diff options
| -rw-r--r-- | Makefile.am | 3 | ||||
| -rw-r--r-- | Makefile.nmake | 3 | ||||
| -rw-r--r-- | packet-dcerpc.c | 21 | ||||
| -rw-r--r-- | packet-ntlmssp.c | 526 |
4 files changed, 548 insertions, 5 deletions
diff --git a/Makefile.am b/Makefile.am index 3c9cf99dc3..37eca320e0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,7 @@ # Makefile.am # Automake file for Ethereal # -# $Id: Makefile.am,v 1.444 2002/06/29 00:05:05 guy Exp $ +# $Id: Makefile.am,v 1.445 2002/07/09 20:49:27 tpot Exp $ # # Ethereal - Network traffic analyzer # By Gerald Combs <gerald@ethereal.com> @@ -227,6 +227,7 @@ DISSECTOR_SRC = \ packet-nisplus.c \ packet-nlm.c \ packet-nntp.c \ + packet-ntlmssp.c \ packet-ntp.c \ packet-null.c \ packet-osi.c \ diff --git a/Makefile.nmake b/Makefile.nmake index 3ec1b720ab..1b7c8bd138 100644 --- a/Makefile.nmake +++ b/Makefile.nmake @@ -1,7 +1,7 @@ ## Makefile for building ethereal.exe with Microsoft C and nmake ## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake # -# $Id: Makefile.nmake,v 1.195 2002/06/28 21:02:55 gerald Exp $ +# $Id: Makefile.nmake,v 1.196 2002/07/09 20:49:27 tpot Exp $ include config.nmake include <win32.mak> @@ -168,6 +168,7 @@ DISSECTOR_SRC = \ packet-nisplus.c \ packet-nlm.c \ packet-nntp.c \ + packet-ntlmssp.c \ packet-ntp.c \ packet-null.c \ packet-osi.c \ diff --git a/packet-dcerpc.c b/packet-dcerpc.c index 3f0a037acd..ef41a54d2d 100644 --- a/packet-dcerpc.c +++ b/packet-dcerpc.c @@ -2,7 +2,7 @@ * Routines for DCERPC packet disassembly * Copyright 2001, Todd Sabin <tas@webspan.net> * - * $Id: packet-dcerpc.c,v 1.64 2002/06/24 09:23:39 guy Exp $ + * $Id: packet-dcerpc.c,v 1.65 2002/07/09 20:49:27 tpot Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs <gerald@ethereal.com> @@ -96,6 +96,7 @@ static const true_false_string flags_set_truth = { static const value_string authn_protocol_vals[] = { { 0, "None" }, { 1, "Kerberos 5" }, + { 10, "NTLMSSP" }, { 0, NULL } }; @@ -391,6 +392,8 @@ static gint ett_dcerpc_pointer_data = -1; static gint ett_dcerpc_fragments = -1; static gint ett_dcerpc_fragment = -1; +static dissector_handle_t ntlmssp_handle=NULL; + fragment_items dcerpc_frag_items = { &ett_dcerpc_fragments, &ett_dcerpc_fragment, @@ -1304,6 +1307,7 @@ dissect_dcerpc_cn_auth (tvbuff_t *tvb, packet_info *pinfo, proto_tree *dcerpc_tr int offset; guint8 auth_pad_len; guint8 auth_level; + guint8 auth_type; /* * Initially set "*auth_level_p" to -1 to indicate that we haven't @@ -1327,7 +1331,7 @@ dissect_dcerpc_cn_auth (tvbuff_t *tvb, packet_info *pinfo, proto_tree *dcerpc_tr offset = hdr->frag_len - (hdr->auth_len + 8); offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep, - hf_dcerpc_auth_type, NULL); + hf_dcerpc_auth_type, &auth_type); offset = dissect_dcerpc_uint8 (tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_auth_level, &auth_level); if (auth_level_p != NULL) @@ -1339,7 +1343,17 @@ dissect_dcerpc_cn_auth (tvbuff_t *tvb, packet_info *pinfo, proto_tree *dcerpc_tr offset = dissect_dcerpc_uint32 (tvb, offset, pinfo, dcerpc_tree, hdr->drep, hf_dcerpc_auth_ctx_id, NULL); - proto_tree_add_text (dcerpc_tree, tvb, offset, hdr->auth_len, "Auth Data"); + /* Dissect NTLMSSP Parameters if the auth_type is 10 and this is a + BIND request, BIND response, or AUTH3) + */ + if ((auth_type == 10) && + ((hdr->ptype == PDU_BIND) || (hdr->ptype == PDU_BIND_ACK) || + (hdr->ptype == PDU_AUTH3))) { + tvbuff_t *ntlmssp_tvb; + ntlmssp_tvb=tvb_new_subset(tvb, offset, hdr->auth_len, + hdr->auth_len); + call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, dcerpc_tree); + } /* figure out where the auth padding starts */ offset = hdr->frag_len - (hdr->auth_len + 8 + auth_pad_len); @@ -3466,4 +3480,5 @@ proto_reg_handoff_dcerpc (void) heur_dissector_add ("netbios", dissect_dcerpc_cn_pk, proto_dcerpc); heur_dissector_add ("udp", dissect_dcerpc_dg, proto_dcerpc); heur_dissector_add ("smb_transact", dissect_dcerpc_cn_bs, proto_dcerpc); + ntlmssp_handle = find_dissector("ntlmssp"); } diff --git