Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 11:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Whitespace cleanup to the NTLM SSP file.

Browse source
This commit is contained in:
Seth Hall 2016-03-08 11:30:58 -05:00
parent 90559a3372
commit e8064ff189
1 changed files with 156 additions and 151 deletions
Download patch file Download diff file Expand all files Collapse all files

307
src/analyzer/protocol/smb/smb-ntlmssp.pac
View file

@ -2,32 +2,32 @@ refine connection SMB_Conn += {
function build_negotiate_flag_record(val: SMB_NTLM_Negotiate_Flags): BroVal
%{
RecordVal* flags = new RecordVal(BifType::Record::SMB::NTLMNegotiateFlags);
flags->Assign(0, new Val(${val.negotiate_56}, TYPE_BOOL));
flags->Assign(1, new Val(${val.negotiate_key_exch}, TYPE_BOOL));
flags->Assign(2, new Val(${val.negotiate_128}, TYPE_BOOL));
flags->Assign(3, new Val(${val.negotiate_version}, TYPE_BOOL));
flags->Assign(4, new Val(${val.negotiate_target_info}, TYPE_BOOL));
flags->Assign(0, new Val(${val.negotiate_56}, TYPE_BOOL));
flags->Assign(1, new Val(${val.negotiate_key_exch}, TYPE_BOOL));
flags->Assign(2, new Val(${val.negotiate_128}, TYPE_BOOL));
flags->Assign(3, new Val(${val.negotiate_version}, TYPE_BOOL));
flags->Assign(4, new Val(${val.negotiate_target_info}, TYPE_BOOL));
flags->Assign(5, new Val(${val.request_non_nt_session_key}, TYPE_BOOL));
flags->Assign(6, new Val(${val.negotiate_identify}, TYPE_BOOL));
flags->Assign(7, new Val(${val.negotiate_extended_sessionsecurity}, TYPE_BOOL));
flags->Assign(8, new Val(${val.target_type_server}, TYPE_BOOL));
flags->Assign(9, new Val(${val.target_type_domain}, TYPE_BOOL));
flags->Assign(5, new Val(${val.request_non_nt_session_key}, TYPE_BOOL));
flags->Assign(6, new Val(${val.negotiate_identify}, TYPE_BOOL));
flags->Assign(7, new Val(${val.negotiate_extended_sessionsecurity}, TYPE_BOOL));
flags->Assign(8, new Val(${val.target_type_server}, TYPE_BOOL));
flags->Assign(9, new Val(${val.target_type_domain}, TYPE_BOOL));
flags->Assign(10, new Val(${val.negotiate_always_sign}, TYPE_BOOL));
flags->Assign(11, new Val(${val.negotiate_oem_workstation_supplied}, TYPE_BOOL));
flags->Assign(12, new Val(${val.negotiate_oem_domain_supplied}, TYPE_BOOL));
flags->Assign(13, new Val(${val.negotiate_anonymous_connection}, TYPE_BOOL));
flags->Assign(14, new Val(${val.negotiate_ntlm}, TYPE_BOOL));
flags->Assign(10, new Val(${val.negotiate_always_sign}, TYPE_BOOL));
flags->Assign(11, new Val(${val.negotiate_oem_workstation_supplied}, TYPE_BOOL));
flags->Assign(12, new Val(${val.negotiate_oem_domain_supplied}, TYPE_BOOL));
flags->Assign(13, new Val(${val.negotiate_anonymous_connection}, TYPE_BOOL));
flags->Assign(14, new Val(${val.negotiate_ntlm}, TYPE_BOOL));
flags->Assign(15, new Val(${val.negotiate_lm_key}, TYPE_BOOL));
flags->Assign(16, new Val(${val.negotiate_datagram}, TYPE_BOOL));
flags->Assign(17, new Val(${val.negotiate_seal}, TYPE_BOOL));
flags->Assign(18, new Val(${val.negotiate_sign}, TYPE_BOOL));
flags->Assign(19, new Val(${val.request_target}, TYPE_BOOL));
