Windows SSPs: various improvements (#4314)

- All SSPs: support PFC_SUPPORT_HEADER_SIGN for DCE/RPC
- Refactor SSPs and DCE/RPC client/server to use req_flags in GSS_Init_sec_context
- KerberosSSP:
  - support DCE_STYLE (for DCE/RPC)
  - add MIC/WRAP support
- NTLMSSP: fix SeqNum when used with SPNEGO
- Fix a bunch of SPNEGO edge cases
- Many tests

Author: gpotter2

doc/scapy/layers/dcerpc.rst

@@ -192,20 +192,77 @@ Here's an example sending a ``ServerAlive`` over the ``IObjectExporter`` interfa
     resp = client.sr1_req(req)
     resp.show()
 
-Here's a different example, this time connecting over ``NCACN_NP`` to `[MS-SAMR] <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380>`_ to enumerate the domains a server is in:
+Here's the same example, but this time asking for :const:`~scapy.layers.dcerpc.RPC_C_AUTHN_LEVEL.PKT_PRIVACY` (encryption) using ``NTLMSSP``:
+
+.. code-block:: python
+
+    from scapy.layers.ntlm import *
+    from scapy.layers.dcerpc import *
+    from scapy.layers.msrpce.all import *
+
+    ssp = NTLMSSP(
+        UPN="Administrator",
+        PASSWORD="Password1",
+    )
+    client = DCERPC_Client(
+        DCERPC_Transport.NCACN_IP_TCP,
+        auth_level=DCE_C_AUTHN_LEVEL.PKT_PRIVACY,
+        ssp=ssp,
+        ndr64=False,
+    )
+    client.connect("192.168.0.100")
+    client.bind(find_dcerpc_interface("IObjectExporter"))
+
+    req = ServerAlive_Request(ndr64=False)
+    resp = client.sr1_req(req)
+    resp.show()
+
+Again, but this time using :const:`~scapy.layers.dcerpc.RPC_C_AUTHN_LEVEL.PKT_INTEGRITY` (signing) using ``SPNEGOSSP[KerberosSSP]``:
+
+.. code-block:: python
+
+    from scapy.layers.kerberos import *
+    from scapy.layers.spnego import *
+    from scapy.layers.dcerpc import *
+    from scapy.layers.msrpce.all import *
+
+    ssp = SPNEGOSSP(
+        [
+            KerberosSSP(
+                UPN="[email protected]",
+                PASSWORD="Password1",
+                SPN="host/dc1",
+            )
+        ]
+    )
+    client = DCERPC_Client(
+        DCERPC_Transport.NCACN_IP_TCP,
+        auth_level=DCE_C_AUTHN_LEVEL.PKT_INTEGRITY,
+        ssp=ssp,
+        ndr64=False,
+    )
+    client.connect("192.168.0.100")
+    client.bind(find_dcerpc_interface("IObjectExporter"))
+
+    req = ServerAlive_Request(ndr64=False)
+    resp = client.sr1_req(req)
+    resp.show()
+
+Here's a different example, this time connecting over :const:`~scapy.layers.dcerpc.DCERPC_Transport.NCACN_NP` to `[MS-SAMR] <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/4df07fab-1bbc-452f-8e92-7853a3c7e380>`_ to enumerate the domains a server is in:
 
 .. code-block:: python
 
     from scapy.layers.ntlm import NTLMSSP, MD4le
     from scapy.layers.dcerpc import *
     from scapy.layers.msrpce.all import *
 
+    ssp = NTLMSSP(
+        UPN="User",
+        HASHNT=MD4le("Password"),
+    )
     client = DCERPC_Client(
         DCERPC_Transport.NCACN_NP,
-        ssp=NTLMSSP(
-            UPN="User",
-            HASHNT=MD4le("Password"),
-        ),
+        ssp=ssp,
         ndr64=False,
     )
     client.connect("192.168.0.100")
@@ -238,7 +295,9 @@ Here's a different example, this time connecting over ``NCACN_NP`` to `[MS-SAMR]
 
 .. note:: As you can see, we used the :class:`~scapy.layers.ntlm.NTLMSSP` security provider in the above connection.
 
