Hello,
I am working on decryption of DCE/RPC stubs for NTLMSSP version 1. I have successfully decrypted the first packet sent (which means the session key computation is correct). However, I am having problems decrypting subsequent packets.
It looks like the problems I am having are tied to the fact that the authentication verifier needs to be decrypted as well as the PDU. This brings into question how the authentication verifier is dissected. Looking at packet-dcerpc.c shows that the authentication block is dissected prior to the encrypted stub. I would like to restructure this so that the dissect_dcerpc_cn_auth() function does not handle the verifier. Instead, the verifier would be dissected after the stub, based on the presence of a nonzero auth length.
Because the same routines are used for both the NTLMSSP and SPNEGO dissectors, I was wondering if anyone had SPNEGO traces they could send me?
If anyone wants to send me some NTLMSSP traces as well, that would be great, as it would reduce the chance of me breaking the dissector with my changes.
Thanks,
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
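The ordering problem described in the post, illustrated as an added example (this is not code from the post or from the packet-dcerpc.c dissector). NTLMv1 sealing without extended session security runs a single RC4 keystream per direction for the whole connection: the sender seals the stub and then consumes twelve more keystream bytes while building the 16-byte verifier (NTLMSSP_MESSAGE_SIGNATURE: version, random pad, CRC32 checksum, sequence number, laid out as MS-NLMP describes the NTLMv1 MAC). A receiver that decrypts only the stub and never runs the verifier through its RC4 handle is desynchronised for every PDU after the first, which is exactly the symptom of "first packet decrypts, later ones do not". The sealing key below is a constructed 16-byte value; the derivation of the seal key from the exchanged session key is omitted, and the layout of the signature is assumed from MS-NLMP rather than taken from the dissector.

```python
"""Why the NTLMSSP verifier must be decrypted in order with the stub (added example)."""
import struct
import zlib


class RC4:
    """Minimal RC4 that keeps its state between calls: one handle per direction."""

    def __init__(self, key: bytes):
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def crypt(self, data: bytes) -> bytes:
        """XOR data with the next len(data) keystream bytes (encrypt == decrypt)."""
        S, out = self.S, bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + S[self.i]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(b ^ S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)


def seal_and_sign(handle: RC4, seqnum: int, stub: bytes):
    """Sender side: seal the stub, then build the NTLMv1 verifier with the same handle.

    Assumed MS-NLMP NTLMv1 MAC layout: Version(1) | RandomPad(0) | RC4(CRC32) | RC4(0) ^ SeqNum.
    The random pad consumes 4 keystream bytes even though the field is sent as zero.
    """
    sealed = handle.crypt(stub)
    handle.crypt(b"\0" * 4)                                   # RandomPad keystream, discarded
    checksum = handle.crypt(struct.pack("<I", zlib.crc32(stub) & 0xFFFFFFFF))
    seq = bytes(a ^ b for a, b in zip(handle.crypt(b"\0" * 4), struct.pack("<I", seqnum)))
    verifier = struct.pack("<I", 1) + b"\0" * 4 + checksum + seq
    return sealed, verifier


def unseal_and_verify(handle: RC4, expected_seq: int, sealed: bytes, verifier: bytes):
    """Receiver side: decrypt the stub, then the verifier, in the sender's order.

    Returns (stub, ok) where ok means checksum and sequence number both matched.
    """
    stub = handle.crypt(sealed)
    handle.crypt(b"\0" * 4)                                   # skip the RandomPad keystream
    checksum = struct.unpack("<I", handle.crypt(verifier[8:12]))[0]
    seq = struct.unpack("<I", handle.crypt(verifier[12:16]))[0]
    ok = checksum == (zlib.crc32(stub) & 0xFFFFFFFF) and seq == expected_seq
    return stub, ok


# Constructed inputs: a made-up 16-byte seal key and two made-up request stubs.
SEAL_KEY = bytes(range(0x10, 0x20))
STUBS = [b"\x01\x00\x00\x00srvsvc-request-one", b"\x02\x00\x00\x00srvsvc-request-two"]


def build_pdus(key: bytes, stubs):
    """Seal a sequence of stubs as one connection would (single sender handle)."""
    h = RC4(key)
    return [seal_and_sign(h, n, s) for n, s in enumerate(stubs)]


def decrypt_in_order(key: bytes, pdus):
    """Correct dissector behaviour: stub, then verifier, through one receiver handle."""
    h = RC4(key)
    return [unseal_and_verify(h, n, sealed, ver) for n, (sealed, ver) in enumerate(pdus)]


def decrypt_stub_only(key: bytes, pdus):
    """Broken behaviour: verifier never run through the handle, keystream drifts by 12 bytes/PDU."""
    h = RC4(key)
    return [h.crypt(sealed) for sealed, _ in pdus]


if __name__ == "__main__":
    pdus = build_pdus(SEAL_KEY, STUBS)
    for stub, ok in decrypt_in_order(SEAL_KEY, pdus):
        print("in order :", ok, stub)
    for stub in decrypt_stub_only(SEAL_KEY, pdus):
        print("stub only:", stub == STUBS[0] or stub == STUBS[1], stub)
```

The first PDU decrypts either way because nothing has drifted yet; the second PDU is garbage in the stub-only path because the receiver's RC4 state is twelve bytes behind the sender's. This is why the verifier has to be dissected (and run through the cipher) after the stub rather than before it, and why a per-direction handle has to persist across PDUs.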