Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Fixes for NTLM.

Browse source 
- Attempted fix for some NTLM handling fixes that were leading
   to DPD errors.
 - Added some status codes to the list of auth failure status codes.
This commit is contained in:
Seth Hall 2016-08-14 01:31:07 -04:00
parent a2c8f8a9b6
commit c06dca3565
3 changed files with 20 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/base/protocols/ntlm/main.bro
View file

@ -39,7 +39,9 @@ export {
0x08c10002, # badLogonTime 0x08c10002, # badLogonTime
0x08c20002, # passwordExpired 0x08c20002, # passwordExpired
0xC0000022, # ACCESS_DENIED 0xC0000022, # ACCESS_DENIED
0xC0000061, # PRIVILEGE_NOT_HELD
0xC000006A, # WRONG_PASSWORD 0xC000006A, # WRONG_PASSWORD
0xC000006D, # LOGON_FAILURE
0xC000006F, # INVALID_LOGON_HOURS 0xC000006F, # INVALID_LOGON_HOURS
0xC0000070, # INVALID_WORKSTATION 0xC0000070, # INVALID_WORKSTATION
0xC0000071, # PASSWORD_EXPIRED 0xC0000071, # PASSWORD_EXPIRED

20
src/analyzer/protocol/ntlm/ntlm-analyzer.pac
View file

@ -97,13 +97,13 @@ refine connection NTLM_Conn += {
RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate); RecordVal* result = new RecordVal(BifType::Record::NTLM::Negotiate);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val.flags.negotiate_oem_domain_supplied} ) if ( ${val}->has_domain_name() )
result->Assign(1, utf16_bytestring_to_utf8_val(${val.domain_name.string.data})); result->Assign(1, utf16_bytestring_to_utf8_val(${val.domain_name.string.data}));
if ( ${val.flags.negotiate_oem_workstation_supplied} ) if ( ${val}->has_workstation() )
result->Assign(2, utf16_bytestring_to_utf8_val(${val.workstation.string.data})); result->Assign(2, utf16_bytestring_to_utf8_val(${val.workstation.string.data}));
if ( ${val.flags.negotiate_version} ) if ( ${val}->has_version() )
result->Assign(3, build_version_record(${val.version})); result->Assign(3, build_version_record(${val.version}));
BifEvent::generate_ntlm_negotiate(bro_analyzer(), BifEvent::generate_ntlm_negotiate(bro_analyzer(),
@ -118,13 +118,13 @@ refine connection NTLM_Conn += {
RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge); RecordVal* result = new RecordVal(BifType::Record::NTLM::Challenge);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val.flags.request_target} ) if ( ${val}->has_target_name() )
result->Assign(1, utf16_bytestring_to_utf8_val(${val.target_name.string.data})); result->Assign(1, utf16_bytestring_to_utf8_val(${val.target_name.string.data}));
if ( ${val.flags.negotiate_version} ) if ( ${val}->has_version() )
result->Assign(2, build_version_record(${val.version})); result->Assign(2, build_version_record(${val.version}));
if ( ${val.flags.negotiate_target_info} ) if ( ${val}->has_target_info() )
result->Assign(3, build_av_record(${val.target_info})); result->Assign(3, build_av_record(${val.target_info}));
BifEvent::generate_ntlm_challenge(bro_analyzer(), BifEvent::generate_ntlm_challenge(bro_analyzer(),
@ -139,16 +139,16 @@ refine connection NTLM_Conn += {
RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate); RecordVal* result = new RecordVal(BifType::Record::NTLM::Authenticate);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
if ( ${val.domain_name_fields.length} > 0 ) if ( ${val}->has_domain_name() > 0 )
result->Assign(1, utf16_bytestring_to_utf8_val(${val.domain_name.string.data})); result->Assign(1, utf16_bytestring_to_utf8_val(${val.domain_name.string.data}));
if ( ${val.user_name_fields.length} > 0 ) if ( ${val}->has_user_name() > 0 )
result->Assign(2, utf16_bytestring_to_utf8_val(${val.user_name.string.data})); result->Assign(2, utf16_bytestring_to_utf8_val(${val.user_name.string.data}));
if ( ${val.workstation_fields.length} > 0 ) if ( ${val}->has_workstation() > 0 )
result->Assign(3, utf16_bytestring_to_utf8_val(${val.workstation.string.data})); result->Assign(3, utf16_bytestring_to_utf8_val(${val.workstation.string.data}));
if ( ${val.flags.negotiate_version} ) if ( ${val}->has_version() )
result->Assign(4, build_version_record(${val.version})); result->Assign(4, build_version_record(${val.version}));
BifEvent::generate_ntlm_authenticate(bro_analyzer(), BifEvent::generate_ntlm_authenticate(bro_analyzer(),

