forked from osmocom/wireshark
Move the ntlmv2 response dissection out of packet-ntlmssp.c and in to
packet-smb-common.c so it can be used elsewhere. Dissect a ntlmv2 response in a session setup SMB if detected. svn path=/trunk/; revision=7655
This commit is contained in:
parent
d812376fe4
commit
2b39831b5b
248
packet-ntlmssp.c
248
packet-ntlmssp.c
|
@ -2,7 +2,7 @@
|
|||
* Routines for NTLM Secure Service Provider
|
||||
* Devin Heitmueller <dheitmueller@netilla.com>
|
||||
*
|
||||
* $Id: packet-ntlmssp.c,v 1.39 2003/05/07 07:12:50 tpot Exp $
|
||||
* $Id: packet-ntlmssp.c,v 1.40 2003/05/09 01:41:28 tpot Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -55,23 +55,6 @@ static const value_string ntlmssp_message_types[] = {
|
|||
{ 0, NULL }
|
||||
};
|
||||
|
||||
/* Name types */
|
||||
|
||||
#define NTLMSSP_NAME_END 0x0000
|
||||
#define NTLMSSP_NAME_NB_HOST 0x0001
|
||||
#define NTLMSSP_NAME_NB_DOMAIN 0x0002
|
||||
#define NTLMSSP_NAME_DNS_HOST 0x0003
|
||||
#define NTLMSSP_NAME_DNS_DOMAIN 0x0004
|
||||
|
||||
static const value_string ntlmssp_name_types[] = {
|
||||
{ NTLMSSP_NAME_END, "End of list" },
|
||||
{ NTLMSSP_NAME_NB_HOST, "NetBIOS host name" },
|
||||
{ NTLMSSP_NAME_NB_DOMAIN, "NetBIOS domain name" },
|
||||
{ NTLMSSP_NAME_DNS_HOST, "DNS host name" },
|
||||
{ NTLMSSP_NAME_DNS_DOMAIN, "DNS domain name" },
|
||||
{ 0, NULL }
|
||||
};
|
||||
|
||||
/*
|
||||
* NTLMSSP negotiation flags
|
||||
* Taken from Samba
|
||||
|
@ -109,7 +92,6 @@ static const value_string ntlmssp_name_types[] = {
|
|||
#define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000
|
||||
#define NTLMSSP_NEGOTIATE_80000000 0x80000000
|
||||
|
||||
|
||||
static int proto_ntlmssp = -1;
|
||||
static int hf_ntlmssp = -1;
|
||||
static int hf_ntlmssp_auth = -1;
|
||||
|
@ -185,16 +167,6 @@ static int hf_ntlmssp_verf_unknown1 = -1;
|
|||
static int hf_ntlmssp_verf_crc32 = -1;
|
||||
static int hf_ntlmssp_verf_sequence = -1;
|
||||
static int hf_ntlmssp_decrypted_payload = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response_hmac = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response_header = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response_reserved = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response_time = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response_chal = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response_unknown = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response_name = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response_name_type = -1;
|
||||
static int hf_ntlmssp_ntlmv2_response_name_len = -1;
|
||||
|
||||
static gint ett_ntlmssp = -1;
|
||||
static gint ett_ntlmssp_negotiate_flags = -1;
|
||||
|
@ -202,8 +174,6 @@ static gint ett_ntlmssp_string = -1;
|
|||
static gint ett_ntlmssp_blob = -1;
|
||||
static gint ett_ntlmssp_address_list = -1;
|
||||
static gint ett_ntlmssp_decrypted_tree = -1;
|
||||
static gint ett_ntlmssp_ntlmv2_response = -1;
|
||||
static gint ett_ntlmssp_ntlmv2_response_name = -1;
|
||||
|
||||
/* Configuration variables */
|
||||
static char *nt_password = NULL;
|
||||
|
