SMB2 - NTLM GSSAPI messages

Hello all,

We are using the topic/vladg/smb branch for its SMB support. This branch supports the parsing of SMB1/NTLM/SSP traffic, thereby parsing the so-called ‘GSS-API’-security blob which contains (among other things) the domain, user name and workstation name of the client attempting to authenticate.

Of course, the GSS-API protocol can also be done over SMB2 for which we would also like to have support. At first I was under the impression that this would be a mutatis-mutandis since it obviously already supports these types of messages. It proved to be a little more difficult and I want to cross check with the devs to see if I’m overlooking something.

It appears that the parsing of the GSSAPI is very much intertwined with the SMB parsing itself. The sequence of types defined, SMB_NTLM_SSP, GSS_APINEGTOKEN, GSS_API_INIT, …, SMB_NTLM_AUTH all require the SMB(1) header to be supplied. I think this makes it less trivial to make it quickly support SMB2. ​

There are two strategies that I can think of:

  1. (pac level) Make a separate library of the parsing of the GSSAPI blob ( as I think this is independent of whether SMB1 or SMB2 is used ), which returns the parsed ASN1 structure when called. Then both the SMB1 and SMB2 parser can use these functions.

  2. (bro script level) Make an ASN1 parser at the bro script level that does the parsing there. I would not opt for this route as it probably would be to slow and then we would have two places where this parsing is done.

Does anyone have insights what the best approach is or whether or not bro-dev is already busy with implementing this feature?

Thanks in advance!

-Martin

1) (pac level) Make a separate library of the parsing of the GSSAPI blob ( as I think this is independent of whether SMB1 or SMB2 is used ), which returns the parsed ASN1 structure when called. Then both the SMB1 and SMB2 parser can use these functions.

Yep, that's probably the right way. We never had enough time to get that integrated more cleanly.

2) (bro script level) Make an ASN1 parser at the bro script level that does the parsing there. I would not opt for this route as it probably would be to slow and then we would have two places where this parsing is done.

This is almost certainly not a great idea as you learned. :slight_smile:

  .Seth

My intention for this was to do the parsing at the PAC level, but it wasn’t possible at the time. In the meantime, BinPAC now supports including files from other directories, so just how ASN1 is now a BinPAC library shared by SNMP and Kerberos, I would envision GSSAPI to become a library. This would also allow parsing of NTLM auth over HTTP.

–Vlad