flags->Assign(15, new Val(${val.negotiate_lm_key}, TYPE_BOOL));
flags->Assign(16, new Val(${val.negotiate_datagram}, TYPE_BOOL));
flags->Assign(17, new Val(${val.negotiate_seal}, TYPE_BOOL));
flags->Assign(18, new Val(${val.negotiate_sign}, TYPE_BOOL));
flags->Assign(19, new Val(${val.request_target}, TYPE_BOOL));
flags->Assign(20, new Val(${val.negotiate_oem}, TYPE_BOOL));
flags->Assign(21, new Val(${val.negotiate_unicode}, TYPE_BOOL));
flags->Assign(20, new Val(${val.negotiate_oem}, TYPE_BOOL));
flags->Assign(21, new Val(${val.negotiate_unicode}, TYPE_BOOL));
return flags;
%}
@ -37,7 +37,7 @@ refine connection SMB_Conn += {
RecordVal* result = new RecordVal(BifType::Record::SMB::NTLMVersion);
result->Assign(0, new Val(${val.major_version}, TYPE_COUNT));
result->Assign(1, new Val(${val.minor_version}, TYPE_COUNT));
result->Assign(2, new Val(${val.build_number}, TYPE_COUNT));
result->Assign(2, new Val(${val.build_number}, TYPE_COUNT));
result->Assign(3, new Val(${val.ntlm_revision}, TYPE_COUNT));
return result;
@ -46,8 +46,10 @@ refine connection SMB_Conn += {
function build_av_record(val: SMB_NTLM_AV_Pair_Sequence): BroVal
%{
RecordVal* result = new RecordVal(BifType::Record::SMB::NTLMAVs);
for ( uint i = 0; ${val.pairs[i].id} != 0; i++ ) {
switch ( ${val.pairs[i].id} ) {
for ( uint i = 0; ${val.pairs[i].id} != 0; i++ )
{
switch ( ${val.pairs[i].id} )
{
case 1:
result->Assign(0, uint8s_to_stringval(${val.pairs[i].nb_computer_name.data}));
break;
@ -75,8 +77,8 @@ refine connection SMB_Conn += {
case 9:
result->Assign(8, uint8s_to_stringval(${val.pairs[i].target_name.data}));
break;
}
}
}
return result;
%}
@ -84,13 +86,14 @@ refine connection SMB_Conn += {
%{
if ( ${val.gssapi.is_init} )
return true;
for ( uint i = 0; i < ${val.gssapi.resp.args}->size(); ++i )
{
switch ( ${val.gssapi.resp.args[i].seq_meta.index} )
{
case 0:
if ( ${val.gssapi.resp.args[i].args.neg_state} == 0 )
BifEvent::generate_smb_ntlm_accepted(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header));
BifEvent::generate_smb_ntlm_accepted(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header));
break;
default:
break;
@ -158,137 +161,139 @@ refine connection SMB_Conn += {
return true;
%}
};
type GSSAPI_NEG_TOKEN(header: SMB_Header) = record {
wrapper : ASN1EncodingMeta;
have_oid : case is_init of {
true -> oid: ASN1Encoding;
false -> no_oid: empty;
wrapper : ASN1EncodingMeta;
have_oid : case is_init of {
true -> oid : ASN1Encoding;
false -> no_oid : empty;
};
have_init_wrapper: case is_init of {
true -> init_wrapper: ASN1EncodingMeta;
false -> no_init_wrapper: empty;
have_init_wrapper : case is_init of {
true -> init_wrapper : ASN1EncodingMeta;
false -> no_init_wrapper : empty;
};
msg_type : case is_init of {
msg_type : case is_init of {
true -> init: GSSAPI_NEG_TOKEN_INIT(header);
false -> resp: GSSAPI_NEG_TOKEN_RESP(header);
};
} &let {
is_init: bool = wrapper.tag == 0x60;
is_init: bool = (wrapper.tag == 0x60);
};
type GSSAPI_NEG_TOKEN_INIT(header: SMB_Header) = record {
seq_meta: ASN1EncodingMeta;