@ -451,167 +421,15 @@ dissect_ntlmssp_blob (tvbuff_t *tvb, int offset,
|
|||
tvb_memcpy(tvb, result->contents, blob_offset, blob_length);
|
||||
}
|
||||
|
||||
/* If we are dissecting the NTLM response and it is a NTLMv2
|
||||
response call the appropriate dissector. */
|
||||
|
||||
if (blob_hf == hf_ntlmssp_auth_ntresponse && blob_length > 24)
|
||||
dissect_ntlmv2_response(tvb, tree, blob_offset, blob_length);
|
||||
|
||||
return offset;
|
||||
}
|
||||
|
||||
/* Dissect a NTLM response. This could be either NTLMv1 in which case
|
||||
we just call the dissect_ntlmssp_blob() function, or NTLMv2 where
|
||||
the blob actually has some structure. This is documented at
|
||||
http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3 */
|
||||
|
||||
static int
|
||||
dissect_ntlmssp_ntlm_response(tvbuff_t *tvb, int offset,
|
||||
proto_tree *ntlmssp_tree, int blob_hf,
|
||||
int *end, ntlmssp_blob *result)
|
||||
{
|
||||
guint16 blob_length = tvb_get_letohs(tvb, offset);
|
||||
guint16 blob_maxlen = tvb_get_letohs(tvb, offset+2);
|
||||
guint32 blob_offset = tvb_get_letohl(tvb, offset+4);
|
||||
proto_item *item = NULL;
|
||||
proto_tree *subtree = NULL, *ntlmv2_tree = NULL;
|
||||
|
||||
if (blob_length <= 24) {
|
||||
|
||||
/* Not NTLMv2 */
|
||||
|
||||
return dissect_ntlmssp_blob(
|
||||
tvb, offset, ntlmssp_tree, blob_hf, end, result);
|
||||
}
|
||||
|
||||
if (ntlmssp_tree) {
|
||||
item = proto_tree_add_item(
|
||||
ntlmssp_tree, blob_hf, tvb, blob_offset, blob_length,
|
||||
TRUE);
|
||||
subtree = proto_item_add_subtree(item, ett_ntlmssp_blob);
|
||||
}
|
||||
|
||||
/* Dissect NTLMv2 response */
|
||||
|
||||
proto_tree_add_uint(subtree, hf_ntlmssp_blob_len,
|
||||
tvb, offset, 2, blob_length);
|
||||
offset += 2;
|
||||
|
||||
proto_tree_add_uint(subtree, hf_ntlmssp_blob_maxlen,
|
||||
tvb, offset, 2, blob_maxlen);
|
||||
offset += 2;
|
||||
|
||||
proto_tree_add_uint(subtree, hf_ntlmssp_blob_offset,
|
||||
tvb, offset, 4, blob_offset);
|
||||
offset += 4;
|
||||
|
||||
*end = blob_offset + blob_length;
|
||||
|
||||
/* Dissect NTLMv2 bits&pieces */
|
||||
|
||||
if (subtree) {
|
||||
item = proto_tree_add_item(
|
||||
subtree, hf_ntlmssp_ntlmv2_response, tvb,
|
||||
blob_offset, blob_length - 8, TRUE);
|
||||
ntlmv2_tree = proto_item_add_subtree(
|
||||
item, ett_ntlmssp_ntlmv2_response);
|
||||
}
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_hmac, tvb,
|
||||
blob_offset, 16, TRUE);
|
||||
|
||||
blob_offset += 16;
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_header, tvb,
|
||||
blob_offset, 4, TRUE);
|
||||
|
||||
blob_offset += 4;
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_reserved, tvb,
|
||||
blob_offset, 4, TRUE);
|
||||
|
||||
blob_offset += 4;
|
||||
|
||||
blob_offset = dissect_smb_64bit_time(
|
||||
tvb, ntlmv2_tree, blob_offset,
|
||||
hf_ntlmssp_ntlmv2_response_time);
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_chal, tvb,
|
||||
blob_offset, 8, TRUE);
|
||||
|
||||
blob_offset += 8;
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_unknown, tvb,
|
||||
blob_offset, 4, TRUE);
|
||||
|
||||
blob_offset += 4;
