From 832f6d34b4beb7548ef56a97b02f5f427da75f0c Mon Sep 17 00:00:00 2001
From: "John E. Rollinson"
Date: Sun, 29 Jan 2017 09:39:12 +0900
Subject: [PATCH 1/3] Add ciphertext to ticket data structures

---
 scripts/base/init-bare.bro | 2 ++
 src/analyzer/protocol/krb/krb-types.pac | 1 +
 2 files changed, 3 insertions(+)

diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index ffee527bb7..b5bf5d298d 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -3955,6 +3955,8 @@ export {
 service_name : string;
 ## Cipher the ticket was encrypted with
 cipher : count;
+ ## Cipher text of the ticket
+ ciphertext : string &optional;
 };
 
 type KRB::Ticket_Vector: vector of KRB::Ticket;
diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac
index a5b2eb1041..bb2bfba3e8 100644
--- a/src/analyzer/protocol/krb/krb-types.pac
+++ b/src/analyzer/protocol/krb/krb-types.pac
@@ -95,6 +95,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket)
 rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content()));
 rv->Assign(2, GetStringFromPrincipalName(ticket->sname()));
 rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT));
+ rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()));
 
 return rv;
 }

From 68e3f0d96ac404a2abdcc4f975b4d9ce088b0eca Mon Sep 17 00:00:00 2001
From: "John E. Rollinson"
Date: Sun, 29 Jan 2017 09:39:40 +0900
Subject: [PATCH 2/3] Ensure TGS req does not stomp out AP data

---
 scripts/base/protocols/krb/main.bro | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro
index 13200a559e..fc6abc5bff 100644
--- a/scripts/base/protocols/krb/main.bro
+++ b/scripts/base/protocols/krb/main.bro
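Review bot: The doc comment on the new `ciphertext` field should say what the string actually holds, since the analyzer change in this same patch fills it from `enc_part()->data()->ciphertext()` — the still-encrypted bytes of the ticket's enc-part, not decrypted content. A comment such as `## Raw (still encrypted) bytes of the ticket's enc-part; useful for fingerprinting a ticket, e.g. by hashing` would keep script authors from expecting cleartext. It is also worth stating why the field is `&optional` when the analyzer always assigns it — presumably so script-constructed KRB::Ticket values may omit it; confirm that and record it in the comment.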
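Review bot: `rv->Assign(4, ...)` couples this function to the positional layout of KRB::Ticket in init-bare.bro, where `ciphertext` is appended as the fifth field in the same patch, and nothing here records that pairing; a comment like `// index 4 == KRB::Ticket$ciphertext, see init-bare.bro` would warn whoever next reorders the record. The copy also hands the complete ciphertext of every ticket to script-land whether or not any script reads it, which is a per-ticket allocation worth a mention in the commit message. proc_ticket begins outside the hunk.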
@@ -164,9 +164,16 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
 return;
 local info: Info;
- info$ts = network_time();
- info$uid = c$uid;
- info$id = c$id;
+
+ if ( !c?$krb )
+ {
+ info$ts = network_time();
+ info$uid = c$uid;
+ info$id = c$id;
+ }
+ else
+ info = c$krb;
+
 info$request_type = "TGS";
 info$service = msg$service_name;
 if ( msg?$from )
 info$from = msg$from;

From 7caf5071631ce69620c462826d99e367f0140354 Mon Sep 17 00:00:00 2001
From: "John E. Rollinson"
Date: Sun, 29 Jan 2017 09:40:11 +0900
Subject: [PATCH 3/3] Add script to log ticket hashes in krb log

---
 .../policy/protocols/krb/ticket-logging.bro | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 scripts/policy/protocols/krb/ticket-logging.bro

diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.bro
new file mode 100644
index 0000000000..e254b6dc26
--- /dev/null
+++ b/scripts/policy/protocols/krb/ticket-logging.bro
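Review bot: When `c$krb` already exists, the new `else` branch carries over `ts`, `uid` and `id` from the earlier AP request, so the logged timestamp of a TGS request becomes the time of the AP message rather than of the TGS message itself; nothing in the hunk says whether that is intended. If it is, a comment on the `else` would stop a later "fix", e.g. `# Reuse the Info created for the earlier AP request so its fields (incl. ts) survive`; if it is not, `info$ts = network_time();` could be moved above the `if` so both paths stamp the TGS request. The rest of the handler, presumably including where info is stored back into c$krb, lies outside the hunk.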
@@ -0,0 +1,43 @@
+module KRB;
+
+redef record Info += {
+ ## Hash of ticket used to authorize request/transaction
+ auth_ticket: string &log &optional;
+ ## Hash of ticket returned by the KDC
+ new_ticket: string &log &optional;
+};
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
+ {
+ if ( c?$krb && c$krb$logged )
+ return;
+
+ local info: Info;
+
+ if ( !c?$krb )
+ {
+ info$ts = network_time();
+ info$uid = c$uid;
+ info$id = c$id;
+ }
+ else
+ info = c$krb;
+
+ info$request_type = "AP"; # Will be overwritten when request is a TGS
+ if ( ticket?$ciphertext )
+ info$auth_ticket = md5_hash(ticket$ciphertext);
+
+ c$krb = info;
+ }
+
+event krb_as_response(c: connection, msg: KDC_Response)
+ {
+ if ( msg$ticket?$ciphertext )
+ c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+ }
+
+event krb_tgs_response(c: connection, msg: KDC_Response)
+ {
+ if ( msg$ticket?$ciphertext )
+ c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+ }
\ No newline at end of file
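Review bot: `krb_as_response` and `krb_tgs_response` write `c$krb$new_ticket` without first checking `c?$krb`, so a response observed without its request state (a capture that begins mid-exchange, for instance) fails at runtime instead of being skipped; guard both with `if ( c?$krb && msg$ticket?$ciphertext )`. The handlers appear to depend on the base KRB handlers having already populated c$krb at a higher priority, a dependency the script never states — the file lacks the usual `##!` header describing its purpose and that ordering requirement, and it also lacks a trailing newline. The two response handlers are identical and could share one small function. `md5_hash` is adequate for correlating identical tickets within a log but is not collision-resistant; if the hashes are ever compared across sources as evidence, `sha256_hash` is the safer fingerprint.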