Ethereal-dev: [Ethereal-dev] [Kerberos] Kerberos SSP in MSRPC
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand@xxxxxx>
Date: Sat, 17 Jul 2004 15:51:46 +0200
Hello,

attached patches add identification for Microsoft SSP (Security Service Provider) used in DCE RPC:

http://msdn.microsoft.com/library/en-us/rpc/rpc/authentication_level_constants.asp

For the Kerberos SSP (#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS 16), dissection of AP_REQ and AP_REP tokens in DCE RPC Bind requests is now supported.

The Kerberos SSP is used in Windows instead of the SPNEGO SSP when applications want to use exclusively Kerberos (and not another SSP such as NTLMSSP):

http://msdn.microsoft.com/library/en-us/rpc/rpc/which_security_provider_to_use.asp

For instance, the Kerberos SSP is used in tickets authenticating sessions to the DRSUAPI RPC service, to call Active Directory database replication operations:

summary:

2004-xx-xx 17:55:35.593334 xxx.yyy.zzz.ttt -> xxx.yyy.zzz.ttt DCERPC Bind: call_id: 1 UUID: DRSUAPI

details of the frame:

    ...
    Auth type: Kerberos SSP (16)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Auth level: Packet privacy (6)
    Auth pad len: 0
    Auth Rsrvd: 0
    Auth Context ID: 1
    Kerberos AP-REQ
        Pvno: 5
        MSG Type: AP-REQ (14)
        Padding: 0
        APOptions: 20000000 (Mutual required)
            .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
            ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED
        Ticket
            Tkt-vno: 5
            Realm: XXX.TLD
            Server Name (Service and Instance): E3514235-4B06-11D1-AB04-00C04FC2DCD2 276d4866-4940-49e4-91ec-991746baf84a xxx.tld
                Name-type: Service and Instance (2)
                Name: E3514235-4B06-11D1-AB04-00C04FC2DCD2
                Name: 276d4866-4940-49e4-91ec-991746baf84a
                Name: xxx.tld
    ...

Note the interesting server name in the Kerberos ticket, composed of the UUID of the DRSUAPI interface, followed by the GUID of the AD DC.

Jean-Baptiste Marchand

--
Jean-Baptiste.Marchand@xxxxxx
HSC - http://www.hsc.fr/
Index: packet-dcerpc.c =================================================================== --- packet-dcerpc.c (revision 11394) +++ packet-dcerpc.c (working copy) @@ -101,7 +101,14 @@ { DCE_C_RPC_AUTHN_PROTOCOL_KRB5, "Kerberos 5" }, { DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO, "SPNEGO" }, { DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP, "NTLMSSP" }, + { DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL, "SCHANNEL SSP" }, + { DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, "Kerberos SSP" }, + { DCE_C_RPC_AUTHN_PROTOCOL_DPA, + "Distributed Password Authentication SSP"}, + { DCE_C_RPC_AUTHN_PROTOCOL_MSN, "MSN SSP"}, + { DCE_C_RPC_AUTHN_PROTOCOL_DIGEST, "Digest SSP"}, { DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,"NETLOGON Secure Channel" }, + { DCE_C_RPC_AUTHN_PROTOCOL_MQ, "MSMQ SSP"}, { 0, NULL } };
Index: packet-gssapi.c =================================================================== --- packet-gssapi.c (revision 11394) +++ packet-gssapi.c (working copy) @@ -449,7 +449,7 @@ return tvb_length_remaining(tvb, offset); } -static int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset, +int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep _U_) {
Index: packet-kerberos.c =================================================================== --- packet-kerberos.c (revision 11394) +++ packet-kerberos.c (working copy) @@ -3894,6 +3894,37 @@ #endif } +static int wrap_dissect_gss_kerb(tvbuff_t *tvb, int offset, packet_info *pinfo, + proto_tree *tree, guint8 *drep _U_) +{ + tvbuff_t *auth_tvb; + + auth_tvb = tvb_new_subset( + tvb, offset, tvb_length_remaining(tvb, offset), + tvb_length_remaining(tvb, offset)); + + dissect_kerberos_main(auth_tvb, pinfo, tree, FALSE, NULL); + + return tvb_length_remaining(tvb, offset); +} + + +/* from packet-gssapi.c */ +extern int wrap_dissect_gssapi_verf(tvbuff_t *tvb, int offset, + packet_info *pinfo, + proto_tree *tree, guint8 *drep); + +static dcerpc_auth_subdissector_fns gss_kerb_auth_fns = { + wrap_dissect_gss_kerb, /* Bind */ + wrap_dissect_gss_kerb, /* Bind ACK */ + NULL, /* AUTH3 */ + wrap_dissect_gssapi_verf, /* Request verifier */ + wrap_dissect_gssapi_verf, /* Response verifier */ + NULL, /* Request data */ + NULL /* Response data */ +}; + + void proto_reg_handoff_kerberos(void) { @@ -3907,6 +3938,10 @@ dissector_add("udp.port", UDP_PORT_KERBEROS, kerberos_handle_udp); dissector_add("tcp.port", TCP_PORT_KERBEROS, kerberos_handle_tcp); + register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY, + DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS, + &gss_kerb_auth_fns); + } /*
Index: packet-dcerpc.h =================================================================== --- packet-dcerpc.h (revision 11394) +++ packet-dcerpc.h (working copy) @@ -313,11 +313,23 @@ /* Authentication services */ +/* + * For MS-specific SSPs (Security Service Provider), see + * + * http://msdn.microsoft.com/library/en-us/rpc/rpc/authentication_level_constants.asp + */ + #define DCE_C_RPC_AUTHN_PROTOCOL_NONE 0 #define DCE_C_RPC_AUTHN_PROTOCOL_KRB5 1 #define DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO 9 #define DCE_C_RPC_AUTHN_PROTOCOL_NTLMSSP 10 +#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL 14 +#define DCE_C_RPC_AUTHN_PROTOCOL_GSS_KERBEROS 16 +#define DCE_C_RPC_AUTHN_PROTOCOL_DPA 17 +#define DCE_C_RPC_AUTHN_PROTOCOL_MSN 18 +#define DCE_C_RPC_AUTHN_PROTOCOL_DIGEST 21 #define DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN 68 +#define DCE_C_RPC_AUTHN_PROTOCOL_MQ 100 /* Protection levels */
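Review bot: In the packet-dcerpc.c hunk, the new "SCHANNEL SSP" string for DCE_C_RPC_AUTHN_PROTOCOL_GSS_SCHANNEL lands next to the existing "NETLOGON Secure Channel" string for DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN, and nothing in either label tells a reader of the protocol tree how the two differ. Consider wording that distinguishes them. The added entries also close with `"}` where the existing ones use `" }`; matching the existing spacing keeps the table uniform.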
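Review bot: Dropping static from wrap_dissect_gssapi_verf in the packet-gssapi.c hunk exports the function without a prototype in any header; the only declaration visible in this patch is the extern copied into packet-kerberos.c under the comment /* from packet-gssapi.c */. Move the prototype into a header included by both files, so that a later change to the signature is caught by the compiler instead of silently diverging.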
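Review bot: wrap_dissect_gss_kerb, in the first packet-kerberos.c hunk, does not use the result of dissect_kerberos_main and always returns tvb_length_remaining(tvb, offset), so the caller is told the whole remaining buffer was consumed whatever the Kerberos dissector did with it. It also evaluates tvb_length_remaining(tvb, offset) three times; compute it once into a local, and if dissect_kerberos_main reports a consumed length, return that. A one-line comment above the function stating which Kerberos tokens it expects in the auth data would help the next reader.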
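Review bot: The register_dcerpc_auth_subdissector call in the second packet-kerberos.c hunk registers gss_kerb_auth_fns for DCE_C_AUTHN_LEVEL_PKT_PRIVACY only, so auth type 16 seen at any other auth level gets no subdissector from this patch. If the Kerberos SSP can be negotiated at other levels, register those too; otherwise add a comment saying why packet privacy is the only level handled.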
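Review bot: The comment added in the packet-dcerpc.h hunk points at authentication_level_constants.asp, yet it sits under /* Authentication services */ and the defines that follow are service identifiers, with the levels listed separately under /* Protection levels */. Please check that the URL is the page that lists these values, and say in the comment which of the defines are the Microsoft-specific ones, since DCE_C_RPC_AUTHN_PROTOCOL_NONE and DCE_C_RPC_AUTHN_PROTOCOL_KRB5 share the same block.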
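The auth fields shown in the frame details of the message above (auth type 16, level 6, context ID 1) can be pulled out of a raw connection-oriented DCE RPC PDU as sketched here. This is an added example, not code from the patch or from Ethereal: the function names, the struct and the sample bytes are constructed for illustration, and it assumes the standard layout of a 16-byte common header with an 8-byte auth trailer placed directly before the auth token.

```c
#include <stdint.h>
#include <stdio.h>

/* Auth trailer fields, named as in the dissection quoted in the message. */
struct sec_trailer {
    uint8_t  auth_type, auth_level, auth_pad_len, auth_rsrvd;
    uint32_t auth_context_id;
};
/* Values and names from the packet-dcerpc.h / packet-dcerpc.c hunks on this page. */
static const struct { uint8_t v; const char *s; } authn[] = {
    {1, "Kerberos 5"}, {9, "SPNEGO"}, {10, "NTLMSSP"}, {14, "SCHANNEL SSP"},
    {16, "Kerberos SSP"}, {17, "Distributed Password Authentication SSP"},
    {18, "MSN SSP"}, {21, "Digest SSP"}, {68, "NETLOGON Secure Channel"},
    {100, "MSMQ SSP"} };
static const char *authn_name(uint8_t t)
{
    for (size_t i = 0; i < sizeof authn / sizeof authn[0]; i++)
        if (authn[i].v == t) return authn[i].s;
    return "Unknown";
}
static uint32_t rd(const uint8_t *p, int n, int le)  /* n-byte integer, per drep */
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v |= (uint32_t)p[i] << 8 * (le ? i : n - 1 - i);
    return v;
}

/* Returns 0 and fills *out; -1 if truncated, malformed or without auth data. */
static int parse_sec_trailer(const uint8_t *pdu, size_t len, struct sec_trailer *out)
{
    if (len < 16 || pdu[0] != 5) return -1;      /* 16-byte CO header, rpc_vers 5 */
    int le = (pdu[4] & 0xf0) == 0x10;            /* drep[0] high nibble: byte order */
    size_t frag_len = rd(pdu + 8, 2, le), auth_len = rd(pdu + 10, 2, le);
    if (!auth_len || frag_len > len || frag_len < 16 + 8 + auth_len) return -1;
    const uint8_t *t = pdu + frag_len - auth_len - 8;  /* trailer precedes the token */
    *out = (struct sec_trailer){ t[0], t[1], t[2], t[3], rd(t + 4, 4, le) };
    return 0;
}

/* Constructed sample: Bind header, shortened body, trailer, 4 placeholder token bytes. */
static const uint8_t sample_bind[36] = {
    5, 0, 11, 3,  0x10, 0, 0, 0,  36, 0,  4, 0,  1, 0, 0, 0,   /* header, call_id 1 */
    0xd0, 0x16, 0xd0, 0x16, 0, 0, 0, 0,                        /* shortened body */
    16, 6, 0, 0,  1, 0, 0, 0,   0, 0, 0, 0 };                  /* trailer + token */

int main(void)
{
    struct sec_trailer t;
    if (parse_sec_trailer(sample_bind, sizeof sample_bind, &t)) return 1;
    return printf("Auth type: %s (%u)\n", authn_name(t.auth_type), t.auth_type) < 0;
}
```

The bounds check on frag_length and auth_length matters when this runs over captured traffic, since both fields come straight from the wire.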