|
||||
|
||||
/* Variable length list of names */
|
||||
|
||||
while(1) {
|
||||
guint16 name_type = tvb_get_letohs(tvb, blob_offset);
|
||||
guint16 name_len = tvb_get_letohs(tvb, blob_offset + 2);
|
||||
proto_tree *name_tree = NULL;
|
||||
char *name = NULL;
|
||||
|
||||
if (ntlmv2_tree) {
|
||||
item = proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmssp_ntlmv2_response_name,
|
||||
tvb, blob_offset, 0, TRUE);
|
||||
name_tree = proto_item_add_subtree(
|
||||
item, ett_ntlmssp_ntlmv2_response_name);
|
||||
}
|
||||
|
||||
/* Dissect name header */
|
||||
|
||||
proto_tree_add_item(
|
||||
name_tree, hf_ntlmssp_ntlmv2_response_name_type, tvb,
|
||||
blob_offset, 2, TRUE);
|
||||
|
||||
blob_offset += 2;
|
||||
|
||||
proto_tree_add_item(
|
||||
name_tree, hf_ntlmssp_ntlmv2_response_name_len, tvb,
|
||||
blob_offset, 2, TRUE);
|
||||
|
||||
blob_offset += 2;
|
||||
|
||||
/* Dissect name */
|
||||
|
||||
if (name_len > 0) {
|
||||
name = tvb_fake_unicode(
|
||||
tvb, blob_offset, name_len / 2, TRUE);
|
||||
|
||||
proto_tree_add_text(
|
||||
name_tree, tvb, blob_offset, name_len,
|
||||
"Name: %s", name);
|
||||
} else
|
||||
name = g_strdup("NULL");
|
||||
|
||||
if (name_type == 0)
|
||||
proto_item_append_text(
|
||||
item, "%s",
|
||||
val_to_str(name_type, ntlmssp_name_types,
|
||||
"Unknown"));
|
||||
else
|
||||
proto_item_append_text(
|
||||
item, "%s, %s",
|
||||
val_to_str(name_type, ntlmssp_name_types,
|
||||
"Unknown"), name);
|
||||
|
||||
g_free(name);
|
||||
|
||||
blob_offset += name_len;
|
||||
|
||||
proto_item_set_len(item, name_len + 4);
|
||||
|
||||
if (name_type == 0) /* End of list */
|
||||
break;
|
||||
};
|
||||
|
||||
return offset;
|
||||
}
|
||||
|
||||
static int
|
||||
dissect_ntlmssp_negotiate_flags (tvbuff_t *tvb, int offset,
|
||||
proto_tree *ntlmssp_tree,
|
||||
|
@ -812,19 +630,19 @@ dissect_ntlmssp_address_list (tvbuff_t *tvb, int offset,
|
|||
if (!text) text = ""; /* Make sure we don't blow up below */
|
||||
|
||||
switch(item_type) {
|
||||
case NTLMSSP_NAME_NB_HOST:
|
||||
case NTLM_NAME_NB_HOST:
|
||||
proto_tree_add_string(tree, hf_ntlmssp_address_list_server_nb,
|
||||
tvb, item_offset, item_length, text);
|
||||
break;
|
||||
case NTLMSSP_NAME_NB_DOMAIN:
|
||||
case NTLM_NAME_NB_DOMAIN:
|
||||
proto_tree_add_string(tree, hf_ntlmssp_address_list_domain_nb,
|
||||
tvb, item_offset, item_length, text);
|
||||
break;
|
||||
case NTLMSSP_NAME_DNS_HOST:
|
||||
case NTLM_NAME_DNS_HOST:
|
||||
proto_tree_add_string(tree, hf_ntlmssp_address_list_server_dns,
|
||||
tvb, item_offset, item_length, text);
|
||||
break;
|
||||
case NTLMSSP_NAME_DNS_DOMAIN:
|
||||
case NTLM_NAME_DNS_DOMAIN:
|
||||
proto_tree_add_string(tree, hf_ntlmssp_address_list_domain_dns,
|
||||
tvb, item_offset, item_length, text);
|
||||
}
|
||||
|
@ -1007,11 +825,11 @@ dissect_ntlmssp_auth (tvbuff_t *tvb, packet_info *pinfo, int offset,
|
|||
|
||||
/* NTLM response */
|
||||
item_start = tvb_get_letohl(tvb, offset+4);
|
||||
offset = dissect_ntlmssp_ntlm_response(tvb, offset, ntlmssp_tree,
|
||||
hf_ntlmssp_auth_ntresponse,
|
||||
&item_end,
|
