/*
* kerberos.c
*
* Copyright (C) 2011-19 - ntop.org
* Copyright (C) 2009-2011 by ipoque GmbH
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* nDPI is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see .
*
*/
#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_KERBEROS
#include "ndpi_api.h"
/* #define KERBEROS_DEBUG 1 */
static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN);
NDPI_LOG_DBG(ndpi_struct, "trace KERBEROS\n");
}
/* ************************************************* */
void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
NDPI_LOG_DBG(ndpi_struct, "search KERBEROS\n");
/* I have observed 0a,0c,0d,0e at packet->payload[19/21], maybe there are other possibilities */
if(packet->payload_packet_len >= 4) {
u_int32_t kerberos_len = ntohl(get_u_int32_t(packet->payload, 0));
u_int32_t expected_len = packet->payload_packet_len - 4;
if(kerberos_len < 1514) {
/*
Kerberos packets might be too long for a TCP packet
so it could be split across two packets. Instead of
rebuilding the stream we use a heuristic approach
*/
if(kerberos_len >= expected_len) {
if(packet->payload_packet_len > 128) {
u_int16_t koffset;
if(packet->payload[14] == 0x05) /* PVNO */
koffset = 19;
else
koffset = 21;
if((packet->payload[koffset] == 0x0a || packet->payload[koffset] == 0x0c || packet->payload[koffset] == 0x0d || packet->payload[koffset] == 0x0e)) {
#ifdef KERBEROS_DEBUG
printf("[Kerberos] Packet found\n");
#endif
if(packet->payload[koffset] == 0x0a) /* AS-REQ */ {
u_int16_t koffsetp, pad_data_len, body_offset;
koffsetp = koffset + 4;
pad_data_len = packet->payload[koffsetp];
body_offset = pad_data_len + koffsetp;
if(body_offset < packet->payload_packet_len) {
u_int name_offset = body_offset + 30;
if(name_offset < packet->payload_packet_len) {
u_int cname_len = packet->payload[name_offset];
if((cname_len+name_offset) < packet->payload_packet_len) {
u_int realm_len, realm_offset = cname_len + name_offset + 4, i;
char cname_str[24];
if(cname_len > sizeof(cname_str)-1)
cname_len = sizeof(cname_str)-1;
strncpy(cname_str, (char*)&packet->payload[name_offset+1], cname_len);
cname_str[cname_len] = '\0';
for(i=0; iprotos.kerberos.hostname, sizeof(flow->protos.kerberos.hostname), "%s", cname_str);
} else
snprintf(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username), "%s", cname_str);
realm_len = packet->payload[realm_offset];
if((realm_offset+realm_len) < packet->payload_packet_len) {
char realm_str[24];
if(realm_len > sizeof(realm_str)-1)
realm_len = sizeof(realm_str);
strncpy(realm_str, (char*)&packet->payload[realm_offset+1], realm_len);
realm_str[realm_len] = '\0';
for(i=0; iprotos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str);
}
}
}
}
} else if(packet->payload[koffset] == 0x0c) /* TGS-REQ */ {
u_int16_t koffsetp, pad_data_len, body_offset;
koffsetp = koffset + 3;
pad_data_len = ntohs(*((u_int16_t*)&packet->payload[koffsetp]));
body_offset = pad_data_len + koffsetp + 4;
if(body_offset < packet->payload_packet_len) {
u_int name_offset = body_offset + 14;
if(name_offset < packet->payload_packet_len) {
u_int realm_len = packet->payload[name_offset];
if((realm_len+name_offset) < packet->payload_packet_len) {
u_int i;
char realm_str[24];
if(realm_len > sizeof(realm_str)-1)
realm_len = sizeof(realm_str)-1;
strncpy(realm_str, (char*)&packet->payload[name_offset+1], realm_len);
realm_str[realm_len] = '\0';
for(i=0; iprotos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str);
}
}
}
/* We set the protocol in the response */
return;
} else if(packet->payload[koffset] == 0x0d) /* TGS-RES */ {
u_int16_t koffsetp, pad_data_len, cname_offset;
koffsetp = koffset + 4;
pad_data_len = packet->payload[koffsetp];
/* Skip realm already filled in request */
cname_offset = pad_data_len + koffsetp + 15;
if(cname_offset < packet->payload_packet_len) {
u_int8_t cname_len = packet->payload[cname_offset];
if((cname_offset+cname_offset) < packet->payload_packet_len) {
char cname_str[24];
u_int i;
if(cname_len > sizeof(cname_str)-1)
cname_len = sizeof(cname_str)-1;
strncpy(cname_str, (char*)&packet->payload[cname_offset+1], cname_len);
cname_str[cname_len] = '\0';
for(i=0; iprotos.kerberos.hostname, sizeof(flow->protos.kerberos.hostname), "%s", cname_str);
} else
snprintf(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username), "%s", cname_str);
ndpi_int_kerberos_add_connection(ndpi_struct, flow);
}
}
}
return;
}
if(packet->payload_packet_len > 21 &&
packet->payload[16] == 0x05 &&
(packet->payload[21] == 0x0a ||
packet->payload[21] == 0x0c || packet->payload[21] == 0x0d || packet->payload[21] == 0x0e)) {
ndpi_int_kerberos_add_connection(ndpi_struct, flow);
return;
}
}
}
} else {
if(flow->protos.kerberos.domain[0] != '\0')
return;
}
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
ndpi_set_bitmask_protocol_detection("Kerberos", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_KERBEROS,
ndpi_search_kerberos,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
}