313 lines
9 KiB
C
313 lines
9 KiB
C
//=============================================================================
|
|
// MODULE: kdcreq.c
|
|
//
|
|
// Description:
|
|
//
|
|
// Bloodhound Parser DLL for Kerberos Authentication Protocol
|
|
//
|
|
// Modification History
|
|
//
|
|
// Michael Webb & Kris Frost Date: 06/04/99
|
|
//=============================================================================
|
|
|
|
//#include "kerbparser.h"
|
|
#include "kerbGlob.h"
|
|
#include "kdcreq.h"
|
|
|
|
|
|
LPBYTE KdcRequest(HFRAME hFrame, LPBYTE TempFrame)
|
|
{
|
|
|
|
// 1st attach command displays the 1st Identifier frame
|
|
TempFrame = DispSeqOctets(hFrame, TempFrame, 3, ASN1UnivTagSumID, ASN1UnivTag);
|
|
|
|
// Incrementing TempFrame by one to get to the correct frame.
|
|
TempFrame+=CalcLenOctet(--TempFrame);
|
|
|
|
// Display Protocol Version value at the Top level
|
|
TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, 1, DispProtocolVer);
|
|
|
|
// Display pvno[1]
|
|
TempFrame = KdcReqTypes(hFrame, TempFrame, KdcReqTagID, KdcReqSeq, KdcContentsValue);
|
|
|
|
|
|
// Display Message Type value at the Top level
|
|
TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, 1, DispKerbMsgType);
|
|
|
|
// Display msg-type[2]
|
|
TempFrame = KdcReqTypes(hFrame, TempFrame, KdcReqTagID, KdcReqSeq, KrbMsgTypeID);
|
|
|
|
// Start code to break down pa-data
|
|
if(*(TempFrame+1) == 0xA3)
|
|
{
|
|
|
|
// Display Pre-Authentication Data at the Top level
|
|
TempFrame = DispTopSum(hFrame, TempFrame, 1, DispSumPreAuth);
|
|
|
|
// Display padata[3]
|
|
TempFrame = HandlePaData(hFrame, TempFrame, 2, PaDataSummary);
|
|
|
|
}
|
|
|
|
|
|
// Display KDC Request Body at the Top level
|
|
TempFrame = DispTopSum(hFrame, TempFrame, 1, DispSumReqBody);
|
|
|
|
// Display req-body[4]
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, 2, KdcReqTagID, KdcReqSeq);
|
|
|
|
// Calculate Length Octet
|
|
TempFrame = CalcLengthSummary(hFrame, TempFrame, 4);
|
|
|
|
// Incrementing TempFrame based on the number of octets
|
|
// taken up by the Length octet
|
|
TempFrame = IncTempFrame(TempFrame);
|
|
|
|
// Display SEQUENCE
|
|
TempFrame = DispSeqOctets(hFrame, TempFrame, 4, ASN1UnivTagSumID, ASN1UnivTag);
|
|
|
|
// Following call breaks handles displaying req-body[4]
|
|
TempFrame = HandleReqBody(hFrame, TempFrame, 2);
|
|
|
|
return ++TempFrame;
|
|
};
|
|
|
|
|
|
|
|
LPBYTE KdcReqTypes(HFRAME hFrame, LPBYTE TempFrame, DWORD TypeVal, DWORD TypeVal2, DWORD TypeVal3)
|
|
{
|
|
// Display ASN.1 Identifier
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, 2, TypeVal, TypeVal2);
|
|
|
|
// Break Down INTEGER values
|
|
TempFrame = DefineValue(hFrame, TempFrame, 4, TypeVal3);
|
|
|
|
|
|
|
|
return TempFrame;
|
|
}
|
|
|
|
LPBYTE HandleReqBody(HFRAME hFrame, LPBYTE TempFrame, int OffSet)
|
|
{
|
|
// Display kdc-options[0]
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet, DispStringTixFlag, KdcReqBodyBitF);
|
|
|
|
// Display Length Octet
|
|
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3);
|
|
|
|
// Incrementing TempFrame based on the number of octets
|
|
// taken up by the Length octet
|
|
TempFrame = IncTempFrame(TempFrame);
|
|
|
|
// Display Universal Class Tag
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag);
|
|
|
|
// Display Length Octet
|
|
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+5);
|
|
|
|
// Must get TempFrame 2 bytes past Length octet 05
|
|
TempFrame+=2;
|
|
|
|
// Display KDC-Option Flags
|
|
TempFrame = DefineKdcOptions(hFrame, TempFrame, OffSet+1, DispFlagKdcOptions);
|
|
|
|
|
|
// Move Adjust TempFrame past KDC-Options to start at cname[1]
|
|
TempFrame+=3;
|
|
|
|
// Display cname[1] OPTIONAL
|
|
|
|
if(*(TempFrame+1) == 0xA1)
|
|
{
|
|
// Display Client Name value at the Top level
|
|
TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, OffSet, DispStringCliName);
|
|
|
|
// Display cname[1].
