Wireshark-dev: Re: [Wireshark-dev] krb5 dcerpc decryption
From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Tue, 28 Jul 2009 08:46:34 +0200
Hi Guys,
Note that we have made some local changes to the tool:
http://anonsvn.wireshark.org/viewvc/trunk/tools/pidl/lib/Parse/Pidl/Wireshar
k/
http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=28961

Regards
Anders
-----Ursprungligt meddelande-----
Från: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] För ronnie sahlberg
Skickat: den 28 juli 2009 05:02
Till: Stefan (metze) Metzmacher
Kopia: wireshark-dev@xxxxxxxxxxxxx
Ämne: Re: [Wireshark-dev] krb5 dcerpc decryption

Hi Metze,

Can you check those two patches again?
I can not decrypt any of the captures you sent.

I built wireshark with your patch and also patched mit 1.6.3 with the
second patch and load it with
LD_PRELOAD=...../lib/libk5crypto.so

But can not decrypt any of the packets.
The modified  krb5_dk_decrypt_maybe_trunc_hmac() is called from
wireshark but this statement is never true :
       if (hdr[0] == 0x05 && hdr[1] == 0x04) {


I agree, we should have our own code here, just as we have for arcfour.
Once I can get the decryption working using these hacks, I can look
into re-implementing this code inside wireshark.



The pidl command line to generate a ws dissector looks like this :
pidl lsa.idl --ws-parser


regards
ronnie sahlberg


On Sat, Jul 25, 2009 at 6:47 PM, Stefan (metze)
Metzmacher<metze@xxxxxxxxx> wrote:
> Hi Ronnie,
>
> could you please apply this patch
>
http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=commitdiff;h=d4e3184d5f
aca653ef053b3469ad3f8ec7605b7e
>
> With that patch decryption of aes encrypted traffic works as long as no
> header signing is used.
>
> I tried some hacks to decrypt it when header signing is on
> and use a hacked mit krb5 1.6 version loaded with LD_LIBRARY_PATH
>
> See
>
http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/w
s-metze-gssapi-20090725
>
> I think we should have aes specific decryption code in wireshark like we
> have for arcfour in packet-spnego.c.
>
> With this hacks I can decrypt every packet of the attached captures.
>
> BTW: with what commandline do I have to generate pidl dissectors?
>     I want to add it for the DFS-R (FrsTransport) Interface.
>
> metze
>
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe