Hallo. I am trying to find a way to sanitise Information contained in NTLMSSP embedded(Yes I know I can remove everything from level 4 up, but that doesn't help when I am looking at an Authentication problem in a web page) I have openened the packet in an editor. I have found the token and decoded from base64, I have replaced the offending strings. I have then reencoded to Base64 and replaced the Binary data. I have set the length of the Packet (I think) but I cannot get it to open after editing it. Is there a way to actually do this? Strings I can replace, Hex even, but as soon as I change the Base64 (yes the whole encode) the packet and capture are dead.. I am suddenly finding a lot of respect for TraceWrangler + Bittwiste. My HOPE was to change the file manually, run it through TraceWrangler to recalculate the CRCs and have a good time afterall. Any Ideas where I am going wrong or if I can actually go right? asked 24 Jul '15, 23:13  DarrenWright |
One Answer:
Have you tried replacing the base64 encode parts with the new base64 encodings using the string replacement feature of TraceWrangler? Only requirement is to keep the string length identical, but it should work. answered 25 Jul '15, 08:19  Jasper ♦♦ showing 5 of 6 show 1 more comments |
Hi Jasper, I was playing with it until around 3 this morning (we finally got rain so I stayed up and enjoyed it..) I was going to try later on again. I have the feeling my last 90 minutes were a little too Whisky laden and not very productive :(
Just out of curiosity, I would need to re encode the strings and search for the old ones to replace in Hex or Binary? I tried just searching on Hex, that didn't work yet.
The problem sa I see it is a Base 64 of one 10 letter word wont be the same length as a Base64 of another 10 letter word. If I replace the STRING in a decoded Base64 and reencode it, it is never going to be the same length as the one I am replacing. And just to annoy me further the NTLMSSP seem to be a abse64 encode of the whole token at once. Even harder to match, and if I pad or remove, then the dissector wont be able to recognize it.. Or I just really am doing something worng.. which at this point would probably make me happier than the alternatives..
You can search in Hex if you put the values between pipe symbols, similar to how Snort patterns work. E.g. if you search for 0x12ab you'd use |12 ab|
Problem with the length is that if you replace something with more or less bytes all sequence numbers of the following packets are incorrect and the TCP expert will go crazy, so right now I don't allow it. I'll have to deal with that in the future though when I start working on sanitization of protocols on top of TCP.
I need to find a packet with NTLMSSP to see how it looks like; maybe I can do something to make things easier for you somehow.
Also, I wonder why same length strings end up in different length Base64 encodings for you - in my tests that never happened.
Hmm. I tested this about 50 times today and I didn't manage to get a different length string (That was probably the whisky..)
I am back at work tomorrow, I will test this again with the snort type search. For the sake of splitting hairs:
Is this correct? You're definately earning a coffee here :)
Yeah, let's blame the Whisky (not that Whisky is a bad thing, cheers! :-))
And your steps sound about right; it's what I'd do to see if it gets me the correct results. If it doesn't work let me know; the content replacement in the payloads may still have some bugs.
I'm gonna mark this as answered, if it doesn't ACTUALLY work, I'll send you a Bug + pcap + steps taken via Mail, may help you in Bug tracking at some point.
hm, okay, thanks, I'll take a look as soon as I can to see what I can do and where the problem is.