|
|
//=============================================================================
// MODULE: Kerbparser.c
//
// Description:
//
// Bloodhound Parser DLL for Kerberos Authentication Protocol
//
// Modification History
//
// Michael Webb & Kris Frost Date: 06/04/99
//=============================================================================
#define MAINPROG
#include "kerbparser.h"
#include "kerbGlob.h"
#include "kdcreq.h"
#include "kdcrep.h"
#include "krberr.h"
#include <stdio.h>
;// Need to find out why error is generated without this semicolon
//=============================================================================
// Forward references.
//=============================================================================
VOID WINAPIV KerberosFormatSummary(LPPROPERTYINST lpPropertyInst); //=============================================================================
// Protocol entry points.
//=============================================================================
VOID WINAPI KerberosRegister(HPROTOCOL);VOID WINAPI KerberosDeregister(HPROTOCOL);LPBYTE WINAPI KerberosRecognizeFrame(HFRAME, LPVOID, LPVOID, DWORD, DWORD, HPROTOCOL, DWORD, LPDWORD, LPHPROTOCOL, PDWORD_PTR);LPBYTE WINAPI KerberosAttachProperties(HFRAME, LPVOID, LPVOID, DWORD, DWORD, HPROTOCOL, DWORD, DWORD_PTR);DWORD WINAPI KerberosFormatProperties(HFRAME, LPVOID, LPVOID, DWORD, LPPROPERTYINST);
ENTRYPOINTS KerberosEntryPoints ={ KerberosRegister, KerberosDeregister, KerberosRecognizeFrame, KerberosAttachProperties, KerberosFormatProperties};
HPROTOCOL hKerberos = NULL;
DWORD Attached = 0;
PPF_PARSERDLLINFO WINAPI ParserAutoInstallInfo() { PPF_PARSERDLLINFO pParserDllInfo; PPF_PARSERINFO pParserInfo; DWORD NumProtocols, NumHandoffs; PPF_HANDOFFSET pHandoffSet; PPF_HANDOFFENTRY pHandoffEntry;
// Base structure ========================================================
// Allocate memory for parser info:
NumProtocols = 1; pParserDllInfo = (PPF_PARSERDLLINFO)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof( PF_PARSERDLLINFO ) + NumProtocols * sizeof( PF_PARSERINFO) ); if( pParserDllInfo == NULL) { return NULL; } // fill in the parser DLL info
pParserDllInfo->nParsers = NumProtocols;
// fill in the individual parser infos...
// BLRPLATE ==============================================================
pParserInfo = &(pParserDllInfo->ParserInfo[0]); sprintf( pParserInfo->szProtocolName, "KERBEROS" ); sprintf( pParserInfo->szComment, "Kerberos Authentication Protocol" ); sprintf( pParserInfo->szHelpFile, "");
// the incoming handoff set ----------------------------------------------
// allocate
NumHandoffs = 2; pHandoffSet = (PPF_HANDOFFSET)HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof( PF_HANDOFFSET ) + NumHandoffs * sizeof( PF_HANDOFFENTRY) ); if( pHandoffSet == NULL ) { // just return early
return pParserDllInfo; }
// fill in the incoming handoff set
pParserInfo->pWhoHandsOffToMe = pHandoffSet; pHandoffSet->nEntries = NumHandoffs;
// UDP PORT 88
pHandoffEntry = &(pHandoffSet->Entry[0]); sprintf( pHandoffEntry->szIniFile, "TCPIP.INI" ); sprintf( pHandoffEntry->szIniSection, "UDP_HandoffSet" ); sprintf( pHandoffEntry->szProtocol, "KERBEROS" ); pHandoffEntry->dwHandOffValue = 88; pHandoffEntry->ValueFormatBase = HANDOFF_VALUE_FORMAT_BASE_DECIMAL; // TCP PORT 88
pHandoffEntry = &(pHandoffSet->Entry[1]); sprintf( pHandoffEntry->szIniFile, "TCPIP.INI" ); sprintf( pHandoffEntry->szIniSection, "TCP_HandoffSet" ); sprintf( pHandoffEntry->szProtocol, "KERBEROS" ); pHandoffEntry->dwHandOffValue = 88; pHandoffEntry->ValueFormatBase = HANDOFF_VALUE_FORMAT_BASE_DECIMAL;
return pParserDllInfo;}
//=============================================================================
// FUNCTION: DLLEntry()
//
// Modification History
//
// Michael Webb & Kris Frost Date: 06/04/99
//=============================================================================
BOOL WINAPI DLLEntry(HANDLE hInstance, ULONG Command, LPVOID Reserved){ //=========================================================================
// If we are loading!
//=========================================================================
if ( Command == DLL_PROCESS_ATTACH ) { if ( Attached++ == 0 ) { hKerberos = CreateProtocol("KERBEROS", &KerberosEntryPoints, ENTRYPOINTS_SIZE); } }
//=========================================================================
// If we are unloading!
//=========================================================================
if ( Command == DLL_PROCESS_DETACH ) { if ( --Attached == 0 ) { DestroyProtocol(hKerberos); } }
return TRUE; //... Bloodhound parsers ALWAYS return TRUE.
}
//=============================================================================
// FUNCTION: KerberosRegister()
//
// Modification History
//
// Michael Webb & Kris Frost Date: 06/04/99
//=============================================================================
VOID WINAPI KerberosRegister(HPROTOCOL hKerberosProtocol){ register DWORD i;
//=========================================================================
// Create the property database.
//=========================================================================
CreatePropertyDatabase(hKerberosProtocol, nKerberosProperties);
for(i = 0; i < nKerberosProperties; ++i) { AddProperty(hKerberosProtocol, &KerberosDatabase[i]); }
// Here we are checking to see whether TCP or UDP is being used.
hTCP = GetProtocolFromName("TCP"); hUDP = GetProtocolFromName("UDP");
}
//=============================================================================
// FUNCTION: Deregister()
//
// Modification History
//
// Michael Webb & Kris Frost Date: 06/04/99
//=============================================================================
VOID WINAPI KerberosDeregister(HPROTOCOL hKerberosProtocol){ DestroyPropertyDatabase(hKerberosProtocol);}
//=============================================================================
// FUNCTION: KerberosRecognizeFrame()
//
// Modification History
//
// Michael Webb & Kris Frost Date: 06/04/99
//=============================================================================
LPBYTE WINAPI KerberosRecognizeFrame(HFRAME hFrame, //... frame handle.
LPBYTE MacFrame, //... Frame pointer.
LPBYTE KerberosFrame, //... Relative pointer.
DWORD MacType, //... MAC type.
DWORD BytesLeft, //... Bytes left.
