Merge remote-tracking branch 'origin/topic/awelzel/4275-ldap-gss-spnego-auth-miss'
* origin/topic/awelzel/4275-ldap-gss-spnego-auth-miss:
ldap: Clean up from code review
ldap: Add Sicily Authentication constants
ldap: Only switch into MS_KRB5 mode if responseToken exists
(cherry picked from commit a2a535d0c9
)
This commit is contained in:
parent
ec18da8baa
commit
ceb798b42a
11 changed files with 113 additions and 16 deletions
@ -26,6 +26,8 @@ export {
|
||||||
|
|
||||||
const BIND_SIMPLE = "bind simple";
|
const BIND_SIMPLE = "bind simple";
|
||||||
const BIND_SASL = "bind SASL";
|
const BIND_SASL = "bind SASL";
|
||||||
|
const BIND_SICILY_NEGOTIATE = "sicily_negotiate";
|
||||||
|
const BIND_SICILY_RESPONSE= "sicily_response";
|
||||||
|
|
||||||
const RESULT_CODES = { [ LDAP::ResultCode_SUCCESS ] = "success", [
|
const RESULT_CODES = { [ LDAP::ResultCode_SUCCESS ] = "success", [
|
||||||
LDAP::ResultCode_OPERATIONS_ERROR ] = "operations error", [
|
LDAP::ResultCode_OPERATIONS_ERROR ] = "operations error", [
|
||||||
|
|
|
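Review bot: The two new opcode strings `const BIND_SICILY_NEGOTIATE = "sicily_negotiate"` and `const BIND_SICILY_RESPONSE= "sicily_response"` break the convention of the neighbouring constants, which use a readable `bind ` prefix (`"bind simple"`, `"bind SASL"`). These values land in the `opcode` column of ldap.log (the new baselines show `sicily_negotiate`), so log consumers that match on the `bind ` prefix could miss Sicily binds. If the snake_case form is intentional, the missing space before `=` should still be fixed for consistency with the lines above: `const BIND_SICILY_RESPONSE = "sicily_response";`.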
@ -372,13 +372,23 @@ event LDAP::bind_request(c: connection,
|
||||||
if ( m?$opcode )
|
if ( m?$opcode )
|
||||||
Reporter::conn_weird("LDAP_bind_opcode_already_set", c, m$opcode, "LDAP");
|
Reporter::conn_weird("LDAP_bind_opcode_already_set", c, m$opcode, "LDAP");
|
||||||
|
|
||||||
if (authType == LDAP::BindAuthType_BIND_AUTH_SIMPLE) {
|
switch ( authType ) {
|
||||||
|
case LDAP::BindAuthType_BIND_AUTH_SIMPLE:
|
||||||
m$opcode = BIND_SIMPLE;
|
m$opcode = BIND_SIMPLE;
|
||||||
} else if (authType == LDAP::BindAuthType_BIND_AUTH_SASL) {
|
break;
|
||||||
|
case LDAP::BindAuthType_BIND_AUTH_SASL:
|
||||||
m$opcode = BIND_SASL;
|
m$opcode = BIND_SASL;
|
||||||
} else {
|
break;
|
||||||
|
case LDAP::BindAuthType_SICILY_NEGOTIATE:
|
||||||
|
m$opcode = BIND_SICILY_NEGOTIATE;
|
||||||
|
break;
|
||||||
|
case LDAP::BindAuthType_SICILY_RESPONSE:
|
||||||
|
m$opcode = BIND_SICILY_RESPONSE;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
Reporter::conn_weird("LDAP_unknown_auth_type", c, cat(authType), "LDAP");
|
Reporter::conn_weird("LDAP_unknown_auth_type", c, cat(authType), "LDAP");
|
||||||
m$opcode = cat(authType);
|
m$opcode = cat(authType);
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
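Review bot: The new `switch ( authType )` has no case for `LDAP::BindAuthType_SICILY_PACKAGE_DISCOVERY`, which this same commit adds to the `BindAuthType` enum (value 9) in the Spicy grammar, so a package-discovery bind falls through to `default`, is reported as `LDAP_unknown_auth_type` and gets `cat(authType)` as its opcode even though the parser now knows the value. Either add a case that assigns a dedicated opcode constant next to `BIND_SICILY_NEGOTIATE`/`BIND_SICILY_RESPONSE`, or, if package discovery is deliberately left out, say so above `default:`, e.g. `# SICILY_PACKAGE_DISCOVERY intentionally falls into the default branch`. The same gap exists in the Spicy `BindRequest` switch further down, whose `* -> : void;` arm consumes it silently. The enclosing `event LDAP::bind_request` handler starts before this hunk.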
@ -365,6 +365,12 @@ public type Message = unit(ctx: Ctx&) {
|
||||||
public type BindAuthType = enum {
|
public type BindAuthType = enum {
|
||||||
BIND_AUTH_SIMPLE = 0,
|
BIND_AUTH_SIMPLE = 0,
|
||||||
BIND_AUTH_SASL = 3,
|
BIND_AUTH_SASL = 3,
|
||||||
|
|
||||||
|
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8b9dbfb2-5b6a-497a-a533-7e709cb9a982
|
||||||
|
# 5.1.1.1.3 Sicily Authentication
|
||||||
|
SICILY_PACKAGE_DISCOVERY = 9,
|
||||||
|
SICILY_NEGOTIATE = 10,
|
||||||
|
SICILY_RESPONSE = 11,
|
||||||
};
|
};
|
||||||
|
|
||||||
type GSS_SPNEGO_negTokenInit = unit {
|
type GSS_SPNEGO_negTokenInit = unit {
|
||||||
|
@ -410,6 +416,13 @@ type SaslCredentials = unit() {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
type SicilyMessage = unit() {
|
||||||
|
# Just ensure the signature matches. We could do more,
|
||||||
|
# but it'd be better to forward to an NTLM analyzer.
|
||||||
|
signature: skip b"NTLMSSP";
|
||||||
|
var signature_decoded: string = "NTLMSSP";
|
||||||
|
};
|
||||||
|
|
||||||
type GSS_SPNEGO_Subsequent = unit {
|
type GSS_SPNEGO_Subsequent = unit {
|
||||||
switch {
|
switch {
|
||||||
-> spnegoChoiceByte: uint8(0xa1);
|
-> spnegoChoiceByte: uint8(0xa1);
|
||||||
|
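Review bot: `signature: skip b"NTLMSSP";` hard-matches the literal, and if I read Spicy's literal matching correctly a Sicily negotiate/response whose credentials start with anything else raises a parse error inside `BindRequest` rather than a weird, which may abort parsing for the whole connection and lose visibility of everything after one malformed bind. Consider reading a bounded prefix into a `bytes` field and comparing it in a hook, setting `signature_decoded` only on a match, so a mismatch is observable instead of fatal. Note also that the NTLM signature is eight bytes including a terminating NUL (`NTLMSSP\0`); matching seven is presumably fine because this unit parses from its own buffer via `&parse-from`, but that deserves a comment such as `# The NTLM signature is "NTLMSSP\0"; the trailing NUL is deliberately not consumed.`. Finally, `var signature_decoded: string = "NTLMSSP";` duplicates the literal; deriving it from the matched bytes would keep the two from drifting apart.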
@ -423,6 +436,7 @@ type GSS_SPNEGO_Subsequent = unit {
|
||||||
type GSS_SPNEGO_negTokenResp = unit {
|
type GSS_SPNEGO_negTokenResp = unit {
|
||||||
var accepted: bool;
|
var accepted: bool;
|
||||||
var supportedMech: ASN1::ASN1Message;
|
var supportedMech: ASN1::ASN1Message;
|
||||||
|
var responseToken: optional<bytes>;
|
||||||
|
|
||||||
# Parse the contained Sequence.
|
# Parse the contained Sequence.
|
||||||
seq: ASN1::ASN1Message(True) {
|
seq: ASN1::ASN1Message(True) {
|
||||||
|
@ -433,7 +447,7 @@ type GSS_SPNEGO_negTokenResp = unit {
|
||||||
} else if ( msg.application_id == 1 ) {
|
} else if ( msg.application_id == 1 ) {
|
||||||
self.supportedMech = msg;
|
self.supportedMech = msg;
|
||||||
} else if ( msg.application_id == 2 ) {
|
} else if ( msg.application_id == 2 ) {
|
||||||
# ignore responseToken
|
self.responseToken = msg.application_data;
|
||||||
} else if ( msg.application_id == 3 ) {
|
} else if ( msg.application_id == 3 ) {
|
||||||
# ignore mechListMec
|
# ignore mechListMec
|
||||||
} else {
|
} else {
|
||||||
|
@ -468,18 +482,30 @@ type BindRequest = unit(inout message: Message, ctx: Ctx&) {
|
||||||
self.authType = cast<BindAuthType>(cast<uint8>($$.application_id));
|
self.authType = cast<BindAuthType>(cast<uint8>($$.application_id));
|
||||||
self.authData = $$.application_data;
|
self.authData = $$.application_data;
|
||||||
}
|
}
|
||||||
if ((self.authType == BindAuthType::BIND_AUTH_SIMPLE) && (|self.authData| > 0)) {
|
|
||||||
self.simpleCreds = self.authData.decode();
|
|
||||||
if (|self.simpleCreds| > 0) {
|
|
||||||
message.arg = self.simpleCreds;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
saslCreds: SaslCredentials() &parse-from=self.authData if ((self.authType == BindAuthType::BIND_AUTH_SASL) &&
|
|
||||||
(|self.authData| > 0)) {
|
|
||||||
message.arg = self.saslCreds.mechanism;
|
|
||||||
ctx.saslMechanism = self.saslCreds.mechanism;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( |self.authData| > 0 ) {
|
||||||
|
switch ( self.authType ) {
|
||||||
|
BindAuthType::BIND_AUTH_SIMPLE ->
|
||||||
|
: void {
|
||||||
|
self.simpleCreds = self.authData.decode();
|
||||||
|
message.arg = self.simpleCreds;
|
||||||
|
}
|
||||||
|
|
||||||
|
BindAuthType::BIND_AUTH_SASL ->
|
||||||
|
saslCreds: SaslCredentials {
|
||||||
|
message.arg = self.saslCreds.mechanism;
|
||||||
|
ctx.saslMechanism = self.saslCreds.mechanism;
|
||||||
|
}
|
||||||
|
|
||||||
|
BindAuthType::SICILY_NEGOTIATE, BindAuthType::SICILY_RESPONSE ->
|
||||||
|
sicilyMessage: SicilyMessage {
|
||||||
|
message.arg = self.sicilyMessage.signature_decoded;
|
||||||
|
}
|
||||||
|
|
||||||
|
* -> : void;
|
||||||
|
} &parse-from=self.authData;
|
||||||
|
};
|
||||||
} &requires=(self?.authType && (self.authType != BindAuthType::Undef));
|
} &requires=(self?.authType && (self.authType != BindAuthType::Undef));
|
||||||
|
|
||||||
type ServerSaslCreds = unit {
|
type ServerSaslCreds = unit {
|
||||||
|
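Review bot: The `* -> : void;` arm at the end of the new `switch ( self.authType )` silently consumes every other auth type, including `SICILY_PACKAGE_DISCOVERY` which this commit adds to `BindAuthType`, and without a comment a reader cannot tell whether that is deliberate; please add one above it, e.g. `# Remaining auth types (including SICILY_PACKAGE_DISCOVERY) are consumed without interpretation.`. A smaller behavioural change also went in unmentioned: the removed code set `message.arg` only when `|self.simpleCreds| > 0`, whereas the new `BIND_AUTH_SIMPLE` arm assigns it unconditionally, which is equivalent only if `decode()` of non-empty bytes never yields an empty string — worth confirming against the decode error strategy in use. The enclosing `type BindRequest` unit starts before this hunk.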
@ -523,7 +549,7 @@ type BindResponse = unit(inout message: Message, ctx: Ctx&) {
|
||||||
if ( $$?.negTokenResp ) {
|
if ( $$?.negTokenResp ) {
|
||||||
local token = $$.negTokenResp;
|
local token = $$.negTokenResp;
|
||||||
if ( token.accepted && token?.supportedMechOid ) {
|
if ( token.accepted && token?.supportedMechOid ) {
|
||||||
if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 ) {
|
if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 && token.responseToken ) {
|
||||||
ctx.messageMode = MessageMode::MS_KRB5;
|
ctx.messageMode = MessageMode::MS_KRB5;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
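Review bot: On the changed condition `token.supportedMechOid == GSSAPI_MECH_MS_KRB5 && token.responseToken`, the second operand only tests that the optional was set, so a negTokenResp carrying an application_id 2 element with zero-length data still switches the context into `MessageMode::MS_KRB5`; if the intent is that a Kerberos token was actually returned, also checking the length (`&& |*token.responseToken| > 0`, assuming Spicy's `*` dereference on `optional<bytes>`) would be tighter. Independently, the reason for gating the mode switch is the fix the commit title describes and deserves a comment above the `if`, e.g. `# Only enter MS_KRB5 mode once the server actually returned a responseToken (#4275).`. The enclosing `BindResponse` unit starts before this hunk.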
@ -0,0 +1,11 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path ldap
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
|
||||||
|
#types time string addr port addr port int int string string string string string
|
||||||
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.226.131 54544 192.168.226.136 389 1440128865 3 bind SASL success - User1 GSS-SPNEGO
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,11 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path ldap_search
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
|
||||||
|
#types time string addr port addr port int string string string count string string string vector[string]
|
||||||
|
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.226.131 54544 192.168.226.136 389 1319382063 tree never dc=ADHACKING,dc=LOCAL 3 success - (&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) -
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,12 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path ldap
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id version opcode result diagnostic_message object argument
|
||||||
|
#types time string addr port addr port int int string string string string string
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 173945320 3 sicily_negotiate success - User1 NTLMSSP
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1489001992 3 sicily_response success - User1 NTLMSSP
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -0,0 +1,11 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path ldap_search
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p message_id scope deref_aliases base_object result_count result diagnostic_message filter attributes
|
||||||
|
#types time string addr port addr port int string string string count string string string vector[string]
|
||||||
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.226.131 37618 192.168.226.136 389 1673297393 tree never dc=ADHACKING,dc=LOCAL 3 success - (&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))) -
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
|
@ -32,3 +32,6 @@ Trace Index/Sources:
|
||||||
- quic/merlinc2_Zeek_example.pcapng
|
- quic/merlinc2_Zeek_example.pcapng
|
||||||
Provided by Faan Rossouw on #4198
|
Provided by Faan Rossouw on #4198
|
||||||
https://github.com/zeek/zeek/issues/4198
|
https://github.com/zeek/zeek/issues/4198
|
||||||
|
- ldap/adduser1.pcap ldap/adduser1-ntlm.pcap
|
||||||
|
Provided by Mohan-Dhawan on #4275
|
||||||
|
https://github.com/zeek/zeek/issues/4275
|
||||||
|
|
BIN
testing/btest/Traces/ldap/aduser1-ntlm.pcap
Normal file
BIN
testing/btest/Traces/ldap/aduser1-ntlm.pcap
Normal file
Binary file not shown.
BIN
testing/btest/Traces/ldap/aduser1.pcap
Normal file
BIN
testing/btest/Traces/ldap/aduser1.pcap
Normal file
Binary file not shown.
11
testing/btest/scripts/base/protocols/ldap/aduser1.zeek
Normal file
11
testing/btest/scripts/base/protocols/ldap/aduser1.zeek
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
# @TEST-REQUIRES: have-spicy
|
||||||
|
# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1.pcap %INPUT
|
||||||
|
# @TEST-EXEC: mkdir krb && mv *.log krb
|
||||||
|
# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1-ntlm.pcap %INPUT
|
||||||
|
# @TEST-EXEC: mkdir ntlm && mv *.log ntlm
|
||||||
|
# @TEST-EXEC: btest-diff krb/ldap.log
|
||||||
|
# @TEST-EXEC: btest-diff krb/ldap_search.log
|
||||||
|
# @TEST-EXEC: btest-diff ntlm/ldap.log
|
||||||
|
# @TEST-EXEC: btest-diff ntlm/ldap_search.log
|
||||||
|
#
|
||||||
|
# @TEST-DOC: Check two traces using different authentication mechanisms, but the same search request.
|
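Review bot: The traces this test runs, `${TRACES}/ldap/aduser1.pcap` and `${TRACES}/ldap/aduser1-ntlm.pcap`, match the binary files added by the commit (`testing/btest/Traces/ldap/aduser1.pcap`, `aduser1-ntlm.pcap`) but not the Traces README entry added in the same commit, which lists `ldap/adduser1.pcap ldap/adduser1-ntlm.pcap`; one of the two spellings should be corrected so the README can actually be used to locate the files. The `@TEST-DOC` line could also name the two mechanisms the baselines show (GSS-SPNEGO for `krb`, Sicily/NTLM for `ntlm`), e.g. `# @TEST-DOC: Check two traces (GSS-SPNEGO and Sicily/NTLM bind) using different authentication mechanisms, but the same search request.`.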