Hi,
As this is my first interaction with the bro community, first things
first: thanks a lot for working on such an awesome project.
We are currently working on IVRE (https://ivre.rocks,
https://github.com/cea-sec/ivre), an open source framework aimed at
exploring and querying results from various network related tools
(such as nmap scans, bro logs, argus or netflow files), through either
a web interface, CLI tools or a python API.
As part of this work, I was very interested in Seth’s work on SMB, so
this mail is about the topic/seth/smb branch. Here again, thanks a lot
for the huge work on these protocols.
It turns out that for DCE RPC, the NTLM decoding seems broken: the
NTLM analyzer is called, but the decoding fails to recognize the
message type, and no ntlm.log is produced. It works very well for SMB,
though.
After debugging a bit, it turned out that the meta: ASN1EncodingMeta
field of NTLM_SSP_Token in ntlm-protocol.pac should in fact be part of
the underlying GSSAPI layer. Therefore, when directly decoding NTLM
without GSSAPI, the fields are shifted and have no meaning. Since SMB
uses GSSAPI in the examples I found and DCE RPC did not, NTLM over
GSSAPI over SMB worked great, but not NTLM over DCE RPC.
The first field of NTLM should actually be the “NTLMSSP\x00” magic
(according to:
http://davenport.sourceforge.net/ntlm.html#theNtlmMessageHeaderLayout
and Wireshark dissectors). Moving the meta field to the GSSAPI layer
will allow NTLM over DCE RPC to be properly decoded, and maybe HTTP
NTLM authentication later on.
I am attaching a naive (git) patch to this mail; this fixes the
problem for me but might not be the exact way you want to do this.
Also, I might just have missed something from the start, maybe the way
it is currently done was on purpose. Please tell me if you have any
comments on the patch and/or want me to submit it to the bug tracker
or on github.
Sample captures on which the NTLM log generation can be tested:
- DCE RPC: not easy to find an open example capture, but this one
  is ok:
  https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=mapi.cap
  (from packet 711 in Wireshark). You’ll have to register DCE RPC
  on port 4997 (mapi) in bro.
- SMB: I tested on
  https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=smbtorture.cap.gz
  but I guess you already have samples.
Cheers,
Florent
0001-Fix-GSSAPI-mech_token-to-include-ASN1EncodingMeta.patch (3.05 KB)
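The layering problem described in the mail, as an added illustration that is not part of the original message or of the bro/Zeek code base: a small Python parser for the NTLM message header (the "NTLMSSP\x00" signature followed by a little-endian message type, per the davenport.sourceforge.net layout linked above) and a helper that strips one outer ASN.1 tag/length header standing in for the GSSAPI-layer encoding meta. The NTLM samples and the DER wrapper are constructed here and deliberately simplified (the real SPNEGO structure has more nesting); the function names and `gssapi_wrapped` flag are this example's own. Parsing the wrapped bytes as raw NTLM fails, and stripping a wrapper that is not there fails too, which is the symmetric mistake the mail reports for DCE RPC.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def parse_ntlm_header(data):
    """Parse the NTLM message header: 8-byte signature then a 4-byte
    little-endian message type.  Returns the type name, or None when the
    signature is not at offset 0 (e.g. because the token is still wrapped
    in an outer encoding and every field is shifted)."""
    if len(data) < 12 or data[:8] != NTLMSSP_SIGNATURE:
        return None
    (msg_type,) = struct.unpack_from("<I", data, 8)
    return MESSAGE_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type)


def strip_asn1_tlv(data):
    """Strip one outer ASN.1 tag/length header (definite-length DER) and
    return the contained bytes.  Stands in for the GSSAPI-layer encoding
    meta that wraps the raw NTLM token over SMB; this is a simplification
    of the real SPNEGO structure (constructed for this example)."""
    if len(data) < 2:
        raise ValueError("too short for a TLV")
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        length, offset = first, 2
    else:                                 # long form: 0x8N then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(data) < 2 + nbytes:
            raise ValueError("unsupported ASN.1 length encoding")
        length = int.from_bytes(data[2:2 + nbytes], "big")
        offset = 2 + nbytes
    if len(data) < offset + length:
        raise ValueError("truncated TLV")
    return data[offset:offset + length]


def decode_token(data, gssapi_wrapped):
    """Decode according to the carrying layer: over DCE RPC the NTLM token
    is raw, over SMB/GSSAPI one ASN.1 layer must be removed first."""
    if gssapi_wrapped:
        data = strip_asn1_tlv(data)
    return parse_ntlm_header(data)


# Constructed sample: a minimal NTLM NEGOTIATE header (signature + type 1)
# padded with zeros so it resembles the start of a real message.
RAW_NEGOTIATE = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 20

# Constructed sample: the same token wrapped in one DER TLV (OCTET STRING
# tag 0x04, short-form length), mimicking a GSSAPI-carried token.
WRAPPED_NEGOTIATE = b"\x04" + bytes([len(RAW_NEGOTIATE)]) + RAW_NEGOTIATE

# Constructed sample: long-form length encoding of the same wrapper.
WRAPPED_LONGFORM = b"\x04\x81" + bytes([len(RAW_NEGOTIATE)]) + RAW_NEGOTIATE


if __name__ == "__main__":
    # Raw token on DCE RPC decodes directly.
    print("DCE RPC, raw:", decode_token(RAW_NEGOTIATE, False))
    # Wrapped token parsed as raw NTLM: signature mismatch, nothing decoded.
    print("SMB bytes parsed as raw:", parse_ntlm_header(WRAPPED_NEGOTIATE))
    # Wrapped token with the GSSAPI layer stripped first decodes.
    print("SMB, GSSAPI stripped:", decode_token(WRAPPED_NEGOTIATE, True))
```

Run it as a script to see the three cases side by side; `decode_token(RAW_NEGOTIATE, True)` raises `ValueError`, because the signature bytes are then misread as an ASN.1 tag and length, which is the mirror image of the shifted-fields problem.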