HPROTOCOL hPreviousProtocol, //... Previous protocol or NULL if none.
DWORD nPreviousProtocolOffset, //... Offset of previous protocol.
LPDWORD ProtocolStatusCode, //... Pointer to return status code in.
LPHPROTOCOL hNextProtocol, //... Next protocol to call (optional).
PDWORD_PTR InstData) //... Next protocol instance data.
{// ProtoInfo=GetProtocolInfo(hPreviousProtocol);
// MessageBox(NULL, _itoa(TestForUDP,test,10),"TestForUDP 1", MB_OK);
*ProtocolStatusCode = PROTOCOL_STATUS_CLAIMED; return NULL;}
//=============================================================================
// FUNCTION: KerberosAttachProperties()
//
// Modification History
//
// Michael Webb & Kris Frost Date: 06/04/99
//=============================================================================
LPBYTE WINAPI KerberosAttachProperties(HFRAME hFrame, LPBYTE Frame, LPBYTE KerberosFrame, DWORD MacType, DWORD BytesLeft, HPROTOCOL hPreviousProtocol, DWORD nPreviousProtocolOffset, DWORD_PTR InstData){// Local variable to hold the value of KerberosFrame, depending on whether
// the packet is TCP or UDP.
LPBYTE pKerberosFrame;
/* kf Here checking to see if first two octets of are equal to 00 00 which would be
the case should the packet be the first of TCP.
*/ if(KerberosFrame[0] == 0x00 && KerberosFrame[1] == 0x00) { TempFrame = KerberosFrame+4; pKerberosFrame = TempFrame; } else { TempFrame = KerberosFrame; pKerberosFrame = TempFrame; }
// Here we are going to do a check to see if the packet is TCP and
// check to see if the first two octets of the packet don't have the
// value of 00 00. If not, then we mark the frame as a continuation
// packet. Reason for doing this is because, sometimes 0x1F of the
// first packet can still match one of the case statements which
// erroneously displays a continuation packet.
// NOTE: THIS CODE BREAKS ON SOME OF THE OLDER SNIFFS BECAUSE THE 4
// OCTETS WHICH SPECIFY THE ENTIRE PACKET LENGTH WERE SENT IN A TCP
// PACKET ALL BY ITSELF. ACCORDING TO DEV, THIS ISN'T EXPECTED BEHAVIOR
// IN THE LATER W2K BUILDS. THE 4 LENGTH OCTETS FOR TCP SHOULD ALWAYS BE
// PRE-PENDED TO THE FIRST TCP PACKET
if( hPreviousProtocol == hTCP && KerberosFrame[0] != 0 && KerberosFrame[1] != 0 ) { // Displaying as a continutation packet
AttachPropertyInstance(hFrame, KerberosDatabase[KerberosDefaultlbl].hProperty, BytesLeft, TempFrame, 0, 0, 0); } else {
// pKerberosFrame is a local variable and is used
// to display TCP data as well.
switch (*(pKerberosFrame) & 0x1F) {
case ASN1_KRB_AS_REQ: case ASN1_KRB_TGS_REQ: TempFrame=EntryFrame(hFrame, TempFrame, BytesLeft); TempFrame=KdcRequest(hFrame, TempFrame); break;
case ASN1_KRB_AS_REP: case ASN1_KRB_TGS_REP: TempFrame=EntryFrame(hFrame, TempFrame, BytesLeft); TempFrame=KdcResponse(hFrame, TempFrame); break; case ASN1_KRB_AP_REQ: TempFrame=EntryFrame(hFrame, TempFrame, BytesLeft); break; case ASN1_KRB_AP_REP: TempFrame=EntryFrame(hFrame, TempFrame, BytesLeft); break; case ASN1_KRB_SAFE: TempFrame=EntryFrame(hFrame, TempFrame, BytesLeft); break; case ASN1_KRB_PRIV: TempFrame=EntryFrame(hFrame, TempFrame, BytesLeft); break; case ASN1_KRB_CRED: TempFrame=EntryFrame(hFrame, TempFrame, BytesLeft); break;
case ASN1_KRB_ERROR: TempFrame=EntryFrame(hFrame, TempFrame, BytesLeft); TempFrame=KrbError(hFrame, TempFrame); break;
default: AttachPropertyInstance(hFrame, KerberosDatabase[KerberosDefaultlbl].hProperty, BytesLeft, TempFrame, 0, 0, 0); break;
} }
return (LPBYTE) KerberosFrame + BytesLeft;
}
//==============================================================================
// FUNCTION: KerberosFormatProperties()
//
// Modification History
//
// Michael Webb & Kris Frost Date: 06/04/99
//==============================================================================
DWORD WINAPI KerberosFormatProperties(HFRAME hFrame, LPBYTE MacFrame, LPBYTE FrameData, DWORD nPropertyInsts, LPPROPERTYINST p){ //=========================================================================
// Format each property in the property instance table.
//
// The property-specific instance data was used to store the address of a
// property-specific formatting function so all we do here is call each
// function via the instance data pointer.
//=========================================================================
// kf Doing a check here for TCP packets. If it's the first packet,
// we increment FrameData by 4 to get past the length header
if(*FrameData == 0x00 && *(FrameData+1) == 0x00) FrameData+=4;
while (nPropertyInsts--) { switch (*FrameData & 0x1F) { case ASN1_KRB_AS_REQ: strcpy(MsgType, "KRB_AS_REQ"); break; case ASN1_KRB_AS_REP: strcpy(MsgType, "KRB_AS_REP"); break; case ASN1_KRB_TGS_REQ: strcpy(MsgType, "KRB_TGS_REQ"); break; case ASN1_KRB_TGS_REP: strcpy(MsgType, "KRB_TGS_REP"); break; case ASN1_KRB_AP_REQ: strcpy(MsgType, "KRB_AP_REQ"); break; case ASN1_KRB_AP_REP: strcpy(MsgType, "KRB_AP_REP"); break; case ASN1_KRB_SAFE: strcpy(MsgType, "KRB_SAFE"); break; case ASN1_KRB_PRIV: strcpy(MsgType, "KRB_PRIV"); break; case ASN1_KRB_CRED: strcpy(MsgType, "KRB_CRED"); break; case ASN1_KRB_ERROR: strcpy(MsgType, "KRB_ERROR"); break; default: strcpy(MsgType, "Didn't recognize"); break; }
((FORMAT) p->lpPropertyInfo->InstanceData)(p);
p++; }
return NMERR_SUCCESS;}
LPBYTE EntryFrame(HFRAME hFrame, LPBYTE KerberosFrame, DWORD BytesLeft){ int LenVal = 0;
TempFrame=KerberosFrame; AttachPropertyInstance(hFrame, KerberosDatabase[KerberosSummary].hProperty, BytesLeft, TempFrame, 0, 0, 0);
AttachPropertyInstance(hFrame, KerberosDatabase[KerberosIDSummary].hProperty, sizeof(BYTE), TempFrame, 0, 1, 0);// Adding Code here to display Summary, thus letting us indent the ASN breakdown of the
// Identifier Octets to where the user won't initially see this.