||||
conv_ntlmssp_info == NULL ? NULL :
|
||||
&conv_ntlmssp_info->ntlm_response);
|
||||
offset = dissect_ntlmssp_blob(tvb, offset, ntlmssp_tree,
|
||||
hf_ntlmssp_auth_ntresponse,
|
||||
&item_end,
|
||||
conv_ntlmssp_info == NULL ? NULL :
|
||||
&conv_ntlmssp_info->ntlm_response);
|
||||
data_start = MIN(data_start, item_start);
|
||||
data_end = MAX(data_end, item_end);
|
||||
|
||||
|
@ -1649,37 +1467,7 @@ proto_register_ntlmssp(void)
|
|||
{ &hf_ntlmssp_verf_crc32,
|
||||
{ "Verifier CRC32", "ntlmssp.verf.crc32", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_verf_sequence,
|
||||
{ "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response,
|
||||
{ "NTLMv2 Response", "ntlmssp.auth.ntresponsev2", FT_BYTES, BASE_HEX,
|
||||
NULL, 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response_hmac,
|
||||
{ "HMAC", "ntlmssp.auth.ntresponsev2.hmac", FT_BYTES, BASE_HEX,
|
||||
NULL, 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response_header,
|
||||
{ "Header", "ntlmssp.auth.ntresponsev2.header", FT_UINT32, BASE_HEX,
|
||||
NULL, 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response_reserved,
|
||||
{ "Reserved", "ntlmssp.auth.ntresponsev2.reserved", FT_UINT32, BASE_HEX,
|
||||
NULL, 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response_time,
|
||||
{ "Time", "ntlmssp.auth.ntresponsev2.time", FT_ABSOLUTE_TIME, BASE_NONE,
|
||||
NULL, 0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response_chal,
|
||||
{ "Client challenge", "ntlmssp.auth.ntresponsev2.chal", FT_BYTES,
|
||||
BASE_HEX, NULL, 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response_unknown,
|
||||
{ "Unknown", "ntlmssp.auth.ntresponsev2.unknown", FT_UINT32, BASE_HEX,
|
||||
NULL, 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response_name,
|
||||
{ "Name", "ntlmssp.auth.ntresponsev2.name", FT_STRING, BASE_NONE,
|
||||
NULL, 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response_name_type,
|
||||
{ "Name type", "ntlmssp.auth.ntresponsev2.name.type", FT_UINT32,
|
||||
BASE_DEC, VALS(ntlmssp_name_types), 0x0, "", HFILL }},
|
||||
{ &hf_ntlmssp_ntlmv2_response_name_len,
|
||||
{ "Name len", "ntlmssp.auth.ntresponsev2.name.len", FT_UINT32,
|
||||
BASE_DEC, NULL, 0x0, "", HFILL }},
|
||||
{ "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}
|
||||
};
|
||||
|
||||
|
||||
|
@ -1689,9 +1477,7 @@ proto_register_ntlmssp(void)
|
|||
&ett_ntlmssp_string,
|
||||
&ett_ntlmssp_blob,
|
||||
&ett_ntlmssp_address_list,
|
||||
&ett_ntlmssp_decrypted_tree,
|
||||
&ett_ntlmssp_ntlmv2_response,
|
||||
&ett_ntlmssp_ntlmv2_response_name
|
||||
&ett_ntlmssp_decrypted_tree
|
||||
};
|
||||
module_t *ntlmssp_module;
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
* Common routines for smb packet dissection
|
||||
* Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
|
||||
*
|
||||
* $Id: packet-smb-common.c,v 1.16 2003/04/03 02:57:48 tpot Exp $
|
||||
* $Id: packet-smb-common.c,v 1.17 2003/05/09 01:41:28 tpot Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -284,3 +284,201 @@ dissect_smb_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int
|
|||
|
||||