a/packet-ntlmssp.c b/packet-ntlmssp.c new file mode 100644 index 0000000000..8d4d996b4e --- /dev/null +++ b/packet-ntlmssp.c @@ -0,0 +1,526 @@ +/* packet-ntlmssp.c + * Routines for NTLM Secure Service Provider + * Devin Heitmueller <dheitmueller@netilla.com> + * + * $Id: packet-ntlmssp.c,v 1.1 2002/07/09 20:49:27 tpot Exp $ + * + * Ethereal - Network traffic analyzer + * By Gerald Combs <gerald@ethereal.com> + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#ifdef HAVE_SYS_TYPES_H +# include <sys/types.h> +#endif + +#include <glib.h> +#include <epan/packet.h> + +/* Message types */ + +#define NTLMSSP_NEGOTIATE 1 +#define NTLMSSP_CHALLENGE 2 +#define NTLMSSP_AUTH 3 +#define NTLMSSP_UNKNOWN 4 + +static const value_string ntlmssp_message_types[] = { + { NTLMSSP_NEGOTIATE, "NTLMSSP_NEGOTIATE" }, + { NTLMSSP_CHALLENGE, "NTLMSSP_CHALLENGE" }, + { NTLMSSP_AUTH, "NTLMSSP_AUTH" }, + { NTLMSSP_UNKNOWN, "NTLMSSP_UNKNOWN" } +}; + +static const true_false_string flags_set_truth = { + "Set", + "Not set" +}; + +/* + * NTLMSSP negotiation flags + * Taken from Samba + */ +#define NTLMSSP_NEGOTIATE_UNICODE 0x00000001 +#define NTLMSSP_NEGOTIATE_OEM 0x00000002 +#define NTLMSSP_REQUEST_TARGET 0x00000004 +#define NTLMSSP_NEGOTIATE_00000008 0x00000008 +#define NTLMSSP_NEGOTIATE_SIGN 0x00000010 +#define NTLMSSP_NEGOTIATE_SEAL 0x00000020 +#define NTLMSSP_NEGOTIATE_DATAGRAM_STYLE 0x00000040 +#define NTLMSSP_NEGOTIATE_LM_KEY 0x00000080 +#define NTLMSSP_NEGOTIATE_NETWARE 0x00000100 +#define NTLMSSP_NEGOTIATE_NTLM 0x00000200 +#define NTLMSSP_NEGOTIATE_00000400 0x00000400 +#define NTLMSSP_NEGOTIATE_00000800 0x00000800 +#define NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED 0x00001000 +#define NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED 0x00002000 +#define NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 0x00004000 +#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0x00008000 +#define NTLMSSP_CHAL_INIT_RESPONSE 0x00010000 +#define NTLMSSP_CHAL_ACCEPT_RESPONSE 0x00020000 +#define NTLMSSP_CHAL_NON_NT_SESSION_KEY 0x00040000 +#define NTLMSSP_NEGOTIATE_NTLM2 0x00080000 +#define NTLMSSP_NEGOTIATE_00100000 0x00100000 +#define NTLMSSP_NEGOTIATE_00200000 0x00200000 +#define NTLMSSP_NEGOTIATE_00400000 0x00400000 +#define NTLMSSP_CHAL_TARGET_INFO 0x00800000 +#define NTLMSSP_NEGOTIATE_01000000 0x01000000 +#define NTLMSSP_NEGOTIATE_02000000 0x02000000 +#define NTLMSSP_NEGOTIATE_04000000 0x04000000 +#define NTLMSSP_NEGOTIATE_08000000 0x08000000 +#define NTLMSSP_NEGOTIATE_10000000 0x10000000 +#define NTLMSSP_NEGOTIATE_128 0x20000000 +#define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000 +#define NTLMSSP_NEGOTIATE_80000000 0x80000000 + + +static int proto_ntlmssp = -1; +static int hf_ntlmssp = -1; +static int hf_ntlmssp_auth = -1; +static int hf_ntlmssp_message_type = -1; +static int hf_ntlmssp_negotiate_flags = -1; +static int hf_ntlmssp_negotiate_flags_01 = -1; +static int hf_ntlmssp_negotiate_flags_02 = -1; +static int hf_ntlmssp_negotiate_flags_04 = -1; +static int hf_ntlmssp_negotiate_flags_08 = -1; +static int hf_ntlmssp_negotiate_flags_10 = -1; +static int hf_ntlmssp_negotiate_flags_20 = -1; +static int hf_ntlmssp_negotiate_flags_40 = -1; +static int hf_ntlmssp_negotiate_flags_80 = -1; +static int hf_ntlmssp_negotiate_flags_100 = -1; +static int hf_ntlmssp_negotiate_flags_200 = -1; +static int hf_ntlmssp_negotiate_flags_400 = -1; +static int hf_ntlmssp_negotiate_flags_800 = -1; +static int hf_ntlmssp_negotiate_flags_1000 = -1; +static int hf_ntlmssp_negotiate_flags_2000 = -1; +static int hf_ntlmssp_negotiate_flags_4000 = -1; +static int hf_ntlmssp_negotiate_flags_8000 = -1; +static int hf_ntlmssp_negotiate_flags_10000 = -1; +static int hf_ntlmssp_negotiate_flags_20000 = -1; +static int hf_ntlmssp_negotiate_flags_40000 = -1; +static int hf_ntlmssp_negotiate_flags_80000 = -1; +static int hf_ntlmssp_negotiate_flags_100000 = -1; +static int hf_ntlmssp_negotiate_flags_200000 = -1; +static int hf_ntlmssp_negotiate_flags_400000 = -1; +static