* Routines for NTLM Secure Service Provider
* Devin Heitmueller <dheitmueller@netilla.com>
*
- * $Id: packet-ntlmssp.c,v 1.39 2003/05/07 07:12:50 tpot Exp $
+ * $Id: packet-ntlmssp.c,v 1.40 2003/05/09 01:41:28 tpot Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
{ 0, NULL }
};
-/* Name types */
-
-#define NTLMSSP_NAME_END 0x0000
-#define NTLMSSP_NAME_NB_HOST 0x0001
-#define NTLMSSP_NAME_NB_DOMAIN 0x0002
-#define NTLMSSP_NAME_DNS_HOST 0x0003
-#define NTLMSSP_NAME_DNS_DOMAIN 0x0004
-
-static const value_string ntlmssp_name_types[] = {
- { NTLMSSP_NAME_END, "End of list" },
- { NTLMSSP_NAME_NB_HOST, "NetBIOS host name" },
- { NTLMSSP_NAME_NB_DOMAIN, "NetBIOS domain name" },
- { NTLMSSP_NAME_DNS_HOST, "DNS host name" },
- { NTLMSSP_NAME_DNS_DOMAIN, "DNS domain name" },
- { 0, NULL }
-};
-
/*
* NTLMSSP negotiation flags
* Taken from Samba
#define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000
#define NTLMSSP_NEGOTIATE_80000000 0x80000000
-
static int proto_ntlmssp = -1;
static int hf_ntlmssp = -1;
static int hf_ntlmssp_auth = -1;
static int hf_ntlmssp_verf_crc32 = -1;
static int hf_ntlmssp_verf_sequence = -1;
static int hf_ntlmssp_decrypted_payload = -1;
-static int hf_ntlmssp_ntlmv2_response = -1;
-static int hf_ntlmssp_ntlmv2_response_hmac = -1;
-static int hf_ntlmssp_ntlmv2_response_header = -1;
-static int hf_ntlmssp_ntlmv2_response_reserved = -1;
-static int hf_ntlmssp_ntlmv2_response_time = -1;
-static int hf_ntlmssp_ntlmv2_response_chal = -1;
-static int hf_ntlmssp_ntlmv2_response_unknown = -1;
-static int hf_ntlmssp_ntlmv2_response_name = -1;
-static int hf_ntlmssp_ntlmv2_response_name_type = -1;
-static int hf_ntlmssp_ntlmv2_response_name_len = -1;
static gint ett_ntlmssp = -1;
static gint ett_ntlmssp_negotiate_flags = -1;
static gint ett_ntlmssp_blob = -1;
static gint ett_ntlmssp_address_list = -1;
static gint ett_ntlmssp_decrypted_tree = -1;
-static gint ett_ntlmssp_ntlmv2_response = -1;
-static gint ett_ntlmssp_ntlmv2_response_name = -1;
/* Configuration variables */
static char *nt_password = NULL;
tvb_memcpy(tvb, result->contents, blob_offset, blob_length);
}
+ /* If we are dissecting the NTLM response and it is a NTLMv2
+ response call the appropriate dissector. */
- return offset;
-}
-
-/* Dissect a NTLM response. This could be either NTLMv1 in which case
- we just call the dissect_ntlmssp_blob() function, or NTLMv2 where
- the blob actually has some structure. This is documented at
- http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3 */
-
-static int
-dissect_ntlmssp_ntlm_response(tvbuff_t *tvb, int offset,
- proto_tree *ntlmssp_tree, int blob_hf,
- int *end, ntlmssp_blob *result)
-{
- guint16 blob_length = tvb_get_letohs(tvb, offset);
- guint16 blob_maxlen = tvb_get_letohs(tvb, offset+2);
- guint32 blob_offset = tvb_get_letohl(tvb, offset+4);
- proto_item *item = NULL;
- proto_tree *subtree = NULL, *ntlmv2_tree = NULL;
-
- if (blob_length <= 24) {
-
- /* Not NTLMv2 */
-
- return dissect_ntlmssp_blob(
- tvb, offset, ntlmssp_tree, blob_hf, end, result);
- }
-
- if (ntlmssp_tree) {
- item = proto_tree_add_item(
- ntlmssp_tree, blob_hf, tvb, blob_offset, blob_length,
- TRUE);
- subtree = proto_item_add_subtree(item, ett_ntlmssp_blob);
- }
-
- /* Dissect NTLMv2 response */
-
- proto_tree_add_uint(subtree, hf_ntlmssp_blob_len,
- tvb, offset, 2, blob_length);
- offset += 2;
-
- proto_tree_add_uint(subtree, hf_ntlmssp_blob_maxlen,
- tvb, offset, 2, blob_maxlen);
- offset += 2;
-
- proto_tree_add_uint(subtree, hf_ntlmssp_blob_offset,
- tvb, offset, 4, blob_offset);
- offset += 4;
-
- *end = blob_offset + blob_length;
-
- /* Dissect NTLMv2 bits&pieces */
