Added NTLM challenge and response

This commit is contained in:
nadavkluger 2022-11-17 11:57:38 +02:00
parent 53394bca0c
commit dd849bc339
3 changed files with 12 additions and 3 deletions


@ -2871,6 +2871,8 @@ export {
type NTLM::Challenge: record { type NTLM::Challenge: record {
## The negotiate flags ## The negotiate flags
flags : NTLM::NegotiateFlags; flags : NTLM::NegotiateFlags;
## A 64-bit value that contains the NTLM challenge.
challenge : count;
## The server authentication realm. If the server is ## The server authentication realm. If the server is
## domain-joined, the name of the domain. Otherwise ## domain-joined, the name of the domain. Otherwise
## the server name. See flags.target_type_domain ## the server name. See flags.target_type_domain
@ -2895,6 +2897,8 @@ export {
session_key : string &optional; session_key : string &optional;
## The Windows version information, if supplied ## The Windows version information, if supplied
version : NTLM::Version &optional; version : NTLM::Version &optional;
## The client's response for the challenge
response : string &optional;
}; };
} }
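Review bot: The doc on `response : string &optional;` is too loose for a field that carries credential-derived material; the analyzer side of this commit fills it from `nt_challenge_response_fields`, so the comment should name the value, e.g. `## The client's NT challenge response (NtChallengeResponse) as raw bytes. Derived from the user's credential, so scripts that log it may want to hash or truncate it.` Likewise `challenge : count;` could say whose value it is: `## The 64-bit server challenge (ServerChallenge) sent to the client.` Inserting `challenge` ahead of `target_name` also shifts the positional index of the three fields after it; the analyzer hunk in this commit follows the new indices, but any other code assigning Challenge fields by position would need the same update.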


@ -143,15 +143,16 @@ refine connection NTLM_Conn += {
auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::Challenge); auto result = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::NTLM::Challenge);
result->Assign(0, build_negotiate_flag_record(${val.flags})); result->Assign(0, build_negotiate_flag_record(${val.flags}));
result->Assign(1, ${val.challenge});
if ( ${val}->has_target_name() ) if ( ${val}->has_target_name() )
result->Assign(1, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.target_name.string.data})); result->Assign(2, utf16_to_utf8_val(zeek_analyzer()->Conn(), ${val.target_name.string.data}));
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(2, build_version_record(${val.version})); result->Assign(3, build_version_record(${val.version}));
if ( ${val}->has_target_info() ) if ( ${val}->has_target_info() )
result->Assign(3, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})}); result->Assign(4, {zeek::AdoptRef{}, build_av_record(${val.target_info}, ${val.target_info_fields.length})});
zeek::BifEvent::enqueue_ntlm_challenge(zeek_analyzer(), zeek::BifEvent::enqueue_ntlm_challenge(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),
@ -183,6 +184,9 @@ refine connection NTLM_Conn += {
if ( ${val}->has_version() ) if ( ${val}->has_version() )
result->Assign(5, build_version_record(${val.version})); result->Assign(5, build_version_record(${val.version}));
if ( ${val}->has_response() )
result->Assign(6, to_stringval(${val.response.string.data}));
zeek::BifEvent::enqueue_ntlm_authenticate(zeek_analyzer(), zeek::BifEvent::enqueue_ntlm_authenticate(zeek_analyzer(),
zeek_analyzer()->Conn(), zeek_analyzer()->Conn(),
std::move(result)); std::move(result));
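Review bot: `result->Assign(6, to_stringval(${val.response.string.data}));` deliberately skips the `utf16_to_utf8_val` conversion that the other NTLM_String-backed fields in this file go through, but nothing says so, and a later "consistency fix" would corrupt the value. Add a comment above that line: `// NtChallengeResponse is opaque binary data, not a UTF-16 string; keep the raw bytes.` The indices 1–4 in the challenge hunk match the new field order of the Challenge record, so that part is consistent. Both hunks sit inside functions whose definitions start outside the hunk.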


@ -58,6 +58,7 @@ type NTLM_Authenticate(offset: uint16) = record {
} &let { } &let {
absolute_offset : uint16 = offsetof(payload) + offset; absolute_offset : uint16 = offsetof(payload) + offset;
version : NTLM_Version withinput payload &if(flags.negotiate_version && (absolute_offset < min(min(min(domain_name_fields.offset, user_name_fields.offset), workstation_fields.offset), encrypted_session_key_fields.offset))); version : NTLM_Version withinput payload &if(flags.negotiate_version && (absolute_offset < min(min(min(domain_name_fields.offset, user_name_fields.offset), workstation_fields.offset), encrypted_session_key_fields.offset)));
response : NTLM_String(nt_challenge_response_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(nt_challenge_response_fields.length > 0);
domain_name : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0); domain_name : NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0);
user_name : NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0); user_name : NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0);
workstation : NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0); workstation : NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0);
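Review bot: The new `response` field breaks the naming pattern of its siblings, which are each named after their `_fields` descriptor (`domain_name`/`domain_name_fields`, `user_name`/`user_name_fields`), and `response` alone does not say which of NTLM's two challenge responses it holds. Consider `nt_challenge_response : NTLM_String(nt_challenge_response_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(nt_challenge_response_fields.length > 0);` with the matching `has_nt_challenge_response()` / `${val.nt_challenge_response.string.data}` on the analyzer side, or at least a comment `# NtChallengeResponse: opaque bytes, parsed via NTLM_String only for its offset/length handling`. Passing `flags.negotiate_unicode` for a binary blob is harmless only if NTLM_String does not re-encode its body; its definition is outside this hunk, so worth confirming. The enclosing `NTLM_Authenticate` record starts before this hunk.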