Hello,
I was using the decryption component in the DCERPC dissector, and found an NTLMSSPv1 trace that was not working. It would appear that the DCE/RPC "auth padding" field is really a "PDU padding". I knew this when I did the original decryption routine, which is why the auth_size field does not include the size of the auth padding. But it would appear that I coded it in a fashion where sometimes it gets included, but not other times.
If the contents of the auth padding are not sent to the NTLMSSP dissector as part of the PDU, decryption fails for the verifier and all subsequent packets.
===================================
    /*
     * XXX - sometimes the padding is a multiple of 4 and greater
     * than 3, meaning it's not padding to put the authentication
     * data on a 4-byte boundary.
     *
     * For now, we take its value mod 4.
     *
     * XXX - what is going on there?
     */
    auth_info->auth_pad_len %= 4;

    /* figure out where the auth padding starts */
    offset = hdr->frag_len - (hdr->auth_len + 8 +
        auth_info->auth_pad_len);
#ifdef DJH_DEBUG
    if (offset > 0 && auth_info->auth_pad_len) {
        proto_tree_add_text (dcerpc_tree, tvb, offset,
            auth_info->auth_pad_len, "Auth padding");
        auth_info->auth_size = hdr->auth_len + 8 + auth_info->auth_pad_len;
    } else {
#endif
        auth_info->auth_size = hdr->auth_len + 8;
#ifdef DJH_DEBUG
    }
#endif
===================================
Note that when the above sections are commented out from packet-dcerpc.c, the decryption works fine.
So here's the question. Is there ever an instance where the auth padding should not be considered part of the PDU?
I suspect ultimately the change is to remove the code that is #defined above, and pass an additional argument into the PDU dissector to acknowledge the padding. In cases where encryption is used, the PDU, including the padding, will be decrypted, then the padding will be ignored when the PDU is dissected. In cases where decryption is not used, the PDU dissector denotes the padding at the end of the payload.
Any supporting traces that show unexpected behavior with the auth padding field would be appreciated. In particular, the trace that prompted the XXX comment would be very helpful (as it was not my comment).
Thanks,
Devin Heitmueller
Senior Software Engineer
Netilla Networks Inc
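
[Added example, not part of the original message or of packet-dcerpc.c.] To make the trailer arithmetic in the quoted snippet concrete, the stand-alone C program below locates the stub data, auth padding, 8-byte auth verifier header and auth_value in a connection-oriented request PDU, and reports the region a privacy-level SSP would have sealed (stub plus padding, which is the point of the message). It makes three assumptions: little-endian drep and a 24-byte request header; auth_pad_length is trusted as the full byte rather than reduced mod 4 as the snippet does (dcerpc_pad_off_mod4 reproduces the snippet's arithmetic for comparison only); and every wire length is checked against frag_length before it is used as an offset, since a dissector sees attacker-controlled input. The 64-byte sample_pdu is constructed for the example, not taken from a capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Request PDU header: 16-byte common header (rpc_vers, rpc_vers_minor, ptype,
 * pfc_flags, drep, frag_length, auth_length, call_id) + alloc_hint,
 * p_cont_id, opnum. Assumed fixed at 24 bytes for this example. */
#define DCERPC_REQ_HDR_LEN 24
/* Auth verifier header: auth_type, auth_level, auth_pad_length, auth_reserved,
 * auth_context_id. This is the "+ 8" in the quoted dissector code. */
#define DCERPC_AUTH_VERIFIER_LEN 8

struct dcerpc_auth_layout {
    size_t stub_off, stub_len;      /* stub data only, padding excluded */
    size_t pad_off, pad_len;        /* auth padding as carried on the wire */
    size_t verifier_off;            /* 8-byte auth verifier header */
    size_t auth_value_off, auth_len;/* auth_length bytes of SSP signature */
    size_t sealed_len;              /* what privacy level encrypts: stub + padding */
};

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Returns 0 and fills *out on success, -1 if the PDU does not fit its own
 * length fields. Every length is bounds-checked before use as an offset. */
int dcerpc_locate_auth(const uint8_t *pdu, size_t pdu_len,
                       struct dcerpc_auth_layout *out)
{
    memset(out, 0, sizeof *out);
    if (pdu_len < DCERPC_REQ_HDR_LEN)
        return -1;
    if (pdu[0] != 5 || (pdu[4] & 0x10) == 0)    /* v5, little-endian drep only */
        return -1;
    size_t frag_len = rd_le16(pdu + 8);
    size_t auth_len = rd_le16(pdu + 10);
    if (frag_len < DCERPC_REQ_HDR_LEN || frag_len > pdu_len)
        return -1;

    out->stub_off = DCERPC_REQ_HDR_LEN;
    out->auth_len = auth_len;
    if (auth_len == 0) {                         /* no auth trailer at all */
        out->stub_len = frag_len - DCERPC_REQ_HDR_LEN;
        out->pad_off = out->verifier_off = out->auth_value_off = frag_len;
        return 0;
    }
    if (auth_len + DCERPC_AUTH_VERIFIER_LEN > frag_len - DCERPC_REQ_HDR_LEN)
        return -1;
    out->verifier_off = frag_len - auth_len - DCERPC_AUTH_VERIFIER_LEN;
    out->auth_value_off = out->verifier_off + DCERPC_AUTH_VERIFIER_LEN;
    /* Full auth_pad_length byte; the snippet's "%= 4" would discard the
     * upper bits and mislocate the padding (assumption: the byte is authoritative). */
    out->pad_len = pdu[out->verifier_off + 2];
    if (out->pad_len > out->verifier_off - DCERPC_REQ_HDR_LEN)
        return -1;
    out->pad_off = out->verifier_off - out->pad_len;
    out->stub_len = out->pad_off - DCERPC_REQ_HDR_LEN;
    out->sealed_len = out->stub_len + out->pad_len;  /* padding sits inside the sealed data */
    return 0;
}

/* Padding offset as the quoted snippet computes it (auth_pad_len mod 4).
 * Comparison only; caller must have validated the PDU first. */
size_t dcerpc_pad_off_mod4(const uint8_t *pdu)
{
    size_t frag_len = rd_le16(pdu + 8), auth_len = rd_le16(pdu + 10);
    size_t pad_len = pdu[frag_len - auth_len - DCERPC_AUTH_VERIFIER_LEN + 2] % 4;
    return frag_len - (auth_len + DCERPC_AUTH_VERIFIER_LEN + pad_len);
}

/* Constructed sample, not from a capture: 5 stub bytes, 11 bytes of auth padding
 * (stub + pad = 16), NTLMSSP (auth_type 10) privacy (auth_level 6) verifier,
 * 16-byte auth_value. frag_length 64, auth_length 16. */
const uint8_t sample_pdu[64] = {
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, /* v5.0 request, first|last, LE drep */
    0x40, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, /* frag_length 64, auth_length 16, call_id 1 */
    0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* alloc_hint 5, p_cont_id 0, opnum 0 */
    'h',  'e',  'l',  'l',  'o',                    /* stub data */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 11 bytes auth padding */
    0x0a, 0x06, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, /* verifier: NTLMSSP, privacy, pad 11, ctx 0 */
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, /* auth_value, 16 bytes */
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
};

int main(void)
{
    struct dcerpc_auth_layout l;
    if (dcerpc_locate_auth(sample_pdu, sizeof sample_pdu, &l) != 0) {
        puts("malformed PDU");
        return 1;
    }
    printf("stub @%zu len %zu, pad @%zu len %zu, verifier @%zu, auth_value @%zu len %zu\n",
           l.stub_off, l.stub_len, l.pad_off, l.pad_len, l.verifier_off,
           l.auth_value_off, l.auth_len);
    printf("sealed region %zu bytes (stub + padding); snippet's mod-4 padding offset: %zu\n",
           l.sealed_len, dcerpc_pad_off_mod4(sample_pdu));
    return 0;
}
```

On the sample, the padding starts at offset 29 and the sealed region is 16 bytes; the mod-4 arithmetic of the snippet puts the padding start at 37 instead, so only 3 of the 11 padding bytes would be handed to the SSP and the verifier check would fail, which matches the symptom described above. The two rejection paths (auth_length larger than the fragment, auth_pad_length larger than the space before the verifier) are the checks a dissector needs before doing this subtraction on untrusted input.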