From dd849bc339d86b2f9b2093423c3e5cd751e997e7 Mon Sep 17 00:00:00 2001 From: nadavkluger Date: Thu, 17 Nov 2022 11:57:38 +0200 Subject: [PATCH] Added NTLM challenge and response --- scripts/base/init-bare.zeek | 4 ++++ src/analyzer/protocol/ntlm/ntlm-analyzer.pac | 10 +++++++--- src/analyzer/protocol/ntlm/ntlm-protocol.pac | 1 + 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index 58b529e819..a39af302ca 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek @@ -2871,6 +2871,8 @@ export { type NTLM::Challenge: record { ## The negotiate flags flags : NTLM::NegotiateFlags; + ## A 64-bit value that contains the NTLM challenge. + challenge : count; ## The server authentication realm. If the server is ## domain-joined, the name of the domain. Otherwise ## the server name. See flags.target_type_domain @@ -2895,6 +2897,8 @@ export { session_key : string &optional; ## The Windows version information, if supplied version : NTLM::Version &optional; + ## The client's response for the challenge + response : string &optional; }; } diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac index 3ea5d8a9bb..88d99ea446 100644 --- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac +++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac 
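Review bot: The doc comments on the two new record fields leave out what a script author needs to use the values: `challenge : count` is the 8-byte ServerChallenge packed into an integer, so the comment should state the byte order the analyzer applies (the parser's byte order is not visible in this patch — confirm), and `response` holds the raw NtChallengeResponse bytes rather than text, so the comment should say it is binary and that logging it needs an explicit encoding. Suggested wording: `## The 8-byte server challenge, as an unsigned 64-bit integer in the analyzer's byte order.` and `## The raw NtChallengeResponse bytes sent by the client (binary, not text).` Like `session_key`, the response is authentication material, and it being `&optional` while `challenge` is not matches how the analyzer hunks in this patch assign them.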
@@ -143,15 +143,16 @@ refine connection NTLM_Conn += { auto result = zeek::make_intrusive(zeek::BifType::Record::NTLM::Challenge); result->Assign(0, build_negotiate_flag_record(${val.flags})); + result->Assign(1, ${val.challenge}); if ( ${val}->has_target_name() ) - result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.target_name.string.data})); + result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.target_name.string.data})); if ( ${val}->has_version() ) - result->Assign(2, build_version_record(${val.version})); + result->Assign(3, build_version_record(${val.version})); if ( ${val}->has_target_info() ) - result->Assign(3, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})}); + result->Assign(4, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})}); zeek::BifEvent::enqueue_ntlm_challenge(zeek_analyzer(), zeek_analyzer()->Conn(), @@ -183,6 +184,9 @@ refine connection NTLM_Conn += { if ( ${val}->has_version() ) result->Assign(5, build_version_record(${val.version})); + if ( ${val}->has_response() ) + result->Assign(6, to_stringval(${val.response.string.data})); + zeek::BifEvent::enqueue_ntlm_authenticate(zeek_analyzer(), zeek_analyzer()->Conn(), std::move(result)); diff --git a/src/analyzer/protocol/ntlm/ntlm-protocol.pac b/src/analyzer/protocol/ntlm/ntlm-protocol.pac index f8784c74c7..3a687bcd95 100644 --- a/src/analyzer/protocol/ntlm/ntlm-protocol.pac +++ b/src/analyzer/protocol/ntlm/ntlm-protocol.pac 
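Review bot: `result->Assign(1, ${val.challenge})` reads a `challenge` field on the NTLM_Challenge parser type that this patch does not add in ntlm-protocol.pac, so it presumably already exists there — confirm, since this is the only place the field is consumed. The renumbering of the following Assign indices lines up with the NTLM::Challenge record in scripts/base/init-bare.zeek, but the coupling is positional and silent; a comment above the first Assign, `// Field indices follow NTLM::Challenge in scripts/base/init-bare.zeek; keep in sync.`, would catch the next insertion. In the second hunk, `Assign(6, to_stringval(...))` keeps the response as raw bytes, which is the right choice for a binary blob. Both enclosing functions start before and end after their hunks.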
@@ -58,6 +58,7 @@ type NTLM_Authenticate(offset: uint16) = record {
 } &let {
 	absolute_offset : uint16 = offsetof(payload) + offset;
 	version : NTLM_Version withinput payload &if(flags.negotiate_version && (absolute_offset < min(min(min(domain_name_fields.offset, user_name_fields.offset), workstation_fields.offset), encrypted_session_key_fields.offset)));
+	response : NTLM_String(nt_challenge_response_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(nt_challenge_response_fields.length > 0);
 	domain_name : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0);
 	user_name : NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0);
 	workstation : NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0);
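Review bot: `response` is parsed with NTLM_String and the `negotiate_unicode` flag, but the NtChallengeResponse is an opaque byte blob for which the Unicode/OEM distinction does not apply; if NTLM_String's unicode branch does anything beyond taking `length` bytes (its definition is outside this hunk), the response would be mis-parsed, and a plain bytestring-based type, or at least a comment stating the flag is irrelevant for this field, would be clearer. The `version` guard above compares `absolute_offset` against the offsets of every other payload field but not `nt_challenge_response_fields.offset`; now that the response is parsed from `payload` too, that offset should probably be folded into the `min(...)` chain for consistency. The record's header and the fields before `} &let {` are outside this hunk.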