args : GSSAPI_NEG_TOKEN_INIT_Arg(header)[];
seq_meta : ASN1EncodingMeta;
args : GSSAPI_NEG_TOKEN_INIT_Arg(header)[];
};
type GSSAPI_NEG_TOKEN_INIT_Arg(header: SMB_Header) = record {
seq_meta: ASN1EncodingMeta;
args : GSSAPI_NEG_TOKEN_INIT_Arg_Data(header, seq_meta.index) &length=seq_meta.length;
seq_meta : ASN1EncodingMeta;
args : GSSAPI_NEG_TOKEN_INIT_Arg_Data(header, seq_meta.index) &length=seq_meta.length;
};
type GSSAPI_NEG_TOKEN_INIT_Arg_Data(header: SMB_Header, index: uint8) = case index of {
0 -> mech_type_list : ASN1Encoding;
1 -> req_flags : ASN1Encoding;
2 -> mech_token : SMB_NTLM_SSP_Token(header);
3 -> mech_list_mic : ASN1OctetString;
1 -> req_flags : ASN1Encoding;
2 -> mech_token : SMB_NTLM_SSP_Token(header);
3 -> mech_list_mic : ASN1OctetString;
};
type GSSAPI_NEG_TOKEN_RESP(header: SMB_Header) = record {
seq_meta: ASN1EncodingMeta;
args : GSSAPI_NEG_TOKEN_RESP_Arg(header)[];
seq_meta : ASN1EncodingMeta;
args : GSSAPI_NEG_TOKEN_RESP_Arg(header)[];
};
type GSSAPI_NEG_TOKEN_RESP_Arg(header: SMB_Header) = record {
seq_meta: ASN1EncodingMeta;
args : GSSAPI_NEG_TOKEN_RESP_Arg_Data(header, seq_meta.index) &length=seq_meta.length;
seq_meta : ASN1EncodingMeta;
args : GSSAPI_NEG_TOKEN_RESP_Arg_Data(header, seq_meta.index) &length=seq_meta.length;
};
type GSSAPI_NEG_TOKEN_RESP_Arg_Data(header: SMB_Header, index: uint8) = case index of {
0 -> neg_state : ASN1Integer;
1 -> supported_mech : ASN1Encoding;
2 -> response_token : SMB_NTLM_SSP_Token(header);
3 -> mech_list_mic : ASN1OctetString;
0 -> neg_state : ASN1Integer;
1 -> supported_mech : ASN1Encoding;
2 -> response_token : SMB_NTLM_SSP_Token(header);
3 -> mech_list_mic : ASN1OctetString;
};
type SMB_NTLM_SSP(header: SMB_Header) = record {
gssapi: GSSAPI_NEG_TOKEN(header);
} &let {
proc: bool = $context.connection.proc_smb_ntlm_ssp(header, this);
proc: bool = $context.connection.proc_smb_ntlm_ssp(header, this);
};
type SMB_NTLM_SSP_Token(header: SMB_Header) = record {
meta : ASN1EncodingMeta;
signature : bytestring &length=8;
msg_type : uint32;
msg : case msg_type of {
1 -> negotiate : SMB_NTLM_Negotiate(header, offsetof(msg) - offsetof(signature));
2 -> challenge : SMB_NTLM_Challenge(header, offsetof(msg) - offsetof(signature));
3 -> authenticate : SMB_NTLM_Authenticate(header, offsetof(msg) - offsetof(signature));
};
meta : ASN1EncodingMeta;
signature : bytestring &length=8;
msg_type : uint32;
msg : case msg_type of {
1 -> negotiate : SMB_NTLM_Negotiate(header, offsetof(msg) - offsetof(signature));
2 -> challenge : SMB_NTLM_Challenge(header, offsetof(msg) - offsetof(signature));
3 -> authenticate : SMB_NTLM_Authenticate(header, offsetof(msg) - offsetof(signature));
};
};
type SMB_NTLM_Negotiate(header: SMB_Header, offset: uint16) = record {
flags : SMB_NTLM_Negotiate_Flags;
domain_name_fields : SMB_NTLM_StringData;
workstation_fields : SMB_NTLM_StringData;
version_present : case flags.negotiate_version of {
true -> version : SMB_NTLM_Version;
false -> no_version : empty;
flags : SMB_NTLM_Negotiate_Flags;
domain_name_fields : SMB_NTLM_StringData;