AttachPropertyInstance(hFrame, KerberosDatabase[DispSummary].hProperty, 0, TempFrame, 0, 2, 0);
// Break down the Identifier Octet for Message Type
TempFrame=CalcMsgType(hFrame, TempFrame, 3, KerberosIdentifier);
// Display Length Octet
TempFrame=CalcLengthSummary(hFrame, TempFrame, 3);
// Adjust TempFrame the appropriate # of octets
LenVal=CalcLenOctet(TempFrame-1);
// This code handles incrementing to the proper octet based
// on the number of octets occupied by TempFrame.
if(LenVal <= 1) return TempFrame; else return TempFrame+=(LenVal-1);
}
/*************************************************************************************
****** This function handles: pa-data ::= SEQUENCE{** padata-type[1] INTEGER,** padata-value[2] OCTET STRING** }** hFrame = Handle to the frame.**** TempFrame = Offset we which we are at in the current packet**** OffSet = The indention level to display the data within Netmon**** TypeVal = Variable used to identify node from KerberosDatabase[]**************************************************************************************/
LPBYTE HandlePaData(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal){ int TempLength; int lValueReqPadata = 0;
//Display Padata[?] NEED TO CHANGE THIS FUNCTION TO PASS THE PARAMETERS SO THE FUNCTION
// WILL DISPLAY THE PROPER PADATA
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet, KdcReqTagID, KdcReqSeq);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
//Display SEQUENCE OF
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+5);
/* Incrementing TempFrame based on the number of octets
taken up by the Length octet*/ TempFrame = IncTempFrame(TempFrame);
//Display SEQUENCE OF
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+5);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display padata-type[1]
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, PaDataSummary, PaDataSeq);
// Display INTEGER value
TempFrame =DispPadata(hFrame, TempFrame, OffSet+4, PadataTypeValID);
// Display padata-value[2]
DispASNTypes(hFrame, TempFrame, OffSet+2, PaDataSummary, PaDataSeq);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, ++TempFrame, OffSet+5);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
//Display OCTET STRING
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+4, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+7);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// HERE IT LOOKS AS IF AN AS-REQ, PADATA-VALUE IS FORMATTED AS ENCRYPTEDDATA
// AND TGS IS FORMATTED AS AP-REQ. HOWEVER, IF A SMART CARD IS PRESENT, IT IS
// FORMATTED AS.
// Check to see if formatted as AP-REQ (6E)
if(*(TempFrame+1) == 0x6E ) TempFrame = HandleAPReq(hFrame, TempFrame); // If true, handle AP-REQ traffic
else if(*(TempFrame+1) == 0x81) {// Here I'm incrementing TempFrame by two to get it to the first
// offset making up the Length Octet.
TempFrame++; // Here I'm going to label the rest of the data as a Certificate
TempLength = CalcMsgLength(TempFrame);
AttachPropertyInstance(hFrame, KerberosDatabase[Certificatelbl].hProperty, TempLength, TempFrame, 0, OffSet+4, 0);
// Increment TempFrame by the length octet value returned by CalcMsgLength
TempFrame+=TempLength;
// Pretty sloppy hack here but hoping Dev will supply me doc
// of how the certificate is structured in ASN.1. For the time
// being, CalcMsgLength doesn't take us to the end of padata and the
// start of KDC-Req-Body. With no idea of what the A1 and A2 tags I see
// in the smart card sniff. I don't know if it will possibly ever contain
// an A4. But at anyrate, I'm going to increase TempFrame by one until
// a value of A4 is matched. (This signifies the start of KDC-Req-Body.)
while(*TempFrame != 0xA3) { ++TempFrame; }
// Once TempFrame is A4, have to decrement TempFrame by one
// in order for KDC-Req-Body to start on the correct offset.
// Again this whole else statement is a Kludge but not much I can
// until I get the ASN.1 layout of Certificates.
--TempFrame; } else { //Display SEQUENCE OF
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+4, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+7);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
if(*(TempFrame+1) == 0xA0) { // Handle EncryptedData
TempFrame = HandleEncryptedData( hFrame, TempFrame, OffSet+2);
}// kfrost 11/12 In smart card the value here is 0x80 or 0x81 in as-req & as-rep respectively.
// Can not find out or get Dev to produce the appropriate ASN.1 format that is being
// followed here. Basically, whatever encoding layout that is being followed, the first
// parameter is 06 Object Identifier. The only thing I have found is KERB-ALGORITHM-IDENTIFIER
// found in krb5.asn. Until I get some assistance walking through the offsets, I'm going to label
// the data as PKCS and increment TempFrame past all of this and start parsing again at KDC-Req-Body
else { if(*(TempFrame+1) == 0x80) { // Here I'm incrementing TempFrame by two to get it to the first
// offset making up the Length Octet.
TempFrame++; // Here I'm going to label the rest of the data as a Certificate
TempLength = CalcMsgLength(TempFrame);
AttachPropertyInstance(hFrame, KerberosDatabase[Certificatelbl].hProperty, TempLength, TempFrame, 0, OffSet+4, 0);
// Increment TempFrame by the length octet value returned by CalcMsgLength
TempFrame+=TempLength;
// Pretty sloppy hack here but hoping Dev will supply me doc
// of how the certificate is structured in ASN.1. For the time
// being, CalcMsgLength doesn't take us to the end of padata and the
// start of KDC-Req-Body. With no idea of what the A1 and A2 tags I see
// in the smart card sniff. I don't know if it will possibly ever contain
// an A4. But at anyrate, I'm going to increase TempFrame by one until
// a value of A4 is matched. (This signifies the start of KDC-Req-Body.)
while(*TempFrame != 0xA4) { ++TempFrame; }
// Once TempFrame is A4, have to decrement TempFrame by one
// in order for KDC-Req-Body to start on the correct offset.
// Again this whole else statement is a Kludge but not much I can
// until I get the ASN.1 layout of Certificates.
