wireshark decryption

Stefan Metzmacher metze at samba.org
Wed May 24 16:21:33 UTC 2017


Hi Aurélien,

> I've sent a couple of changes to Wireshark to add a table in the
> SMB2 protocol preference to add Session ID => (secret) Session Key
> mappings so that Wireshark can derive the decryption keys and decrypt
> the traffic.
> 
> The way Wireshark prefs work allows you to pass them via the command
> line e.g.:
> 
> % ./tshark -o 'uat:custom_smb2_seskey_list:"3d00009400480000","28f2847263c83dc00621f742dd3f2e7b"' -r
> ~/prog/smbcrypto/filt.pcap 
> ...SMB2 172 Negotiate Protocol Request
> ...SMB2 318 Negotiate Protocol Response
> ...SMB2 190 Session Setup Request, NTLMSSP_NEGOTIATE
> ...SMB2 318 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
> ...SMB2 430 Session Setup Request, NTLMSSP_AUTH, User: SUSE\administrator
> ...SMB2 142 Session Setup Response
> ...SMB2 180 Tree Connect Request Tree: \\WS2016\encrypted
> ...SMB2 150 Tree Connect Response
> ...SMB2 268 Decrypted SMB3;Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO
> ...SMB2 258 Decrypted SMB3;Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO
> ...SMB2 250 Decrypted SMB3;Create Request File:
> ....
> 
> Otherwise you can add them manually in
> Edit > Preferences > Protocols > SMB2.
> 
> The change can be found here [1], any help in getting it reviewed/merged
> welcome.

I like the concept, but you need to handle keys of variable size.

> The session key is computed by the client, it's different than the
> "session key" generated in SMB1 ([2]) which is sent on the wire and not
> safe to use for anything cryptographic. I suspect the dissector was
> already trying to use this one but it's most likely wrong.

No, it tries to use the session key based on the configured
NTLMSSP password or the Kerberos key provided by a keytab.

metze
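As an added illustration (not code from the Wireshark change or from either poster), this is the SP800-108 counter-mode derivation that turns a per-session key into the SMB3 cipher keys a dissector needs; function names and the 32-byte sample key are constructed for the example, while the 16-byte key is the one from the quoted tshark command line. HMAC-SHA256 accepts a session key of any length, which is the "variable size" point above.

```python
import hashlib
import hmac

# Session key from the quoted tshark command line (16 bytes, NTLMSSP-sized).
EXAMPLE_SESSION_KEY = bytes.fromhex("28f2847263c83dc00621f742dd3f2e7b")
# Constructed 32-byte sample, as a Kerberos AES256 key would be.
SAMPLE_KERBEROS_KEY = bytes(range(32))


def kdf_input(label: bytes, context: bytes) -> bytes:
    """Build the SP800-108 counter-mode KDF input used by MS-SMB2 3.1.4.2:
    i (4-byte big-endian, one block) || Label || 0x00 || Context || L (128 bits)."""
    return (1).to_bytes(4, "big") + label + b"\x00" + context + (128).to_bytes(4, "big")


def smb3_kdf(session_key: bytes, label: bytes, context: bytes) -> bytes:
    """One HMAC-SHA256 block truncated to the 128-bit AES key length."""
    return hmac.new(session_key, kdf_input(label, context), hashlib.sha256).digest()[:16]


def smb30_cipher_keys(session_key: bytes) -> dict:
    """SMB 3.0/3.0.2: fixed label, direction encoded in the context string.
    The NUL terminators are part of the label/context as the spec defines them."""
    label = b"SMB2AESCCM\x00"
    return {
        "client_to_server": smb3_kdf(session_key, label, b"ServerIn \x00"),
        "server_to_client": smb3_kdf(session_key, label, b"ServerOut\x00"),
    }


def smb311_cipher_keys(session_key: bytes, preauth_hash: bytes) -> dict:
    """SMB 3.1.1: direction is in the label, context is the 64-byte
    preauth integrity hash accumulated over Negotiate and Session Setup."""
    return {
        "client_to_server": smb3_kdf(session_key, b"SMBC2SCipherKey\x00", preauth_hash),
        "server_to_client": smb3_kdf(session_key, b"SMBS2CCipherKey\x00", preauth_hash),
    }


def tshark_seskey_option(session_id_hex: str, session_key_hex: str) -> str:
    """Format one entry for the UAT preference shown in the quoted command."""
    return f'uat:custom_smb2_seskey_list:"{session_id_hex}","{session_key_hex}"'


if __name__ == "__main__":
    for name, key in (("ntlm", EXAMPLE_SESSION_KEY), ("krb5", SAMPLE_KERBEROS_KEY)):
        keys = smb30_cipher_keys(key)
        print(name, keys["client_to_server"].hex(), keys["server_to_client"].hex())
    print(tshark_seskey_option("3d00009400480000", EXAMPLE_SESSION_KEY.hex()))
```
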
