2011-09-30 15:21:16 +00:00
|
|
|
/* packet-credssp.c
|
|
|
|
|
* Routines for CredSSP (Credential Security Support Provider) packet dissection
|
|
|
|
|
* Graeme Lunt 2011
|
|
|
|
|
*
|
|
|
|
|
* Wireshark - Network traffic analyzer
|
|
|
|
|
* By Gerald Combs <gerald@wireshark.org>
|
|
|
|
|
* Copyright 1998 Gerald Combs
|
|
|
|
|
*
|
2018-02-12 11:23:27 +00:00
|
|
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
2011-09-30 15:21:16 +00:00
|
|
|
*/
|
|
|
|
|
|
2012-09-20 01:29:52 +00:00
|
|
|
#include "config.h"
|
2011-09-30 15:21:16 +00:00
|
|
|
|
|
|
|
|
#include <epan/packet.h>
|
|
|
|
|
#include <epan/asn1.h>
|
2013-06-18 01:13:07 +00:00
|
|
|
#include <epan/tap.h>
|
|
|
|
|
#include <epan/exported_pdu.h>
|
2011-09-30 15:21:16 +00:00
|
|
|
|
|
|
|
|
#include "packet-ber.h"
|
2021-05-22 12:27:07 +00:00
|
|
|
#include "packet-dcerpc.h"
|
|
|
|
|
#include "packet-gssapi.h"
|
2021-06-20 19:28:36 +00:00
|
|
|
#include "packet-kerberos.h"
|
|
|
|
|
#include "packet-ntlmssp.h"
|
2011-09-30 15:21:16 +00:00
|
|
|
#include "packet-credssp.h"
|
|
|
|
|
|
|
|
|
|
#define PNAME "Credential Security Support Provider"
|
|
|
|
|
#define PSNAME "CredSSP"
|
|
|
|
|
#define PFNAME "credssp"
|
|
|
|
|
|
|
|
|
|
#define TS_PASSWORD_CREDS 1
|
|
|
|
|
#define TS_SMARTCARD_CREDS 2
|
2021-06-16 13:49:03 +00:00
|
|
|
#define TS_REMOTEGUARD_CREDS 6
|
|
|
|
|
|
2011-09-30 15:21:16 +00:00
|
|
|
static gint creds_type;
|
2021-05-16 18:09:24 +00:00
|
|
|
static gint credssp_ver;
|
2011-09-30 15:21:16 +00:00
|
|
|
|
2021-06-20 19:28:36 +00:00
|
|
|
static char kerberos_pname[] = "K\0e\0r\0b\0e\0r\0o\0s";
|
|
|
|
|
static char ntlm_pname[] = "N\0T\0L\0M";
|
|
|
|
|
|
|
|
|
|
#define TS_RGC_UNKNOWN 0
|
|
|
|
|
#define TS_RGC_KERBEROS 1
|
|
|
|
|
#define TS_RGC_NTLM 2
|
|
|
|
|
|
|
|
|
|
static gint credssp_TS_RGC_package;
|
|
|
|
|
|
2013-06-18 01:13:07 +00:00
|
|
|
static gint exported_pdu_tap = -1;
|
|
|
|
|
|
2011-09-30 15:21:16 +00:00
|
|
|
/* Initialize the protocol and registered fields */
|
|
|
|
|
static int proto_credssp = -1;
|
|
|
|
|
|
|
|
|
|
/* List of dissectors to call for negoToken data */
|
|
|
|
|
static heur_dissector_list_t credssp_heur_subdissector_list;
|
|
|
|
|
|
2021-05-22 12:14:14 +00:00
|
|
|
static dissector_handle_t gssapi_handle;
|
2021-05-22 12:27:07 +00:00
|
|
|
static dissector_handle_t gssapi_wrap_handle;
|
2021-05-22 12:14:14 +00:00
|
|
|
|
2011-09-30 15:21:16 +00:00
|
|
|
static int hf_credssp_TSPasswordCreds = -1; /* TSPasswordCreds */
|
|
|
|
|
static int hf_credssp_TSSmartCardCreds = -1; /* TSSmartCardCreds */
|
2021-06-16 13:49:03 +00:00
|
|
|
static int hf_credssp_TSRemoteGuardCreds = -1;/* TSRemoteGuardCreds */
|
2011-09-30 15:21:16 +00:00
|
|
|
static int hf_credssp_TSCredentials = -1; /* TSCredentials */
|
2021-05-22 12:47:03 +00:00
|
|
|
static int hf_credssp_decr_PublicKeyAuth = -1;/* decr_PublicKeyAuth */
|
2011-09-30 15:21:16 +00:00
|
|
|
#include "packet-credssp-hf.c"
|
|
|
|
