[Patch] Support for LDAP with GSSAPI/NTLMSSP auth scheme decoding in wireshark

Stefan (metze) Metzmacher metze at samba.org
Tue May 5 09:19:29 GMT 2009

Matthieu Patou schrieb:
> On 05/04/2009 02:53 PM, Matthieu Patou wrote:
>> Hello Metze !
>>> Stefan (metze) Metzmacher schrieb:
>>>> Hi Matthieu,
>>>>>>> I finally finished my patch to support NTLMSSP auth in LDAP.
>>>>>>> As metze proposed I add the option that read all the keytab that
>>>>>>> were
>>>>>>> provided, and try all the encoded password inside it.
>>>>>>> It seems to work quite well, I tried with a few keytab generated for
>>>>>>> pure "traditional" LDAP with kerberos auth and I've been able to
>>>>>>> decode
>>>>>>> (well if the keytab contains the md4(password) of the user trying to
>>>>>>> authenticate himself).
>>>>>>> I'm quite surprised that when "extracting" crypted password in a
>>>>>>> keytab
>>>>>>> they are only stored by using md4(unicode(password))) even if we ask
>>>>>>> keytab to use arc4_hmac (but I'm far from being well aware of all in
>>>>>>> kerberos ...).
>>>>>>> Concerning protocols, I tested NTLM v1 and NTLM v2, for NTLM v1 I
>>>>>>> tested
>>>>>>> mostly with extended security flags so for less secure (and maybe
>>>>>>> not
>>>>>>> anymore really used ?) scheme (like pure lan manager auth or
>>>>>>> simple nt
>>>>>>> auth) problems might still exist.
>>>>>>> It would be just great if you can provide me some feedback, in
>>>>>>> anycase
>>>>>>> my goal is to submit it to wireshark devs soon.
>>>>>> Thanks! I'll give it a try in the next days.
>>> For LDAP it works fine, it's only DCERPC that doesn't work completely.
>> I've seen it through your other email !
>> I didn't spend time on DCERPC before that's why it might not work in
>> every case
>> In fact the code for DCE/RPC was still using the old code (that didn't
>> handle ntlm v2 session ...).
>> I already corrected the code for this, I'll have a look on the SPNEGO ...
>> Matthieu.
> Find attached the updated version that take care of DCE/RPC in SPNEGO
> and NTLMSSP mode.

It works fine now, thanks!

If you could somehow could decrypt DCERPC connections with schannel it
would be absolutely perfect. I think if we have the nthash from the
machine account in the keytab and the NetrServerReqChallenge and
NetrAuthenticate* we should be able to construct the seal key
for the schannel secured connection.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.samba.org/archive/samba-technical/attachments/20090505/0d3e0f31/signature.bin

More information about the samba-technical mailing list