workstation_fields : SMB_NTLM_StringData;
version_present : case flags.negotiate_version of {
true -> version : SMB_NTLM_Version;
false -> no_version : empty;
};
payload : bytestring &restofdata;
payload : bytestring &restofdata;
} &let {
absolute_offset : uint16 = offsetof(payload) + offset;
domain_name : SMB_NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_domain_supplied);
workstation : SMB_NTLM_String(workstation_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_workstation_supplied);
proc : bool = $context.connection.proc_smb_ntlm_negotiate(header, this);
absolute_offset : uint16 = offsetof(payload) + offset;
domain_name : SMB_NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_domain_supplied);
workstation : SMB_NTLM_String(workstation_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_oem_workstation_supplied);
proc : bool = $context.connection.proc_smb_ntlm_negotiate(header, this);
};
type SMB_NTLM_Challenge(header: SMB_Header, offset: uint16) = record {
target_name_fields : SMB_NTLM_StringData;
flags : SMB_NTLM_Negotiate_Flags;
challenge : uint64;
reserved : padding[8];
target_info_fields : SMB_NTLM_StringData;
version_present : case flags.negotiate_version of {
true -> version : SMB_NTLM_Version;
false -> no_version : empty;
target_name_fields : SMB_NTLM_StringData;
flags : SMB_NTLM_Negotiate_Flags;
challenge : uint64;
reserved : padding[8];
target_info_fields : SMB_NTLM_StringData;
version_present : case flags.negotiate_version of {
true -> version : SMB_NTLM_Version;
false -> no_version : empty;
};
payload : bytestring &restofdata;
payload : bytestring &restofdata;
} &let {
absolute_offset : uint16 = offsetof(payload) + offset;
target_name : SMB_NTLM_String(target_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.request_target);
target_info : SMB_NTLM_AV_Pair_Sequence(target_info_fields.offset - absolute_offset) withinput payload &if(flags.negotiate_target_info);
proc : bool = $context.connection.proc_smb_ntlm_challenge(header, this);
absolute_offset : uint16 = offsetof(payload) + offset;
target_name : SMB_NTLM_String(target_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.request_target);
target_info : SMB_NTLM_AV_Pair_Sequence(target_info_fields.offset - absolute_offset) withinput payload &if(flags.negotiate_target_info);
proc : bool = $context.connection.proc_smb_ntlm_challenge(header, this);
};
type SMB_NTLM_Authenticate(header: SMB_Header, offset: uint16) = record {
lm_challenge_response_fields: SMB_NTLM_StringData;
nt_challenge_response_fields: SMB_NTLM_StringData;
domain_name_fields : SMB_NTLM_StringData;
user_name_fields : SMB_NTLM_StringData;
workstation_fields : SMB_NTLM_StringData;
encrypted_session_key_fields: SMB_NTLM_StringData;
flags : SMB_NTLM_Negotiate_Flags;
version_present : case flags.negotiate_version of {
true -> version : SMB_NTLM_Version;
false -> no_version : empty;
lm_challenge_response_fields : SMB_NTLM_StringData;
nt_challenge_response_fields : SMB_NTLM_StringData;
domain_name_fields : SMB_NTLM_StringData;
user_name_fields : SMB_NTLM_StringData;
