[Bro] GSSAPI - kerberos issue
william de ping
bill.de.ping at gmail.com
Wed Oct 26 05:01:48 PDT 2016
Hello all,
The GSSAPI analyzer does not recognize KRB5 authentication made over SPNEGO.
Looking at the code (gssapi-analyzer.pac), the analyzer does compare the
value of the mech_token variable with the id of krb5 and mskrb5:

    else if ( ${val.mech_token}.length() == 9 &&
              ( memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",
                       ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ||
                memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02",
                       ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ) )
By looking with Wireshark through pcaps containing relevant transactions, I
found out that these bytes are preceded by 6 more bytes in both SMB1 and
SMB2 (they change from session to session, possibly a part of the ASN1Meta
that is wrongly parsed?), and the length of the mech_token is quite large
(up to the end of the packet). By adjusting some offsets and lengths
(${val.mech_token}.begin() + 6 etc.), I was able to reach the code that
delivers the packet to the KRB analyzer.
After this fix (+6 for request, +5 for response) I was able to produce
Kerberos logs from the said packets, but perhaps the problem lies in the
arguments of the DeliverPacket function?
Hope this bug can be fixed in a more professional way
W
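Added example, not part of the post above and not Bro's own code: a small parser for the GSS-API InitialContextToken that SPNEGO carries in its mechToken field (RFC 2743 section 3.1). The token is `[APPLICATION 0]` (tag 0x60) plus a DER length, then the mechanism OID as a DER OBJECT IDENTIFIER (0x06, length, OID bytes), then the mechanism-specific inner token. With a two-byte long-form length that header is 6 bytes before the OID, with a one-byte long-form length it is 5, which is consistent with the +6/+5 offsets the post observed; that interpretation is mine, not confirmed by the post. The sample tokens below are constructed, `naive_prefix_check` mirrors the quoted comparison for contrast, and `classify_mech` shows the DER-aware check a defender would want instead of hard-coded offsets.

```python
# Added example (not the Bro project's code): locate the mechanism OID inside a
# GSS-API InitialContextToken instead of comparing the raw mechToken bytes.
#
# RFC 2743 section 3.1:
#   InitialContextToken ::= [APPLICATION 0] IMPLICIT SEQUENCE {   -- tag 0x60 + DER length
#       thisMech           MechType,                              -- 0x06, DER length, OID bytes
#       innerContextToken  ANY                                    -- mechanism payload
#   }

KRB5_OID   = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"   # 1.2.840.113554.1.2.2 (krb5)
MSKRB5_OID = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"   # 1.2.840.48018.1.2.2  (mskrb5)


def naive_prefix_check(token):
    """The comparison as the post quotes it: whole token must be exactly one 9-byte OID."""
    if len(token) == 9 and token == KRB5_OID:
        return "krb5"
    if len(token) == 9 and token == MSKRB5_OID:
        return "mskrb5"
    return None


def read_der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    nbytes = first & 0x7F                  # long form: 0x8N followed by N length bytes
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def parse_initial_context_token(token):
    """Return (mech_oid, inner_token, offset_of_oid_bytes); raise ValueError if malformed."""
    if not token or token[0] != 0x60:
        raise ValueError("missing [APPLICATION 0] tag")
    total, pos = read_der_length(token, 1)
    if pos + total > len(token):
        raise ValueError("declared length exceeds buffer")
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER tag")
    oid_len, pos = read_der_length(token, pos + 1)
    oid = token[pos:pos + oid_len]
    if len(oid) != oid_len:
        raise ValueError("truncated OID")
    return oid, token[pos + oid_len:], pos


def classify_mech(token):
    """'krb5', 'mskrb5', or None when the OID is another mechanism or the token is malformed."""
    try:
        oid, _inner, _off = parse_initial_context_token(token)
    except ValueError:
        return None
    if oid == KRB5_OID:
        return "krb5"
    if oid == MSKRB5_OID:
        return "mskrb5"
    return None


# --- constructed sample data (not captured traffic) -------------------------

def der_length(n):
    """Encode n as a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def build_initial_context_token(oid, inner):
    """Wrap an inner token in the RFC 2743 InitialContextToken framing."""
    body = b"\x06" + der_length(len(oid)) + oid + inner
    return b"\x60" + der_length(len(body)) + body


# A large "request" (two-byte long-form length -> 6 header bytes before the OID)
# and a smaller "response" (one-byte long-form length -> 5 header bytes).
SAMPLE_REQUEST = build_initial_context_token(KRB5_OID, b"\x01\x00" + b"A" * 300)
SAMPLE_RESPONSE = build_initial_context_token(MSKRB5_OID, b"\x02\x00" + b"B" * 150)

if __name__ == "__main__":
    for name, tok in (("request", SAMPLE_REQUEST), ("response", SAMPLE_RESPONSE)):
        _oid, _inner, off = parse_initial_context_token(tok)
        print(name, "naive:", naive_prefix_check(tok), "der-aware:", classify_mech(tok),
              "oid offset:", off)
```

The point of the DER-aware version is that the OID offset is derived from the length encoding rather than assumed, so it handles both the short-form case (no long-form bytes at all) and the +5/+6 cases the post saw, and rejects a token whose declared length runs past the buffer instead of reading off the end.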