--TempFrame;
} }
}
// Not going to display anymore padata after this point. padata[3] is a
// SequenceOf. Any repetition traffic will get highlighted and TempFrame will
// be incremented to the appropriate frame which starts req-body[4]
while(*(TempFrame+1) == 0x30) { TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+4, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+7);
// Adjust TempFrame to the appropriate octet
TempFrame+=(CalcMsgLength(--TempFrame)+1); }
return TempFrame;}
LPBYTE HandleEncryptedData(HFRAME hFrame, LPBYTE TempFrame, int OffSet){ int size = 0; int value = 0;// Display Encryption Type
TempFrame = DefineEtype(hFrame, TempFrame, OffSet+2, DispSumEtype2, EncryptedDataTag, EncryptedDataTagBitF);
// Display Kvno[1] OPTIONAL
if(*TempFrame == 0xA1) {// KF LEFT OFF HERE. CLEAN UP CODE TO DISPLAY KVNO CORRECT
// Display Universal Class Tag
TempFrame = DispASNTypes(hFrame, --TempFrame, OffSet+2, EncryptedDataTag, EncryptedDataTagBitF); // Need to finish handling kvno[1]
// Display INTEGER value
TempFrame =DispPadata(hFrame, TempFrame, OffSet+4, PadataTypeValID); // The following increments TempFrame by 1 to get to the cipher[2] octet, however
// it doesn't take into account if the integer value takes up more than one octet.
++TempFrame; }
// Display cipher[2]
TempFrame = DispASNTypes(hFrame, --TempFrame, OffSet+2, EncryptedDataTag, EncryptedDataTagBitF);
// Determing the size of cipher[2]
size = CalcMsgLength(TempFrame);
// Determine whether Length Octet is short or long to
// use in incrementing TempFrame in return value
value = *(TempFrame+1);
// Display Length Octet(s) and highlight cipher text
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+5);
// The following return takes the offset to the end of cipher[2]. If
// value is equal to 0x81 then the length octet was short form
// else it's long form so add to size to TempFrame. If long from assumming
// length octet will be 2.
if(value <= 0x81) { return TempFrame+=(size); } else { return TempFrame+=(size+1); }}
// This function is used to break down Identifier Octets and display their types
LPBYTE CalcMsgType(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal ){
AttachPropertyInstance(hFrame, KerberosDatabase[KerberosClassTag].hProperty, sizeof(BYTE), TempFrame, 0, OffSet, 0);
AttachPropertyInstance(hFrame, KerberosDatabase[PCIdentifier].hProperty, sizeof(BYTE), TempFrame, 0, OffSet, 0);
AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, sizeof(BYTE), TempFrame, 0, OffSet, 0);
return TempFrame;}
LPBYTE CalcLengthSummary(HFRAME hFrame, LPBYTE TempFrame, int OffSet){ // Check the first bit of the length octet to see if length is short form (Value 0)
// or Long Form (Value is 1)
if(*(++TempFrame) & 0x80) { // This code handles long form. Bits 7-1 of this octet give the number of additional
// octets associated with this length octet. We need some type of checking after the last
// octet in length to determine if the next octet is an Identifier or Contents.
// The additional octets specified in bits 7-1 of the first octet give the length.
LongSize = *(TempFrame) & 0x7F; // Assign LongSize to the value of bits 7-1
lValueRepMsg = CalcMsgLength(TempFrame-1); AttachPropertyInstance(hFrame, KerberosDatabase[LengthSummary].hProperty, sizeof(BYTE)+LongSize, // This highlights all bits associated with Length
TempFrame, 0, OffSet, 0); AttachPropertyInstance(hFrame, KerberosDatabase[LengthFlag].hProperty, // Will display short or Long
sizeof(BYTE), TempFrame, 0, OffSet+1, 0);
AttachPropertyInstanceEx(hFrame, KerberosDatabase[LengthBits].hProperty, // Shows how many octets used in Length
sizeof(BYTE), TempFrame, 1, &LongSize, 0, OffSet+1, 0);
if(LongSize > 1) AttachPropertyInstance(hFrame, KerberosDatabase[LongLength1].hProperty, LongSize, TempFrame+=1, 0, OffSet+1, 0); else AttachPropertyInstance(hFrame, KerberosDatabase[LongLength2].hProperty, LongSize, TempFrame+=1, 0, OffSet+1, 0); } else { // Assuming this code is to handle short form.
lValueRepMsg = CalcMsgLength(TempFrame-1); AttachPropertyInstance(hFrame, KerberosDatabase[KdcReqSeqLength].hProperty, sizeof(BYTE)+lValueRepMsg, TempFrame, 0, OffSet, 0); }
return TempFrame;}
LPBYTE DefineValue(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal){ BYTE Size[4]; PBYTE lSize = (PBYTE)&Size;
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+2);
// Need to advance TempFrame the proper # of frames.
TempFrame = IncTempFrame(TempFrame);
// Display Universal Class Tag
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3);
// Need to advance TempFrame the proper # of frames.
TempFrame = IncTempFrame(TempFrame); // Code below is used to display Integer values if they occupy more than 2 octets
if (*(TempFrame) == 3) { memcpy(lSize, TempFrame, 4); *lSize = *lSize & 0xffffff00; // Prints out Value. Need to change the Array to give better description
AttachPropertyInstanceEx(hFrame, KerberosDatabase[TypeVal].hProperty, *(TempFrame-1), ++TempFrame, *(TempFrame) == 3 ? 4 : *(TempFrame), lSize, 0, OffSet, 0); } else { // Prints out Value. Need to change the Array to give better description
AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, *(TempFrame-1), ++TempFrame, 0, OffSet+1, 0); }
// kf 8/16 This wasn't returning to the proper octet in some cases
return (TempFrame-1)+*(TempFrame-1); }
/* This is spinoff of DefineValue. However, this code has been modified
to handle displaying the ASN.1 breakdown of etype[?]*/
LPBYTE DefineEtype(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal, DWORD TypeVal2, DWORD TypeVal3){// Display Universal Class Tag
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, TypeVal2, TypeVal3);
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
while(*(++TempFrame) == 0x02) { --TempFrame;
TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x02, OffSet, DispSumEtype2);
// Display Unversal Class Tag
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+5);
// Increment TempFrame according to length octet
TempFrame+=CalcMsgLength(--TempFrame); ++TempFrame;
// Display First Encryption Type
AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, 1, TempFrame, 0, OffSet+4, 0);
}
return TempFrame;}
int CalcMsgLength(LPBYTE TempFrame){ if(*(TempFrame+1) & 0x80) {
LongSize = *(TempFrame+1) & 0x7F;
if(LongSize > 1) // Here we are or'd the two values of the length octets together
// Note this could fail if the Length octet ever took up more than
// two octets in defining a length
return (*(TempFrame+3)) | (*(TempFrame+2) << 8); else // This is in case the length octet only had one following defining octet
return (BYTE) *(TempFrame+2); } else // For a short form Length octet
return *(TempFrame+1) & 0x7F;
}
/***********************************************************************************************************
**** This function will break down ASN.1 PrincipalName.** PrincipalName ::= SEQUENCE{** name-type[0] INTEGER, Specifies the type of name that follows.** Pre-defined values for this field are specified in ** section 7.2.** ** name-string[1] SEQUENCE OF GeneralString Encodes a sequence of components** that form a name, each component** encoded as a GeneralString. Taken** together, a PrincipalName and a Realm** form a principal Identifier.****************************************************************************************************************/
LPBYTE DefinePrincipalName(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal){// This functions starts breaking down the A0 octet of a PrincipalName
// Print out name-type[0] of PrincipalName
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet, KrbPrincipalNamelSet, KrbPrincipalNamelBitF);
// Display octets associated with INTEGER
TempFrame = DefineValue(hFrame, TempFrame, OffSet+2, KrbPrincNameType);// End code to display name-type[0] of PrincipalName
// Print out name-string[1] of PrincipalName
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet, KrbPrincipalNamelSet, KrbPrincipalNamelBitF);
// Display Length Summary
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+2);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display SEQUENCE
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag); // Print out Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame); // Checking for GeneralString 0x1B
TempRepGString = *(++TempFrame) & 0x1F; while(TempRepGString == 0x1B) { //Display GeneralString
TempFrame = DispASNTypes(hFrame, --TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag); // Calculate the size of the Length Octet
lValueRepMsg = CalcMsgLength(TempFrame); //Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, sizeof(BYTE)+(lValueRepMsg - 1), ++TempFrame, 0, OffSet+3, 0); // Assign TempRepGString to value of octet after the string to see if another SEQUENCE OF
// GeneralString exists.
