authorLuca Deri <deri@ntop.org>2019-10-08 13:32:21 +0200
committerLuca Deri <deri@ntop.org>2019-10-08 13:32:21 +0200
commit6b5a9aa9929c6229a7bb0926edcf7ae713aabef9 (patch)
tree5244927a5108fccf60a6d33c50d2c7e372ef4073
parent256858d2e5d9db3777ccb113ed75bcd836fc8d16 (diff)
Implemented Kerberos metadata extraction
-rw-r--r--example/reader_util.c8
-rw-r--r--src/include/ndpi_typedefs.h4
-rw-r--r--src/lib/protocols/kerberos.c107
-rw-r--r--tests/pcap/kerberos.pcapbin0 -> 29547 bytes
-rw-r--r--tests/result/kerberos.pcap.out44
5 files changed, 135 insertions, 28 deletions
diff --git a/example/reader_util.c b/example/reader_util.c
index 4859d69e5..050ccc556 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -966,6 +966,14 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UBNTAC2) {
snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.ubntac2.version);
}
+ /* KERBEROS */
+ else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_KERBEROS) {
+ if(flow->ndpi_flow->protos.kerberos.cname[0] != '\0') {
+ snprintf(flow->info, sizeof(flow->info), "%s (%s)",
+ flow->ndpi_flow->protos.kerberos.cname,
+ flow->ndpi_flow->protos.kerberos.realm);
+ }
+ }
/* HTTP */
else if(flow->detected_protocol.master_protocol == NDPI_PROTOCOL_HTTP) {
if(flow->ndpi_flow->http.url != NULL) {
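Review bot: The new Kerberos branch formats `"%s (%s)"` from `cname` and `realm` as soon as `cname[0]` is set, but in the dissector (kerberos.c in this same commit) the realm is copied in a separate, later bounds-checked step, so a flow can end up with a cname and an empty realm and be printed as `johnson-pc$ ()`, assuming the protos struct starts zeroed. Guard the second field as well, e.g. keep the two-field format under `if(flow->ndpi_flow->protos.kerberos.cname[0] != '\0' && flow->ndpi_flow->protos.kerberos.realm[0] != '\0')` and fall back to a plain `"%s"` with just the cname otherwise. Both strings come straight off the wire, so bounding the copy with `snprintf(..., sizeof(flow->info), ...)` as done here is the right approach. `process_ndpi_collected_info` starts before and ends after this hunk.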
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 4e1eb915e..4366df5c1 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1190,6 +1190,10 @@ struct ndpi_flow_struct {
} ntp;
struct {
+ char cname[24], realm[24];
+ } kerberos;
+
+ struct {
struct {
u_int16_t ssl_version;
char client_certificate[64], server_certificate[64], server_organization[64];
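Review bot: The new `cname[24], realm[24]` fields carry no comment on their contract, and 24 bytes is tight for a Kerberos realm, which is conventionally the upper-cased DNS domain and can exceed 23 characters. Add a comment such as `/* NUL-terminated, lower-cased by the dissector; longer values are silently truncated */` so that consumers of these fields know a short realm may be a truncation rather than the real value. If the enclosing layout (not visible here) allows it, sizing them like the neighbouring 64-byte certificate fields would avoid most truncation.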
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index a1c271387..fa73ab0ae 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -1,8 +1,8 @@
/*
* kerberos.c
*
- * Copyright (C) 2009-2011 by ipoque GmbH
* Copyright (C) 2011-19 - ntop.org
+ * Copyright (C) 2009-2011 by ipoque GmbH
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -19,7 +19,7 @@
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
+ *
*/
#include "ndpi_protocol_ids.h"
@@ -28,46 +28,98 @@
#include "ndpi_api.h"
+// #define KERBEROS_DEBUG 1
static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow)
-{
+ struct ndpi_flow_struct *flow) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN);
NDPI_LOG_DBG(ndpi_struct, "trace KERBEROS\n");
}
-void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
+void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ NDPI_LOG_DBG(ndpi_struct, "search KERBEROS\n");
+
+ /* I have observed 0a,0c,0d,0e at packet->payload[19/21], maybe there are other possibilities */
+ if(packet->payload_packet_len >= 4 && ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len - 4) {
+ if(packet->payload_packet_len > 19 &&
+ packet->payload[14] == 0x05 &&
+ (packet->payload[19] == 0x0a ||
+ packet->payload[19] == 0x0c || packet->payload[19] == 0x0d || packet->payload[19] == 0x0e)) {
+ if(packet->payload[19] == 0x0a) /* AS-REQ */ {
+ u_int pad_data_len = packet->payload[23];
+ u_int body_offset = pad_data_len + 23;
+
+ if(body_offset < packet->payload_packet_len) {
+ u_int name_offset = body_offset + 30;
+
+ if(name_offset < packet->payload_packet_len) {
+ u_int cname_len = packet->payload[name_offset];
+
+ if((cname_len+name_offset) < packet->payload_packet_len) {
+ u_int realm_len, realm_offset = cname_len + name_offset + 4, i;
+ char cname_str[24];
+
+ if(cname_len >= sizeof(cname_str))
+ cname_len = sizeof(cname_str);
- NDPI_LOG_DBG(ndpi_struct, "search KERBEROS\n");
+ strncpy(cname_str, (char*)&packet->payload[name_offset+1], cname_len);
+ cname_str[cname_len] = '\0';
+ for(i=0; i<cname_len; i++) cname_str[i] = tolower(cname_str[i]);
+
+#ifdef KERBEROS_DEBUG
+ printf("[Kerberos Cname][len: %u][%s]\n", cname_len, cname_str);
+#endif
- /* I have observed 0a,0c,0d,0e at packet->payload[19/21], maybe there are other possibilities */
- if (packet->payload_packet_len >= 4 && ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len - 4) {
- if (packet->payload_packet_len > 19 &&
- packet->payload[14] == 0x05 &&
- (packet->payload[19] == 0x0a ||
- packet->payload[19] == 0x0c || packet->payload[19] == 0x0d || packet->payload[19] == 0x0e)) {
- ndpi_int_kerberos_add_connection(ndpi_struct, flow);
- return;
+ snprintf(flow->protos.kerberos.cname, sizeof(flow->protos.kerberos.cname), "%s", cname_str);
+
+ realm_len = packet->payload[realm_offset];
- }
- if (packet->payload_packet_len > 21 &&
- packet->payload[16] == 0x05 &&
- (packet->payload[21] == 0x0a ||
- packet->payload[21] == 0x0c || packet->payload[21] == 0x0d || packet->payload[21] == 0x0e)) {
- ndpi_int_kerberos_add_connection(ndpi_struct, flow);
- return;
+ if((realm_offset+realm_len) < packet->payload_packet_len) {
+ char realm_str[24];
- }
+ if(realm_len >= sizeof(realm_str))
+ realm_len = sizeof(realm_str);
+
+ strncpy(realm_str, (char*)&packet->payload[realm_offset+1], realm_len);
+ realm_str[realm_len] = '\0';
+ for(i=0; i<realm_len; i++) realm_str[i] = tolower(realm_str[i]);
+
+
+#ifdef KERBEROS_DEBUG
+ printf("[Kerberos Realm][len: %u][%s]\n", realm_len, realm_str);
+#endif
+ snprintf(flow->protos.kerberos.realm, sizeof(flow->protos.kerberos.realm), "%s", realm_str);
+ }
+ }
+ }
}
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
+
+ ndpi_int_kerberos_add_connection(ndpi_struct, flow);
+ return;
+
+ }
+
+ if(packet->payload_packet_len > 21 &&
+ packet->payload[16] == 0x05 &&
+ (packet->payload[21] == 0x0a ||
+ packet->payload[21] == 0x0c || packet->payload[21] == 0x0d || packet->payload[21] == 0x0e)) {
+ ndpi_int_kerberos_add_connection(ndpi_struct, flow);
+ return;
+
+ }
+ }
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
-void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
+void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
ndpi_set_bitmask_protocol_detection("Kerberos", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_KERBEROS,
ndpi_search_kerberos,
@@ -77,4 +129,3 @@ void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-
diff --git a/tests/pcap/kerberos.pcap b/tests/pcap/kerberos.pcap
new file mode 100644
index 000000000..790196f17
--- /dev/null
+++ b/tests/pcap/kerberos.pcap
Binary files differ
diff --git a/tests/result/kerberos.pcap.out b/tests/result/kerberos.pcap.out
new file mode 100644
index 000000000..f56a94611
--- /dev/null
+++ b/tests/result/kerberos.pcap.out
@@ -0,0 +1,44 @@
+Unknown 9 3031 2
+SMBv23 6 1914 3
+Kerberos 48 19194 24
+LDAP 14 4152 7
+
+ 1 TCP 172.16.8.201:49171 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1486 bytes <-> 1 pkts/1506 bytes][PLAIN TEXT (HAPPYCRAFT.ORG)]
+ 2 TCP 172.16.8.201:49160 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1485 bytes <-> 1 pkts/1498 bytes][PLAIN TEXT (HAPPYCRAFT.ORG)]
+ 3 TCP 172.16.8.201:49176 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1485 bytes <-> 1 pkts/1498 bytes][PLAIN TEXT (HAPPYCRAFT.ORG)]
+ 4 TCP 172.16.8.201:49173 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/1118 bytes <-> 1 pkts/190 bytes][PLAIN TEXT (HAPPYCRAFT.ORG)]
+ 5 TCP 172.16.8.201:49194 <-> 172.16.8.8:445 [proto: 41/SMBv23][cat: System/18][1 pkts/410 bytes <-> 1 pkts/314 bytes]
+ 6 TCP 172.16.8.201:49193 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/384 bytes <-> 1 pkts/264 bytes]
+ 7 TCP 172.16.8.201:49191 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/368 bytes <-> 1 pkts/264 bytes]
+ 8 TCP 172.16.8.201:49157 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/293 bytes <-> 1 pkts/332 bytes][johnson-pc$ (happycraft.org)][PLAIN TEXT (johnson)]
+ 9 TCP 172.16.8.201:49166 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/293 bytes <-> 1 pkts/332 bytes][johnson-pc$ (happycraft.org)][PLAIN TEXT (johnson)]
+ 10 TCP 172.16.8.201:49181 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/293 bytes <-> 1 pkts/332 bytes][johnson-pc$ (happycraft.org)][PLAIN TEXT (JOHNSON)]
+ 11 TCP 172.16.8.201:49156 <-> 172.16.8.8:445 [proto: 41/SMBv23][cat: System/18][1 pkts/281 bytes <-> 1 pkts/314 bytes]
+ 12 TCP 172.16.8.201:49174 <-> 172.16.8.8:445 [proto: 41/SMBv23][cat: System/18][1 pkts/281 bytes <-> 1 pkts/314 bytes]
+ 13 TCP 172.16.8.201:49188 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/369 bytes <-> 1 pkts/216 bytes][PLAIN TEXT (theresa.johnson)]
+ 14 TCP 172.16.8.201:49161 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/320 bytes <-> 1 pkts/264 bytes]
+ 15 TCP 172.16.8.201:49179 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/320 bytes <-> 1 pkts/264 bytes]
+ 16 TCP 172.16.8.201:49180 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/320 bytes <-> 1 pkts/264 bytes]
+ 17 TCP 172.16.8.201:49187 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/289 bytes <-> 1 pkts/294 bytes][theresa.johnson (happycraft)][PLAIN TEXT (theresa.johnson)]
+ 18 TCP 172.16.8.201:49169 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/296 bytes <-> 1 pkts/264 bytes][PLAIN TEXT (PSTUsM)]
+ 19 TCP 172.16.8.201:49172 <-> 172.16.8.8:389 [proto: 112/LDAP][cat: System/18][1 pkts/296 bytes <-> 1 pkts/264 bytes]
+ 20 TCP 172.16.8.201:49158 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/373 bytes <-> 1 pkts/166 bytes][PLAIN TEXT (johnson)]
+ 21 TCP 172.16.8.201:49167 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/373 bytes <-> 1 pkts/166 bytes][PLAIN TEXT (johnson)]
+ 22 TCP 172.16.8.201:49182 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/373 bytes <-> 1 pkts/166 bytes][PLAIN TEXT (JOHNSON)]
+ 23 TCP 172.16.8.201:49190 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/271 bytes <-> 1 pkts/244 bytes][PLAIN TEXT (happycraft.org)]
+ 24 TCP 172.16.8.201:49192 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/255 bytes <-> 1 pkts/233 bytes][PLAIN TEXT (20370913024805Z)]
+ 25 TCP 172.16.8.201:49195 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/255 bytes <-> 1 pkts/233 bytes][PLAIN TEXT (20370913024805Z)]
+ 26 TCP 172.16.8.201:49162 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/207 bytes <-> 1 pkts/180 bytes]
+ 27 TCP 172.16.8.201:49168 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/207 bytes <-> 1 pkts/180 bytes]
+ 28 TCP 172.16.8.201:49159 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/191 bytes <-> 1 pkts/169 bytes]
+ 29 TCP 172.16.8.201:49175 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/191 bytes <-> 1 pkts/169 bytes]
+ 30 TCP 172.16.8.201:49186 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/191 bytes <-> 1 pkts/169 bytes]
+ 31 TCP 172.16.8.201:49170 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/167 bytes <-> 1 pkts/122 bytes]
+ 32 TCP 172.16.8.201:49183 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/134 bytes <-> 1 pkts/94 bytes]
+ 33 TCP 172.16.8.201:49189 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/95 bytes <-> 1 pkts/120 bytes][PLAIN TEXT (370913024805Z)]
+ 34 TCP 172.16.8.201:49196 <-> 172.16.8.8:88 [proto: 111/Kerberos][cat: Network/14][1 pkts/89 bytes <-> 1 pkts/102 bytes][PLAIN TEXT (20370913024805Z)]
+
+
+Undetected flows:
+ 1 TCP 172.16.8.201:49165 <-> 172.16.8.8:49155 [proto: 0/Unknown][4 pkts/1382 bytes <-> 2 pkts/624 bytes][bytes ratio: 0.378 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/21492 7163.7/21492.0 21491/21492 10131.0/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 274/286 345.5/312.0 429/338 72.0/26.0]
+ 2 TCP 172.16.8.201:49185 <-> 172.16.8.8:49155 [proto: 0/Unknown][2 pkts/687 bytes <-> 1 pkts/338 bytes]