workstation_fields : SMB_NTLM_StringData;
encrypted_session_key_fields : SMB_NTLM_StringData;
flags : SMB_NTLM_Negotiate_Flags;
version_present : case flags.negotiate_version of {
true -> version : SMB_NTLM_Version;
false -> no_version : empty;
};
# Windows NT, 2000, XP, and 2003 don't have the MIC field
# TODO - figure out how to parse this for those that do have it
# mic : bytestring &length=16;
# mic : bytestring &length=16;
payload : bytestring &restofdata;
payload : bytestring &restofdata;
} &let {
absolute_offset : uint16 = offsetof(payload) + offset;
domain_name : SMB_NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0);
user_name : SMB_NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0);
workstation : SMB_NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0);
encrypted_session_key : SMB_NTLM_String(encrypted_session_key_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_key_exch);
proc : bool = $context.connection.proc_smb_ntlm_authenticate(header, this);
absolute_offset : uint16 = offsetof(payload) + offset;
domain_name : SMB_NTLM_String(domain_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(domain_name_fields.length > 0);
user_name : SMB_NTLM_String(user_name_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(user_name_fields.length > 0);
workstation : SMB_NTLM_String(workstation_fields, absolute_offset , flags.negotiate_unicode) withinput payload &if(workstation_fields.length > 0);
encrypted_session_key : SMB_NTLM_String(encrypted_session_key_fields, absolute_offset, flags.negotiate_unicode) withinput payload &if(flags.negotiate_key_exch);
proc : bool = $context.connection.proc_smb_ntlm_authenticate(header, this);
};
type SMB_NTLM_Version = record {
@ -302,7 +307,7 @@ type SMB_NTLM_Version = record {
type SMB_NTLM_StringData = record {
length : uint16;
max_length : uint16;
offset : uint32;
offset : uint32;
};
type SMB_Fixed_Length_String(unicode: bool) = record {
@ -310,13 +315,13 @@ type SMB_Fixed_Length_String(unicode: bool) = record {
};
type SMB_NTLM_String(fields: SMB_NTLM_StringData, offset: uint16, unicode: bool) = record {
: padding to fields.offset - offset;
string: SMB_Fixed_Length_String(unicode) &length=fields.length;
pad1 : padding to fields.offset - offset;
string : SMB_Fixed_Length_String(unicode) &length=fields.length;
};
type SMB_NTLM_AV_Pair_Sequence(offset: uint16) = record {
: padding to offset;
pairs: SMB_NTLM_AV_Pair[] &until ($element.last);
pad1 : padding to offset;
pairs : SMB_NTLM_AV_Pair[] &until($element.last);
};
type SMB_NTLM_AV_Pair = record {
@ -344,14 +349,14 @@ type SMB_NTLM_AV_Pair = record {
};
type SMB_NTLM_Single_Host = record {
size : uint32;
padpad : padding[4];
data_present: uint32;
optional : case custom_data_present of {
size : uint32;
padpad : padding[4];
data_present : uint32;
optional : case custom_data_present of {
true -> custom_data : bytestring &length=4;
false -> nothing : empty;
};
machine_id : uint32;
machine_id : uint32;
} &let {
custom_data_present: bool = (data_present & 0x00000001) > 0;
};