TempRepGString = *(TempFrame+=lValueRepMsg) & 0x1F; }// End Code to display name-string[1]
return TempFrame;
}
// Function used parse Length octets in PrincipalName
int CalcLenOctet(LPBYTE TempFrame){ int size = 0;// If long form, assign size to value of bits 7-1
if(*(TempFrame) & 0x80) size = (*(TempFrame) & 0x7F); else// Short form, only takes one octet
size = 1; return size;
}/**********************************************************************************************
**** LPBYTE DispASNTypes(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal, DWORD TypeVal2)**** This function is used to break down and display the ASN.1 Universal Tags.** (Universal Tag Allocations can be found at page 155 in ASN.1 by Douglas Steedman.)**** hFrame - Handle to the fram** TempFrame - Pointer to the current offset in the packet** Offset - Used for indenting the parser display** TypeVal - Used to distinguish which node out of the KerberosDatbase to use** TypeVal2 - Same use as TypeVal************************************************************************************************/
LPBYTE DispASNTypes(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal, DWORD TypeVal2){ // Assign the value of last 5 bits to TempAsnMsg
TempAsnMsg = *(++TempFrame) & 0x1F;
// Calculates the length octet to see how many octets should be highlighted
lValueRepMsg = CalcMsgLength(TempFrame);
// Display the Identifier and the appropriate # of octets are highlighted
AttachPropertyInstanceEx(hFrame, KerberosDatabase[TypeVal].hProperty, sizeof(WORD) + lValueRepMsg, TempFrame, 1, &TempAsnMsg, 0, OffSet, 0);
// Adding Code here to display Summary, thus letting us indent the ASN breakdown of the
// Identifier Octets to where the user won't initially see this.
AttachPropertyInstance(hFrame, KerberosDatabase[DispSummary].hProperty, 0, TempFrame, 0, OffSet+1, 0);
// Break out the identifier octet to ASN.1 format
TempFrame=CalcMsgType(hFrame, TempFrame, OffSet+2, TypeVal2);
return TempFrame;}
LPBYTE DispSeqOctets(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal, DWORD TypeVal2){// Display SEQUENCE (First frame we handle in this file.
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet, TypeVal, TypeVal2);
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3);
return TempFrame;
}
/***********************************************************************************************************
**** This function will break down ASN.1 HostAddresses. P39 rfc 1510** HostAddresses::= SEQUENCE OF SEQUENCE{** addr-type[0] INTEGER,** address[1] OCTET STRING,** }****** ** ** ****************************************************************************************************************/LPBYTE DispHostAddresses(HFRAME hFrame, LPBYTE TempFrame, int OffSet){// Determine the number of octets occupied by the length ocet
lValueRepMsg = CalcLenOctet(TempFrame);
// Checking for SEQUENCE OF 0x30
TempReq = *(TempFrame+lValueRepMsg); // while loop is calculate SEQUENCE OF SEQUENCE
while(TempReq == 0x30){ // Display SEQUENCE Octets
TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag);
// Display addr-type[0]
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, HostAddressesID, HostAddressesBitF);
// Calculate the size of the Length Octet
lValueRepMsg = CalcMsgLength(TempFrame);
// Display INTEGER
TempFrame = DefineValue(hFrame, TempFrame, OffSet+4, KdcContentsValue);
// Display address[1]
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, HostAddressesID, HostAddressesBitF);
// Display String value
TempFrame = DefineValue(hFrame, TempFrame, OffSet+4, DispString);
TempReq = *(TempFrame+lValueRepMsg);
}
return TempFrame;}
LPBYTE DispSum(HFRAME hFrame, LPBYTE TempFrame, int ClassValue, int ClassValue2, int OffSet, DWORD TypeVal){ /* Working here now to display info name at the top. Will indent everything
else 1 to the right. Not sure how well this is going to work since name-string[1] is a SEQUENCE OF. Writing code now to assume there is only going to be one name and display the first one.
*/ TempFrameReq = (TempFrame+1); TempFrameReq2 = (TempFrame+2);
// This while statement increments TempFrameReq until 1B is reached
// If 1B is ever used in a length octet or elsewhere this will fail.
// Might look at doing a memcopy later on to a global variable
// THINK WE CAN USE BERGETSTRING TO DISPLAY FULL SERVER NAME. WE CAN
// USE A STRING CONSTANTS WITH TO DISPLAY THE FULL VALUE.
// Incrementing TempFrameReq until String is found
while(*(TempFrameReq) != ClassValue || *(TempFrameReq2) == ClassValue2) { TempFrameReq++; TempFrameReq2++;
// Trying to come up with a way to make sure the Length Value doesn't == ClassValue
// Still need some type of checking in case the length octet's value after the SEQUENCE OF
// turns out to be equal to ClassValue.
if(*(TempFrameReq) == ClassValue && *(TempFrameReq2) == ClassValue2) { TempFrameReq++; TempFrameReq2++; // Checking to see if Length Octet's value after SEQUENCE OF is equal to ClassValue. If so,
// incrementing TempFrameReq in order to get to the correct offset.
if(*(TempFrameReq) == ClassValue2 && *(TempFrameReq2) == ClassValue) { TempFrameReq++; TempFrameReq2++; } } } if(ClassValue2 == 0x02) {// Put this if statement to handle highlighting the appropriate # of
// Octets for EType. Don't know how valid this is going to be but trying
// to get all the code in. Will worry about later.