-There's an extension of the ``DCERPC_Client``: the ``NetlogonClient`` which is unfinished because I can't seem to make ``NetrLogonGetCapabilities`` work, but worth mentioning because it implements its own ``NetlogonSSP``:
+There are extensions to the :class:`~scapy.layers.msrpce.rpcclient.DCERPC_Client` class:
+
+- the :class:`~scapy.layers.msrpce.msnrpc.NetlogonClient`, worth mentioning because it implements its own :class:`~scapy.layers.msrpce.msnrpc.NetlogonSSP`:
 
 .. code-block:: python
 
@@ -254,6 +313,8 @@ There's an extension of the ``DCERPC_Client``: the ``NetlogonClient`` which is u
     client.negotiate_sessionkey(bytes.fromhex("77777777777777777777777777777777"))
     client.close()
 
+- the :class:`~scapy.layers.msrpce.msdcom.DCOM_Client` (unfinished)
+
 Server
 ------
 
@@ -335,6 +396,41 @@ To start an endpoint mapper (this should be a separate process from your RPC ser
 .. note:: Currently, a DCERPC_Server will let a client bind on all interfaces that Scapy has registered (imported). Supposedly though, you know which RPCs are going to be queried.
 
 
+Passive sniffing
+----------------
+
+If you're doing passive sniffing of a DCE/RPC session, you can instruct Scapy to still use its DCE/RPC session in order to check the INTEGRITY and decrypt (if PRIVACY is used) the packets.
+
+.. code-block:: python
+
+    from scapy.all import *
+
+    # Bind DCE/RPC port
+    bind_bottom_up(TCP, DceRpc5, dport=12345)
+    bind_bottom_up(TCP, DceRpc5, dport=12345)
+
+    # Enable passive DCE/RPC session
+    conf.dcerpc_session_enable = True
+
+    # Define SSPs that can be used for decryption / verify
+    conf.winssps_passive = [
+        SPNEGOSSP([
+            NTLMSSP(
+                IDENTITIES={
+                    "User1": MD4le("Password1!"),
+                },
+            ),
+        ])
+    ]
+
+    # Sniff
+    pkts = sniff(offline="dcerpc_exchange.pcapng", session=TCPSession)
+    pkts.show()
+
+
+.. warning:: Only NTLM is currently fully supported. KerberosSSP is sadly not supported as of today, nor is NetlogonSSP.
+
+
 Define custom packets
 ---------------------
 

