diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
commit | e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch) | |
tree | 68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/asn1/credssp | |
parent | Initial commit. (diff) | |
download | wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.tar.xz wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.zip |
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/asn1/credssp')
-rw-r--r-- | epan/dissectors/asn1/credssp/CMakeLists.txt | 39 | ||||
-rw-r--r-- | epan/dissectors/asn1/credssp/CredSSP.asn | 56 | ||||
-rw-r--r-- | epan/dissectors/asn1/credssp/credssp.cnf | 130 | ||||
-rw-r--r-- | epan/dissectors/asn1/credssp/packet-credssp-template.c | 200 | ||||
-rw-r--r-- | epan/dissectors/asn1/credssp/packet-credssp-template.h | 20 |
5 files changed, 445 insertions, 0 deletions
diff --git a/epan/dissectors/asn1/credssp/CMakeLists.txt b/epan/dissectors/asn1/credssp/CMakeLists.txt new file mode 100644 index 00000000..59c80321 --- /dev/null +++ b/epan/dissectors/asn1/credssp/CMakeLists.txt @@ -0,0 +1,39 @@ +# CMakeLists.txt +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# SPDX-License-Identifier: GPL-2.0-or-later +# + +set( PROTOCOL_NAME credssp ) + +set( PROTO_OPT ) + +set( EXPORT_FILES + ${PROTOCOL_NAME}-exp.cnf +) + +set( EXT_ASN_FILE_LIST +) + +set( ASN_FILE_LIST + CredSSP.asn +) + +set( EXTRA_DIST + ${ASN_FILE_LIST} + packet-${PROTOCOL_NAME}-template.c + packet-${PROTOCOL_NAME}-template.h + ${PROTOCOL_NAME}.cnf +) + +set( SRC_FILES + ${EXTRA_DIST} + ${EXT_ASN_FILE_LIST} +) + +set( A2W_FLAGS -b -C ) + +ASN2WRS() diff --git a/epan/dissectors/asn1/credssp/CredSSP.asn b/epan/dissectors/asn1/credssp/CredSSP.asn new file mode 100644 index 00000000..07298526 --- /dev/null +++ b/epan/dissectors/asn1/credssp/CredSSP.asn @@ -0,0 +1,56 @@ +-- Derived from http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-CSSP%5D.pdf + +CredSSP DEFINITIONS EXPLICIT TAGS ::= + +BEGIN + +NegoData ::= SEQUENCE OF SEQUENCE { + negoToken [0] OCTET STRING +} + +TSPasswordCreds ::= SEQUENCE { + domainName [0] OCTET STRING, + userName [1] OCTET STRING, + password [2] OCTET STRING +} + +TSCspDataDetail ::= SEQUENCE { + keySpec [0] INTEGER, + cardName [1] OCTET STRING OPTIONAL, + readerName [2] OCTET STRING OPTIONAL, + containerName [3] OCTET STRING OPTIONAL, + cspName [4] OCTET STRING OPTIONAL +} + +TSSmartCardCreds ::= SEQUENCE { + pin [0] OCTET STRING, + cspData [1] TSCspDataDetail, + userHint [2] OCTET STRING OPTIONAL, + domainHint [3] OCTET STRING OPTIONAL +} + +TSRemoteGuardPackageCred ::= SEQUENCE { + packageName [0] OCTET STRING, + credBuffer [1] OCTET STRING +} + +TSRemoteGuardCreds ::= SEQUENCE { + logonCred [0] TSRemoteGuardPackageCred, + supplementalCreds [1] SEQUENCE OF TSRemoteGuardPackageCred OPTIONAL +} + +TSCredentials ::= SEQUENCE { + credType [0] INTEGER, + credentials [1] OCTET STRING +} + +TSRequest ::= SEQUENCE { + version [0] INTEGER, + negoTokens [1] NegoData OPTIONAL, + authInfo [2] OCTET STRING OPTIONAL, + pubKeyAuth [3] OCTET STRING OPTIONAL, + errorCode [4] INTEGER OPTIONAL, + clientNonce [5] OCTET STRING OPTIONAL +} + +END diff --git a/epan/dissectors/asn1/credssp/credssp.cnf b/epan/dissectors/asn1/credssp/credssp.cnf new file mode 100644 index 00000000..a55b1507 --- /dev/null +++ b/epan/dissectors/asn1/credssp/credssp.cnf @@ -0,0 +1,130 @@ +# credssp.cnf +# Credential Security Support Provider (CredSSP) conformance file + +#.PDU +TSRequest + +#.FN_PARS TSRequest/version VAL_PTR = &credssp_ver + +#.FN_BODY TSRequest/authInfo VAL_PTR = &auth_tvb + tvbuff_t *auth_tvb = NULL; + tvbuff_t *decr_tvb = NULL; + gssapi_encrypt_info_t gssapi_encrypt; + + %(DEFAULT_BODY)s + + memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt)); + gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL; + call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt); + decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb; + + if(decr_tvb != NULL) + dissect_credssp_TSCredentials(FALSE, decr_tvb, 0, actx, tree, hf_credssp_TSCredentials); + +#.FN_BODY TSRequest/pubKeyAuth VAL_PTR = &auth_tvb + tvbuff_t *auth_tvb = NULL; + tvbuff_t *decr_tvb = NULL; + gssapi_encrypt_info_t gssapi_encrypt; + + %(DEFAULT_BODY)s + + memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt)); + gssapi_encrypt.decrypt_gssapi_tvb=DECRYPT_GSSAPI_NORMAL; + call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt); + decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb; + + if(decr_tvb != NULL) + proto_tree_add_item(tree, hf_credssp_decr_PublicKeyAuth, decr_tvb, 0, -1, ENC_NA); + +#.FN_BODY TSRequest/errorCode + + if (credssp_ver < 3) { + return 0; + } + + %(DEFAULT_BODY)s + + +#.FN_BODY TSRequest/clientNonce + + if (credssp_ver < 5) { + return 0; + } + + %(DEFAULT_BODY)s + + +#.FN_PARS TSCredentials/credType VAL_PTR = &creds_type +#.FN_PARS TSCredentials/credentials VAL_PTR = &creds_tvb + +#.FN_BODY TSCredentials/credentials + tvbuff_t *creds_tvb = NULL; + + %(DEFAULT_BODY)s + + switch(creds_type) { + case TS_PASSWORD_CREDS: + dissect_credssp_TSPasswordCreds(FALSE, creds_tvb, 0, actx, tree, hf_credssp_TSPasswordCreds); + break; + case TS_SMARTCARD_CREDS: + dissect_credssp_TSSmartCardCreds(FALSE, creds_tvb, 0, actx, tree, hf_credssp_TSSmartCardCreds); + break; + case TS_REMOTEGUARD_CREDS: + dissect_credssp_TSRemoteGuardCreds(FALSE, creds_tvb, 0, actx, tree, hf_credssp_TSRemoteGuardCreds); + break; + } + + +#.FN_PARS NegoData/_item/negoToken VAL_PTR = &token_tvb + +#.FN_BODY NegoData/_item/negoToken + tvbuff_t *token_tvb = NULL; + + %(DEFAULT_BODY)s + + if(token_tvb != NULL) + call_dissector(gssapi_handle, token_tvb, actx->pinfo, tree); + + +#.TYPE_ATTR +TSRemoteGuardPackageCred/packageName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL + +#.FN_BODY TSRemoteGuardPackageCred/packageName VAL_PTR = &pname + tvbuff_t *pname = NULL; + + offset = dissect_ber_octet_string(implicit_tag, actx, NULL, tvb, offset, hf_index, &pname); + + if(pname != NULL) { + gint nlen = tvb_captured_length(pname); + + if (nlen == sizeof(kerberos_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), kerberos_pname, nlen) == 0) { + credssp_TS_RGC_package = TS_RGC_KERBEROS; + } else if (nlen == sizeof(ntlm_pname) && memcmp(tvb_get_ptr(pname, 0, nlen), ntlm_pname, nlen) == 0) { + credssp_TS_RGC_package = TS_RGC_NTLM; + } + proto_tree_add_item(tree, hf_index, pname, 0, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN); + } + +#.FN_BODY TSRemoteGuardPackageCred/credBuffer VAL_PTR = &creds + tvbuff_t *creds= NULL; + proto_tree *subtree; + + %(DEFAULT_BODY)s + + if (!creds) + return offset; + + switch(credssp_TS_RGC_package) { + case TS_RGC_KERBEROS: + subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer); + dissect_kerberos_KERB_TICKET_LOGON(creds, 0, actx, subtree); + break; + case TS_RGC_NTLM: + subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer); + dissect_ntlmssp_NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL(creds, 