// Calculate the value of the length octet
lValueReq = CalcMsgLength(TempFrameReq-1);
AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, 1, TempFrameReq+=2, 0, OffSet, 0); } else { // Calculate the value of the length octet
lValueReq = CalcMsgLength(TempFrameReq); // Increment TempFrameReq to the proper Octet
TempFrameReq+=CalcLenOctet(TempFrameReq);
AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, sizeof(BYTE)+(lValueReq-1), ++TempFrameReq, 0, OffSet, 0); } return TempFrame;}
/****************************************************************************
****** This function is used to display a top level Summary description********************************************************************************/LPBYTE DispTopSum(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal){ AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, 0, TempFrame, 0, OffSet, 0);
return TempFrame;
}
/*********************************************************************************
**** Another Subset of DispSum. Altering this function to gather string info** and reformat to print out in a Date, Time format.***********************************************************************************/
LPBYTE DispSumTime(HFRAME hFrame, LPBYTE TempFrame, int ClassValue, int OffSet, DWORD TypeVal){ char RawTimeBuf[16]; char TimeFormatBuf[TIME_FORMAT_SIZE]; LPSTR TimeFormat = TimeFormatBuf;
TempFrameReq = (TempFrame+1); TempFrameReq2 = (TempFrame+2);
// This while statement increments TempFrameReq until 1B is reached
// If 1B is ever used in a length octet or elsewhere this will fail.
// Next loop is to find 1B value and is designed to prevent mistakenly
// going to the wrong octet in case a 1b is the value in a Length octet
// Incrementing TempFrameReq until String is found
while(*(TempFrameReq) != ClassValue || *(TempFrameReq2) == 0x30) { TempFrameReq++; TempFrameReq2++;
// Trying to come up with a way to make sure the Length Value doesn't == ClassValue
// Still need some type of checking in case the length octet's value after the SEQUENCE OF
// turns out to be equal to ClassValue.
if(*(TempFrameReq) == ClassValue && *(TempFrameReq2) == 0x30) { TempFrameReq++; TempFrameReq2++; // Checking to see if Length Octet's value after SEQUENCE OF is equal to ClassValue. If so,
// incrementing TempFrameReq in order to get to the correct offset.
if(*(TempFrameReq) == 0x30 && *(TempFrameReq2) == ClassValue) { TempFrameReq++; TempFrameReq2++; } } } // Calculate the value of the length octet
lValueReq = CalcMsgLength(TempFrameReq);
if( lValueReq > ((sizeof RawTimeBuf) / (sizeof RawTimeBuf[0])) ) { memcpy( RawTimeBuf, (TempFrameReq+2), sizeof RawTimeBuf / sizeof RawTimeBuf[0] ); } else { memcpy(RawTimeBuf, (TempFrameReq+2), lValueReq); } sprintf( TimeFormat, TIME_FORMAT_STRING, RawTimeBuf[4], RawTimeBuf[5], // month
RawTimeBuf[6], RawTimeBuf[7], // day
RawTimeBuf[0], RawTimeBuf[1], RawTimeBuf[2], RawTimeBuf[3], // year
RawTimeBuf[8], RawTimeBuf[9], // hours
RawTimeBuf[10], RawTimeBuf[11], // minutes
RawTimeBuf[12], RawTimeBuf[13] ); // seconds
// Increment TempFrameReq to the proper Octet
TempFrameReq+=CalcLenOctet(TempFrameReq); // Display initial Time
AttachPropertyInstanceEx( hFrame, KerberosDatabase[TypeVal].hProperty, lValueReq, ++TempFrameReq, TIME_FORMAT_SIZE, TimeFormat, 0, OffSet, 0 );
return TempFrame;}
/******************************************************************************
**** Created this function to address displaying the FQDN of the server name (under KDC-Options)** at the top level. *********************************************************************************/
LPBYTE DispSumString(HFRAME hFrame, LPBYTE TempFrame, int ClassValue, int OffSet, DWORD TypeVal){ LPBYTE TempFrameSname, TempFrameSnameB; int segments = 0; int j = 0; int ServNameCount = 0; int lValueStr = 0; int sizeAsString = 0; LPSTR cServName = NULL; LPSTR ServNameBuf[MAX_SERVER_NAME_SEGMENTS]; memset( ServNameBuf, 0, sizeof ServNameBuf ); TempFrameSname = (TempFrame+1); TempFrameSnameB = (TempFrame+2);
// This while statement increments TempFrameReq until ClassValue is reached
// Incrementing TempFrameReq until ClassValue
while(*(TempFrameSname) != ClassValue || *(TempFrameSnameB) == 0x30) { TempFrameSname++; TempFrameSnameB++;
// Trying to come up with a way to make sure the Length Value doesn't == ClassValue
// Still need some type of checking in case the length octet's value after the SEQUENCE OF
// turns out to be equal to ClassValue. 11/18. Found a situation where the first part of
// of a principal name had the length of 1B. Added the || *(TempFrameSnameB) == 0xA0 to
// handle this problem The 0xA0 is the first tag of Principal Name
if(*(TempFrameSname) == ClassValue && *(TempFrameSnameB) == 0x30 || *(TempFrameSnameB) == 0xA0) { TempFrameSname++; TempFrameSnameB++; // Checking to see if Length Octet's value after SEQUENCE OF is equal to ClassValue. If so,
// incrementing TempFrameReq in order to get to the correct offset.
if(*(TempFrameSname) == 0x30 && *(TempFrameSnameB) == ClassValue) { TempFrameSname++; TempFrameSnameB++; } } }
TempFrameSnameB = TempFrameSname;
while(*(TempFrameSnameB) == ClassValue) { if( segments >= MAX_SERVER_NAME_SEGMENTS ) { break; }
lValueStr = CalcMsgLength(TempFrameSnameB); sizeAsString = lValueStr + sizeof '\0';
ServNameCount += lValueStr; ServNameBuf[ segments ] = (LPSTR) malloc( sizeAsString );
if( ServNameBuf[ segments ] == NULL ) { for( ; segments > 0; segments-- ) { free( ServNameBuf[segments - 1] ); } return TempFrame; }
ZeroMemory( ServNameBuf[ segments ], sizeAsString ); memcpy( ServNameBuf[ segments ], TempFrameSnameB+2, lValueStr );
// Use the Length Octet to progress TempFrameReq
TempFrameSnameB+=CalcMsgLength(TempFrameSnameB);
// Need to Increment TempFrameSnameB by number of ASN.1 octets
// Increasing by two here. This could be wrong if the Length octet
// were ever in Long Form.