-
- if (subtree) {
- item = proto_tree_add_item(
- subtree, hf_ntlmssp_ntlmv2_response, tvb,
- blob_offset, blob_length - 8, TRUE);
- ntlmv2_tree = proto_item_add_subtree(
- item, ett_ntlmssp_ntlmv2_response);
- }
-
- proto_tree_add_item(
- ntlmv2_tree, hf_ntlmssp_ntlmv2_response_hmac, tvb,
- blob_offset, 16, TRUE);
-
- blob_offset += 16;
-
- proto_tree_add_item(
- ntlmv2_tree, hf_ntlmssp_ntlmv2_response_header, tvb,
- blob_offset, 4, TRUE);
-
- blob_offset += 4;
+ if (blob_hf == hf_ntlmssp_auth_ntresponse && blob_length > 24)
+ dissect_ntlmv2_response(tvb, tree, blob_offset, blob_length);
- proto_tree_add_item(
- ntlmv2_tree, hf_ntlmssp_ntlmv2_response_reserved, tvb,
- blob_offset, 4, TRUE);
-
- blob_offset += 4;
-
- blob_offset = dissect_smb_64bit_time(
- tvb, ntlmv2_tree, blob_offset,
- hf_ntlmssp_ntlmv2_response_time);
-
- proto_tree_add_item(
- ntlmv2_tree, hf_ntlmssp_ntlmv2_response_chal, tvb,
- blob_offset, 8, TRUE);
-
- blob_offset += 8;
-
- proto_tree_add_item(
- ntlmv2_tree, hf_ntlmssp_ntlmv2_response_unknown, tvb,
- blob_offset, 4, TRUE);
-
- blob_offset += 4;
-
- /* Variable length list of names */
-
- while(1) {
- guint16 name_type = tvb_get_letohs(tvb, blob_offset);
- guint16 name_len = tvb_get_letohs(tvb, blob_offset + 2);
- proto_tree *name_tree = NULL;
- char *name = NULL;
-
- if (ntlmv2_tree) {
- item = proto_tree_add_item(
- ntlmv2_tree, hf_ntlmssp_ntlmv2_response_name,
- tvb, blob_offset, 0, TRUE);
- name_tree = proto_item_add_subtree(
- item, ett_ntlmssp_ntlmv2_response_name);
- }
-
- /* Dissect name header */
-
- proto_tree_add_item(
- name_tree, hf_ntlmssp_ntlmv2_response_name_type, tvb,
- blob_offset, 2, TRUE);
-
- blob_offset += 2;
-
- proto_tree_add_item(
- name_tree, hf_ntlmssp_ntlmv2_response_name_len, tvb,
- blob_offset, 2, TRUE);
-
- blob_offset += 2;
-
- /* Dissect name */
-
- if (name_len > 0) {
- name = tvb_fake_unicode(
- tvb, blob_offset, name_len / 2, TRUE);
-
- proto_tree_add_text(
- name_tree, tvb, blob_offset, name_len,
- "Name: %s", name);
- } else
- name = g_strdup("NULL");
-
- if (name_type == 0)
- proto_item_append_text(
- item, "%s",
- val_to_str(name_type, ntlmssp_name_types,
- "Unknown"));
- else
- proto_item_append_text(
- item, "%s, %s",
- val_to_str(name_type, ntlmssp_name_types,
- "Unknown"), name);
-
- g_free(name);
-
- blob_offset += name_len;
-
- proto_item_set_len(item, name_len + 4);
-
- if (name_type == 0) /* End of list */
- break;
- };
-
- return offset;
+ return offset;
}
static int
if (!text) text = ""; /* Make sure we don't blow up below */
switch(item_type) {
- case NTLMSSP_NAME_NB_HOST:
+ case NTLM_NAME_NB_HOST:
proto_tree_add_string(tree, hf_ntlmssp_address_list_server_nb,
tvb, item_offset, item_length, text);
break;
- case NTLMSSP_NAME_NB_DOMAIN:
+ case NTLM_NAME_NB_DOMAIN:
proto_tree_add_string(tree, hf_ntlmssp_address_list_domain_nb,
tvb, item_offset, item_length, text);
break;
- case NTLMSSP_NAME_DNS_HOST:
+ case NTLM_NAME_DNS_HOST:
proto_tree_add_string(tree, hf_ntlmssp_address_list_server_dns,
tvb, item_offset, item_length, text);
break;
- case NTLMSSP_NAME_DNS_DOMAIN:
+ case NTLM_NAME_DNS_DOMAIN:
proto_tree_add_string(tree, hf_ntlmssp_address_list_domain_dns,
tvb, item_offset, item_length, text);
}
/* NTLM response */
item_start = tvb_get_letohl(tvb, offset+4);
- offset = dissect_ntlmssp_ntlm_response(tvb, offset, ntlmssp_tree,
- hf_ntlmssp_auth_ntresponse,
- &item_end,
- conv_ntlmssp_info == NULL ? NULL :
- &conv_ntlmssp_info->ntlm_response);
+ offset = dissect_ntlmssp_blob(tvb, offset, ntlmssp_tree,
+ hf_ntlmssp_auth_ntresponse,
+ &item_end,
+ conv_ntlmssp_info == NULL ? NULL :
