[Bro] NTLM parsing in DCE RPC

Seth Hall seth at icir.org
Thu Jul 7 08:39:16 PDT 2016

> On Jul 7, 2016, at 9:45 AM, Florent Monjalet <florent.monjalet at gmail.com> wrote:
> As part of this work, I was very interested in Seth's work on SMB, so
> this mail is about the topic/seth/smb branch. Here again, thanks a lot
> for the huge work on these protocols.

This is a good time to reach out about that branch.  We are preparing to merge it into the master branch soon once we do a bit more review.

> The first field of NTLM should actually be the "NTLMSSP\x00" magic
> (according to:
> http://davenport.sourceforge.net/ntlm.html#theNtlmMessageHeaderLayout
> and wireshark dissectors). Moving the `meta` field to the `GSSAPI`
> layer will allow to properly decode NTLM over DCE RPC and maybe HTTP
> NTLM Authentication later on.

Ugh, I'm not surprised that there is yet another case where this is done wrong.  I'll review the change you proposed and then look at the pcap.

>     - DCE RPC: Not easy to find an open example capture, but this one
>       is ok
>       https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=mapi.cap
>       (from packet 711 in wireshark). You'll have to register DCE RPC
>       on port 4997 (mapi) in bro.

Just for clarity, you're saying that this pcap should write out an ntlm log yet isn't?

>     - SMB: I tested on
>       https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=smbtorture.cap.gz

So many people point to this pcap, but I tend to avoid it because it doesn't seem to represent a normal smb client and server very well.  It's too hard to understand how that pcap should map into logs.  Maybe someday. :)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
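The NTLM message header layout the quoted mail describes (the "NTLMSSP\x00" signature followed by a little-endian message type, as documented at the davenport reference above), as an added example that is not part of this thread or of Bro's topic/seth/smb branch: a small Python parser that finds the signature inside an authentication blob instead of assuming it sits at a fixed offset, then decodes the CHALLENGE (type 2) and AUTHENTICATE (type 3) fields from their security buffers. The sample messages, and the filler bytes placed in front of one of them, are constructed here; the function names `locate_ntlm`, `parse_ntlm` and `parse_from_blob` are hypothetical.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001  # flag: string fields are UTF-16LE, else OEM


def locate_ntlm(blob: bytes) -> int:
    """Offset of the NTLMSSP signature inside an auth blob, or -1 if absent."""
    return blob.find(NTLMSSP_SIGNATURE)


def is_ntlm(msg: bytes) -> bool:
    """True when msg starts with the 8-byte NTLMSSP magic and has a type field."""
    return len(msg) >= 12 and msg[:8] == NTLMSSP_SIGNATURE


def _secbuf(msg: bytes, off: int) -> bytes:
    """Read an NTLM security buffer (len, alloc, offset) and return its payload,
    refusing buffers that point outside the message."""
    length, _alloc, data_off = struct.unpack_from("<HHI", msg, off)
    end = data_off + length
    if end > len(msg):
        raise ValueError("security buffer points outside message")
    return msg[data_off:end]


def _decode(raw: bytes, flags: int) -> str:
    return raw.decode("utf-16-le") if flags & NEGOTIATE_UNICODE else raw.decode("latin-1")


def parse_ntlm(msg: bytes) -> dict:
    """Parse one NTLM message that begins at offset 0 of msg."""
    if not is_ntlm(msg):
        raise ValueError("missing NTLMSSP signature or truncated header")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    out = {"type": mtype, "name": NTLM_TYPES.get(mtype, "UNKNOWN")}
    if mtype == 1:
        (out["flags"],) = struct.unpack_from("<I", msg, 12)
    elif mtype == 2:
        if len(msg) < 48:
            raise ValueError("truncated CHALLENGE message")
        (out["flags"],) = struct.unpack_from("<I", msg, 20)
        out["challenge"] = msg[24:32].hex()          # 8-byte server challenge
        out["target_name"] = _decode(_secbuf(msg, 12), out["flags"])
    elif mtype == 3:
        # The flags field at offset 60 is optional in older clients.
        flags = struct.unpack_from("<I", msg, 60)[0] if len(msg) >= 64 else 0
        out["flags"] = flags
        out["ntlm_response_len"] = len(_secbuf(msg, 20))
        out["domain"] = _decode(_secbuf(msg, 28), flags)
        out["user"] = _decode(_secbuf(msg, 36), flags)
        out["workstation"] = _decode(_secbuf(msg, 44), flags)
    return out


def parse_from_blob(blob: bytes) -> dict:
    """Locate the NTLM message inside a larger auth blob and parse it."""
    off = locate_ntlm(blob)
    if off < 0:
        raise ValueError("no NTLM message in blob")
    return parse_ntlm(blob[off:])


# --- constructed sample messages (not captured traffic) ---------------------
def build_challenge_sample() -> bytes:
    target = "TEST".encode("utf-16-le")
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(target), len(target), 48)   # target name buffer
    hdr += struct.pack("<I", 0x00008201)                        # flags, UNICODE set
    hdr += bytes(range(1, 9))                                   # server challenge
    hdr += b"\x00" * 8                                          # context
    hdr += struct.pack("<HHI", 0, 0, 48 + len(target))          # empty target info
    return hdr + target


def build_authenticate_sample() -> bytes:
    domain, user = "TEST".encode("utf-16-le"), "USER".encode("utf-16-le")
    ntlm_resp = b"\x11" * 24                                    # placeholder response
    base = 64
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", 0, 0, base)                                  # LM response (empty)
    hdr += struct.pack("<HHI", len(ntlm_resp), len(ntlm_resp), base)        # NTLM response
    hdr += struct.pack("<HHI", len(domain), len(domain), base + 24)         # domain
    hdr += struct.pack("<HHI", len(user), len(user), base + 24 + len(domain))  # user
    tail = base + 24 + len(domain) + len(user)
    hdr += struct.pack("<HHI", 0, 0, tail)                                  # workstation (empty)
    hdr += struct.pack("<HHI", 0, 0, tail)                                  # session key (empty)
    hdr += struct.pack("<I", 0x00008201)                                    # flags
    return hdr + ntlm_resp + domain + user


def build_wrapped_sample() -> bytes:
    # Constructed filler standing in for whatever precedes NTLM in an auth blob.
    return b"\xde\xad\xbe\xef" * 4 + build_challenge_sample()


if __name__ == "__main__":
    print(parse_from_blob(build_wrapped_sample()))
    print(parse_ntlm(build_authenticate_sample()))
```

Searching for the signature rather than trusting a transport-specific offset is what makes the same parser usable for NTLM carried in SMB, DCE RPC or an HTTP Authorization header; the security-buffer bounds check is there because those length/offset pairs come from the peer.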
