# credssp.cnf
# Credential Security Support Provider (CredSSP) conformance file
#.PDU
TSRequest
#.FN_PARS TSRequest/version VAL_PTR = &credssp_ver
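#.FN_BODY TSRequest/authInfo VAL_PTR = &auth_tvb
  /*
   * authInfo is a GSS-API wrapped blob. Hand it to the GSS-API wrap
   * dissector and, if that dissector returns a decrypted buffer, dissect
   * that buffer as TSCredentials.
   *
   * The decrypted buffer is the TSCredentials structure (password,
   * smart card or remote guard credentials), so the dissection output of
   * this field should be treated as sensitive.
   */
  tvbuff_t *auth_tvb = NULL;
  tvbuff_t *decr_tvb = NULL;
  gssapi_encrypt_info_t gssapi_encrypt;

  %(DEFAULT_BODY)s

  /*
   * auth_tvb stays NULL when the default body extracted no octet string
   * (the negoToken and credBuffer bodies in this file test their VAL_PTR
   * result for the same reason). Do not call the sub-dissector without a
   * buffer; a malformed TSRequest must not reach it with a NULL tvb.
   */
  if (auth_tvb != NULL) {
    memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt));
    gssapi_encrypt.decrypt_gssapi_tvb = DECRYPT_GSSAPI_NORMAL;
    call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt);
    decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb;

    /* Only present when the wrap dissector was able to decrypt the blob. */
    if (decr_tvb != NULL)
      dissect_credssp_TSCredentials(false, decr_tvb, 0, actx, tree, hf_credssp_TSCredentials);
  }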
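#.FN_BODY TSRequest/pubKeyAuth VAL_PTR = &auth_tvb
  /*
   * pubKeyAuth is a GSS-API wrapped blob. Hand it to the GSS-API wrap
   * dissector and, if that dissector returns a decrypted buffer, add the
   * decrypted bytes to the tree as hf_credssp_decr_PublicKeyAuth.
   */
  tvbuff_t *auth_tvb = NULL;
  tvbuff_t *decr_tvb = NULL;
  gssapi_encrypt_info_t gssapi_encrypt;

  %(DEFAULT_BODY)s

  /*
   * auth_tvb stays NULL when the default body extracted no octet string
   * (the negoToken and credBuffer bodies in this file test their VAL_PTR
   * result for the same reason). Do not call the sub-dissector without a
   * buffer; a malformed TSRequest must not reach it with a NULL tvb.
   */
  if (auth_tvb != NULL) {
    memset(&gssapi_encrypt, 0, sizeof(gssapi_encrypt));
    gssapi_encrypt.decrypt_gssapi_tvb = DECRYPT_GSSAPI_NORMAL;
    call_dissector_with_data(gssapi_wrap_handle, auth_tvb, actx->pinfo, tree, &gssapi_encrypt);
    decr_tvb = gssapi_encrypt.gssapi_decrypted_tvb;

    /* Only present when the wrap dissector was able to decrypt the blob. */
    if (decr_tvb != NULL)
      proto_tree_add_item(tree, hf_credssp_decr_PublicKeyAuth, decr_tvb, 0, -1, ENC_NA);
  }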
#.FN_BODY TSRequest/errorCode
/*
 * Version gate: errorCode is dissected only when credssp_ver, the value
 * written through the VAL_PTR on TSRequest/version, is at least 3.
 * For lower versions the body returns 0 before the default dissection runs.
 * NOTE(review): whether credssp_ver is reset between PDUs is not visible
 * here; a stale value would apply the wrong gate -- confirm.
 */
if (credssp_ver < 3) {
return 0;
}
%(DEFAULT_BODY)s
#.FN_BODY TSRequest/clientNonce
/*
 * Version gate: clientNonce is dissected only when credssp_ver, the value
 * written through the VAL_PTR on TSRequest/version, is at least 5.
 * For lower versions the body returns 0 before the default dissection runs.
 * NOTE(review): whether credssp_ver is reset between PDUs is not visible
 * here; a stale value would apply the wrong gate -- confirm.
 */
if (credssp_ver < 5) {
return 0;
}
%(DEFAULT_BODY)s
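#.FN_PARS TSCredentials/credType VAL_PTR = &creds_type
#.FN_PARS TSCredentials/credentials VAL_PTR = &creds_tvb
#.FN_BODY TSCredentials/credentials
  /*
   * The credentials octet string is decoded according to creds_type, which
   * the credType field stores through its VAL_PTR (creds_type itself is
   * declared outside this file).
   */
  tvbuff_t *creds_tvb = NULL;

  %(DEFAULT_BODY)s

  /*
   * creds_tvb stays NULL when the default body extracted no octet string
   * (the negoToken and credBuffer bodies in this file test their VAL_PTR
   * result for the same reason). The nested dissectors are called with
   * offset 0 into that buffer, so skip them when there is no buffer.
   */
  if (creds_tvb != NULL) {
    switch (creds_type) {
    case TS_PASSWORD_CREDS:
      dissect_credssp_TSPasswordCreds(false, creds_tvb, 0, actx, tree, hf_credssp_TSPasswordCreds);
      break;
    case TS_SMARTCARD_CREDS:
      dissect_credssp_TSSmartCardCreds(false, creds_tvb, 0, actx, tree, hf_credssp_TSSmartCardCreds);
      break;
    case TS_REMOTEGUARD_CREDS:
      dissect_credssp_TSRemoteGuardCreds(false, creds_tvb, 0, actx, tree, hf_credssp_TSRemoteGuardCreds);
      break;
    default:
      /* Unrecognised credential type: leave the octet string undecoded. */
      break;
    }
  }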
#.FN_PARS NegoData/_item/negoToken VAL_PTR = &token_tvb
#.FN_BODY NegoData/_item/negoToken
  /*
   * negoToken carries a GSS-API token: once the default body has extracted
   * the octet string, pass it to the GSS-API dissector.
   */
  tvbuff_t *token_tvb = NULL;

  %(DEFAULT_BODY)s

  /* Nothing to hand over when no octet string was extracted. */
  if (token_tvb) {
    call_dissector(gssapi_handle, token_tvb, actx->pinfo, tree);
  }
#.TYPE_ATTR
TSRemoteGuardPackageCred/packageName TYPE = FT_STRING DISPLAY = BASE_NONE STRINGS = NULL
#.FN_BODY TSRemoteGuardPackageCred/packageName VAL_PTR = &pname
  /*
   * Extract the package name, record in credssp_TS_RGC_package which
   * security package it names (Kerberos or NTLM), and show the name as a
   * little-endian UTF-16 string. The recorded package is what the
   * credBuffer body switches on.
   *
   * NOTE(review): a name that matches neither constant leaves
   * credssp_TS_RGC_package untouched, so a value recorded for an earlier
   * credential could still select a credBuffer dissector -- confirm it is
   * reset elsewhere.
   */
  tvbuff_t *pname = NULL;

  offset = dissect_ber_octet_string(implicit_tag, actx, NULL, tvb, offset, hf_index, &pname);

  /* No octet string extracted: nothing to classify or display. */
  if (!pname)
    return offset;

  int nlen = tvb_captured_length(pname);

  /*
   * The length test comes first so the byte comparison only runs on a
   * buffer of exactly the expected size.
   */
  if (nlen == sizeof(kerberos_pname) &&
      memcmp(tvb_get_ptr(pname, 0, nlen), kerberos_pname, nlen) == 0) {
    credssp_TS_RGC_package = TS_RGC_KERBEROS;
  } else if (nlen == sizeof(ntlm_pname) &&
             memcmp(tvb_get_ptr(pname, 0, nlen), ntlm_pname, nlen) == 0) {
    credssp_TS_RGC_package = TS_RGC_NTLM;
  }

  proto_tree_add_item(tree, hf_index, pname, 0, -1, ENC_UTF_16|ENC_LITTLE_ENDIAN);
#.FN_BODY TSRemoteGuardPackageCred/credBuffer VAL_PTR = &creds
  /*
   * Decode the credential buffer with the dissector that matches the
   * package recorded in credssp_TS_RGC_package. For any other value the
   * buffer is left as the default body displayed it.
   */
  tvbuff_t *creds = NULL;
  proto_tree *subtree;

  %(DEFAULT_BODY)s

  /* No octet string extracted: there is nothing to decode. */
  if (creds == NULL)
    return offset;

  if (credssp_TS_RGC_package == TS_RGC_KERBEROS) {
    /* The subtree hangs off the item the default body just created. */
    subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer);
    dissect_kerberos_KERB_TICKET_LOGON(creds, 0, actx, subtree);
  } else if (credssp_TS_RGC_package == TS_RGC_NTLM) {
    subtree = proto_item_add_subtree(actx->created_item, ett_credssp_RGC_CredBuffer);
    dissect_ntlmssp_NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL(creds, 0, subtree);
  }
#.END