doc/scapy/layers/gssapi.rst

@@ -0,0 +1,117 @@
+GSSAPI
+======
+
+Scapy provides access to various `Security Providers <https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/security-support-provider-interface-architecture>`_ following the GSSAPI model, but aiming at interacting with the Windows world.
+
+.. note::
+
+    The GSSAPI interfaces are based off the following documentations:
+    
+        - GSSAPI: `RFC4121 <https://datatracker.ietf.org/doc/html/rfc4121>`_ / `RFC2743 <https://datatracker.ietf.org/doc/html/rfc2743>`_
+        - GSSAPI C bindings: `RFC2744 <https://datatracker.ietf.org/doc/html/rfc2744>`_
+
+Usage
+-----
+
+The following SSPs are currently provided:
+
+    - :class:`~scapy.layers.ntlm.NTLMSSP`
+    - :class:`~scapy.layers.kerberos.KerberosSSP`
+    - :class:`~scapy.layers.spnego.SPNEGOSSP`
+    - :class:`~scapy.layers.msrpce.msnrpc.NetlogonSSP`
+
+Basically those are classes that implement two functions, trying to micmic the RFCs:
+
+- :func:`~scapy.layers.gssapi.SSP.GSS_Init_sec_context`: called by the client, passing it a ``Context`` and optionally a token
+- :func:`~scapy.layers.gssapi.SSP.GSS_Accept_sec_context`: called by the server, passing it a ``Context`` and optionally a token
+
+They both return the updated Context, a token to optionally send to the server/client and a GSSAPI status code.
+
+.. note::
+
+    You can typically use it in :class:`~scapy.layers.smbclient.SMB_Client`, :class:`~scapy.layers.smbserver.SMB_Server`, :class:`~scapy.layers.msrpce.rpcclient.DCERPC_Client` or :class:`~scapy.layers.msrpce.rpcserver.DCERPC_Server`.
+    Have a look at `SMB <smb.html>`_ and `DCE/RPC <dcerpc.html>`_ to get examples on how to use it.
+
+Let's implement our own client that uses one of those SSPs.
+
+Client
+~~~~~~
+
+First let's create the SSP. We'll take :class:`~scapy.layers.ntlm.NTLMSSP` as an example but the others would work just as well.
+
+.. code:: python
+
+    from scapy.layers.ntlm import *
+    clissp = NTLMSSP(
+        UPN="[email protected]",
+        PASSWORD="Password1!",
+    )
+
+Let's get the first token (in this case, the ntlm negotiate):
+
+.. code:: python
+
+    # We start with a context = None and a val (server answer) = None
+    sspcontext, token, status = clissp.GSS_Init_sec_context(None, None)
+    # sspcontext will be passed to subsequent calls and stores information
+    # regarding this NTLM session, token is the NTLM_NEGOTIATE and status
+    # the state of the SSP
+    assert status == GSS_S_CONTINUE_NEEDED
+
+Send this token to the server, or use it as required, and get back the server's token.
+You can then pass that token as the second parameter of :func:`~scapy.layers.gssapi.SSP.GSS_Init_sec_context`.
+To give an example, this is what is done in the LDAP client:
+
+.. code:: python
+
+    # Do we have a token to send to the server?
+    while token:
+        resp = self.sr1(
+            LDAP_BindRequest(
+                bind_name=ASN1_STRING(b""),
+                authentication=LDAP_Authentication_SaslCredentials(
+                    mechanism=ASN1_STRING(b"SPNEGO"),
+                    credentials=ASN1_STRING(bytes(token)),
+                ),
+            )
+        )
+        sspcontext, token, status = clissp.GSS_Init_sec_context(
+            self.sspcontext, GSSAPI_BLOB(resp.protocolOp.serverSaslCreds.val)
+        )
+
+If you want to use :class:`~scapy.layers.spnego.SPEGOSSP`, you could wrap the SSP as so:
+
+.. code:: python
+
+    from scapy.layers.ntlm import *
+    from scapy.layers.spnegossp import SPNEGOSSP
+    clissp = SPNEGOSSP(
+        [
+            NTLMSSP(
+                UPN="[email protected]",
+                PASSWORD="Password1!",
+            ),
+            KerberosSSP(
+                UPN="[email protected]",
+                PASSWORD="Password1!",
+                SPN="host/dc1.domain.local",
+            ),
+        ]
+    )
+
+You can override the GSS-API ``req_flags`` when calling :func:`~scapy.layers.gssapi.SSP.GSS_Init_sec_context`, using values from :class:`~scapy.layers.gssapi.GSS_C_FLAGS`:
+
+.. code:: python
+
+    sspcontext, token, status = clissp.GSS_Init_sec_context(None, None, req_flags=(
+        GSS_C_FLAGS.GSS_C_EXTENDED_ERROR_FLAG |
+        GSS_C_FLAGS.GSS_C_MUTUAL_FLAG |
+        GSS_C_FLAGS.GSS_C_CONF_FLAG  # Asking for CONFIDENTIALITY
+    ))
+
+
+Server
+~~~~~~
+
+Implementing a server is very similar to a client but you'd use :func:`~scapy.layers.gssapi.SSP.GSS_Accept_sec_context` instead.
+The client is properly authenticated when `status` is `GSS_S_COMPLETE`.

doc/scapy/layers/ntlm.rst

@@ -1103,6 +1103,15 @@ class Conf(ConfClass):
     )
     #: Dictionary containing parsed NSS Keys
     tls_nss_keys: Dict[str, bytes] = None
+    #: When TCPSession is used, parse DCE/RPC sessions automatically.
+    #: This should be used for passive sniffing.
+    dcerpc_session_enable = False
+    #: Some implementations of DCE/RPC incorrectly use header signing
+    #: without properly negotiating it. This forces it on.
+    dcerpc_force_header_signing = False
+    #: Windows SSPs for sniffing. This is used with
+    #: dcerpc_session_enable
+    winssps_passive = []
 
     def __getattribute__(self, attr):
         # type: (str) -> Any