GSSAPI - kerberos issue

Hello all

The GSSAPI analyzer does not recognize KRB5 authentication made over SPNEGO.
Looking at the code (gssapi-analyzer.pac), the analyzer does compare the value of the mech_token variable with the IDs of krb5 and mskrb5:

    else if ( ${val.mech_token}.length() == 9 &&
              (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ||
               memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ))

By looking with Wireshark through pcaps containing relevant transactions, I found out that these bytes are preceded by 6 more bytes in both SMB1 and SMB2 (they change from session to session, possibly a part of the ASN1Meta that is wrongly parsed?), and the length of the mech_token is quite large (up to the end of the packet). By adjusting some offsets and lengths (${val.mech_token}.begin() + 6 etc.), I was able to reach the code that delivers the packet to the KRB analyzer.
After this fix (+6 for request, +5 for response) I was able to produce Kerberos logs from the said packets, but perhaps the problem lies in the arguments of the DeliverPacket function?

Hope this bug can be fixed in a more professional way.
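
The 6 and 5 leading bytes reported above are consistent with the GSS-API initial-token framing of RFC 2743 section 3.1 (an `0x60` tag, a variable-width DER length, then `0x06 0x09` before the mechanism OID), with the two-byte token ID of RFC 4121 sitting between the OID and the Kerberos message. The following is an added example, not code from the analyzer or from either poster; `GssKrb5Token`, `unwrap_krb5_mech_token` and `sample_token` are hypothetical names, and the sample tokens are constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
static const uint8_t KRB5_OID[9]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const uint8_t MSKRB5_OID[9] = {0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02};
struct GssKrb5Token {            // hypothetical result type, not from the analyzer
    bool ok = false;
    size_t oid_offset = 0, krb_offset = 0;  // framing bytes before the OID; start of the Kerberos message
    uint16_t tok_id = 0;         // RFC 4121: 0x0100 AP-REQ, 0x0200 AP-REP, 0x0300 KRB-ERROR
};

// Read a DER length at buf[pos]; reject truncated, indefinite and >4-byte forms.
static bool der_length(const uint8_t* buf, size_t len, size_t& pos, size_t& out) {
    if (pos >= len) return false;
    uint8_t b = buf[pos++];
    if (b < 0x80) { out = b; return true; }        // short form: one byte
    size_t n = b & 0x7f;                           // long form: n length bytes follow
    if (n == 0 || n > 4 || n > len - pos) return false;
    for (out = 0; n > 0; --n) out = (out << 8) | buf[pos++];
    return true;
}

GssKrb5Token unwrap_krb5_mech_token(const uint8_t* buf, size_t len) {
    GssKrb5Token t;
    size_t pos = 0, outer = 0, oid_len = 0;
    if (len == 0 || buf[pos++] != 0x60) return t;                // [APPLICATION 0]
    if (!der_length(buf, len, pos, outer) || outer > len - pos) return t;
    if (pos >= len || buf[pos++] != 0x06) return t;              // OBJECT IDENTIFIER
    if (!der_length(buf, len, pos, oid_len) || oid_len != 9) return t;
    if (len - pos < 11) return t;                                // OID + 2-byte TOK_ID
    if (std::memcmp(buf + pos, KRB5_OID, 9) != 0 &&
        std::memcmp(buf + pos, MSKRB5_OID, 9) != 0) return t;
    t.oid_offset = pos; t.krb_offset = pos + 11;
    t.tok_id = (uint16_t)((buf[pos + 9] << 8) | buf[pos + 10]);
    t.ok = true; return t;
}

// Constructed sample: framing around krb_len filler bytes (not a real ticket).
std::vector<uint8_t> sample_token(size_t krb_len, uint8_t tok_hi) {
    size_t inner = 2 + 9 + 2 + krb_len;            // assumed to stay below 0x10000
    std::vector<uint8_t> v = {0x60};
    if (inner >= 0x100) { v.push_back(0x82); v.push_back((uint8_t)(inner >> 8)); }
    else if (inner >= 0x80) v.push_back(0x81);
    v.push_back((uint8_t)inner); v.push_back(0x06); v.push_back(0x09);
    v.insert(v.end(), KRB5_OID, KRB5_OID + 9);
    v.push_back(tok_hi); v.push_back(0x00);
    v.insert(v.end(), krb_len, (uint8_t)0x6e);
    return v;
}
```

Because the OID offset depends on how many bytes the DER length occupies (4, 5 or 6 in these samples), a fixed `+6` or `+5` only holds for tokens in one size range.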


I would like to fix this for the 2.5 release. Do you have some packets I could take a look at?