|
|
|
|
|
|
/* Initialize the subtree pointers */
|
|
|
|
|
static gint ett_credssp = -1;
|
2021-06-20 19:28:36 +00:00
|
|
|
static gint ett_credssp_RGC_CredBuffer = -1;
|
|
|
|
|
|
2011-09-30 15:21:16 +00:00
|
|
|
#include "packet-credssp-ett.c"
|
|
|
|
|
|
|
|
|
|
#include "packet-credssp-fn.c"
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Dissect CredSSP PDUs
|
|
|
|
|
*/
|
2014-10-06 13:31:47 +00:00
|
|
|
static int
|
|
|
|
|
dissect_credssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data)
|
2011-09-30 15:21:16 +00:00
|
|
|
{
|
|
|
|
|
proto_item *item=NULL;
|
|
|
|
|
proto_tree *tree=NULL;
|
|
|
|
|
|
|
|
|
|
if(parent_tree){
|
|
|
|
|
item = proto_tree_add_item(parent_tree, proto_credssp, tvb, 0, -1, ENC_NA);
|
|
|
|
|
tree = proto_item_add_subtree(item, ett_credssp);
|
|
|
|
|
}
|
|
|
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "CredSSP");
|
|
|
|
|
col_clear(pinfo->cinfo, COL_INFO);
|
|
|
|
|
|
|
|
|
|
creds_type = -1;
|
2021-05-16 18:09:24 +00:00
|
|
|
credssp_ver = -1;
|
|
|
|
|
|
2014-10-06 13:31:47 +00:00
|
|
|
return dissect_TSRequest_PDU(tvb, pinfo, tree, data);
|
2011-09-30 15:21:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static gboolean
|
2012-09-10 21:40:21 +00:00
|
|
|
dissect_credssp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_)
|
2011-09-30 15:21:16 +00:00
|
|
|
{
|
|
|
|
|
asn1_ctx_t asn1_ctx;
|
|
|
|
|
int offset = 0;
|
2013-03-03 21:22:25 +00:00
|
|
|
gint8 ber_class;
|
2011-09-30 15:21:16 +00:00
|
|
|
gboolean pc;
|
|
|
|
|
gint32 tag;
|
|
|
|
|
guint32 length;
|
2014-08-10 08:43:33 +00:00
|
|
|
gint8 ver;
|
2011-09-30 15:21:16 +00:00
|
|
|
|
|
|
|
|
asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
|
|
|
|
|
|
2014-02-26 19:29:17 +00:00
|
|
|
/* Look for SEQUENCE, CONTEXT 0, and INTEGER 2 */
|
2014-06-19 19:55:27 +00:00
|
|
|
if(tvb_captured_length(tvb) > 7) {
|
2014-02-26 19:29:17 +00:00
|
|
|
offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
|
2013-03-03 21:22:25 +00:00
|
|
|
if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_SEQUENCE) && (pc == TRUE)) {
|
2011-09-30 15:21:16 +00:00
|
|
|
offset = get_ber_length(tvb, offset, NULL, NULL);
|
2014-02-26 19:29:17 +00:00
|
|
|
offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
|
2013-03-03 21:22:25 +00:00
|
|
|
if((ber_class == BER_CLASS_CON) && (tag == 0)) {
|
2013-06-18 01:13:07 +00:00
|
|
|
offset = get_ber_length(tvb, offset, NULL, NULL);
|
2014-02-26 19:29:17 +00:00
|
|
|
offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag);
|
2013-06-18 01:13:07 +00:00
|
|
|
if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_INTEGER)) {
|
|
|
|
|
offset = get_ber_length(tvb, offset, &length, NULL);
|
2014-08-10 08:43:33 +00:00
|
|
|
ver = tvb_get_guint8(tvb, offset);
|
2021-05-16 18:11:46 +00:00
|
|
|
if((length == 1) && (ver > 1) && (ver < 99)) {
|
2013-06-18 01:13:07 +00:00
|
|
|
if (have_tap_listener(exported_pdu_tap)) {
|
Dissector names are not protocol names.