20
src/analyzer/protocol/ntlm/ntlm-protocol.pac
View file

@ -1,4 +1,9 @@
function min(v1: uint32, v2: uint32): uint32
%{
return v1 < v2 ? v1 : v2;
%}
type NTLM_SSP_Token(is_orig: bool) = record { type NTLM_SSP_Token(is_orig: bool) = record {
signature : bytestring &length=8; signature : bytestring &length=8;
msg_type : uint32; msg_type : uint32;
@ -14,13 +19,10 @@ type NTLM_Negotiate(offset: uint16) = record {
flags : NTLM_Negotiate_Flags; flags : NTLM_Negotiate_Flags;
domain_name_fields : NTLM_StringData; domain_name_fields : NTLM_StringData;
workstation_fields : NTLM_StringData; workstation_fields : NTLM_StringData;
version_present : case flags.negotiate_version of {
true -> version : NTLM_Version;
false -> no_version : empty;
};
payload : bytestring &restofdata; payload : bytestring &restofdata;
} &let { } &let {
absolute_offset : uint16 = offsetof(payload) + offset; absolute_offset : uint16 = offsetof(payload) + offset;
version : NTLM_Version withinput payload &if(flags.negotiate_version && (absolute_offset < min(domain_name_fields.offset, workstation_fields.offset)));
domain_name : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_domain_supplied); domain_name : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_domain_supplied);
workstation : NTLM_String(workstation_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_workstation_supplied); workstation : NTLM_String(workstation_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_workstation_supplied);
}; };
@ -31,13 +33,10 @@ type NTLM_Challenge(offset: uint16) = record {
challenge : uint64; challenge : uint64;
reserved : padding[8]; reserved : padding[8];
target_info_fields : NTLM_StringData; target_info_fields : NTLM_StringData;
version_present : case flags.negotiate_version of {
true -> version : NTLM_Version;
false -> no_version : empty;
};
payload : bytestring &restofdata; payload : bytestring &restofdata;
} &let { } &let {
absolute_offset : uint16 = offsetof(payload) + offset; absolute_offset : uint16 = offsetof(payload) + offset;
version : NTLM_Version withinput payload &if(flags.negotiate_version && (absolute_offset < min(target_name_fields.offset, target_info_fields.offset)));
target_name : NTLM_String(target_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.request_target); target_name : NTLM_String(target_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.request_target);
target_info : NTLM_AV_Pair_Sequence(target_info_fields.offset - absolute_offset) withinput payload &if(flags.negotiate_target_info); target_info : NTLM_AV_Pair_Sequence(target_info_fields.offset - absolute_offset) withinput payload &if(flags.negotiate_target_info);
}; };
@ -50,10 +49,6 @@ type NTLM_Authenticate(offset: uint16) = record {
workstation_fields : NTLM_StringData; workstation_fields : NTLM_StringData;
encrypted_session_key_fields : NTLM_StringData; encrypted_session_key_fields : NTLM_StringData;
flags : NTLM_Negotiate_Flags; flags : NTLM_Negotiate_Flags;
version_present : case flags.negotiate_version of {
true -> version : NTLM_Version;
false -> no_version : empty;
};
# Windows NT, 2000, XP, and 2003 don't have the MIC field # Windows NT, 2000, XP, and 2003 don't have the MIC field
# TODO - figure out how to parse this for those that do have it # TODO - figure out how to parse this for those that do have it
@ -62,6 +57,7 @@ type NTLM_Authenticate(offset: uint16) = record {
payload : bytestring &restofdata; payload : bytestring &restofdata;
} &let { } &let {
absolute_offset : uint16 = offsetof(payload) + offset; absolute_offset : uint16 = offsetof(payload) + offset;
version : NTLM_Version withinput payload &if(flags.negotiate_version && (absolute_offset < min(min(min(domain_name_fields.offset, user_name_fields.offset), workstation_fields.offset), encrypted_session_key_fields.offset)));
domain_name : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0); domain_name : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0);
user_name : NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0); user_name : NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0);
workstation : NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0); workstation : NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0);