int hf_ntlmssp_negotiate_flags_800000 = -1; +static int hf_ntlmssp_negotiate_flags_1000000 = -1; +static int hf_ntlmssp_negotiate_flags_2000000 = -1; +static int hf_ntlmssp_negotiate_flags_4000000 = -1; +static int hf_ntlmssp_negotiate_flags_8000000 = -1; +static int hf_ntlmssp_negotiate_flags_10000000 = -1; +static int hf_ntlmssp_negotiate_flags_20000000 = -1; +static int hf_ntlmssp_negotiate_flags_40000000 = -1; +static int hf_ntlmssp_negotiate_flags_80000000 = -1; +static int hf_ntlmssp_negotiate_workstation_strlen = -1; +static int hf_ntlmssp_negotiate_workstation_maxlen = -1; +static int hf_ntlmssp_negotiate_workstation_buffer = -1; +static int hf_ntlmssp_negotiate_workstation = -1; +static int hf_ntlmssp_negotiate_domain_strlen = -1; +static int hf_ntlmssp_negotiate_domain_maxlen = -1; +static int hf_ntlmssp_negotiate_domain_buffer = -1; +static int hf_ntlmssp_negotiate_domain = -1; +static int hf_ntlmssp_ntlm_challenge = -1; +static int hf_ntlmssp_reserved = -1; +static int hf_ntlmssp_challenge_unknown1 = -1; +static int hf_ntlmssp_challenge_unknown2 = -1; + +static gint ett_ntlmssp = -1; +static gint ett_ntlmssp_negotiate_flags = -1; + +static int +dissect_ntlmssp_negotiate_flags (tvbuff_t *tvb, int offset, + proto_tree *ntlmssp_tree, + guint32 negotiate_flags) +{ + proto_tree *negotiate_flags_tree = NULL; + proto_item *tf = NULL; + + if (ntlmssp_tree) { + tf = proto_tree_add_uint (ntlmssp_tree, + hf_ntlmssp_negotiate_flags, + tvb, offset, 4, negotiate_flags); + negotiate_flags_tree = proto_item_add_subtree (tf, ett_ntlmssp_negotiate_flags); + } + + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_01, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_02, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_04, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_08, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_10, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_20, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_40, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_80, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_100, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_200, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_400, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_800, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_1000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_2000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_4000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_8000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_10000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_20000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_40000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_80000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_100000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_200000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_400000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_800000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_1000000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_2000000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_4000000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_8000000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_10000000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_20000000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_40000000, + tvb, offset, 4, negotiate_flags); + proto_tree_add_boolean (negotiate_flags_tree, + hf_ntlmssp_negotiate_flags_80000000, + tvb, offset, 4, negotiate_flags); + + + return (offset + 4); +} + + +static int +dissect_ntlmssp_negotiate (tvbuff_t *tvb, int offset, + proto_tree *ntlmssp_tree) +{ + guint32 negotiate_flags; + guint16 workstation_length; + guint16 domain_length; + + /* NTLMSSP Negotiate Flags */ + negotiate_flags = tvb_get_letohs (tvb, offset); + offset = dissect_ntlmssp_negotiate_flags (tvb, offset, ntlmssp_tree, + negotiate_flags); + + /* Calling workstation domain name length */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_negotiate_domain_strlen, + tvb, offset, 2, TRUE); + domain_length = tvb_get_letohs (tvb, offset); + offset += 2; + + /* Calling workstation domain name max length */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_negotiate_domain_maxlen, + tvb, offset, 2, TRUE); + offset += 2; + + + /* Calling workstation domain name buffer? */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_negotiate_domain_buffer, + tvb, offset, 4, TRUE); + offset += 4; + + /* Calling workstation name length */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_negotiate_workstation_strlen, + tvb, offset, 2, TRUE); + workstation_length = tvb_get_letohs (tvb, offset); + offset += 2; + + /* Calling workstation name max length */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_negotiate_workstation_maxlen, + tvb, offset, 2, TRUE); + offset += 2; + + /* Calling workstation name buffer? */ + proto_tree_add_uint(ntlmssp_tree, hf_ntlmssp_negotiate_workstation_buffer, + tvb, offset, 4, TRUE); + offset += 4; + + /* Calling workstation name */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_negotiate_workstation, + tvb, offset, workstation_length, FALSE); + offset += workstation_length; + + /* Calling domain name */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_negotiate_domain, + tvb, offset, domain_length, FALSE); + offset += domain_length; + + return offset; +} + + +static int +dissect_ntlmssp_challenge (tvbuff_t *tvb, int offset, proto_tree *ntlmssp_tree) +{ + guint32 negotiate_flags; + + /* Skip over the two unknown fields */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_challenge_unknown1, + tvb, offset, 4, TRUE); + offset += 4; + + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_challenge_unknown2, + tvb, offset, 4, TRUE); + offset += 4; + + /* NTLMSSP Negotiate Flags */ + negotiate_flags = tvb_get_letohs (tvb, offset); + offset = dissect_ntlmssp_negotiate_flags (tvb, offset, ntlmssp_tree, + negotiate_flags); + + /* NTLMSSP NT Lan Manager Challenge */ + proto_tree_add_item (ntlmssp_tree, + hf_ntlmssp_ntlm_challenge, + tvb, offset, 8, FALSE); + offset += 8; + + /* Reserved (function not completely known) */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_reserved, + tvb, offset, 8, FALSE); + offset += 8; + + return offset; +} + + +static void +dissect_ntlmssp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree) +{ + guint32 ntlmssp_message_type; + int offset = 0; + int payloadsize = 0; + proto_tree *ntlmssp_tree = NULL; + proto_item *tf = NULL; + + /* Compute the total size of the data to be parsed */ + payloadsize = tvb_length_remaining(tvb, 0); + + /* Setup a new tree for the NTLMSSP payload */ + if (tree) { + tf = proto_tree_add_item (tree, + hf_ntlmssp, + tvb, offset, payloadsize, FALSE); + + ntlmssp_tree = proto_item_add_subtree (tf, + ett_ntlmssp); + } + + /* NTLMSSP constant */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_auth, + tvb, offset, 8, FALSE); + offset += 8; + + /* NTLMSSP Message Type */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_message_type, + tvb, offset, 4, TRUE); + ntlmssp_message_type = tvb_get_letohl (tvb, offset); + offset += 4; + + /* Call the appropriate dissector based on the Message Type */ + if (ntlmssp_message_type == NTLMSSP_NEGOTIATE) + offset = dissect_ntlmssp_negotiate (tvb, offset, ntlmssp_tree); + else if (ntlmssp_message_type == NTLMSSP_CHALLENGE) + offset = dissect_ntlmssp_challenge (tvb, offset, ntlmssp_tree); + else { + /* Unrecognized message type */ + proto_tree_add_text (ntlmssp_tree, tvb, offset, + (payloadsize - 12), + "Unrecognized NTLMSSP Message"); + } +} + +void +proto_register_ntlmssp(void) +{ + + static hf_register_info hf[] = { + { &hf_ntlmssp, + { "NTLMSSP", "ntlmssp", FT_NONE, BASE_NONE, NULL, 0x0, "NTLMSSP", HFILL }}, + + { &hf_ntlmssp_auth, + { "NTLMSSP identifier", "ntlmssp.identifier", FT_STRING, BASE_NONE, NULL, 0x0, "NTLMSSP Identifier", HFILL }}, + + { &hf_ntlmssp_message_type, + { "NTLM