@ -360,64 +365,64 @@ type SMB_LM_Response(offset: uint16) = record {
# This can be either LM (24 byte response) or
# LMv2 (16 byte response + 8 byte client challenge. No way to
# know for sure.
padpad : padding to offset;
response: bytestring &length=24;
padpad : padding to offset;
response : bytestring &length=24;
};
type SMB_NTLM_Response(offset: uint16) = record {
padpad : padding to offset;
response: bytestring &length=24;
padpad : padding to offset;
response : bytestring &length=24;
};
type SMB_NTLMv2_Response(flags: SMB_NTLM_Negotiate_Flags, offset: uint16) = record {
padpad : padding to offset;
response : bytestring &length=16;
client_challenge: SMB_NTLMv2_Client_Challenge(flags);
padpad : padding to offset;
response : bytestring &length=16;
client_challenge : SMB_NTLMv2_Client_Challenge(flags);
};
type SMB_NTLMv2_Client_Challenge(flags: SMB_NTLM_Negotiate_Flags) = record {
resp_type : uint8;
max_resp_type : uint8;
reserved : padding[6];
timestamp : uint64;
client_challenge: bytestring &length=8;
reserved2 : padding[4];
av_pairs : SMB_NTLM_AV_Pair_Sequence(0);
resp_type : uint8;
max_resp_type : uint8;
reserved : padding[6];
timestamp : uint64;
client_challenge : bytestring &length=8;
reserved2 : padding[4];
av_pairs : SMB_NTLM_AV_Pair_Sequence(0);
};
type SMB_NTLM_Negotiate_Flags = record {
flags: uint32;
} &let {
negotiate_56 : bool = (flags & 0x80000000) > 0;
negotiate_key_exch : bool = (flags & 0x40000000) > 0;
negotiate_128 : bool = (flags & 0x20000000) > 0;
negotiate_56 : bool = (flags & 0x80000000) > 0;
negotiate_key_exch : bool = (flags & 0x40000000) > 0;
negotiate_128 : bool = (flags & 0x20000000) > 0;
negotiate_version : bool = (flags & 0x02000000) > 0;
negotiate_version : bool = (flags & 0x02000000) > 0;
negotiate_target_info : bool = (flags & 0x00800000) > 0;
request_non_nt_session_key : bool = (flags & 0x00400000) > 0;
negotiate_identify : bool = (flags & 0x00100000) > 0;
negotiate_target_info : bool = (flags & 0x00800000) > 0;
request_non_nt_session_key : bool = (flags & 0x00400000) > 0;
negotiate_identify : bool = (flags & 0x00100000) > 0;
negotiate_extended_sessionsecurity : bool = (flags & 0x00040000) > 0;
target_type_server : bool = (flags & 0x00020000) > 0;
target_type_domain : bool = (flags & 0x00010000) > 0;
negotiate_extended_sessionsecurity : bool = (flags & 0x00040000) > 0;
target_type_server : bool = (flags & 0x00020000) > 0;
target_type_domain : bool = (flags & 0x00010000) > 0;
negotiate_always_sign : bool = (flags & 0x00008000) > 0;
negotiate_oem_workstation_supplied : bool = (flags & 0x00002000) > 0;
negotiate_oem_domain_supplied : bool = (flags & 0x00001000) > 0;
negotiate_always_sign : bool = (flags & 0x00008000) > 0;
negotiate_oem_workstation_supplied : bool = (flags & 0x00002000) > 0;
negotiate_oem_domain_supplied : bool = (flags & 0x00001000) > 0;
negotiate_anonymous_connection : bool = (flags & 0x00000400) > 0;
negotiate_ntlm : bool = (flags & 0x00000100) > 0;
negotiate_anonymous_connection : bool = (flags & 0x00000400) > 0;
negotiate_ntlm : bool = (flags & 0x00000100) > 0;
negotiate_lm_key : bool = (flags & 0x00000080) > 0;
negotiate_datagram : bool = (flags & 0x00000040) > 0;
negotiate_seal : bool = (flags & 0x00000020) > 0;
negotiate_lm_key : bool = (flags & 0x00000080) > 0;
negotiate_datagram : bool = (flags & 0x00000040) > 0;
negotiate_seal : bool = (flags & 0x00000020) > 0;
negotiate_sign : bool = (flags & 0x00000008) > 0;
request_target : bool = (flags & 0x00000004) > 0;
negotiate_oem : bool = (flags & 0x00000002) > 0;
negotiate_unicode : bool = (flags & 0x00000001) > 0;
negotiate_sign : bool = (flags & 0x00000008) > 0;
request_target : bool = (flags & 0x00000004) > 0;
negotiate_oem : bool = (flags & 0x00000002) > 0;
negotiate_unicode : bool = (flags & 0x00000001) > 0;
is_oem : bool = !negotiate_unicode && negotiate_oem;
is_invalid : bool = !negotiate_unicode && !negotiate_oem;
is_oem : bool = !negotiate_unicode && negotiate_oem;
is_invalid : bool = !negotiate_unicode && !negotiate_oem;
};