wireshark decryption

Aurélien Aptel aaptel at suse.com
Mon May 29 10:24:42 UTC 2017


Hi Stefan,

Stefan Metzmacher <metze at samba.org> writes:
> I like the concept, but you need to handle keys of variable size.

I will look into it, thanks.

>> The session key is computed by the client, it's different than the
>> "session key" generated in SMB1 ([2]) which is sent on the wire and not
>> safe to use for anything cryptographic. I suspect the dissector was
>> already trying to use this one but it's most likely wrong.
>
> No, it tries to use the session key based on the configured
> NTLMSSP password or the kerberos key provided by a keytab.

Previously the session key used to derive the keys was taken from the
local keytab (which I think is safe) but also directly from the wire in
dissect_smb2_session_setup_request (ntlmssph->session_key) which is the
part I have a problem with. If the session key is sent on the wire in
the clear, then the encryption is no good.

If we assume this is not flawed by design in the protocol, this session
key serves a different purpose and the previous code is probably not
right. Am I missing something?

-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


