[Patch] Support for LDAP with GSSAPI/NTLMSSP auth scheme decoding in wireshark

Matthieu Patou mat+Informatique.Samba at matws.net
Mon May 4 10:53:23 GMT 2009

Hello Metze !
> Stefan (metze) Metzmacher schrieb:
>> Hi Matthieu,
>>>>> I finally finished my patch to support NTLMSSP auth in LDAP.
>>>>> As metze proposed I add the option that read all the keytab that were
>>>>> provided, and try all the encoded password inside it.
>>>>> It seems to work quite well, I tried with a few keytab generated for
>>>>> pure "traditional" LDAP with kerberos auth and I've been able to decode
>>>>> (well if the keytab contains the md4(password) of the user trying to
>>>>> authenticate himself).
>>>>> I'm quite surprised that when "extracting" crypted password in a keytab
>>>>> they are only stored by using md4(unicode(password))) even if we ask
>>>>> keytab to use arc4_hmac (but I'm far from being well aware of all in
>>>>> kerberos ...).
>>>>> Concerning protocols, I tested NTLM v1 and NTLM v2, for NTLM v1 I tested
>>>>> mostly with extended security flags so for less secure (and maybe not
>>>>> anymore really used ?) scheme (like pure lan manager auth or simple nt
>>>>> auth) problems might still exist.
>>>>> It would be just great if you can provide me some feedback, in anycase
>>>>> my goal is to submit it to wireshark devs soon.
>>>> Thanks! I'll give it a try in the next days.
> For LDAP it works fine, it's only DCERPC that doesn't work completely.
I've seen it through your other email !
I didn't spend time on DCERPC before that's why it might not work in 
every case
In fact the code for DCE/RPC was still using the old code (that didn't 
handle ntlm v2 session ...).
I already corrected the code for this, I'll have a look on the SPNEGO ...


More information about the samba-technical mailing list