Message Type", "ntlmssp.messagetype", FT_UINT32, BASE_HEX, VALS(ntlmssp_message_types), 0x0, "", HFILL }}, + + { &hf_ntlmssp_negotiate_flags, + { "Flags", "dcerpc.negotiateflags", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_01, + + { "Negotiate UNICODE", "ntlmssp.negotiateunicode", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_UNICODE, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_02, + { "Negotiate OEM", "ntlmssp.negotiateoem", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_OEM, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_04, + { "Request Target", "ntlmssp.requesttarget", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_REQUEST_TARGET, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_08, + { "Request 0x00000008", "ntlmssp.negotiate00000008", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00000008, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_10, + { "Negotiate Sign", "ntlmssp.negotiatesign", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_SIGN, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_20, + { "Negotiate Seal", "ntlmssp.negotiateseal", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_SEAL, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_40, + { "Negotiate Datagram Style", "ntlmssp.negotiatedatagramstyle", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_DATAGRAM_STYLE, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_80, + { "Negotiate Lan Manager Key", "ntlmssp.negotiatelmkey", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_LM_KEY, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_100, + { "Negotiate Netware", "ntlmssp.negotiatenetware", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_NETWARE, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_200, + { "Negotiate NTLM key", "ntlmssp.negotiatentlm", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_NTLM, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_400, + { "Negotiate 0x00000400", "ntlmssp.negotiate00000400", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00000400, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_800, + { "Negotiate 0x00000800", "ntlmssp.negotiate00000800", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00000800, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_1000, + { "Negotiate Domain Supplied", "ntlmssp.negotiatedomainsupplied", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_2000, + { "Negotiate Workstation Supplied", "ntlmssp.negotiateworkstationsupplied", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_4000, + { "Negotiate This is Local Call", "ntlmssp.negotiatethisislocalcall", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_8000, + { "Negotiate Always Sign", "ntlmssp.negotiatealwayssign", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_ALWAYS_SIGN, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_10000, + { "Negotiate Challenge Init Response", "ntlmssp.negotiatechallengeinitresponse", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_CHAL_INIT_RESPONSE, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_20000, + { "Negotiate Challenge Accept Response", "ntlmssp.negotiatechallengeacceptresponse", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_CHAL_ACCEPT_RESPONSE, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_40000, + { "Negotiate Challenge Non NT Session Key", "ntlmssp.negotiatechallengenonntsessionkey", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_CHAL_NON_NT_SESSION_KEY, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_80000, + { "Negotiate NTLM2 key", "ntlmssp.negotiatentlm2", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_NTLM2, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_100000, + { "Negotiate 0x00100000", "ntlmssp.negotiatent00100000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00100000, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_200000, + { "Negotiate 