+ &conv_ntlmssp_info->ntlm_response);
data_start = MIN(data_start, item_start);
data_end = MAX(data_end, item_end);
{ &hf_ntlmssp_verf_crc32,
{ "Verifier CRC32", "ntlmssp.verf.crc32", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
{ &hf_ntlmssp_verf_sequence,
- { "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response,
- { "NTLMv2 Response", "ntlmssp.auth.ntresponsev2", FT_BYTES, BASE_HEX,
- NULL, 0x0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response_hmac,
- { "HMAC", "ntlmssp.auth.ntresponsev2.hmac", FT_BYTES, BASE_HEX,
- NULL, 0x0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response_header,
- { "Header", "ntlmssp.auth.ntresponsev2.header", FT_UINT32, BASE_HEX,
- NULL, 0x0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response_reserved,
- { "Reserved", "ntlmssp.auth.ntresponsev2.reserved", FT_UINT32, BASE_HEX,
- NULL, 0x0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response_time,
- { "Time", "ntlmssp.auth.ntresponsev2.time", FT_ABSOLUTE_TIME, BASE_NONE,
- NULL, 0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response_chal,
- { "Client challenge", "ntlmssp.auth.ntresponsev2.chal", FT_BYTES,
- BASE_HEX, NULL, 0x0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response_unknown,
- { "Unknown", "ntlmssp.auth.ntresponsev2.unknown", FT_UINT32, BASE_HEX,
- NULL, 0x0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response_name,
- { "Name", "ntlmssp.auth.ntresponsev2.name", FT_STRING, BASE_NONE,
- NULL, 0x0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response_name_type,
- { "Name type", "ntlmssp.auth.ntresponsev2.name.type", FT_UINT32,
- BASE_DEC, VALS(ntlmssp_name_types), 0x0, "", HFILL }},
- { &hf_ntlmssp_ntlmv2_response_name_len,
- { "Name len", "ntlmssp.auth.ntresponsev2.name.len", FT_UINT32,
- BASE_DEC, NULL, 0x0, "", HFILL }},
+ { "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}
};
&ett_ntlmssp_string,
&ett_ntlmssp_blob,
&ett_ntlmssp_address_list,
- &ett_ntlmssp_decrypted_tree,
- &ett_ntlmssp_ntlmv2_response,
- &ett_ntlmssp_ntlmv2_response_name
+ &ett_ntlmssp_decrypted_tree
};
module_t *ntlmssp_module;
* Common routines for smb packet dissection
* Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
*
- * $Id: packet-smb-common.c,v 1.16 2003/04/03 02:57:48 tpot Exp $
+ * $Id: packet-smb-common.c,v 1.17 2003/05/09 01:41:28 tpot Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
return offset+tvb_length_remaining(tvb, offset);
}
+
+/* Dissect a NTLM response. This is documented at
+ http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3 */
+
+static int hf_ntlmv2_response = -1;
+static int hf_ntlmv2_response_hmac = -1;
+static int hf_ntlmv2_response_header = -1;
+static int hf_ntlmv2_response_reserved = -1;
+static int hf_ntlmv2_response_time = -1;
+static int hf_ntlmv2_response_chal = -1;
+static int hf_ntlmv2_response_unknown = -1;
+static int hf_ntlmv2_response_name = -1;
+static int hf_ntlmv2_response_name_type = -1;
+static int hf_ntlmv2_response_name_len = -1;
+
+static gint ett_ntlmv2_response = -1;
+static gint ett_ntlmv2_response_name = -1;
+
+/* Name types */
+
+const value_string ntlm_name_types[] = {
+ { NTLM_NAME_END, "End of list" },
+ { NTLM_NAME_NB_HOST, "NetBIOS host name" },
+ { NTLM_NAME_NB_DOMAIN, "NetBIOS domain name" },
+ { NTLM_NAME_DNS_HOST, "DNS host name" },
+ { NTLM_NAME_DNS_DOMAIN, "DNS domain name" },
+ { 0, NULL }
+};
+
+int
+dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *tree, int offset, int len)
+{
+ proto_item *ntlmv2_item = NULL;
+ proto_tree *ntlmv2_tree = NULL;
+
+ /* Dissect NTLMv2 bits&pieces */
+
+ if (tree) {
+ ntlmv2_item = proto_tree_add_item(