return offset+tvb_length_remaining(tvb, offset);
|
||||
}
|
||||
|
||||
/* Dissect a NTLM response. This is documented at
|
||||
http://ubiqx.org/cifs/SMB.html#8, para 2.8.5.3 */
|
||||
|
||||
static int hf_ntlmv2_response = -1;
|
||||
static int hf_ntlmv2_response_hmac = -1;
|
||||
static int hf_ntlmv2_response_header = -1;
|
||||
static int hf_ntlmv2_response_reserved = -1;
|
||||
static int hf_ntlmv2_response_time = -1;
|
||||
static int hf_ntlmv2_response_chal = -1;
|
||||
static int hf_ntlmv2_response_unknown = -1;
|
||||
static int hf_ntlmv2_response_name = -1;
|
||||
static int hf_ntlmv2_response_name_type = -1;
|
||||
static int hf_ntlmv2_response_name_len = -1;
|
||||
|
||||
static gint ett_ntlmv2_response = -1;
|
||||
static gint ett_ntlmv2_response_name = -1;
|
||||
|
||||
/* Name types */
|
||||
|
||||
const value_string ntlm_name_types[] = {
|
||||
{ NTLM_NAME_END, "End of list" },
|
||||
{ NTLM_NAME_NB_HOST, "NetBIOS host name" },
|
||||
{ NTLM_NAME_NB_DOMAIN, "NetBIOS domain name" },
|
||||
{ NTLM_NAME_DNS_HOST, "DNS host name" },
|
||||
{ NTLM_NAME_DNS_DOMAIN, "DNS domain name" },
|
||||
{ 0, NULL }
|
||||
};
|
||||
|
||||
int
|
||||
dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *tree, int offset, int len)
|
||||
{
|
||||
proto_item *ntlmv2_item = NULL;
|
||||
proto_tree *ntlmv2_tree = NULL;
|
||||
|
||||
/* Dissect NTLMv2 bits&pieces */
|
||||
|
||||
if (tree) {
|
||||
ntlmv2_item = proto_tree_add_item(
|
||||
tree, hf_ntlmv2_response, tvb,
|
||||
offset, len, TRUE);
|
||||
ntlmv2_tree = proto_item_add_subtree(
|
||||
ntlmv2_item, ett_ntlmv2_response);
|
||||
}
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmv2_response_hmac, tvb,
|
||||
offset, 16, TRUE);
|
||||
|
||||
offset += 16;
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmv2_response_header, tvb,
|
||||
offset, 4, TRUE);
|
||||
|
||||
offset += 4;
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmv2_response_reserved, tvb,
|
||||
offset, 4, TRUE);
|
||||
|
||||
offset += 4;
|
||||
|
||||
offset = dissect_smb_64bit_time(
|
||||
tvb, ntlmv2_tree, offset, hf_ntlmv2_response_time);
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmv2_response_chal, tvb,
|
||||
offset, 8, TRUE);
|
||||
|
||||
offset += 8;
|
||||
|
||||
proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmv2_response_unknown, tvb,
|
||||
offset, 4, TRUE);
|
||||
|
||||
offset += 4;
|
||||
|
||||
/* Variable length list of names */
|
||||
|
||||
while(1) {
|
||||
guint16 name_type = tvb_get_letohs(tvb, offset);
|
||||
guint16 name_len = tvb_get_letohs(tvb, offset + 2);
|
||||
proto_tree *name_tree = NULL;
|
||||
proto_item *name_item = NULL;
|
||||
char *name = NULL;
|
||||
|
||||
if (ntlmv2_tree) {
|
||||
name_item = proto_tree_add_item(
|
||||
ntlmv2_tree, hf_ntlmv2_response_name,
|
||||
tvb, offset, 0, TRUE);
|
||||
name_tree = proto_item_add_subtree(
|
||||
name_item, ett_ntlmv2_response_name);
|
||||
}
|
||||
|
||||
/* Dissect name header */
|
||||
|
||||
proto_tree_add_item(
|
||||
name_tree, hf_ntlmv2_response_name_type, tvb,
|
||||
offset, 2, TRUE);
|
||||
|
||||
offset += 2;
|
||||
|
||||
