From f6e347bbc5f43da06ae6765a9b2ac864c8cdf542 Mon Sep 17 00:00:00 2001
From: Tim Potter
Date: Thu, 15 May 2003 02:01:39 +0000
Subject: [PATCH] Dissect authentication data for netlogon secure channel bind and bind acks.

svn path=/trunk/; revision=7667
---
 packet-dcerpc-netlogon.c | 127 ++++++++++++++++++++++++++++++++++++++-
 packet-dcerpc-netlogon.h | 12 +++-
 2 files changed, 135 insertions(+), 4 deletions(-)

diff --git a/packet-dcerpc-netlogon.c b/packet-dcerpc-netlogon.c
index 9be2f23028..218cdf4942 100644
--- a/packet-dcerpc-netlogon.c
+++ b/packet-dcerpc-netlogon.c
@@ -3,7 +3,7 @@
 * Copyright 2001,2003 Tim Potter
 * 2002 structure and command dissectors by Ronnie Sahlberg
 *
- * $Id: packet-dcerpc-netlogon.c,v 1.78 2003/05/09 01:46:13 tpot Exp $
+ * $Id: packet-dcerpc-netlogon.c,v 1.79 2003/05/15 02:01:39 tpot Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -5936,7 +5936,98 @@ netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
 return offset;
 }
+/* Dissect secure channel stuff */
+static int hf_netlogon_secchan_bind_unknown1 = -1;
+static int hf_netlogon_secchan_bind_unknown2 = -1;
+static int hf_netlogon_secchan_domain = -1;
+static int hf_netlogon_secchan_host = -1;
+static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
+static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
+static int hf_netlogon_secchan_bind_ack_unknown3 = -1;
+
+static gint ett_secchan_bind_creds = -1;
+static gint ett_secchan_bind_ack_creds = -1;
+
+int netlogon_dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ int start_offset = offset;
+ proto_item *item = NULL;
+ proto_tree *subtree = NULL;
+ int len;
+
+ if (tree) {
+ item = proto_tree_add_text(
+ tree, tvb, offset, 0,
+ "Secure Channel Bind Credentials");
+ subtree = proto_item_add_subtree(
+ item, ett_secchan_bind_creds);
+ }
+
+ /* We can't use the NDR routines as the DCERPC call data hasn't
+ been initialised since we haven't made a DCERPC call yet, just
+ a bind request. */
+
+ offset = dissect_dcerpc_uint32(
+ tvb, offset, pinfo, subtree, drep,
+ hf_netlogon_secchan_bind_unknown1, NULL);
+
+ offset = dissect_dcerpc_uint32(
+ tvb, offset, pinfo, subtree, drep,
+ hf_netlogon_secchan_bind_unknown2, NULL);
+
+ len = tvb_strsize(tvb, offset);
+
+ proto_tree_add_item(
+ subtree, hf_netlogon_secchan_domain, tvb, offset, len, FALSE);
+
+ offset += len;
+
+ len = tvb_strsize(tvb, offset);
+
+ proto_tree_add_item(
+ subtree, hf_netlogon_secchan_host, tvb, offset, len, FALSE);
+
+ offset += len;
+
+ proto_item_set_len(item, offset - start_offset);
+
+ return offset;
+}
+
+int netlogon_dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
+ packet_info *pinfo,
+ proto_tree *tree, char *drep)
+{
+ proto_item *item = NULL;
+ proto_tree *subtree = NULL;
+
+ if (tree) {
+ item = proto_tree_add_text(
+ tree, tvb, offset, 0,
+ "Secure Channel Bind ACK Credentials");
+ subtree = proto_item_add_subtree(
+ item, ett_secchan_bind_ack_creds);
+ }
+
+ /* Don't use NDR routines here */
+
+ offset = dissect_dcerpc_uint32(
+ tvb, offset, pinfo, subtree, drep,
+ hf_netlogon_secchan_bind_ack_unknown1, NULL);
+
+ offset = dissect_dcerpc_uint32(
+ tvb, offset, pinfo, subtree, drep,
+ hf_netlogon_secchan_bind_ack_unknown2, NULL);
+
+ offset = dissect_dcerpc_uint32(
+ tvb, offset, pinfo, subtree, drep,
+ hf_netlogon_secchan_bind_ack_unknown3, NULL);
+
+ return offset;
+}
 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
 { NETLOGON_UASLOGON, "UasLogon",
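Review bot: `netlogon_dissect_secchan_bind_ack_creds` creates its "Secure Channel Bind ACK Credentials" item with length 0 and never resizes it, so the subtree header covers none of the three 32-bit words it dissects, unlike its sibling which calls `proto_item_set_len`; record `int start_offset = offset;` with the other locals and add `proto_item_set_len(item, offset - start_offset);` before the `return`. In `netlogon_dissect_secchan_bind_creds` the `proto_tree_add_text` call is guarded by `if (tree)`, so `item` stays NULL on the non-tree pass, yet `proto_item_set_len(item, ...)` runs unconditionally; that is only safe if the helper tolerates a NULL item, which I cannot confirm from this hunk, and wrapping the call in the same `if (tree)` guard removes the doubt. Both functions correctly leave bounds enforcement to `tvb_strsize` and the tvb accessors, which reject a string or word that runs past the captured data, so a malformed or truncated credential blob cannot read beyond the buffer. The first two words are registered as `Unknown1`/`Unknown2`; a comment such as `/* Meaning of these two words is not yet verified against a reference */` above the first `dissect_dcerpc_uint32` call would record that for the next maintainer.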
@@ -6903,7 +6994,35 @@ static hf_register_info hf[] = {
 { &hf_netlogon_timelimit,
 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
- NULL, 0, "", HFILL }}
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_secchan_bind_unknown1,
+ { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_secchan_bind_unknown2,
+ { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_secchan_domain,
+ { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_secchan_host,
+ { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_secchan_bind_ack_unknown1,
+ { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_secchan_bind_ack_unknown2,
+ { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_secchan_bind_ack_unknown3,
+ { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32,
+ BASE_HEX, NULL, 0x0, "", HFILL }},
 };
@@ -6929,7 +7048,9 @@ static hf_register_info hf[] = {
 &ett_DOMAIN_TRUST_INFO,
 &ett_trust_flags,
 &ett_get_dcname_request_flags,
- &ett_dc_flags
+ &ett_dc_flags,
+ &ett_secchan_bind_creds,
+ &ett_secchan_bind_ack_creds
 };
 proto_dcerpc_netlogon = proto_register_protocol(
diff --git a/packet-dcerpc-netlogon.h b/packet-dcerpc-netlogon.h
index bfaaa82b27..7f6ba0e0ba 100644
--- a/packet-dcerpc-netlogon.h
+++ b/packet-dcerpc-netlogon.h
@@ -2,7 +2,7 @@
 * Routines for SMB \PIPE\NETLOGON packet disassembly
 * Copyright 2001,2003 Tim Potter
 *
- * $Id: packet-dcerpc-netlogon.h,v 1.11 2003/01/14 05:09:16 tpot Exp $
+ * $Id: packet-dcerpc-netlogon.h,v 1.12 2003/05/15 02:01:39 tpot Exp $
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs
@@ -75,4 +75,14 @@
 #define SEC_CHAN_DOMAIN 4
 #define SEC_CHAN_BDC 6
+/* Function prototypes */
+
+int netlogon_dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep);
+
+int netlogon_dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
+ packet_info *pinfo,
+ proto_tree *tree, char *drep);
+
 #endif /* packet-dcerpc-netlogon.h */
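Review bot: The two exported prototypes sit under a bare `/* Function prototypes */` banner that says nothing about what they decode or what they return, so a reader of the header has to open the .c file to learn that they parse the authentication data of a netlogon secure channel bind and bind ack (the commit message is the only place this is stated). Suggest replacing the banner with `/* Dissect the netlogon secure channel credentials carried on a DCERPC bind (bind_creds) and bind ack (bind_ack_creds); each returns the offset just past the data it consumed. */`. Since `drep` is taken as `char *` and used for byte-order selection in the implementation, the comment could also note that it is the DCERPC data representation of the enclosing PDU, if that matches how the callers supply it.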