//============================================================================= // MODULE: kdcreq.c // // Description: // // Bloodhound Parser DLL for Kerberos Authentication Protocol // // Modification History // // Michael Webb & Kris Frost Date: 06/04/99 //============================================================================= //#include "kerbparser.h" #include "kerbGlob.h" #include "kdcreq.h" LPBYTE KdcRequest(HFRAME hFrame, LPBYTE TempFrame) { // 1st attach command displays the 1st Identifier frame TempFrame = DispSeqOctets(hFrame, TempFrame, 3, ASN1UnivTagSumID, ASN1UnivTag); // Incrementing TempFrame by one to get to the correct frame. TempFrame+=CalcLenOctet(--TempFrame); // Display Protocol Version value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, 1, DispProtocolVer); // Display pvno[1] TempFrame = KdcReqTypes(hFrame, TempFrame, KdcReqTagID, KdcReqSeq, KdcContentsValue); // Display Message Type value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, 1, DispKerbMsgType); // Display msg-type[2] TempFrame = KdcReqTypes(hFrame, TempFrame, KdcReqTagID, KdcReqSeq, KrbMsgTypeID); // Start code to break down pa-data if(*(TempFrame+1) == 0xA3) { // Display Pre-Authentication Data at the Top level TempFrame = DispTopSum(hFrame, TempFrame, 1, DispSumPreAuth); // Display padata[3] TempFrame = HandlePaData(hFrame, TempFrame, 2, PaDataSummary); } // Display KDC Request Body at the Top level TempFrame = DispTopSum(hFrame, TempFrame, 1, DispSumReqBody); // Display req-body[4] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KdcReqTagID, KdcReqSeq); // Calculate Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, 4); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // Display SEQUENCE TempFrame = DispSeqOctets(hFrame, TempFrame, 4, ASN1UnivTagSumID, ASN1UnivTag); // Following call breaks handles displaying req-body[4] TempFrame = HandleReqBody(hFrame, TempFrame, 2); return ++TempFrame; }; LPBYTE KdcReqTypes(HFRAME hFrame, LPBYTE TempFrame, DWORD TypeVal, DWORD TypeVal2, DWORD TypeVal3) { // Display ASN.1 Identifier TempFrame = DispASNTypes(hFrame, TempFrame, 2, TypeVal, TypeVal2); // Break Down INTEGER values TempFrame = DefineValue(hFrame, TempFrame, 4, TypeVal3); return TempFrame; } LPBYTE HandleReqBody(HFRAME hFrame, LPBYTE TempFrame, int OffSet) { // Display kdc-options[0] TempFrame = DispASNTypes(hFrame, TempFrame, OffSet, DispStringTixFlag, KdcReqBodyBitF); // Display Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // Display Universal Class Tag TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag); // Display Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+5); // Must get TempFrame 2 bytes past Length octet 05 TempFrame+=2; // Display KDC-Option Flags TempFrame = DefineKdcOptions(hFrame, TempFrame, OffSet+1, DispFlagKdcOptions); // Move Adjust TempFrame past KDC-Options to start at cname[1] TempFrame+=3; // Display cname[1] OPTIONAL if(*(TempFrame+1) == 0xA1) { // Display Client Name value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, OffSet, DispStringCliName); // Display cname[1]. TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF); // Display Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // Display SEQUENCE Octets TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+3, ASN1UnivTagSumID, ASN1UnivTag); // Display cname[1] TempFrame = DefinePrincipalName(hFrame, TempFrame, OffSet+3, DispStringCliName); TempFrame--; } // Display realm[2] // Display Realm name value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, OffSet, DispStringRealmName); TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF); TempFrame = DefineValue(hFrame, TempFrame, OffSet+3, DispStringRealmName); // MUST FIND OUT WHY 8 IS GETTING APPENDED TO KRBTGT AT THE TOP LEVEL // Display sname[3] OPTIONAL if(*(TempFrame+1) == 0xA3) { // Display Server name value