TempFrameSnameB+=2;
segments++; }
cServName = (LPSTR) malloc( ServNameCount + segments ); if (NULL == cServName) { for( ; segments > 0; segments-- ) { free( ServNameBuf[segments - 1] ); } return TempFrame; }
ZeroMemory(cServName, ServNameCount + segments ); strcpy(cServName, ServNameBuf[0]);
for( j = 1; j < segments; j++ ) { strcat(cServName, "/"); strcat(cServName, ServNameBuf[j]); }
AttachPropertyInstanceEx(hFrame, KerberosDatabase[TypeVal].hProperty, ServNameCount + 2*segments, TempFrameSname+=2, ServNameCount + segments, cServName, 0, OffSet, 0);
for( ; segments > 0; segments-- ) { free( ServNameBuf[segments - 1] ); } if (NULL != cServName) { free(cServName); }
return TempFrame;}
/*********************************************************************************
****** This function was copied from DefineValue but was created to display the ** Ticket Flags for KDC-Options in the KDC-Req packet.***********************************************************************************/
LPBYTE DefineKdcOptions(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal){
AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, sizeof(DWORD), TempFrame, 0, OffSet, 0);
return (TempFrame);}
/*****************************************************************************
* This function is used to display the initial values of padata-type[1] & * padata-value[2] found in the AS-REQ packet* NOTE: I LEFT *INTVAL AND THE OTHER LINES COMMENTED AS FOR IF THE INT VALUE* TAKES UP TWO OCTETS, WE ONLY DISPLAY THE # INSTEAD OF ENCRYPTION TYPE. NOT* WORRYING WITH THIS AT THIS TIME BUT LEAVING THE CODE IN PLACE SHOULD IT NEED* TO BE IMPLEMENTED.*****************************************************************************/LPBYTE DispPadata(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal){// Calculate Length Octet and highligh the # of octets
// BYTE *intval;
int size = 0;
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+1);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display Universal Class Tag
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3);
//Assumming the Integer value will always be contained in
// either 1 or 2 octets.
size = *TempFrame;
// Here need to check the length octet and determine whether
// it is short or long form
if(size == 1) {// intval = malloc(2);
// memcpy(intval, (TempFrame+1), 2);
// Prints out Value. Need to change the Array to give better description
AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, 1, ++TempFrame, 0, OffSet+1, 0);
/* AttachPropertyInstanceEx(hFrame,
KerberosDatabase[TypeVal].hProperty, 1, ++TempFrame, 4, intval, 0, OffSet, 0);*/ } else {// intval = malloc(4);
// memcpy(intval, (TempFrame+1), 4);
// *intval = *(intval) & 0xffff;
AttachPropertyInstance(hFrame, KerberosDatabase[PaDataSummaryMulti].hProperty, 1, ++TempFrame, 0, OffSet+1, 0);/*
// Prints out Value. Need to change the Array to give better description
AttachPropertyInstanceEx(hFrame, KerberosDatabase[PaDataSummaryMulti].hProperty, 2, ++TempFrame, 4, intval, 0, OffSet, 0);*/ // Incrementing TempFrame by an extra Octet because the Integer here takes
// up 2 octets instead of one.
++TempFrame; }
return (TempFrame);}
LPBYTE IncTempFrame(LPBYTE TempFrame){ if(*(TempFrame-1) >= 0x81 && *(TempFrame-1) <= 0x84) TempFrame+=CalcLenOctet(--TempFrame); else TempFrame;
return TempFrame;}
LPBYTE HandleTicket(HFRAME hFrame, LPBYTE TempFrame, int OffSet){
// Display Summary ASN.1
TempFrame = DispASNSum(hFrame, TempFrame, OffSet+1, DispSummary);
//Display Ticket[3]
// Display msg-type[2]
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, KrbApReqID, KrbApReqBitF);
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display Ticket (61)
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, ApTicketID, ApTicketBitF);
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display SEQUENCE
TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+3, ASN1UnivTagSumID, ASN1UnivTag);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display Ticket Version value at the Top level
TempFrame = DispSum(hFrame, TempFrame, 0x02, 0x30, OffSet+2, DispSumTixVer);
// Display tvt-vno[0]
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+3, TicketStructID, TicketStructBitF);
// Break Down INTEGER values
TempFrame = DefineValue(hFrame, TempFrame, OffSet+4, KdcContentsValue);
// Display Realm name value at the Top level
TempFrame = DispSum(hFrame, TempFrame, 0x1B, 0x30, OffSet+2, DispStringRealmName);
// Display realm[1]
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+3, TicketStructID, TicketStructBitF); TempFrame = DefineValue(hFrame, TempFrame, OffSet+5, DispStringRealmName);
// Display Server name value at the Top level
TempFrame = DispSumString(hFrame, TempFrame, 0x1B, OffSet+2, DispStringServNameGS);
// Display sname[2]
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+3, TicketStructID, TicketStructBitF);
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display SEQUENCE Octets
TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+4, ASN1UnivTagSumID, ASN1UnivTag);
// Display sname[2]
TempFrame = DefinePrincipalName(hFrame, TempFrame, OffSet+3, DispStringServerName);
--TempFrame;
// Display enc-part[3]
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, TicketStructID, TicketStructBitF); // Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+4);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display SEQUENCE Octets
TempFrame = DispSeqOctets(hFrame, TempFrame, OffSet+4, ASN1UnivTagSumID, ASN1UnivTag); // Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
//Display EncryptedData
TempFrame = HandleEncryptedData(hFrame, TempFrame, OffSet+1);
return TempFrame;
}
LPBYTE DispASNSum(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal){ AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, 0, TempFrame, 0, OffSet, 0); return TempFrame;
}
/************************************************************************************
****This function is a spinoff of DispSum. I created this one separately for the sole**purpose of displaying the full value of susec and cusec at the top levels***************************************************************************************/LPBYTE DispSumSec(HFRAME hFrame, LPBYTE TempFrame, int ClassValue, int ClassValue2, int OffSet, DWORD TypeVal){ /* Working here now to display info name at the top. Will indent everything
else 1 to the right. Not sure how well this is going to work since name-string[1] is a SEQUENCE OF. Writing code now to assume there is only going to be one name and display the first one.
*/
BYTE SizeSec[4]; PBYTE lSizeSec = (PBYTE)&SizeSec;
TempFrameReq = (TempFrame+1); TempFrameReq2 = (TempFrame+2);
// This while statement increments TempFrameReq until 1B is reached
// If 1B is ever used in a length octet or elsewhere this will fail.
// Might look at doing a me mcopy later on to a global variable
// THINK WE CAN USE BERGETSTRING TO DISPLAY FULL SERVER NAME. WE CAN
// USE A STRING CONSTANTS WITH TO DISPLAY THE FULL VALUE.
// Incrementing TempFrameReq until String is found
while(*(TempFrameReq) != ClassValue || *(TempFrameReq2) == ClassValue2) { TempFrameReq++; TempFrameReq2++;
// Trying to come up with a way to make sure the Length Value doesn't == ClassValue
// Still need some type of checking in case the length octet's value after the SEQUENCE OF
// turns out to be equal to ClassValue.
if(*(TempFrameReq) == ClassValue && *(TempFrameReq2) == ClassValue2) { TempFrameReq++; TempFrameReq2++; // Checking to see if Length Octet's value after SEQUENCE OF is equal to ClassValue. If so,
// incrementing TempFrameReq in order to get to the correct offset.
if(*(TempFrameReq) == ClassValue2 && *(TempFrameReq2) == ClassValue) { TempFrameReq++; TempFrameReq2++; } } }
memcpy(lSizeSec, (TempFrameReq2++), 4); *lSizeSec = *(lSizeSec) & 0xffffff00;
// Prints out Value. Need to change the Array to give better description
AttachPropertyInstanceEx(hFrame, KerberosDatabase[TypeVal].hProperty, 3, TempFrameReq2, 4, lSizeSec, 0, OffSet, 0);
return TempFrame;}
/*******************************************************************************************
* LPBYTE DispEdata(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal)** This function is a spinoff of DefineValue. Problem is, e-data for Kerb error can be* displayed in two different formats. Even though this does present duplicate code,* it does make it more convenenient and cleaner to have specific functions to handle specific data.********************************************************************************************/LPBYTE DispEdata(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal){ // Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+2);
// Need to advance TempFrame the proper # of frames.
TempFrame = IncTempFrame(TempFrame);
// Display Universal Class Tag
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+3);
// Need to advance TempFrame the proper # of frames.
TempFrame = IncTempFrame(TempFrame);
// This if statement is checking to see if e-data is a Sequence of PA-DATA's. If so
// we send the data to function to handle padata, if not, we display the Octet String.
if (*((TempFrame)+1) == 0x30) { // Display padata
TempFrame = HandlePadataKrbErr(hFrame, TempFrame, 2, PaDataSummary);
// 1/18/00 LEFT OFF HERE. NEED TO DISPLAY E-DATA WHEN IT'S FORMATTED AS PA-DATA. LOOK AT
// ADDING THE IF STATEMENT IN HANDLEPADATA AS YOU DID YESTERDAY.
} else { AttachPropertyInstance(hFrame, KerberosDatabase[TypeVal].hProperty, *(TempFrame-1), ++TempFrame, 0, OffSet+1, 0); }
return (TempFrame-1)+*(TempFrame-1); }
/*******************************************************************************************
** LPBYTE HandlePadataKrbErr(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal)** This function handles the initial display of padata include in Kerb-Error*********************************************************************************************/
LPBYTE HandlePadataKrbErr(HFRAME hFrame, LPBYTE TempFrame, int OffSet, DWORD TypeVal){
//Display SEQUENCE OF
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+5);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
//Display SEQUENCE OF
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+5);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display padata-type[1]
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+2, PaDataSummary, PaDataSeq);
// Display INTEGER value
TempFrame =DispPadata(hFrame, TempFrame, OffSet+4, PadataTypeValID);
// Display padata-value[2]
DispASNTypes(hFrame, TempFrame, OffSet+2, PaDataSummary, PaDataSeq);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, ++TempFrame, OffSet+5);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
//Display OCTET STRING
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+4, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+7);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
//Display SEQUENCE OF
TempFrame = DispASNTypes(hFrame, TempFrame, OffSet+4, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, OffSet+7);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Handle MethodData
TempFrame = HandleMethodData(hFrame, TempFrame);
return(TempFrame);
}
/******************************************************************************************
**** LPBYTE HandleMethodData(HFRAME hFrame, LPBYTE TempFrame)**** This function displays METHOD-DATA as described in kerb-error********************************************************************************************/LPBYTE HandleMethodData(HFRAME hFrame, LPBYTE TempFrame){ int iStringLength = 0; int inc = 0;// METHOD-DATA :: = SEQUENCE of PA-DATA. This is a Sequence of, thus creating a loop to display
// all info. Added the inc variable so that the look will only go through twice. In the sniff
// I was going by, the 3rd sequence of looked to be formatted in a whole different form than
// METHOD-DATA. Even if this is by design, off-hand, I don't see how to code this to break
// out a different data format without any type of signifier in the frame.
while(*(TempFrame+1) == 0x30 && inc <= 1) { //Display SEQUENCE OF
TempFrame = DispASNTypes(hFrame, TempFrame, 6, ASN1UnivTagSumID, ASN1UnivTag);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, 8);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
// Display method-type[0]
TempFrame = DispASNTypes(hFrame, TempFrame, 5, MethodDataSummary, MethodDataBitF);
// Break Down INTEGER values
TempFrame = DefineValue(hFrame, TempFrame, 7, DispSumEtype2);
// Display method-data[1]
TempFrame = DispASNTypes(hFrame, TempFrame, 5, MethodDataSummary, MethodDataBitF);
// Display Length Octet(s)
TempFrame = CalcLengthSummary(hFrame, TempFrame, 8);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
//Display OCTET STRING
TempFrame = DispASNTypes(hFrame, TempFrame, 7, ASN1UnivTagSumID, ASN1UnivTag);
// Calculate the size of the Length Octet
iStringLength = CalcMsgLength(TempFrame); //Display Length Octet
TempFrame = CalcLengthSummary(hFrame, TempFrame, 10);
// Incrementing TempFrame based on the number of octets
// taken up by the Length octet
TempFrame = IncTempFrame(TempFrame);
AttachPropertyInstance(hFrame, KerberosDatabase[DispReqAddInfo].hProperty, sizeof(BYTE)+(iStringLength - 1), ++TempFrame, 0, 9, 0);
// Increment TempFrame to the end of the string so we can check for another Sequence
TempFrame += (iStringLength - 1);
++inc;
}
// LEFT OFF HERE 1/19/00 THIS IS A SEQUENCE OF, SO YOU NEED TO INCREMENT TEMPFRAME APPROPRIATELY
// AND THEN CHECK FOR 0x30. IF PRESENT, KEEP LOOPING.
return(TempFrame);}
|
