Previously, the GSSAPI analyzer blindly forwarded authentication
blobs to the NTLM analyzer (which it instantiated too early). Now
it waits to instantiate sub analyzers until a blob of a particular
type has been seen. It also makes the distinction between krb and
ntlm and forwards to the correct analyzer.
This required some fixes to the KRB analyzer because KRB over GSSAPI
looks slightly different than raw KRB.
The KRB analyzer also now includes support for the PA_ENCTYPE_INFO2
pre-auth data type.
From Florent's patch:
Previously, the ASN1EncodingMeta was in the NTLM_SSP_Token; this broke the
NTLM decoding when used directly with DCE-RPC. NTLM now works on DCE-RPC
and should work properly on other layers in the future (e.g. HTTP
Authentication data).
