[Bro] NTLM parsing in DCE RPC

Florent Monjalet florent.monjalet at gmail.com
Thu Jul 7 06:45:00 PDT 2016


As this is my first interaction with the bro community, first things
first: thanks a lot for working on such an awesome project.

We are currently working on IVRE (https://ivre.rocks,
https://github.com/cea-sec/ivre), an open source framework aimed at
exploring and querying results from various network related tools
(such as nmap scans, bro logs, argus or netflow files), through either
a web interface, CLI tools or a python API.

As part of this work, I was very interested in Seth's work on SMB, so
this mail is about the topic/seth/smb branch. Here again, thanks a lot
for the huge work on these protocols.

It turns out that for DCE RPC, the NTLM decoding seems broken: the
NTLM analyzer is called, but the decoding fails to recognize the
message type, and no `ntlm.log` log is produced. It works very well
for SMB, though.

After debugging a bit, it turned out that the `meta: ASN1EncodingMeta`
field of `NTLM_SSP_Token` in `ntlm-protocol.pac` should in fact be
part of the underlying GSSAPI layer. Therefore, when directly decoding
NTLM without GSSAPI, the fields are shifted and have no meaning. Since
SMB uses GSSAPI in the examples I found and DCE RPC does not, NTLM over
GSSAPI over SMB worked great, but not NTLM over DCE RPC.

The first field of NTLM should actually be the "NTLMSSP\x00" magic
(according to:
and Wireshark dissectors). Moving the `meta` field to the `GSSAPI`
layer will allow properly decoding NTLM over DCE RPC and maybe HTTP
NTLM authentication later on.

I am attaching a naive (git) patch to this mail; this fixes the
problem for me but might not be the exact way you want to do this.
Also, I might just have missed something from the start; maybe the way
it is currently done is on purpose. Please tell me if you have any
comments on the patch and/or want me to submit it to the bug tracker
or on github.

Sample captures on which the NTLM log generation can be tested:
    - DCE RPC: Not easy to find an open example capture, but this one
      is ok

      (from packet 711 in wireshark). You'll have to register DCE RPC
      on port 4997 (mapi) in bro.
    - SMB: I tested on

      but I guess you already have samples.
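The following Python sketch is an added illustration of the layout problem described in the mail above; it is not part of the original message and not the Bro/BinPAC code. It models the two token layouts the mail contrasts: a bare NTLMSSP message, as carried directly in DCE RPC, and the same message wrapped as a DER OCTET STRING mechToken, as SPNEGO/GSSAPI carries it over SMB. `parse_ntlm_broken` stands in for the pre-patch `NTLM_SSP_Token` (an ASN.1 tag/length consumed before the NTLM header, whether or not a GSSAPI layer put one there), and `parse_gssapi_mech_token` for the post-patch split where the GSSAPI layer owns that header. The message builders, flag values, user and domain names are constructed test data; the parsers are simplified stand-ins, not the project's grammar.

```python
"""Added example: why a misplaced ASN.1 header breaks NTLM over DCE RPC."""
import struct

NTLMSSP_MAGIC = b"NTLMSSP\x00"
NTLM_MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def parse_asn1_meta(buf):
    """Decode one ASN.1 tag and DER length (short or long form).
    Returns (tag, content_length, header_length); raises ValueError on junk."""
    if len(buf) < 2:
        raise ValueError("too short for ASN.1 tag/length")
    tag, first = buf[0], buf[1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated ASN.1 length")
    return tag, int.from_bytes(buf[2:2 + n], "big"), 2 + n


def _field(buf, off):
    """NTLM (Len, MaxLen, BufferOffset) triple -> the payload bytes it points at."""
    ln, _maxlen, boff = struct.unpack_from("<HHI", buf, off)
    return buf[boff:boff + ln]


def parse_ntlm(buf):
    """Parse a bare NTLMSSP message. Returns None when the magic is absent,
    which is exactly what a caller sees once the offsets have been shifted."""
    if len(buf) < 12 or buf[:8] != NTLMSSP_MAGIC:
        return None
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    out = {"type": msg_type, "name": NTLM_MSG_NAMES.get(msg_type, "UNKNOWN")}
    if msg_type == 1 and len(buf) >= 16:
        out["flags"] = struct.unpack_from("<I", buf, 12)[0]
    elif msg_type == 3 and len(buf) >= 64:
        out["domain"] = _field(buf, 28).decode("utf-16-le")
        out["user"] = _field(buf, 36).decode("utf-16-le")
        out["workstation"] = _field(buf, 44).decode("utf-16-le")
        out["flags"] = struct.unpack_from("<I", buf, 60)[0]
    return out


def parse_ntlm_broken(buf):
    """Pre-patch layout (hypothetical stand-in): an ASN.1 tag/length is consumed
    first even when no GSSAPI layer put one there, so raw DCE RPC tokens fail."""
    try:
        _tag, _length, hdr = parse_asn1_meta(buf)
    except ValueError:
        return None
    return parse_ntlm(buf[hdr:])


def parse_gssapi_mech_token(buf):
    """Post-patch split: the GSSAPI layer owns the OCTET STRING header and hands
    only the bare NTLM bytes to the NTLM parser."""
    tag, length, hdr = parse_asn1_meta(buf)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING mechToken, got tag 0x%02x" % tag)
    return parse_ntlm(buf[hdr:hdr + length])


def build_negotiate(flags):
    """Constructed NEGOTIATE_MESSAGE with empty domain/workstation fields."""
    return NTLMSSP_MAGIC + struct.pack("<II", 1, flags) + bytes(16)


def build_authenticate(domain, user, workstation, flags):
    """Constructed AUTHENTICATE_MESSAGE: six (Len,MaxLen,Offset) triples, flags,
    zeroed Version and MIC, then the payload the triples point at."""
    strings = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
               workstation.encode("utf-16-le"), b""]
    hdr_len = 88  # 12 + 6*8 + 4 (flags) + 8 (Version) + 16 (MIC)
    fields, payload = b"", b""
    for s in strings:
        fields += struct.pack("<HHI", len(s), len(s), hdr_len + len(payload))
        payload += s
    return (NTLMSSP_MAGIC + struct.pack("<I", 3) + fields
            + struct.pack("<I", flags) + bytes(8) + bytes(16) + payload)


def wrap_in_gssapi(ntlm):
    """Wrap a token as a DER OCTET STRING, the mechToken form seen over SMB."""
    n = len(ntlm)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return b"\x04" + length + ntlm


if __name__ == "__main__":
    raw = build_negotiate(0xE2088297)          # what DCE RPC carries
    wrapped = wrap_in_gssapi(raw)              # what SMB/SPNEGO carries
    print("DCE RPC, pre-patch :", parse_ntlm_broken(raw))
    print("DCE RPC, post-patch:", parse_ntlm(raw))
    print("SMB, pre-patch     :", parse_ntlm_broken(wrapped))
    print("SMB, post-patch    :", parse_gssapi_mech_token(wrapped))
```

Running it shows the asymmetry the mail reports: the wrapped SMB token decodes either way, because its first two bytes really are a tag and a length, while the bare DCE RPC token yields `None` under the pre-patch layout, since `N`/`T` are read as a tag and a length and the magic is never found.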


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-GSSAPI-mech_token-to-include-ASN1EncodingMeta.patch
Type: text/x-patch
Size: 3120 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160707/1b0ea233/attachment.bin 
