From 6b5a9aa9929c6229a7bb0926edcf7ae713aabef9 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Tue, 8 Oct 2019 13:32:21 +0200
Subject: Implemented Kerberos metadata extraction

---
 src/include/ndpi_typedefs.h | 4 ++
 src/lib/protocols/kerberos.c | 107 ++++++++++++++++++++++++++++++++-----------
 2 files changed, 83 insertions(+), 28 deletions(-)

(limited to 'src')

diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 4e1eb915e..4366df5c1 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1189,6 +1189,10 @@ struct ndpi_flow_struct {
 u_int8_t version;
 } ntp;
 
+ struct {
+ char cname[24], realm[24];
+ } kerberos;
+
 struct {
 struct {
 u_int16_t ssl_version;
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index a1c271387..fa73ab0ae 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -1,8 +1,8 @@
 /*
 * kerberos.c
 *
- * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-19 - ntop.org
+ * Copyright (C) 2009-2011 by ipoque GmbH
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -19,7 +19,7 @@
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
- *
+ *
 */
 
 #include "ndpi_protocol_ids.h"
@@ -28,46 +28,98 @@ #include "ndpi_api.h" +// #define KERBEROS_DEBUG 1 static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) -{ + struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN); NDPI_LOG_DBG(ndpi_struct, "trace KERBEROS\n"); } -void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; +void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + NDPI_LOG_DBG(ndpi_struct, "search KERBEROS\n"); + + /* I have observed 0a,0c,0d,0e at packet->payload[19/21], maybe there are other possibilities */ + if(packet->payload_packet_len >= 4 && ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len - 4) { + if(packet->payload_packet_len > 19 && + packet->payload[14] == 0x05 && + (packet->payload[19] == 0x0a || + packet->payload[19] == 0x0c || packet->payload[19] == 0x0d || packet->payload[19] == 0x0e)) { + if(packet->payload[19] == 0x0a) /* AS-REQ */ { + u_int pad_data_len = packet->payload[23]; + u_int body_offset = pad_data_len + 23; + + if(body_offset < packet->payload_packet_len) { + u_int name_offset = body_offset + 30; + + if(name_offset < packet->payload_packet_len) { + u_int cname_len = packet->payload[name_offset]; + + if((cname_len+name_offset) < packet->payload_packet_len) { + u_int realm_len, realm_offset = cname_len + name_offset + 4, i; + char cname_str[24]; + + if(cname_len >= sizeof(cname_str)) + cname_len = sizeof(cname_str); - NDPI_LOG_DBG(ndpi_struct, "search KERBEROS\n"); + strncpy(cname_str, (char*)&packet->payload[name_offset+1], cname_len); + cname_str[cname_len] = '\0'; + for(i=0; ipayload[19/21], maybe there are other possibilities */ - if (packet->payload_packet_len >= 4 && 
ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len - 4) { - if (packet->payload_packet_len > 19 && - packet->payload[14] == 0x05 && - (packet->payload[19] == 0x0a || - packet->payload[19] == 0x0c || packet->payload[19] == 0x0d || packet->payload[19] == 0x0e)) { - ndpi_int_kerberos_add_connection(ndpi_struct, flow); - return; + snprintf(flow->protos.kerberos.cname, sizeof(flow->protos.kerberos.cname), "%s", cname_str); + + realm_len = packet->payload[realm_offset]; - } - if (packet->payload_packet_len > 21 && - packet->payload[16] == 0x05 && - (packet->payload[21] == 0x0a || - packet->payload[21] == 0x0c || packet->payload[21] == 0x0d || packet->payload[21] == 0x0e)) { - ndpi_int_kerberos_add_connection(ndpi_struct, flow); - return; + if((realm_offset+realm_len) < packet->payload_packet_len) { + char realm_str[24]; - } + if(realm_len >= sizeof(realm_str)) + realm_len = sizeof(realm_str); + + strncpy(realm_str, (char*)&packet->payload[realm_offset+1], realm_len); + realm_str[realm_len] = '\0'; + for(i=0; iprotos.kerberos.realm, sizeof(flow->protos.kerberos.realm), "%s", realm_str); + } + } + } } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } + + ndpi_int_kerberos_add_connection(ndpi_struct, flow); + return; + + } + + if(packet->payload_packet_len > 21 && + packet->payload[16] == 0x05 && + (packet->payload[21] == 0x0a || + packet->payload[21] == 0x0c || packet->payload[21] == 0x0d || packet->payload[21] == 0x0e)) { + ndpi_int_kerberos_add_connection(ndpi_struct, flow); + return; + + } + } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } -void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ +void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct, + u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("Kerberos", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_KERBEROS, ndpi_search_kerberos, 
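Review bot: The length clamps in the new AS-REQ branch are off by one: `cname_len = sizeof(cname_str)` leaves cname_len at 24, so the following `cname_str[cname_len] = '\0'` writes one byte past the 24-byte stack array, and the same holds for `realm_len = sizeof(realm_str)` and `realm_str[realm_len]`; both clamps should be `sizeof(...) - 1`. Two payload reads also precede their bound check: `packet->payload[23]` is read under a guard that only established `payload_packet_len > 19`, and `realm_len = packet->payload[realm_offset]` is read before realm_offset is compared with the payload length (only `cname_len + name_offset` was bounded, so realm_offset can lie beyond the payload). The character loops over cname_str and realm_str are garbled in this rendering, so I have not reviewed them. The changed lines below keep the rest of the hunk as is; the added length guard introduces one extra nesting level.
```c
if(packet->payload[19] == 0x0a) /* AS-REQ */ {
  /* payload[23] is read below: the enclosing check only proved payload_packet_len > 19 */
  if(packet->payload_packet_len > 23) {
    u_int pad_data_len = packet->payload[23];
    u_int body_offset = pad_data_len + 23;
    /* … unchanged: body_offset / name_offset / cname_len bound checks … */
    /* keep one byte for the terminator written at cname_str[cname_len] */
    if(cname_len >= sizeof(cname_str))
      cname_len = sizeof(cname_str) - 1;
    /* … unchanged: cname copy, character loop, snprintf into flow->protos.kerberos.cname … */
    /* realm_offset may lie past the payload: only cname_len + name_offset was bounded */
    if(realm_offset < packet->payload_packet_len) {
      realm_len = packet->payload[realm_offset];

      if((realm_offset+realm_len) < packet->payload_packet_len) {
        char realm_str[24];

        if(realm_len >= sizeof(realm_str))
          realm_len = sizeof(realm_str) - 1;
        /* … unchanged: realm copy, character loop, snprintf into flow->protos.kerberos.realm … */
      }
    }
    /* … unchanged: closing braces of the name/body checks … */
  }
}
```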
@@ -77,4 +129,3 @@ void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
 *id += 1;
 }
 
-
-- cgit v1.2.3