Wireshark mailing list archives

NEGOEX Dissection ...


From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Wed, 27 Jun 2012 21:20:46 -0700

Hi folks,

During the SMB/CIFS presentation, an unknown OID was seen in the SPNEGO stuff.

It turns out to be NEGOEX, and the question as to why the server went
straight to NTLMSSP is answered. The server seems to have been some
version of Samba and it does not understand NEGOEX.

More info here:
http://msdn.microsoft.com/en-us/library/cc247030%28v=PROT.13%29.aspx

Here are the beginnings of a dissector, but it is very wrong. It
probably needs a separate packet-negoex.c:

Index: epan/dissectors/packet-ntlmssp.c
===================================================================
--- epan/dissectors/packet-ntlmssp.c    (revision 43186)
+++ epan/dissectors/packet-ntlmssp.c    (working copy)
@@ -3012,6 +3012,9 @@
   gssapi_init_oid("1.3.6.1.4.1.311.2.2.10", proto_ntlmssp, ett_ntlmssp,
                   ntlmssp_handle, ntlmssp_wrap_handle,
                   "NTLMSSP - Microsoft NTLM Security Support Provider");
+  gssapi_init_oid("1.3.6.1.4.1.311.2.2.30", proto_ntlmssp, ett_ntlmssp,
+                 ntlmssp_handle, ntlmssp_wrap_handle,
+                 "NEGOEX - Extended GSS-API Negotiation Mechanism");

   /* Register authenticated pipe dissector */
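
Review bot: The added gssapi_init_oid() call for 1.3.6.1.4.1.311.2.2.30 passes proto_ntlmssp, ett_ntlmssp, ntlmssp_handle and ntlmssp_wrap_handle, so a token carrying the NEGOEX OID would be handed to the NTLMSSP dissector and displayed under the NTLMSSP protocol and subtree; only the description string tells the two registrations apart. Register this OID with its own protocol id, subtree index and dissector handles, which fits the separate packet-negoex.c the message proposes, and move the registration out of packet-ntlmssp.c into that file's handoff routine. A short comment above the call naming the mechanism would also help, since the existing call has none and the two OIDs differ only in the last arc.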



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev