Wireshark-dev: Re: [Wireshark-dev] krb5 dcerpc decryption
From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Tue, 28 Jul 2009 17:24:52 +1000
Thanks for the warning.

I'll try to port these changes over to samba4 pidl.
There are some changes in samba4 pidl we would need to import as well.



On Tue, Jul 28, 2009 at 4:46 PM, Anders Broman<a.broman@xxxxxxxxx> wrote:
> Hi Guys,
> Note that we have made some local changes to the tool:
> http://anonsvn.wireshark.org/viewvc/trunk/tools/pidl/lib/Parse/Pidl/Wireshark/
> http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=28961
>
> Regards
> Anders
> -----Original message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On behalf of ronnie sahlberg
> Sent: 28 July 2009 05:02
> To: Stefan (metze) Metzmacher
> Cc: wireshark-dev@xxxxxxxxxxxxx
> Subject: Re: [Wireshark-dev] krb5 dcerpc decryption
>
> Hi Metze,
>
> Can you check those two patches again?
> I cannot decrypt any of the captures you sent.
>
> I built wireshark with your patch and also patched mit 1.6.3 with the
> second patch and load it with
> LD_PRELOAD=...../lib/libk5crypto.so
>
> But I cannot decrypt any of the packets.
> The modified krb5_dk_decrypt_maybe_trunc_hmac() is called from
> wireshark but this statement is never true:
>       if (hdr[0] == 0x05 && hdr[1] == 0x04) {
>
>
> I agree, we should have our own code here, just as we have for arcfour.
> Once I can get the decryption working using these hacks, I can look
> into re-implementing this code inside wireshark.
>
>
>
> The pidl command line to generate a ws dissector looks like this:
> pidl lsa.idl --ws-parser
>
>
> regards
> ronnie sahlberg
>
>
> On Sat, Jul 25, 2009 at 6:47 PM, Stefan (metze)
> Metzmacher<metze@xxxxxxxxx> wrote:
>> Hi Ronnie,
>>
>> could you please apply this patch
>>
> http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=commitdiff;h=d4e3184d5faca653ef053b3469ad3f8ec7605b7e
>>
>> With that patch decryption of aes encrypted traffic works as long as no
>> header signing is used.
>>
>> I tried some hacks to decrypt it when header signing is on
>> and use a hacked mit krb5 1.6 version loaded with LD_LIBRARY_PATH
>>
>> See
>>
> http://gitweb.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-gssapi-20090725
>>
>> I think we should have aes specific decryption code in wireshark like we
>> have for arcfour in packet-spnego.c.
>>
>> With these hacks I can decrypt every packet of the attached captures.
>>
>> BTW: with what command line do I have to generate pidl dissectors?
>>     I want to add it for the DFS-R (FrsTransport) Interface.
>>
>> metze
>>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
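The thread turns on "header signing": when a DCERPC connection negotiates PFC_SUPPORT_HEADER_SIGN, the 16-byte PDU header is covered by the per-packet signature, so a decryptor has to locate the auth trailer and hand the header, the sealed stub region and the auth verifier to the Kerberos layer separately. The parser below is an added example written for this page, not code from Wireshark, Samba or either poster; the sample PDU is constructed (values such as the call_id and verifier bytes are made up) and it only implements the sealed-region rule for request/response PDUs.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Connection-oriented DCERPC constants (MS-RPCE / C706 values).
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PFC_SUPPORT_HEADER_SIGN = 0x04
PTYPE_REQUEST = 0
PTYPE_RESPONSE = 2
RPC_C_AUTHN_GSS_KERBEROS = 16
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6
COMMON_HEADER_LEN = 16
SEC_TRAILER_LEN = 8


@dataclass
class DcerpcPdu:
    rpc_vers: int
    rpc_vers_minor: int
    ptype: int
    pfc_flags: int
    little_endian: bool
    frag_length: int
    auth_length: int
    call_id: int
    auth_type: Optional[int]
    auth_level: Optional[int]
    auth_pad_length: Optional[int]
    auth_context_id: Optional[int]
    auth_verifier: bytes  # the GSS token carried after the sec_trailer

    @property
    def header_signing(self) -> bool:
        # When set, the 16-byte common header is part of the signed data.
        return bool(self.pfc_flags & PFC_SUPPORT_HEADER_SIGN)

    @property
    def sealed(self) -> bool:
        return self.auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY


def parse_dcerpc_pdu(buf: bytes) -> DcerpcPdu:
    """Parse the common header and, if present, the sec_trailer of one PDU."""
    if len(buf) < COMMON_HEADER_LEN:
        raise ValueError("short PDU: no common header")
    rpc_vers, minor, ptype, pfc_flags, drep0 = struct.unpack_from("<BBBBB", buf, 0)
    if rpc_vers != 5:
        raise ValueError("not a connection-oriented DCERPC v5 PDU")
    little_endian = bool(drep0 & 0x10)  # DREP byte 0, bit 4 = integer order
    endian = "<" if little_endian else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", buf, 8)
    if frag_length > len(buf):
        raise ValueError("truncated PDU: frag_length exceeds buffer")
    if auth_length == 0:
        return DcerpcPdu(rpc_vers, minor, ptype, pfc_flags, little_endian,
                         frag_length, auth_length, call_id,
                         None, None, None, None, b"")
    # sec_trailer sits immediately before the auth verifier at the PDU end.
    trailer_off = frag_length - auth_length - SEC_TRAILER_LEN
    if trailer_off < COMMON_HEADER_LEN:
        raise ValueError("auth_length inconsistent with frag_length")
    auth_type, auth_level, auth_pad, _reserved = struct.unpack_from("<BBBB", buf, trailer_off)
    (ctx_id,) = struct.unpack_from(endian + "I", buf, trailer_off + 4)
    verifier = buf[frag_length - auth_length:frag_length]
    return DcerpcPdu(rpc_vers, minor, ptype, pfc_flags, little_endian,
                     frag_length, auth_length, call_id,
                     auth_type, auth_level, auth_pad, ctx_id, verifier)


def sealed_region(buf: bytes, pdu: DcerpcPdu) -> bytes:
    """Bytes a PKT_PRIVACY decryptor must unwrap: stub data plus auth padding.

    For request/response PDUs the 8-byte alloc_hint/context_id/opnum block
    after the common header is signed but not encrypted, so it is skipped.
    """
    if pdu.ptype not in (PTYPE_REQUEST, PTYPE_RESPONSE):
        raise ValueError("sealed-region offsets only implemented for request/response")
    if not pdu.sealed:
        raise ValueError("PDU is not at PKT_PRIVACY level")
    trailer_off = pdu.frag_length - pdu.auth_length - SEC_TRAILER_LEN
    return buf[COMMON_HEADER_LEN + 8:trailer_off]


def signed_header(buf: bytes, pdu: DcerpcPdu) -> bytes:
    """The header bytes the signature covers when header signing is negotiated."""
    return buf[:COMMON_HEADER_LEN] if pdu.header_signing else b""


# Constructed sample: a request with FIRST|LAST|HEADER_SIGN, Kerberos at
# PKT_PRIVACY, 4 bytes of stub data, 4 bytes of auth padding, 16-byte verifier.
SAMPLE_PDU = (
    bytes([0x05, 0x00, PTYPE_REQUEST, 0x07, 0x10, 0x00, 0x00, 0x00])
    + struct.pack("<HHI", 56, 16, 0x1234)          # frag_length, auth_length, call_id
    + struct.pack("<IHH", 4, 0, 0x2C)               # alloc_hint, context_id, opnum
    + b"\xde\xad\xbe\xef"                           # (constructed) stub data
    + b"\x00" * 4                                   # auth padding
    + bytes([RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, 4, 0])
    + struct.pack("<I", 1)                          # auth_context_id
    + bytes(range(16))                              # (constructed) auth verifier
)

if __name__ == "__main__":
    p = parse_dcerpc_pdu(SAMPLE_PDU)
    print(f"call_id={p.call_id:#x} header_signing={p.header_signing} sealed={p.sealed}")
    print("sealed bytes:", sealed_region(SAMPLE_PDU, p).hex())
```

The split matters for the case Ronnie and Metze describe: without header signing the GSS wrap token alone is enough to unseal the stub, but with it the decryptor must also present the header as signed-but-unencrypted data, which is exactly why a generic MIT krb5 `krb5_dk_decrypt` path never sees the expected layout.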