When a win2k3 client contacts an LDAP (or indeed any protocol) server,
and it has negotiated GSS-SPNEGO, it takes this as a cue to use
'Negotiate'.
'Negotiate' has this lovely property that it may include 'raw' (that is,
unwrapped by GSS-API) NTLMSSP into the packet. This is already worked
around in SMB for the session setup, but we also see this on LDAP, and
anywhere else. The attached patch handles this in the GSSAPI layer,
instead of a failure.
I'm new to ethereal patches, so I don't know how to remove the extra
layer of subtree (GSSAPI), but attached is the patch as-is. I also
attach a sample capture.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
Index: epan/dissectors/packet-gssapi.c
===================================================================
--- epan/dissectors/packet-gssapi.c (revision 13747)
+++ epan/dissectors/packet-gssapi.c (working copy)
@@ -55,6 +55,8 @@
* Subdissectors
*/
+static dissector_handle_t ntlmssp_handle = NULL;
+
static GHashTable *gssapi_oids;
static gint gssapi_oid_equal(gconstpointer k1, gconstpointer k2)
@@ -240,14 +242,19 @@
}
if (!value)
{
- proto_tree_add_text(subtree, tvb, offset, 0,
- "Unknown header (cls=%d, con=%d, tag=%d)",
- cls, con, tag);
+ /* It could be NTLMSSP, with no OID. This can happen
+ for anything that microsoft calls 'Negotiate' or GSS-SPNEGO */
+ if (tvb_strneql(tvb, offset, "NTLMSSP", 7) == 0) {
+ call_dissector(ntlmssp_handle, tvb_new_subset(tvb, offset, -1, -1), pinfo, subtree);
+ } else {
+ proto_tree_add_text(subtree, tvb, offset, 0,
+ "Unknown header (cls=%d, con=%d, tag=%d)",
+ cls, con, tag);
+ }
return_offset = tvb_length(tvb);
goto done;
- }
- else
- {
+
+ } else {
tvbuff_t *oid_tvb;
/* Naughty ... no way to reset the offset */
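Review bot: The `tvb_strneql(tvb, offset, "NTLMSSP", 7)` test in the `if (!value)` branch matches only the seven-letter prefix, while the NTLMSSP message signature is the eight-byte string "NTLMSSP" followed by a NUL. Comparing all eight bytes would keep data that merely begins with those letters from being handed to the NTLMSSP dissector. A short comment on why the blob is passed with `tvb_new_subset(tvb, offset, -1, -1)` (everything from `offset` to the end of the buffer) would also help the next reader. The rejoined `} else {` and the blank line added after `goto done;` are style changes unrelated to the fix and differ from the brace layout of the removed lines; they could be dropped from the patch.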
@@ -505,6 +512,8 @@
{
data_handle = find_dissector("data");
+ ntlmssp_handle = find_dissector("ntlmssp");
+
register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT,
DCE_C_RPC_AUTHN_PROTOCOL_SPNEGO,
&gssapi_auth_fns);
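Review bot: The result of `find_dissector("ntlmssp")` is stored without a check, and the new branch in the previous hunk passes `ntlmssp_handle` straight to `call_dissector()`. If no dissector is registered under that name, the handle stays NULL at the call site. Guarding the call, for example by testing `ntlmssp_handle` alongside the `tvb_strneql()` comparison and falling back to the existing "Unknown header" text, would keep the dissector from acting on a missing handle when it meets a raw NTLMSSP blob.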
Attachment:
ntlmssp-ldap.cap
Description: Binary data