(sid);
93 sn->name=g_strdup(name);
94 g_hash_table_insert(sid_name_table, sn, sn);
101 * level 1 : user displayinfo 1
104 samr_query_dispinfo(void *dummy _U_, packet_info *pinfo, epan_dissect_t *edt, const void *pri)
106 const dcerpc_info *ri=pri;
122 gp=proto_get_finfo_ptr_array(edt->tree, hf_samr_level);
123 if(!gp || gp->len!=1){
127 info_level=fi->value.value.sinteger;
139 if(ri->ptype == PDU_REQ){
140 gp=proto_get_finfo_ptr_array(edt->tree, hf_samr_hnd);
141 if(!gp || gp->len!=1){
146 old_ctx=g_hash_table_lookup(ctx_handle_table, GINT_TO_POINTER(pinfo->fd->num));
148 g_hash_table_remove(ctx_handle_table, GINT_TO_POINTER(pinfo->fd->num));
151 old_ctx=se_alloc(20);
152 memcpy(old_ctx, fi->value.value.bytes->data, 20);
154 g_hash_table_insert(ctx_handle_table, GINT_TO_POINTER(pinfo->fd->num), old_ctx);
159 if(!ri->call_data->req_frame){
163 old_ctx=g_hash_table_lookup(ctx_handle_table, GINT_TO_POINTER(ri->call_data->req_frame));
168 if (!dcerpc_fetch_polhnd_data(old_ctx, &pol_name, NULL, NULL, NULL, ri->call_data->req_frame)) {
175 sid=strstr(pol_name,"S-1-5");
180 for(sid_len=4;1;sid_len++){
181 if((sid[sid_len]>='0') && (sid[sid_len]<='9')){
184 if(sid[sid_len]=='-'){
190 gp_rids=proto_get_finfo_ptr_array(edt->tree, hf_samr_rid);
191 if(!gp_rids || gp_rids->len<1){
194 num_rids=gp_rids->len;
195 gp_names=proto_get_finfo_ptr_array(edt->tree, hf_samr_acct_name);
196 if(!gp_names || gp_names->len<1){
199 num_names=gp_names->len;
201 if(num_rids>num_names){
205 for(;num_rids;num_rids--){
208 fi_rid=gp_rids->pdata[num_rids-1];
209 fi_name=gp_names->pdata[num_rids-1];
210 g_strlcpy(sid_name, sid, 256);
212 g_snprintf(sid_name+len, 256-len, "%d",fi_rid->value.value.sinteger);
213 add_sid_name_mapping(sid_name, fi_name->value.value.string);
219 * PolicyInformation :
220 * level 3 : PRIMARY_DOMAIN_INFO lsa.domain_sid -> lsa.domain
221 * level 5 : ACCOUNT_DOMAIN_INFO lsa.domain_sid -> lsa.domain
222 * level 12 : DNS_DOMAIN_INFO lsa.domain_sid -> lsa.domain
225 lsa_policy_information(void *dummy _U_, packet_info *pinfo _U_, epan_dissect_t *edt, const void *pri _U_)
233 gp=proto_get_finfo_ptr_array(edt->tree, hf_lsa_info_level);
234 if(!gp || gp->len!=1){
238 info_level=fi->value.value.sinteger;
244 gp=proto_get_finfo_ptr_array(edt->tree, hf_lsa_domain);
245 if(!gp || gp->len!=1){
249 domain=fi->value.value.string;
251 gp=proto_get_finfo_ptr_array(edt->tree, hf_nt_domain_sid);
252 if(!gp || gp->len!=1){
256 sid=fi->value.value.string;
258 add_sid_name_mapping(sid, domain);
265 free_all_sid_names(gpointer key_arg, gpointer value _U_, gpointer user_data _U_)
267 sid_name *sn = (sid_name *)key_arg;
270 g_free((gpointer)sn->sid);
274 g_free((gpointer)sn->name);
281 sid_name_equal(gconstpointer k1, gconstpointer k2)
283 const sid_name *sn1 = (const sid_name *)k1;
284 const sid_name *sn2 = (const sid_name *)k2;
286 return !strcmp(sn1->sid, sn2->sid);
290 sid_name_hash(gconstpointer k)
292 const sid_name *sn = (const sid_name *)k;
295 for(sum=0,i=(int)strlen(sn->sid)-1;i>=0;i--){