+ tree, hf_ntlmv2_response, tvb,
+ offset, len, TRUE);
+ ntlmv2_tree = proto_item_add_subtree(
+ ntlmv2_item, ett_ntlmv2_response);
+ }
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_hmac, tvb,
+ offset, 16, TRUE);
+
+ offset += 16;
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_header, tvb,
+ offset, 4, TRUE);
+
+ offset += 4;
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_reserved, tvb,
+ offset, 4, TRUE);
+
+ offset += 4;
+
+ offset = dissect_smb_64bit_time(
+ tvb, ntlmv2_tree, offset, hf_ntlmv2_response_time);
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_chal, tvb,
+ offset, 8, TRUE);
+
+ offset += 8;
+
+ proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_unknown, tvb,
+ offset, 4, TRUE);
+
+ offset += 4;
+
+ /* Variable length list of names */
+
+ while(1) {
+ guint16 name_type = tvb_get_letohs(tvb, offset);
+ guint16 name_len = tvb_get_letohs(tvb, offset + 2);
+ proto_tree *name_tree = NULL;
+ proto_item *name_item = NULL;
+ char *name = NULL;
+
+ if (ntlmv2_tree) {
+ name_item = proto_tree_add_item(
+ ntlmv2_tree, hf_ntlmv2_response_name,
+ tvb, offset, 0, TRUE);
+ name_tree = proto_item_add_subtree(
+ name_item, ett_ntlmv2_response_name);
+ }
+
+ /* Dissect name header */
+
+ proto_tree_add_item(
+ name_tree, hf_ntlmv2_response_name_type, tvb,
+ offset, 2, TRUE);
+
+ offset += 2;
+
+ proto_tree_add_item(
+ name_tree, hf_ntlmv2_response_name_len, tvb,
+ offset, 2, TRUE);
+
+ offset += 2;
+
+ /* Dissect name */
+
+ if (name_len > 0) {
+ name = tvb_fake_unicode(
+ tvb, offset, name_len / 2, TRUE);
+
+ proto_tree_add_text(
+ name_tree, tvb, offset, name_len,
+ "Name: %s", name);
+ } else
+ name = g_strdup("NULL");
+
+ if (name_type == 0)
+ proto_item_append_text(
+ name_item, "%s",
+ val_to_str(name_type, ntlm_name_types,
+ "Unknown"));
+ else
+ proto_item_append_text(
+ name_item, "%s, %s",
+ val_to_str(name_type, ntlm_name_types,
+ "Unknown"), name);
+
+ g_free(name);
+
+ offset += name_len;
+
+ proto_item_set_len(name_item, name_len + 4);
+
+ if (name_type == 0) /* End of list */
+ break;
+ };
+
+ return offset;
+}
+
+void register_smb_common(int proto_smb)
+{
+ static hf_register_info hf[] = {
+
+ { &hf_ntlmv2_response,
+ { "NTLMv2 Response", "smb.ntlmv2response", FT_BYTES,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_hmac,
+ { "HMAC", "smb.ntlmv2response.hmac", FT_BYTES, BASE_HEX,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_header,
+ { "Header", "smb.ntlmv2response.header", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_reserved,
+ { "Reserved", "smb.ntlmv2response.reserved", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_time,
+ { "Time", "smb.ntlmv2response.time", FT_ABSOLUTE_TIME,
+ BASE_NONE, NULL, 0, "", HFILL }},
+
+ { &hf_ntlmv2_response_chal,
+ { "Client challenge", "smb.ntlmv2response.chal", FT_BYTES,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_unknown,
+ { "Unknown", "smb.ntlmv2response.unknown", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_name,
+ { "Name", "smb.ntlmv2response.name", FT_STRING, BASE_NONE,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_name_type,
+ { "Name type", "smb.ntlmv2response.name.type", FT_UINT32,
+ BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }},
+
+ { &hf_ntlmv2_response_name_len,
+ { "Name len", "smb.ntlmv2response.name.len", FT_UINT32,
+ BASE_DEC, NULL, 0x0, "", HFILL }}
+ };
+
+ static gint *ett[] = {
+ &ett_ntlmv2_response,
+ &ett_ntlmv2_response_name
+ };
+
+ proto_register_subtree_array(ett, array_length(ett));
+ proto_register_field_array(proto_smb, hf, array_length(hf));
+}
git.samba.org / metze / wireshark / wip.git / commitdiff