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF);
|
|
|
|
// Display Length Octet
|
|
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3);
|
|
|
|
// Incrementing TempFrame based on the number of octets
|
|
// taken up by the Length octet
|
|
TempFrame = IncTempFrame(TempFrame);
|
|
|
|
// Display SEQUENCE Octets
|
|
TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+3, ASN1UnivTagSumID, ASN1UnivTag);
|
|
|
|
// Display cname[1]
|
|
TempFrame = DefinePrincipalName(hFrame, TempFrame, OffSet+3, DispStringCliName);
|
|
|
|
TempFrame--;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Display realm[2]
|
|
// Display Realm name value at the Top level
|
|
TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, OffSet, DispStringRealmName);
|
|
|
|
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF);
|
|
TempFrame = DefineValue(hFrame, TempFrame, OffSet+3, DispStringRealmName);
|
|
|
|
|
|
// MUST FIND OUT WHY 8 IS GETTING APPENDED TO KRBTGT AT THE TOP LEVEL
|
|
// Display sname[3] OPTIONAL
|
|
if(*(TempFrame+1) == 0xA3)
|
|
{
|
|
// Display Server name value at the Top level
|
|
TempFrame = DispSumString(hFrame, TempFrame, 0x1B, OffSet, DispStringServNameGS);
|
|
|
|
// Display sname[3]
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF);
|
|
|
|
// Display Length Octet
|
|
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4);
|
|
|
|
// Incrementing TempFrame based on the number of octets
|
|
// taken up by the Length octet
|
|
TempFrame = IncTempFrame(TempFrame);
|
|
|
|
// Display SEQUENCE Octets
|
|
TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+3, ASN1UnivTagSumID, ASN1UnivTag);
|
|
|
|
// Display sname[3]
|
|
TempFrame = DefinePrincipalName(hFrame, TempFrame, OffSet+3, DispStringServerName);
|
|
|
|
// --TempFrame;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Display from[4] OPTIONAL
|
|
if(*(TempFrame) == 0xA4)
|
|
{ //THIS CODE HASN'T BEEN TESTED. May need to put TempFrame-- on last line
|
|
|
|
// Display Post Date value at the Top level
|
|
TempFrame = DispSumTime(hFrame, TempFrame, 0x18, OffSet, DispStringPostDate);
|
|
|
|
// Display from[4]
|
|
TempFrame = DispASNTypes(hFrame, --TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF);
|
|
|
|
// Display KerberosTime
|
|
TempFrame = DefineValue(hFrame, TempFrame, OffSet+2, DispString);
|
|
|
|
//TempFrame--
|
|
}
|
|
|
|
// Display Expiration Date value at the Top level (till[5])
|
|
TempFrame = DispSumTime(hFrame, TempFrame, 0x18, OffSet, DispStringExpDate);
|
|
|
|
// 1/27/00 KKF TODAY I NOTICED THAT TILL[5] WAS OFF ONE OFFSET. HADN'T NOTICED THIS
|
|
// BEFORE. WENT BACK AND CHECKED A BUILD FROM NOV. AND THE PROBLEM DIDN'T EXIST. HOWEVER
|
|
// I MATCHED THE CODE AND DON'T SEE THE DIFFERENCE. GOING TO DECREMENT TEMPFRAME WHILE
|
|
// SENDING TO DISPASNTYPES.
