From 07bf7f8b18e9dee2dec560ec955f3318e334a577 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Fri, 11 Apr 2025 17:38:58 +0200
Subject: [PATCH] ldap: Add Sicily Authentication constants

The aduser1-ntlm.pcap contains bindRequest messages using Microsoft AD specific Sicily Authentication [1]. Add the entries to the enum so we don't log undefined for these and also check the NTLMSSP signature.

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
---
 scripts/base/protocols/ldap/main.zeek | 4 ++++
 src/analyzer/protocol/ldap/ldap.spicy | 20 +++++++++++++++++++
 .../ntlm.ldap.log | 4 ++--
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index 8b7f062901..9033333c04 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -380,6 +380,10 @@ event LDAP::bind_request(c: connection,
 m$opcode = BIND_SIMPLE;
 } else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
 m$opcode = BIND_SASL;
+ } else if (authType == LDAP::BindAuthType_SICILY_NEGOTIATE ) {
+ m$opcode = "sicily_negotiate";
+ } else if (authType == LDAP::BindAuthType_SICILY_RESPONSE ) {
+ m$opcode = "sicily_response";
 } else {
 Reporter::conn_weird("LDAP_unknown_auth_type", c, cat(authType), "LDAP");
 m$opcode = cat(authType);
diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy
index 63379d9a83..0fef1e2b8a 100644
--- a/src/analyzer/protocol/ldap/ldap.spicy
+++ b/src/analyzer/protocol/ldap/ldap.spicy
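Review bot: The Sicily package-discovery bind (value 9, which the ldap.spicy hunk in this same patch adds as `SICILY_PACKAGE_DISCOVERY`) is still not matched in the new chain, so such a bindRequest keeps falling through to the final else, raising the `LDAP_unknown_auth_type` weird and logging `cat(authType)` as the opcode, which is exactly what the commit message says it wants to avoid. A branch `} else if (authType == LDAP::BindAuthType_SICILY_PACKAGE_DISCOVERY) {` / `m$opcode = "sicily_package_discovery";` before the else closes that gap. As a point of style, both new conditions carry a stray space before `)`, and the existing branches assign named constants (`BIND_SIMPLE`, `BIND_SASL`, presumably declared earlier in the file) while the new ones use string literals; matching constants would keep the opcode vocabulary in one place. The bind_request handler begins and ends outside the hunk.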
@@ -365,6 +365,12 @@ public type Message = unit(ctx: Ctx&) {
 public type BindAuthType = enum {
 BIND_AUTH_SIMPLE = 0,
 BIND_AUTH_SASL = 3,
+
+ # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
+ # 5.1.1.1.3 Sicily Authentication
+ SICILY_PACKAGE_DISCOVERY = 9,
+ SICILY_NEGOTIATE = 10,
+ SICILY_RESPONSE = 11,
 };
 
 type GSS_SPNEGO_negTokenInit = unit {
@@ -410,6 +416,12 @@ type SaslCredentials = unit() {
 };
 };
 
+type SicilyMessage = unit(bat: BindAuthType) {
+ # Just ensure the signature matches. We could do more,
+ # but it'd be better to forward to an NTLM analyzer.
+ signature: b"NTLMSSP";
+};
+
 type GSS_SPNEGO_Subsequent = unit {
 switch {
 -> spnegoChoiceByte: uint8(0xa1);
@@ -481,6 +493,14 @@ type BindRequest = unit(inout message: Message, ctx: Ctx&) {
 message.arg = self.saslCreds.mechanism;
 ctx.saslMechanism = self.saslCreds.mechanism;
 }
+
+
+ sicilyMessage: SicilyMessage(self.authType) &parse-from=self.authData if ((self.authType == BindAuthType::SICILY_NEGOTIATE
+ || self.authType == BindAuthType::SICILY_RESPONSE)
+ && (|self.authData| > 0)) {
+ message.arg = self.sicilyMessage.signature.decode();
+ }
+
 } &requires=(self?.authType && (self.authType != BindAuthType::Undef));
 
 type ServerSaslCreds = unit {
diff --git a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log
index 502d28b4f4..a1caacd709 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log
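Review bot: `SicilyMessage` declares a `bat: BindAuthType` parameter that nothing in the unit body reads, so either drop it (`type SicilyMessage = unit {`, with the `SicilyMessage(self.authType)` instantiation in the BindRequest hunk becoming `SicilyMessage`) or extend the existing comment to say what it is reserved for, e.g. `# bat is unused for now; an NTLM sub-parser could use it to pick the expected message type.`. A parameter that is passed but never consumed reads like an unfinished check to the next maintainer.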
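Review bot: When a SICILY_NEGOTIATE or SICILY_RESPONSE bind carries authData that does not begin with `NTLMSSP`, the `&parse-from` sub-unit fails on its `signature` literal, and unless BindRequest has error handling outside this hunk that parse error propagates and ends LDAP analysis of the connection rather than merely leaving `arg` unset. Extending the field condition with `&& self.authData.starts_with(b"NTLMSSP")` keeps an unexpected payload from tearing down the analyzer for the rest of the session, and the mismatch could then be surfaced as a weird instead. `SICILY_PACKAGE_DISCOVERY` binds get no handling here, which is presumably intended since discovery carries no NTLM token, but a one-line comment saying so would save the next reader a spec lookup. The two blank lines before `sicilyMessage` and the one after its block are more than the neighbouring fields use. BindRequest starts before this hunk.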
@@ -7,6 +7,6 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
 #types time string addr port addr port int int string string string string string
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 173945320 3 success - User1 -
-XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1489001992 3 success - User1 -
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 173945320 3 sicily_negotiate success - User1 NTLMSSP
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1489001992 3 sicily_response success - User1 NTLMSSP
 #close XXXX-XX-XX-XX-XX-XX