0x00200000", "ntlmssp.negotiatent00200000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00200000, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_400000, + { "Negotiate 0x00400000", "ntlmssp.negotiatent00400000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_00400000, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_800000, + { "Negotiate Target Info", "ntlmssp.negotiatetargetinfo", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_CHAL_TARGET_INFO, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_1000000, + { "Negotiate 0x01000000", "ntlmssp.negotiatent01000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_01000000, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_2000000, + { "Negotiate 0x02000000", "ntlmssp.negotiatent02000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_02000000, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_4000000, + { "Negotiate 0x04000000", "ntlmssp.negotiatent04000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_04000000, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_8000000, + { "Negotiate 0x08000000", "ntlmssp.negotiatent08000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_08000000, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_10000000, + { "Negotiate 0x10000000", "ntlmssp.negotiatent10000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_10000000, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_20000000, + { "Negotiate 128", "ntlmssp.negotiate128", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_128, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_40000000, + { "Negotiate Key Exchange", "ntlmssp.negotiatekeyexch", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_KEY_EXCH, "", HFILL }}, + { &hf_ntlmssp_negotiate_flags_80000000, + { "Negotiate 0x80000000", "ntlmssp.negotiatent80000000", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_80000000, "", HFILL }}, + { &hf_ntlmssp_negotiate_workstation_strlen, + { "Calling workstation name length", "ntlmssp.negotiate.callingworkstation.strlen", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_negotiate_workstation_maxlen, + { "Calling workstation name max length", "ntlmssp.negotiate.callingworkstation.maxlen", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_negotiate_workstation_buffer, + { "Calling workstation name buffer", "ntlmssp.negotiate.callingworkstation.buffer", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_negotiate_workstation, + { "Calling workstation name", "ntlmssp.negotiate.callingworkstation", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_negotiate_domain_strlen, + { "Calling workstation domain length", "ntlmssp.negotiate.domain.strlen", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_negotiate_domain_maxlen, + { "Calling workstation domain max length", "ntlmssp.negotiate.domain.maxlen", FT_UINT16, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_negotiate_domain_buffer, + { "Calling workstation domain buffer", "ntlmssp.negotiate.domain.buffer", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_negotiate_domain, + { "Calling workstation domain", "ntlmssp.negotiate.domain", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlm_challenge, + { "NTLM Challenge", "ntlmssp.ntlmchallenge", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_reserved, + { "Reserved", "ntlmssp.reserved", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_challenge_unknown1, + { "Unknown1", "ntlmssp.challenge.unknown1", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_challenge_unknown2, + { "Unknown2", "ntlmssp.challenge.unknown2", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + }; + + + static gint *ett[] = { + &ett_ntlmssp, + &ett_ntlmssp_negotiate_flags, + }; + + proto_ntlmssp = proto_register_protocol ( + "NTLM Secure Service Provider", /* name */ + "NTLMSSP", /* short name */ + "ntlmssp" /* abbrev */ + ); + proto_register_field_array (proto_ntlmssp, hf, array_length (hf)); + proto_register_subtree_array (ett, array_length (ett)); + + register_dissector("ntlmssp", dissect_ntlmssp, proto_ntlmssp); +} |