0, subtree); + break; + } + +#.END + + diff --git a/epan/dissectors/asn1/credssp/packet-credssp-template.c b/epan/dissectors/asn1/credssp/packet-credssp-template.c new file mode 100644 index 00000000..5eef5741 --- /dev/null +++ b/epan/dissectors/asn1/credssp/packet-credssp-template.c @@ -0,0 +1,200 @@ +/* packet-credssp.c + * Routines for CredSSP (Credential Security Support Provider) packet dissection + * Graeme Lunt 2011 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "config.h" + +#include <epan/packet.h> +#include <epan/asn1.h> +#include <epan/tap.h> +#include <epan/exported_pdu.h> + +#include "packet-ber.h" +#include "packet-gssapi.h" +#include "packet-kerberos.h" +#include "packet-ntlmssp.h" +#include "packet-credssp.h" + +#define PNAME "Credential Security Support Provider" +#define PSNAME "CredSSP" +#define PFNAME "credssp" + +#define TS_PASSWORD_CREDS 1 +#define TS_SMARTCARD_CREDS 2 +#define TS_REMOTEGUARD_CREDS 6 + +static gint creds_type; +static gint credssp_ver; + +static char kerberos_pname[] = "K\0e\0r\0b\0e\0r\0o\0s"; +static char ntlm_pname[] = "N\0T\0L\0M"; + +#define TS_RGC_UNKNOWN 0 +#define TS_RGC_KERBEROS 1 +#define TS_RGC_NTLM 2 + +static gint credssp_TS_RGC_package; + +static gint exported_pdu_tap = -1; + +/* Initialize the protocol and registered fields */ +static int proto_credssp = -1; + +/* List of dissectors to call for negoToken data */ +static heur_dissector_list_t credssp_heur_subdissector_list; + +static dissector_handle_t gssapi_handle; +static dissector_handle_t gssapi_wrap_handle; + +static int hf_credssp_TSPasswordCreds = -1; /* TSPasswordCreds */ +static int hf_credssp_TSSmartCardCreds = -1; /* TSSmartCardCreds */ +static int hf_credssp_TSRemoteGuardCreds = -1;/* TSRemoteGuardCreds */ +static int hf_credssp_TSCredentials = -1; /* TSCredentials */ +static int hf_credssp_decr_PublicKeyAuth = -1;/* decr_PublicKeyAuth */ +#include "packet-credssp-hf.c" + +/* Initialize the subtree pointers */ +static gint ett_credssp = -1; +static gint ett_credssp_RGC_CredBuffer = -1; + +#include "packet-credssp-ett.c" + +#include "packet-credssp-fn.c" + +/* +* Dissect CredSSP PDUs +*/ +static int +dissect_credssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data) +{ + proto_item *item=NULL; + proto_tree *tree=NULL; + + if(parent_tree){ + item = proto_tree_add_item(parent_tree, proto_credssp, tvb, 0, -1, ENC_NA); + tree = proto_item_add_subtree(item, ett_credssp); + } + col_set_str(pinfo->cinfo, COL_PROTOCOL, "CredSSP"); + col_clear(pinfo->cinfo, COL_INFO); + + creds_type = -1; + credssp_ver = -1; + + return dissect_TSRequest_PDU(tvb, pinfo, tree, data); +} + +static gboolean +dissect_credssp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void *data _U_) +{ + asn1_ctx_t asn1_ctx; + int offset = 0; + gint8 ber_class; + bool pc; + gint32 tag; + guint32 length; + gint8 ver; + + asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo); + + /* Look for SEQUENCE, CONTEXT 0, and INTEGER 2 */ + if(tvb_captured_length(tvb) > 7) { + offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag); + if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_SEQUENCE) && (pc == TRUE)) { + offset = get_ber_length(tvb, offset, NULL, NULL); + offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag); + if((ber_class == BER_CLASS_CON) && (tag == 0)) { + offset = get_ber_length(tvb, offset, NULL, NULL); + offset = get_ber_identifier(tvb, offset, &ber_class, &pc, &tag); + if((ber_class == BER_CLASS_UNI) && (tag == BER_UNI_TAG_INTEGER)) { + offset = get_ber_length(tvb, offset, &length, NULL); + ver = tvb_get_guint8(tvb, offset); + if((length == 1) && (ver > 1) && (ver < 99)) { + if (have_tap_listener(exported_pdu_tap)) { + exp_pdu_data_t *exp_pdu_data = export_pdu_create_common_tags(pinfo, "credssp", EXP_PDU_TAG_DISSECTOR_NAME); + + exp_pdu_data->tvb_captured_length = tvb_captured_length(tvb); + exp_pdu_data->tvb_reported_length = tvb_reported_length(tvb); + exp_pdu_data->pdu_tvb = tvb; + + tap_queue_packet(exported_pdu_tap, pinfo, exp_pdu_data); + } + dissect_credssp(tvb, pinfo, parent_tree, NULL); + return TRUE; + } + } + } + } + } + return FALSE; +} + + +/*--- proto_register_credssp -------------------------------------------*/ +void proto_register_credssp(void) { + + /* List of fields */ + static hf_register_info hf[] = + { + { &hf_credssp_TSPasswordCreds, + { "TSPasswordCreds", "credssp.TSPasswordCreds", + FT_NONE, BASE_NONE, NULL, 0, + NULL, HFILL }}, + { &hf_credssp_TSSmartCardCreds, + { "TSSmartCardCreds", "credssp.TSSmartCardCreds", + FT_NONE, BASE_NONE, NULL, 0, + NULL, HFILL }}, + { &hf_credssp_TSRemoteGuardCreds, + { "TSRemoteGuardCreds", "credssp.TSRemoteGuardCreds", + FT_NONE, BASE_NONE, NULL, 0, + NULL, HFILL }}, + { &hf_credssp_TSCredentials, + { "TSCredentials", "credssp.TSCredentials", + FT_NONE, BASE_NONE, NULL, 0, + NULL, HFILL }}, + { &hf_credssp_decr_PublicKeyAuth, + { "Decrypted PublicKeyAuth (sha256)", "credssp.decr_PublicKeyAuth", + FT_BYTES, BASE_NONE, NULL, 0, + NULL, HFILL }}, +#include "packet-credssp-hfarr.c" + }; + + /* List of subtrees */ + static gint *ett[] = { + &ett_credssp, + &ett_credssp_RGC_CredBuffer, +#include "packet-credssp-ettarr.c" + }; + + + /* Register protocol */ + proto_credssp = proto_register_protocol(PNAME, PSNAME, PFNAME); + register_dissector("credssp", dissect_credssp, proto_credssp); + + /* Register fields and subtrees */ + proto_register_field_array(proto_credssp, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); + + /* heuristic dissectors for any premable e.g. CredSSP before RDP */ + credssp_heur_subdissector_list = register_heur_dissector_list("credssp", proto_credssp); + +} + + +/*--- proto_reg_handoff_credssp --- */ +void proto_reg_handoff_credssp(void) { + + gssapi_handle = find_dissector_add_dependency("gssapi", proto_credssp); + gssapi_wrap_handle = find_dissector_add_dependency("gssapi_verf", proto_credssp); + + heur_dissector_add("tls", dissect_credssp_heur, "CredSSP over TLS", "credssp_tls", proto_credssp, HEURISTIC_ENABLE); + heur_dissector_add("rdp", dissect_credssp_heur, "CredSSP in TPKT", "credssp_tpkt", proto_credssp, HEURISTIC_ENABLE); + exported_pdu_tap = find_tap_id(EXPORT_PDU_TAP_NAME_LAYER_7); +} + diff --git a/epan/dissectors/asn1/credssp/packet-credssp-template.h b/epan/dissectors/asn1/credssp/packet-credssp-template.h new file mode 100644 index 00000000..fda51f3b --- /dev/null +++ b/epan/dissectors/asn1/credssp/packet-credssp-template.h @@ -0,0 +1,20 @@ +/* packet-credssp.h + * Routines for CredSSP (Credential Security Support Provider) packet dissection + * Graeme Lunt 2011 + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef PACKET_CREDSSP_H +#define PACKET_CREDSSP_H + +#include "packet-credssp-val.h" + +void proto_reg_handoff_credssp(void); +void proto_register_credssp(void); + +#endif /* PACKET_CREDSSP_H */ |