Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'nadav/topic/nadavk/ntlm'

Browse source 
* nadav/topic/nadavk/ntlm:
  Added NTLM challenge and response
This commit is contained in:
Tim Wojtulewicz 2022-11-21 09:09:09 -07:00
commit 26030f4a57
5 changed files with 17 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -143,15 +143,16 @@ refine connection NTLM_Conn += {
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::Challenge);
result->Assign(0, build_negotiate_flag_record(${val.flags}));
result->Assign(1, ${val.challenge});
if ( ${val}->has_target_name() )
result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.target_name.string.data}));
result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.target_name.string.data}));
if ( ${val}->has_version() )
result->Assign(2, build_version_record(${val.version}));
result->Assign(3, build_version_record(${val.version}));
if ( ${val}->has_target_info() )
result->Assign(3, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})});
result->Assign(4, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})});
zeek::BifEvent::enqueue_ntlm_challenge(zeek_analyzer(),
zeek_analyzer()->Conn(),
@ -183,6 +184,9 @@ refine connection NTLM_Conn += {
if ( ${val}->has_version() )
result->Assign(5, build_version_record(${val.version}));
if ( ${val}->has_response() )
result->Assign(6, to_stringval(${val.response.string.data}));
zeek::BifEvent::enqueue_ntlm_authenticate(zeek_analyzer(),
zeek_analyzer()->Conn(),
std::move(result));

1
src/analyzer/protocol/ntlm/ntlm-protocol.pac
View file

@ -58,6 +58,7 @@ type NTLM_Authenticate(offset: uint16) = record {
} &let {
absolute_offset : uint16 = offsetof(payload) + offset;
version : NTLM_Version withinput payload &if(flags.negotiate_version && (absolute_offset < min(min(min(domain_name_fields.offset, user_name_fields.offset), workstation_fields.offset), encrypted_session_key_fields.offset)));
response : NTLM_String(nt_challenge_response_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(nt_challenge_response_fields.length > 0);
domain_name : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0);
user_name : NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0);
workstation : NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0);