proto_tree_add_item(
|
||||
name_tree, hf_ntlmv2_response_name_len, tvb,
|
||||
offset, 2, TRUE);
|
||||
|
||||
offset += 2;
|
||||
|
||||
/* Dissect name */
|
||||
|
||||
if (name_len > 0) {
|
||||
name = tvb_fake_unicode(
|
||||
tvb, offset, name_len / 2, TRUE);
|
||||
|
||||
proto_tree_add_text(
|
||||
name_tree, tvb, offset, name_len,
|
||||
"Name: %s", name);
|
||||
} else
|
||||
name = g_strdup("NULL");
|
||||
|
||||
if (name_type == 0)
|
||||
proto_item_append_text(
|
||||
name_item, "%s",
|
||||
val_to_str(name_type, ntlm_name_types,
|
||||
"Unknown"));
|
||||
else
|
||||
proto_item_append_text(
|
||||
name_item, "%s, %s",
|
||||
val_to_str(name_type, ntlm_name_types,
|
||||
"Unknown"), name);
|
||||
|
||||
g_free(name);
|
||||
|
||||
offset += name_len;
|
||||
|
||||
proto_item_set_len(name_item, name_len + 4);
|
||||
|
||||
if (name_type == 0) /* End of list */
|
||||
break;
|
||||
};
|
||||
|
||||
return offset;
|
||||
}
|
||||
|
||||
void register_smb_common(int proto_smb)
|
||||
{
|
||||
static hf_register_info hf[] = {
|
||||
|
||||
{ &hf_ntlmv2_response,
|
||||
{ "NTLMv2 Response", "smb.ntlmv2response", FT_BYTES,
|
||||
BASE_HEX, NULL, 0x0, "", HFILL }},
|
||||
|
||||
{ &hf_ntlmv2_response_hmac,
|
||||
{ "HMAC", "smb.ntlmv2response.hmac", FT_BYTES, BASE_HEX,
|
||||
NULL, 0x0, "", HFILL }},
|
||||
|
||||
{ &hf_ntlmv2_response_header,
|
||||
{ "Header", "smb.ntlmv2response.header", FT_UINT32,
|
||||
BASE_HEX, NULL, 0x0, "", HFILL }},
|
||||
|
||||
{ &hf_ntlmv2_response_reserved,
|
||||
{ "Reserved", "smb.ntlmv2response.reserved", FT_UINT32,
|
||||
BASE_HEX, NULL, 0x0, "", HFILL }},
|
||||
|
||||
{ &hf_ntlmv2_response_time,
|
||||
{ "Time", "smb.ntlmv2response.time", FT_ABSOLUTE_TIME,
|
||||
BASE_NONE, NULL, 0, "", HFILL }},
|
||||
|
||||
{ &hf_ntlmv2_response_chal,
|
||||
{ "Client challenge", "smb.ntlmv2response.chal", FT_BYTES,
|
||||
BASE_HEX, NULL, 0x0, "", HFILL }},
|
||||
|
||||
{ &hf_ntlmv2_response_unknown,
|
||||
{ "Unknown", "smb.ntlmv2response.unknown", FT_UINT32,
|
||||
BASE_HEX, NULL, 0x0, "", HFILL }},
|
||||
|
||||
{ &hf_ntlmv2_response_name,
|
||||
{ "Name", "smb.ntlmv2response.name", FT_STRING, BASE_NONE,
|
||||
NULL, 0x0, "", HFILL }},
|
||||
|
||||
{ &hf_ntlmv2_response_name_type,
|
||||
{ "Name type", "smb.ntlmv2response.name.type", FT_UINT32,
|
||||
BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }},
|
||||
|
||||
{ &hf_ntlmv2_response_name_len,
|
||||
{ "Name len", "smb.ntlmv2response.name.len", FT_UINT32,
|
||||
BASE_DEC, NULL, 0x0, "", HFILL }}
|
||||
};
|
||||
|
||||
static gint *ett[] = {
|
||||
&ett_ntlmv2_response,
|
||||
&ett_ntlmv2_response_name
|
||||
};
|
||||
|
||||
proto_register_subtree_array(ett, array_length(ett));
|
||||
proto_register_field_array(proto_smb, hf, array_length(hf));
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
* Routines for SMB packet dissection
|
||||
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
|
||||
*
|
||||
* $Id: packet-smb-common.h,v 1.21 2003/04/28 04:44:54 tpot Exp $
|
||||
* $Id: packet-smb-common.h,v 1.22 2003/05/09 01:41:28 tpot Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -80,4 +80,20 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
