//============================================================================= // MODULE: krberr.c // // Description: // // Bloodhound Parser DLL for Kerberos Authentication Protocol // // Modification History // // Michael Webb & Kris Frost Date: 06/04/99 //============================================================================= //#include "kerbparser.h" #include "kerbGlob.h" #include "krberr.h" int lValueKrbErr; BYTE TempError; LPBYTE KrbError(HFRAME hFrame, LPBYTE TempFrame) { // Display SEQUENCE (First frame we handle in this file. TempFrame = DispASNTypes(hFrame, TempFrame, 3, ASN1UnivTagSumID, ASN1UnivTag); lValueKrbErr=CalcLenOctet(TempFrame); // Display Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, 4); // Next line increments TempFrame appropriately based on the number of Length octets // caculated previously TempFrame+=lValueKrbErr; // Display Protocol Version value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, 1, DispProtocolVer); // Display pvno[0] TempFrame = DispASNTypes(hFrame, --TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display octets associated with Integer TempFrame = DefineValue(hFrame, TempFrame, 4, KdcContentsValue); // Display Message Type value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, 1, DispKerbMsgType); // Display msg-type[1] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display octets associated with Integer TempFrame = DefineValue(hFrame, TempFrame, 4, KrbMsgTypeID); /* Here we need to check for ctime[2] which is an optional value. If present, display the data if not go to the next tag. */ TempError = *(TempFrame+1); if(TempError == 0xA2) {// Display Client Time value at the Top level // TempFrame = DispSum(hFrame, TempFrame, 0x18, 0x30, 1, DispStringCliTime); TempFrame = DispSumTime(hFrame, TempFrame, 0x18, 1, DispStringCliTime); // Display ctime[2]. TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display octets associated with KerberosTime TempFrame = DefineValue(hFrame, TempFrame, 4, DispString); // Need to put code here to display the timestamp. } TempError = *(TempFrame+1); //Display cusec[3] (If available) if(TempError == 0xA3) {// NEED TO GET THIS CODE TO PRINT OUT THE COMBINED VALUE OF MICROSECONDS // Display MicroSec of Client value at the Top level TempFrame = DispSumSec(hFrame, TempFrame, 0x02, 0x30, 1, DispSumCuSec); // Display cusec[3] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display octets associated with Integer TempFrame = DefineValue(hFrame, TempFrame, 4, DispTimeID); } // Display Server Time value at the Top level // TempFrame = DispSum(hFrame, TempFrame, 0x18, 0x30, 1, DispStringSrvTime); TempFrame = DispSumTime(hFrame, TempFrame, 0x18, 1, DispStringSrvTime); // Display stime[4] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display KerberosTime TempFrame = DefineValue(hFrame, TempFrame, 4, DispString); // NEED TO GET THIS CODE TO PRINT OUT THE TOTAL VALUE OF MICROSECOND // Display MicroSec of Server value at the Top level TempFrame = DispSumSec(hFrame, TempFrame, 0x02, 0x30, 1, DispSumSuSec); //Display susec[5] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display value of susec TempFrame = DefineValue(hFrame, TempFrame, 4, DispTimeID); // Display Error value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, 1, DispSumKerbErr); // Display error-code[6] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display value of error-code[6] TempFrame = DefineValue(hFrame, TempFrame, 4, KrbErrCodeID); // Get the value of TempFrame+1 TempError = *(TempFrame+1); // Display value of crealm[7] (Optional if(TempError == 0xA7) {// Display Client Realm name value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, 1, DispStringCliRealm); // Display crealm[7] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display Realm string TempFrame = DefineValue(hFrame, TempFrame, 4, DispString); } // Get the value of TempFrame+1 TempError = *(TempFrame+1); // Display cname[8] if(TempError == 0xA8) {// This code wasn't tested as it wasn't in the sniff // Display Client name value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, 1, DispStringCliName); // Display cname[8] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); //Display Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, 4); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // Display SEQUENCE TempFrame = DispASNTypes(hFrame, TempFrame, 5, ASN1UnivTagSumID, ASN1UnivTag); // Print out Length Octet TempFrame = CalcLengthSummary(hFrame, TempFrame, 6); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // This call breaks down PrincipalName defined in cname[8] TempFrame =DefinePrincipalName(hFrame, TempFrame, 3, DispString); // Decrementing TempFrame by 1 as DefinePrincipal takes the offset // to where Realm Name starts --TempFrame; } // Display Realm name value at the Top level TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, 1, DispStringRealmName); //Display realm[9] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display realm[9] string TempFrame = DefineValue(hFrame, TempFrame, 4, DispString); // Begin breaking out sname[10] // Display Server name value at the Top level // TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, 1, DispStringServerName); TempFrame = DispSumString(hFrame, TempFrame, 0x1B, 1, DispStringServNameGS); // Display sname[10] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); //Display Length TempFrame = CalcLengthSummary(hFrame, TempFrame, 4); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // Display SEQUENCE TempFrame = DispASNTypes(hFrame, TempFrame, 4, ASN1UnivTagSumID, ASN1UnivTag); // Calculate short length TempFrame = CalcLengthSummary(hFrame, TempFrame, 5); // Incrementing TempFrame based on the number of octets // taken up by the Length octet TempFrame = IncTempFrame(TempFrame); // This call will break down the PrincipalName portion of sname[2] TempFrame =DefinePrincipalName(hFrame, TempFrame, 4, DispString); TempFrame--; // End code for displaying sname[10] // Get the value of TempFrame+1 TempError = *(TempFrame+1); // Display e-text[11] Optional if(TempError == 0xAB) {// Display Error Text at the Top Level TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, 1, DispStringErrorText); // Display e-text[11] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display Realm string TempFrame = DefineValue(hFrame, TempFrame, 4, DispString); } // Get the value of TempFrame+1 TempError = *(TempFrame+1); // Display e-data[12] if(TempError == 0xAC) {// Not sure how to display this data at this time. Adding code and will // worry about the accuracy at a later stage. // Display Error Text at the Top Level TempFrame = DispSum(hFrame, TempFrame, 0x04, 0x30, 1, DispStringErrorData); // Display e-data[12] TempFrame = DispASNTypes(hFrame, TempFrame, 2, KrbErrTagSumID, KrbErrTagID); // Display e-data string TempFrame = DispEdata(hFrame, TempFrame, 4, DispString); } /* 8/17 ADDITIONALLY, IT LOOKS AS E-DATA[12] IS A SEQUENCE OF PADATA. HOWEVER I AM CURRENTLY PREPARING TO TRANSITION TO ANOTHER POSITION SO I'M LEAVING THIS CODE OUT FOR NOW. WILL LOOK AT ADDING IT WHEN I START ADJUSTING THE CODE TO WORK WITH THE COALESCER. */ return TempFrame; }