A given protocol's packet format may depend, for example, on which
lower-level protocol is transporting the protocol in question. For
example, protocols that run atop both byte-stream protocols such as TCP
and TLS, and packet-oriented protocols such as UDP or DTLS, might begin
the packet with a length when running atop a byte-stream protocol, to
indicate where this packet ends and the next packet begins in the byte
stream, but not do so when running atop a packet-oriented protocol.
Dissectors can handle this in various ways:
For example, the dissector could attempt to determine the protocol over
which the packet was transported.
Unfortunately, many of those mechanisms do so by fetching data from the
packet_info structure, and many items in that structure act as global
variables, so that, for example, if there are two two PDUs for protocol
A inside a TCP segment, and the first protocol for PDU A contains a PDU
for protocol B, and protocol B's dissector, or a dissector it calls,
modifies the information in the packet_info structure so that it no
longer indicates that the parent protocol is TCP, the second PDU for
protocol A might not be correctly dissected.
Another such mechanism is to query the previous element in the layers
structure of the packet_info structure, which is a list of protocol IDs.
Unfortunately, that is not a list of earlier protocols in the protocol
stack, it's a list of earlier protocols in the dissection, which means
that, in the above example, when the second PDU for protocol A is
dissected, the list is {...,TCP,A,B,...,A}, which means that the
previous element in the list is not TCP, so, again, the second PDU for
protocol A will not be correctly dissected.
An alternative is to have multiple dissectors for the same protocol,
with the part of the protocol that's independent of the protocol
transporting the PDU being dissected by common code. Protocol B might
have an "over a byte-stream transport" dissector and an "over a packet
transport" dissector, with the first dissector being registered for use
over TCP and TLS and the other dissector being registered for use over
packet protocols. This mechanism, unlike the other mechanisms, is not
dependent on information in the packet_info structure that might be
affected by dissectors other than the one for the protocol that
transports protocol B.
Furthermore, in a LINKTYPE_WIRESHARK_UPPER_PDU pcap or pcapng packet for
protocol B, there might not be any information to indicate the protocol
that transports protocol B, so there would have to be separate
dissectors for protocol B, with separate names, so that a tag giving the
protocol name would differ for B-over-byte-stream and B-over-packets.
So:
We rename EXP_PDU_TAG_PROTO_NAME and EXP_PDU_TAG_HEUR_PROTO_NAME to
EXP_PDU_TAG_DISSECTOR_NAME and EXP_PDU_TAG_HEUR_DISSECTOR_NAME, to
emphasize that they are *not* protocol names, they are dissector names
(which has always been the case - if there's a protocol with that name,
but no dissector with that name, Wireshark will not be able to handle
the packet, as it will try to look up a dissector given that name and
fail).
We fix that exported PDU dissector to refer to those tags as dissector
names, not protocol names.
We update documentation to refer to them as DISSECTOR_NAME tags, not
PROTO_NAME tags. (If there is any documentation for this outside the
Wireshark source, it should be updated as well.)
We add comments for calls to dissector_handle_get_dissector_name() where
the dissector name is shown to the user, to indicate that it might be
that the protocol name should be used.
We update the TLS and DTLS dissectors to show the encapsulated protocol
as the string returned by dissector_handle_get_long_name(); as the
default is "Application Data", it appeaers that a descriptive name,
rather than a short API name, should be used. (We continue to use the
dissector name in debugging messages, to indicate which dissector was
called.)