|
|||
|
||||
extern const value_string share_type_vals[];
|
||||
|
||||
/* Dissect a ntlmv2 response */
|
||||
|
||||
int
|
||||
dissect_ntlmv2_response(tvbuff_t *tvb, proto_tree *ntlmssp_tree, int offset,
|
||||
int len);
|
||||
|
||||
void register_smb_common(int proto_smb);
|
||||
|
||||
extern const value_string ntlm_name_types[];
|
||||
|
||||
#define NTLM_NAME_END 0x0000
|
||||
#define NTLM_NAME_NB_HOST 0x0001
|
||||
#define NTLM_NAME_NB_DOMAIN 0x0002
|
||||
#define NTLM_NAME_DNS_HOST 0x0003
|
||||
#define NTLM_NAME_DNS_DOMAIN 0x0004
|
||||
|
||||
#endif
|
||||
|
|
25
packet-smb.c
25
packet-smb.c
|
@ -3,7 +3,7 @@
|
|||
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
|
||||
* 2001 Rewrite by Ronnie Sahlberg and Guy Harris
|
||||
*
|
||||
* $Id: packet-smb.c,v 1.337 2003/04/29 21:27:05 guy Exp $
|
||||
* $Id: packet-smb.c,v 1.338 2003/05/09 01:41:28 tpot Exp $
|
||||
*
|
||||
* Ethereal - Network traffic analyzer
|
||||
* By Gerald Combs <gerald@ethereal.com>
|
||||
|
@ -673,7 +673,7 @@ static gint ett_smb_ace_flags = -1;
|
|||
static gint ett_smb_sec_desc_type = -1;
|
||||
static gint ett_smb_quotaflags = -1;
|
||||
static gint ett_smb_secblob = -1;
|
||||
|
||||
static gint ett_smb_unicode_password = -1;
|
||||
|
||||
static int smb_tap = -1;
|
||||
|
||||
|
@ -5753,10 +5753,22 @@ dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree
|
|||
}
|
||||
|
||||
if(upwlen){
|
||||
proto_item *item;
|
||||
|
||||
/* password, Unicode */
|
||||
CHECK_BYTE_COUNT(upwlen);
|
||||
proto_tree_add_item(tree, hf_smb_unicode_password,
|
||||
item = proto_tree_add_item(tree, hf_smb_unicode_password,
|
||||
tvb, offset, upwlen, TRUE);
|
||||
|
||||
if (upwlen > 24) {
|
||||
proto_tree *subtree;
|
||||
|
||||
subtree = proto_item_add_subtree(item, ett_smb_unicode_password);
|
||||
|
||||
dissect_ntlmv2_response(
|
||||
tvb, subtree, offset, upwlen);
|
||||
}
|
||||
|
||||
COUNT_BYTES(upwlen);
|
||||
}
|
||||
|
||||
|
@ -18228,8 +18240,9 @@ proto_register_smb(void)
|
|||
{ &hf_access_specific_0,
|
||||
{ "Specific access, bit 0", "nt.access_mask.specific_0",
|
||||
FT_BOOLEAN, 32, TFS(&flags_set_truth),
|
||||
0x0001, "Specific access, bit 0", HFILL }},
|
||||
0x0001, "Specific access, bit 0", HFILL }}
|
||||
};
|
||||
|
||||
static gint *ett[] = {
|
||||
&ett_smb,
|
||||
&ett_smb_hdr,
|
||||
|
@ -18310,6 +18323,7 @@ proto_register_smb(void)
|
|||
&ett_nt_access_mask_generic,
|
||||
&ett_nt_access_mask_standard,
|
||||
&ett_nt_access_mask_specific,
|
||||
&ett_smb_unicode_password
|
||||
};
|
||||
module_t *smb_module;
|
||||
|
||||
|
@ -18317,6 +18331,9 @@ proto_register_smb(void)
|
|||
"SMB", "smb");
|
||||
proto_register_subtree_array(ett, array_length(ett));
|
||||
proto_register_field_array(proto_smb, hf, array_length(hf));
|
||||
|
||||
register_smb_common(proto_smb);
|
||||
|
||||
register_init_routine(&smb_init_protocol);
|
||||
smb_module = prefs_register_protocol(proto_smb, NULL);
|
||||
prefs_register_bool_preference(smb_module, "trans_reassembly",
|
||||
|
|
Loading…
Reference in New Issue