Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

ldap: Add Sicily Authentication constants

Browse source 
The aduser1-ntlm.pcap contains bindRequest messages using Microsoft AD
specific Sicily Authentication [1]. Add the entries to the enum so we
don't log undefined for these and also check the NTLMSSP signature.

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
This commit is contained in:
Arne Welzel 2025-04-11 17:38:58 +02:00
parent ff58be2f36
commit 07bf7f8b18
3 changed files with 26 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
scripts/base/protocols/ldap/main.zeek
View file

@ -380,6 +380,10 @@ event LDAP::bind_request(c: connection,
m$opcode = BIND_SIMPLE;
} else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
m$opcode = BIND_SASL;
} else if (authType == LDAP::BindAuthType_SICILY_NEGOTIATE ) {
m$opcode = "sicily_negotiate";
} else if (authType == LDAP::BindAuthType_SICILY_RESPONSE ) {
m$opcode = "sicily_response";
} else {
Reporter::conn_weird("LDAP_unknown_auth_type", c, cat(authType), "LDAP");
m$opcode = cat(authType);

20
src/analyzer/protocol/ldap/ldap.spicy
View file

@ -365,6 +365,12 @@ public type Message = unit(ctx: Ctx&) {
public type BindAuthType = enum {
BIND_AUTH_SIMPLE = 0,
BIND_AUTH_SASL = 3,
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
# 5.1.1.1.3 Sicily Authentication
SICILY_PACKAGE_DISCOVERY = 9,
SICILY_NEGOTIATE = 10,
SICILY_RESPONSE = 11,
};
type GSS_SPNEGO_negTokenInit = unit {
@ -410,6 +416,12 @@ type SaslCredentials = unit() {
};
};
type SicilyMessage = unit(bat: BindAuthType) {
# Just ensure the signature matches. We could do more,
# but it'd be better to forward to an NTLM analyzer.
signature: b"NTLMSSP";
};
type GSS_SPNEGO_Subsequent = unit {
switch {
-> spnegoChoiceByte: uint8(0xa1);
@ -481,6 +493,14 @@ type BindRequest = unit(inout message: Message, ctx: Ctx&) {
message.arg = self.saslCreds.mechanism;
ctx.saslMechanism = self.saslCreds.mechanism;
}
sicilyMessage: SicilyMessage(self.authType) &parse-from=self.authData if ((self.authType == BindAuthType::SICILY_NEGOTIATE
|| self.authType == BindAuthType::SICILY_RESPONSE)
&& (|self.authData| > 0)) {
message.arg = self.sicilyMessage.signature.decode();
}
} &requires=(self?.authType && (self.authType != BindAuthType::Undef));
type ServerSaslCreds = unit {

4
testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log
View file

@ -7,6 +7,6 @@
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
#types time string addr port addr port int int string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 173945320 3 <undefined> success - User1 -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1489001992 3 <undefined> success - User1 -
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 173945320 3 sicily_negotiate success - User1 NTLMSSP
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1489001992 3 sicily_response success - User1 NTLMSSP
#close XXXX-XX-XX-XX-XX-XX