304 free_all_ctx_handle(gpointer key_arg _U_, gpointer value _U_, gpointer user_data _U_)
309 ctx_handle_equal(gconstpointer k1, gconstpointer k2)
311 int sn1 = GPOINTER_TO_INT(k1);
312 int sn2 = GPOINTER_TO_INT(k2);
318 ctx_handle_hash(gconstpointer k)
320 int sn = GPOINTER_TO_INT(k);
327 sid_snooping_init(void)
329 header_field_info *hfi;
330 GString *error_string;
332 if(lsa_policy_information_tap_installed){
333 remove_tap_listener(&lsa_policy_information_tap_installed);
334 lsa_policy_information_tap_installed=FALSE;
336 if(samr_query_dispinfo_tap_installed){
337 remove_tap_listener(&samr_query_dispinfo_tap_installed);
338 samr_query_dispinfo_tap_installed=FALSE;
342 g_hash_table_foreach_remove(sid_name_table, free_all_sid_names, NULL);
345 if(ctx_handle_table){
346 g_hash_table_foreach_remove(ctx_handle_table, free_all_ctx_handle, NULL);
347 ctx_handle_table=NULL;
351 /* this code needs to be rewritten from scratch
352 disabling it now so that it wont cause wireshark to abort due to
357 if(!sid_name_snooping){
361 sid_name_table=g_hash_table_new(sid_name_hash, sid_name_equal);
364 ctx_handle_table=g_hash_table_new(ctx_handle_hash, ctx_handle_equal);
367 hf_lsa=proto_get_id_by_filter_name("lsa");
369 hfi=proto_registrar_get_byname("lsa.opnum");
371 hf_lsa_opnum=hfi->id;
374 hfi=proto_registrar_get_byname("nt.domain_sid");
376 hf_nt_domain_sid=hfi->id;
379 hfi=proto_registrar_get_byname("lsa.domain");
381 hf_lsa_domain=hfi->id;
384 hfi=proto_registrar_get_byname("lsa.info.level");
386 hf_lsa_info_level=hfi->id;
389 hfi=proto_registrar_get_byname("samr.handle");
393 hfi=proto_registrar_get_byname("samr.rid");
397 hfi=proto_registrar_get_byname("samr.acct_name");
399 hf_samr_acct_name=hfi->id;
401 hfi=proto_registrar_get_byname("samr.level");
403 hf_samr_level=hfi->id;
407 error_string=register_tap_listener("dcerpc",
408 &lsa_policy_information_tap_installed,
409 "lsa.policy_information and ( lsa.info.level or lsa.domain or nt.domain_sid )",
410 TL_REQUIRES_PROTO_TREE, NULL, lsa_policy_information, NULL);
412 /* error, we failed to attach to the tap. clean up */
414 fprintf(stderr, "tshark: Couldn't register proto_reg_handoff_smb_sidsnooping()/lsa_policy_information tap: %s\n",
416 g_string_free(error_string, TRUE);
419 lsa_policy_information_tap_installed=TRUE;
421 error_string=register_tap_listener("dcerpc",
422 &samr_query_dispinfo_tap_installed,
423 "samr and samr.opnum==40 and ( samr.handle or samr.rid or samr.acct_name or samr.level )",
424 TL_REQUIRES_PROTO_TREE, NULL, samr_query_dispinfo, NULL);
426 /* error, we failed to attach to the tap. clean up */
428 fprintf(stderr, "tshark: Couldn't register proto_reg_handoff_smb_sidsnooping()/samr_query_dispinfo tap: %s\n",
430 g_string_free(error_string, TRUE);
433 samr_query_dispinfo_tap_installed=TRUE;
437 proto_register_smb_sidsnooping(void)
439 register_init_routine(sid_snooping_init);
443 proto_reg_handoff_smb_sidsnooping(void)
git.samba.org / obnox / wireshark / wip.git / blob