|
|
|
|
// Display till[5]
|
|
TempFrame = DispASNTypes(hFrame, --TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF);
|
|
|
|
|
|
// Display KerberosTime
|
|
TempFrame = DefineValue(hFrame, TempFrame, OffSet+3, DispString);
|
|
|
|
|
|
// Display rtime[6] OPTIONAL
|
|
if(*(TempFrame+1) == 0xA6)
|
|
{
|
|
// Display Expiration Date value at the Top level
|
|
TempFrame = DispSumTime(hFrame, TempFrame, 0x18, OffSet, DispStringRenewTill);
|
|
|
|
// Display from[4]
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF);
|
|
|
|
// Display KerberosTime
|
|
TempFrame = DefineValue(hFrame, TempFrame, OffSet+3, DispString);
|
|
|
|
//TempFrame--
|
|
}
|
|
|
|
|
|
// Display Top level for nonce[7]
|
|
TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, OffSet, DispSumRandomNumber);
|
|
|
|
// Display nonce[7]
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF);
|
|
|
|
//Display INTEGER
|
|
TempFrame = DefineValue(hFrame, TempFrame, OffSet+3, DispSumRandomNumber);
|
|
|
|
|
|
|
|
// SINCE THIS FIELD LISTS THE NUMEROUS ENCRYPTION OPTIONS A CLIENT
|
|
// SUPPORTS, IT CAN BE CONFUSING DISPLAYING THE FIRST OPTION AT THE TOP
|
|
// LEVEL SO I'M REMMING OUT THE NEXT LINE OF CODE.
|
|
//Display Encryption Algorithm at the top Level etype[8]
|
|
// TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x02, OffSet, DispSumEtype2);
|
|
|
|
//Display Encryption Type Option(s) at the top Level etype[8]
|
|
TempFrame = DispTopSum(hFrame, TempFrame, 2, DispEncryptionOptions);
|
|
// Display etype[8]
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF);
|
|
|
|
// Display Length Octet
|
|
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4);
|
|
|
|
// Incrementing TempFrame based on the number of octets
|
|
// taken up by the Length octet
|
|
TempFrame = IncTempFrame(TempFrame);
|
|
|
|
// Display all the encryption types.
|
|
TempFrame = DefineEtype(hFrame, TempFrame, OffSet+1, DispSumEtype2, ASN1UnivTagSumID, ASN1UnivTag);
|
|
|
|
|
|
// Display addresses[9]
|
|
|
|
if(*(TempFrame) == 0xA9)
|
|
|
|
{
|
|
// Display Expiration Date value at the Top level
|
|
TempFrame = DispSum(hFrame, TempFrame, 0x04, 0x30, OffSet, DispStringAddresses);
|
|
|
|
// Adjust TempFrame to proper octet
|
|
--TempFrame;
|
|
// Display addresses[9]
|
|
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+1, KdcReqBodyID, KdcReqBodyBitF);
|
|
|
|
// Display Length Octet
|
|
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4);
|
|
|
|
// Incrementing TempFrame based on the number of octets
|
|
// taken up by the Length octet
|
|
TempFrame = IncTempFrame(TempFrame);
|
|
|
|
// Display SEQUENCE OF Octets
|
|
TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+3, ASN1UnivTagSumID, ASN1UnivTag);
|
|
|
|
//Display addresses[9]
|
|
TempFrame = DispHostAddresses(hFrame, TempFrame, OffSet+1);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
/*
|
|
LEFT OFF HERE BECAUSE THE SNIFFS I HAVE DON'T HAVE THE FINAL OPTIONS. FINISH HANDLING THE KDC-REQ PACKET
|
|
IF/WHEN YOU GET A SNIFF WITH THE INFO, THEN GO BACK AND ADD CODE FOR THE OPTIONAL'S IN KRB-ERROR
|
|
USING MIKE'S SNIFF.
|
|
|
|
Missing enc-authorization-data[10] & additional-tickets[11]
|
|
|
|
*/
|
|
|
|
|
|
return TempFrame;
|
|
|
|
}
|
|
|
|
|