2022-09-11 05:37:11 +00:00
|
|
|
exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, "credssp", EXP_PDU_TAG_DISSECTOR_NAME);
|
2013-06-18 01:13:07 +00:00
|
|
|
|
2014-03-18 22:01:22 +00:00
|
|
|
exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb);
|
|
|
|
|
exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb);
|
2013-06-18 01:13:07 +00:00
|
|
|
exp_pdu_data->pdu_tvb = tvb;
|
|
|
|
|
|
|
|
|
|
tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data);
|
|
|
|
|
}
|
2014-10-06 13:31:47 +00:00
|
|
|
dissect_credssp(tvb, pinfo, parent_tree, NULL);
|
2013-06-18 01:13:07 +00:00
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
}
|
2011-09-30 15:21:16 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*--- proto_register_credssp -------------------------------------------*/
|
|
|
|
|
void proto_register_credssp(void) {
|
|
|
|
|
|
|
|
|
|
/* List of fields */
|
|
|
|
|
static hf_register_info hf[] =
|
|
|
|
|
{
|
|
|
|
|
{ &hf_credssp_TSPasswordCreds,
|
|
|
|
|
{ "TSPasswordCreds", "credssp.TSPasswordCreds",
|
|
|
|
|
FT_NONE, BASE_NONE, NULL, 0,
|
|
|
|
|
NULL, HFILL }},
|
|
|
|
|
{ &hf_credssp_TSSmartCardCreds,
|
|
|
|
|
{ "TSSmartCardCreds", "credssp.TSSmartCardCreds",
|
|
|
|
|
FT_NONE, BASE_NONE, NULL, 0,
|
|
|
|
|
NULL, HFILL }},
|
2021-06-16 13:49:03 +00:00
|
|
|
{ &hf_credssp_TSRemoteGuardCreds,
|
|
|
|
|
{ "TSRemoteGuardCreds", "credssp.TSRemoteGuardCreds",
|
|
|
|
|
FT_NONE, BASE_NONE, NULL, 0,
|
|
|
|
|
NULL, HFILL }},
|
2011-09-30 15:21:16 +00:00
|
|
|
{ &hf_credssp_TSCredentials,
|
|
|
|
|
{ "TSCredentials", "credssp.TSCredentials",
|
|
|
|
|
FT_NONE, BASE_NONE, NULL, 0,
|
|
|
|
|
NULL, HFILL }},
|
2021-05-22 12:47:03 +00:00
|
|
|
{ &hf_credssp_decr_PublicKeyAuth,
|
|
|
|
|
{ "Decrypted PublicKeyAuth (sha256)", "credssp.decr_PublicKeyAuth",
|
|
|
|
|
FT_BYTES, BASE_NONE, NULL, 0,
|
|
|
|
|
NULL, HFILL }},
|
2011-09-30 15:21:16 +00:00
|
|
|
#include "packet-credssp-hfarr.c"
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* List of subtrees */
|
|
|
|
|
static gint *ett[] = {
|
|
|
|
|
&ett_credssp,
|
2021-06-20 19:28:36 +00:00
|
|
|
&ett_credssp_RGC_CredBuffer,
|
2011-09-30 15:21:16 +00:00
|
|
|
#include "packet-credssp-ettarr.c"
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Register protocol */
|
|
|
|
|
proto_credssp = proto_register_protocol(PNAME, PSNAME, PFNAME);
|
2015-12-09 02:06:20 +00:00
|
|
|
register_dissector("credssp", dissect_credssp, proto_credssp);
|
2011-09-30 15:21:16 +00:00
|
|
|
|
|
|
|
|
/* Register fields and subtrees */
|
|
|
|
|
proto_register_field_array(proto_credssp, hf, array_length(hf));
|
|
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
|
|
|
|
|
|
|
|
/* heuristic dissectors for any premable e.g. CredSSP before RDP */
|
2016-03-13 11:51:45 +00:00
|
|
|
credssp_heur_subdissector_list = register_heur_dissector_list("credssp", proto_credssp);
|
2011-09-30 15:21:16 +00:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*--- proto_reg_handoff_credssp --- */
|
|
|
|
|
void proto_reg_handoff_credssp(void) {
|
|
|
|
|
|
2021-05-22 12:14:14 +00:00
|
|
|
gssapi_handle = find_dissector_add_dependency("gssapi", proto_credssp);
|
2021-05-22 12:27:07 +00:00
|
|
|
gssapi_wrap_handle = find_dissector_add_dependency("gssapi_verf", proto_credssp);
|
2021-05-22 12:14:14 +00:00
|
|
|
|
2018-09-13 15:40:27 +00:00
|
|
|
heur_dissector_add("tls", dissect_credssp_heur, "CredSSP over TLS", "credssp_tls", proto_credssp, HEURISTIC_ENABLE);
|
2021-05-29 17:35:56 +00:00
|
|
|
heur_dissector_add("rdp", dissect_credssp_heur, "CredSSP in TPKT", "credssp_tpkt", proto_credssp, HEURISTIC_ENABLE);
|
2013-06-18 01:13:07 +00:00
|
|
|
exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7);
|
2011-09-30 15:21:16 +00:00
|
|
|
}
|
|
|
|
|
|