#include <epan/crypt/crypt-des.h>
#include "packet-dcerpc.h"
#include "packet-gssapi.h"
-#include <epan/crc32.h>
+#include <wsutil/crc32.h>
#include "packet-ntlmssp.h"
{
proto_tree_add_item (ntlmssp_tree,
hf_ntlmssp_ntlm_client_challenge,
- tvb, blob_offset, 8, FALSE);
+ tvb, blob_offset, 8, ENC_NA);
}
}
}
{
proto_tree_add_item (ntlmssp_tree,
hf_ntlmssp_ntlm_client_challenge,
- tvb, blob_offset+32, 8, FALSE);
+ tvb, blob_offset+32, 8, ENC_NA);
dissect_ntlmv2_response(tvb, tree, blob_offset, blob_length);
}
if (tree) {
ntlmv2_item = proto_tree_add_item(
tree, hf_ntlmssp_ntlmv2_response, tvb,
- offset, len, TRUE);
+ offset, len, ENC_NA);
ntlmv2_tree = proto_item_add_subtree(
ntlmv2_item, ett_ntlmssp_ntlmv2_response);
}
proto_tree_add_item(
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_hmac, tvb,
- offset, 16, TRUE);
+ offset, 16, ENC_NA);
offset += 16;
proto_tree_add_item(
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_header, tvb,
- offset, 4, TRUE);
+ offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
proto_tree_add_item(
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_reserved, tvb,
- offset, 4, TRUE);
+ offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
proto_tree_add_item(
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_chal, tvb,
- offset, 8, TRUE);
+ offset, 8, ENC_NA);
offset += 8;
proto_tree_add_item(
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_unknown, tvb,
- offset, 4, TRUE);
+ offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
if (ntlmssp_tree) {
tf = proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_challenge_target_info, tvb,
- challenge_target_info_offset, challenge_target_info_length, FALSE);
+ challenge_target_info_offset, challenge_target_info_length, ENC_NA);
challenge_target_info_tree = proto_item_add_subtree(tf, ett_ntlmssp_challenge_target_info);
}
proto_tree_add_uint(challenge_target_info_tree, hf_ntlmssp_challenge_target_info_len,
/* NTLMSSP NT Lan Manager Challenge */
proto_tree_add_item (ntlmssp_tree,
hf_ntlmssp_ntlm_server_challenge,
- tvb, offset, 8, FALSE);
+ tvb, offset, 8, ENC_NA);
/*
* Store the flags and the RC4 state information with the conversation,
* It also says that that information may be omitted.
*/
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_reserved,
- tvb, offset, 8, FALSE);
+ tvb, offset, 8, ENC_NA);
offset += 8;
/*
data_start = MIN(data_start, item_start);
data_end = MAX(data_end, item_end);
- col_append_fstr(pinfo->cinfo, COL_INFO, ", User: %s\\%s",
+ col_append_sep_fstr(pinfo->cinfo, COL_INFO, ", ", "User: %s\\%s",
ntlmssph->domain_name, ntlmssph->acct_name);
/* hostname */
if (tree) {
tf = proto_tree_add_item (tree,
hf_ntlmssp_verf,
- tvb, offset, -1, FALSE);
+ tvb, offset, -1, ENC_NA);
ntlmssp_tree = proto_item_add_subtree (tf,
ett_ntlmssp);
TRY {
/* Version number */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_vers,
- tvb, offset, 4, TRUE);
+ tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
/* Encrypted body */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_body,
- tvb, offset, ntlm_signature_size + ntlm_seq_size, TRUE);
+ tvb, offset, ntlm_signature_size + ntlm_seq_size, ENC_NA);
tvb_memcpy(tvb, key, offset, ntlm_signature_size + ntlm_seq_size);
/* Try to decrypt */
decrypt_data_payload (tvb, offset+(ntlm_signature_size + ntlm_seq_size), encrypted_block_length-(ntlm_signature_size + ntlm_seq_size), pinfo, ntlmssp_tree,key);
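Review bot: Nothing visible in this hunk guarantees that `encrypted_block_length` is at least `ntlm_signature_size + ntlm_seq_size` before the subtraction in the `decrypt_data_payload` call on the last line, so a truncated or malformed verifier could produce a negative or wrapped length there. If that check is not already made earlier in the function (which starts outside the hunk), a guard with the condition `encrypted_block_length < ntlm_signature_size + ntlm_seq_size` ahead of the `tvb_memcpy` would make the early exit explicit. The declaration of `key` is also outside the hunk, so it should be confirmed to hold the number of bytes that `tvb_memcpy` copies into it.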
if (tree) {
tf = proto_tree_add_item (tree,
proto_ntlmssp,
- tvb, offset, -1, FALSE);
+ tvb, offset, -1, ENC_NA);
ntlmssp_tree = proto_item_add_subtree (tf,
ett_ntlmssp);
TRY {
/* NTLMSSP constant */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_auth,
- tvb, offset, 8, FALSE);
+ tvb, offset, 8, ENC_ASCII|ENC_NA);
offset += 8;
/* NTLMSSP Message Type */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_message_type,
- tvb, offset, 4, TRUE);
+ tvb, offset, 4, ENC_LITTLE_ENDIAN);
ntlmssph->type = tvb_get_letohl (tvb, offset);
offset += 4;
- col_append_fstr(pinfo->cinfo, COL_INFO, ", %s",
+ col_append_sep_fstr(pinfo->cinfo, COL_INFO, ", ","%s",
val_to_str(ntlmssph->type,
ntlmssp_message_types,
"Unknown message type"));
/*tap_queue_packet(ntlmssp_tap, pinfo, ntlmssph);*/
}
+static gboolean
+dissect_ntlmssp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
+{
+
+ if(tvb_memeql(tvb, 0, "NTLMSSP", 8) == 0) {
+
+ dissect_ntlmssp(tvb, pinfo, parent_tree);
+ return TRUE;
+ }
+
+ return FALSE;
+}
/*
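Review bot: The `8` in `tvb_memeql(tvb, 0, "NTLMSSP", 8)` is unexplained: it is one more than the seven visible characters, so the comparison relies on the string literal's terminating NUL to cover the whole signature field. A comment on that line, for example `/* 8 bytes: "NTLMSSP" plus the terminating NUL of the signature */`, would stop a later reader from "correcting" it to 7. The new function also has no header comment; one sentence would do, saying that it claims a buffer only when the signature matches at offset 0 and otherwise returns FALSE so other heuristics can try. As a style point, `if(` differs from the `if (` spacing used in the surrounding context lines.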
if(( conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY )) {
proto_tree_add_item (decr_tree, hf_ntlmssp_verf_hmacmd5,
- decr_tvb, decrypted_offset, 8,TRUE);
+ decr_tvb, decrypted_offset, 8,ENC_NA);
decrypted_offset += 8;
/* Incrementing sequence number of DCE conversation */
proto_tree_add_item (decr_tree, hf_ntlmssp_verf_sequence,
- decr_tvb, decrypted_offset, 4, TRUE);
+ decr_tvb, decrypted_offset, 4, ENC_NA);
decrypted_offset += 4;
}
else {
/* RANDOM PAD usually it's 0 */
proto_tree_add_item (decr_tree, hf_ntlmssp_verf_randompad,
- decr_tvb, decrypted_offset, 4, TRUE);
+ decr_tvb, decrypted_offset, 4, ENC_LITTLE_ENDIAN);
decrypted_offset += 4;
/* CRC32 of the DCE fragment data */
proto_tree_add_item (decr_tree, hf_ntlmssp_verf_crc32,
- decr_tvb, decrypted_offset, 4, TRUE);
+ decr_tvb, decrypted_offset, 4, ENC_LITTLE_ENDIAN);
decrypted_offset += 4;
/* Incrementing sequence number of DCE conversation */
proto_tree_add_item (decr_tree, hf_ntlmssp_verf_sequence,
- decr_tvb, decrypted_offset, 4, TRUE);
+ decr_tvb, decrypted_offset, 4, ENC_NA);
decrypted_offset += 4;
}
}
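Review bot: The two `hf_ntlmssp_verf_sequence` calls in this hunk change from `TRUE` to `ENC_NA`, while the neighbouring 4-byte fields (`hf_ntlmssp_verf_randompad`, `hf_ntlmssp_verf_crc32`) change to `ENC_LITTLE_ENDIAN`. The field's type is registered outside the hunk. If it is an integer field, `ENC_NA` has the same value as big-endian, so the displayed sequence number would be byte-swapped compared with the old behaviour. In that case both calls should end in `decr_tvb, decrypted_offset, 4, ENC_LITTLE_ENDIAN);`. If the field really is a byte array, a short comment saying so would explain why it differs from its neighbours.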
if (tree) {
tf = proto_tree_add_item (tree,
hf_ntlmssp_verf,
- tvb, offset, -1, FALSE);
+ tvb, offset, -1, ENC_NA);
ntlmssp_tree = proto_item_add_subtree (tf,
ett_ntlmssp);
if (tree) {
tf = proto_tree_add_item (tree,
hf_ntlmssp_verf,
- tvb, offset, -1, FALSE);
+ tvb, offset, -1, ENC_NA);
ntlmssp_tree = proto_item_add_subtree (tf,
ett_ntlmssp);
TRY {
/* Version number */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_vers,
- tvb, offset, 4, TRUE);
+ tvb, offset, 4, ENC_LITTLE_ENDIAN);
offset += 4;
/* Encrypted body */
proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_body,
- tvb, offset, encrypted_block_length, TRUE);
+ tvb, offset, encrypted_block_length, ENC_NA);
/* Try to decrypt */
decrypt_verifier (tvb, offset, encrypted_block_length, pinfo, ntlmssp_tree,NULL);
DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP,
&ntlmssp_seal_fns);
ntlmssp_tap = register_tap("ntlmssp");
+
+ heur_dissector_add("credssp", dissect_ntlmssp_heur, proto_ntlmssp);
+
}
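Review bot: The added `heur_dissector_add("credssp", dissect_ntlmssp_heur, proto_ntlmssp);` has no comment saying why NTLMSSP hooks into that list. It also depends on a heuristic list named "credssp" having been registered by another dissector before this line runs. A one-line comment such as `/* CredSSP may carry raw NTLMSSP tokens; claim them by signature */` would record the intent, assuming that is the reason for the hook. The enclosing function begins outside the hunk, so it cannot be confirmed from here that this is the handoff routine rather than the registration routine, where ordering against the CredSSP dissector would matter.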
/*
* indent-tabs-mode: nil
* End:
*
- * vi: set shiftwidth=2 tabstop=8 expandtab
+ * vi: set shiftwidth=2 tabstop=8 expandtab:
* :indentSize=2:tabSize=8:noTabs=true:
*/