at the Top level TempFrame = DispSumString(hFrame, TempFrame, 0x1B, OffSet, DispStringServNameGS); // Display sname[3] TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF); // Display Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // Display SEQUENCE Octets TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+3, ASN1UnivTagSumID, ASN1UnivTag); // Display sname[3] TempFrame = DefinePrincipalName(hFrame, TempFrame, OffSet+3, DispStringServerName); // --TempFrame; } // Display from[4] OPTIONAL if(*(TempFrame) == 0xA4) { //THIS CODE HASN'T BEEN TESTED. May need to put TempFrame-- on last line // Display Post Date value at the Top level TempFrame = DispSumTime(hFrame, TempFrame, 0x18, OffSet, DispStringPostDate); // Display from[4] TempFrame = DispASNTypes(hFrame, --TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF); // Display KerberosTime TempFrame = DefineValue(hFrame, TempFrame, OffSet+2, DispString); //TempFrame-- } // Display Expiration Date value at the Top level (till[5]) TempFrame = DispSumTime(hFrame, TempFrame, 0x18, OffSet, DispStringExpDate); // 1/27/00 KKF TODAY I NOTICED THAT TILL[5] WAS OFF ONE OFFSET. HADN'T NOTICED THIS // BEFORE. WENT BACK AND CHECKED A BUILD FROM NOV. AND THE PROBLEM DIDN'T EXIST. HOWEVER // I MATCHED THE CODE AND DON'T SEE THE DIFFERENCE. GOING TO DECREMENT TEMPFRAME WHILE // SENDING TO DISPASNTYPES. // Display till[5] TempFrame = DispASNTypes(hFrame, --TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF); // Display KerberosTime TempFrame = DefineValue(hFrame, TempFrame, OffSet+3, DispString); // Display rtime[6] OPTIONAL if(*(TempFrame+1) == 0xA6) { // Display Expiration Date value at the Top level TempFrame = DispSumTime(hFrame, TempFrame, 0x18, OffSet, DispStringRenewTill); // Display from[4] TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF); // Display KerberosTime TempFrame = DefineValue(hFrame, TempFrame, OffSet+3, DispString); //TempFrame-- } // Display Top level for nonce[7] TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, OffSet, DispSumRandomNumber); // Display nonce[7] TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF); //Display INTEGER TempFrame = DefineValue(hFrame, TempFrame, OffSet+3, DispSumRandomNumber); // SINCE THIS FIELD LISTS THE NUMEROUS ENCRYPTION OPTIONS A CLIENT // SUPPORTS, IT CAN BE CONFUSING DISPLAYING THE FIRST OPTION AT THE TOP // LEVEL SO I'M REMMING OUT THE NEXT LINE OF CODE. //Display Encryption Algorithm at the top Level etype[8] // TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x02, OffSet, DispSumEtype2); //Display Encryption Type Option(s) at the top Level etype[8] TempFrame = DispTopSum(hFrame, TempFrame, 2, DispEncryptionOptions); // Display etype[8] TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF); // Display Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // Display all the encryption types. TempFrame = DefineEtype(hFrame, TempFrame, OffSet+1, DispSumEtype2, ASN1UnivTagSumID, ASN1UnivTag); // Display addresses[9] if(*(TempFrame) == 0xA9) { // Display Expiration Date value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x04, 0x30, OffSet, DispStringAddresses); // Adjust TempFrame to proper octet --TempFrame; // Display addresses[9] TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF); // Display Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // Display SEQUENCE OF Octets TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+3, ASN1UnivTagSumID, ASN1UnivTag); //Display addresses[9] TempFrame = DispHostAddresses(hFrame, TempFrame, OffSet+1); } /* LEFT OFF HERE BECAUSE THE SNIFFS I HAVE DON'T HAVE THE FINAL OPTIONS. FINISH HANDLING THE KDC-REQ PACKET IF/WHEN YOU GET A SNIFF WITH THE INFO, THEN GO BACK AND ADD CODE FOR THE OPTIONAL'S IN KRB-ERROR USING MIKE'S SNIFF. Missing enc-authorization-data[10] & additional-tickets[11] */ return TempFrame; }