smbinfo dump encryption keys for using wireshark

Message ID	CAH2r5mvfb3nkdz8r8sAUXGJkx678XZkt4dn=4xiuq0UD2vxFrw@mail.gmail.com
State	New
Headers	show Return-Path: <linux-cifs-owner@vger.kernel.org> MIME-Version: 1.0 From: Steve French <smfrench@gmail.com> Date: Mon, 23 Sep 2019 23:50:46 -0500 Message-ID: <CAH2r5mvfb3nkdz8r8sAUXGJkx678XZkt4dn=4xiuq0UD2vxFrw@mail.gmail.com> Subject: [PATCH] smbinfo dump encryption keys for using wireshark To: CIFS <linux-cifs@vger.kernel.org>, samba-technical <samba-technical@lists.samba.org> Content-Type: multipart/mixed; boundary="00000000000047a2540593454896" Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk
Series	smbinfo dump encryption keys for using wireshark \| expand smbinfo dump encryption keys for using wireshark

Message ID

CAH2r5mvfb3nkdz8r8sAUXGJkx678XZkt4dn=4xiuq0UD2vxFrw@mail.gmail.com

State

New

Headers

MIME-Version: 1.0
From: Steve French <smfrench@gmail.com>
Date: Mon, 23 Sep 2019 23:50:46 -0500
Message-ID: <CAH2r5mvfb3nkdz8r8sAUXGJkx678XZkt4dn=4xiuq0UD2vxFrw@mail.gmail.com>
Subject: [PATCH] smbinfo dump encryption keys for using wireshark
To: CIFS <linux-cifs@vger.kernel.org>,
	samba-technical <samba-technical@lists.samba.org>
Content-Type: multipart/mixed; boundary="00000000000047a2540593454896"
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk

Series

smbinfo dump encryption keys for using wireshark | expand

Comments

Pavel Shilovsky Sept. 24, 2019, 3:18 p.m. UTC | #1

+ if (keys_info.cipher_type == 1)
+ printf("CCM encryption");
+ else if (keys_info.cipher_type == 2)
+ printf("GCM encryption");
+ else if (keys_info.cipher_type == 0)
+ printf("SMB3.0 CCM encryption");

Do we need to mention SMB3.0 here? It is the same CCM as cipher_type
1, why don't just extend the 1st IF to

if (keys_info.cipher_type == 0 || keys_info.cipher_type == 1)

+ else
+ printf("unknown encryption type");

Best regards,
Pavel Shilovskiy

пн, 23 сент. 2019 г. в 21:51, Steve French via samba-technical
<samba-technical@lists.samba.org>:
>
> Updated with feedback from Aurelien and Pavel
>
>
>
> --
> Thanks,
>
> Steve

Pavel Shilovsky Oct. 4, 2019, 12:21 a.m. UTC | #2

Merged, thanks.
Best regards,
Pavel Shilovskiy

пн, 23 сент. 2019 г. в 21:51, Steve French via samba-technical
<samba-technical@lists.samba.org>:
>
> Updated with feedback from Aurelien and Pavel
>
>
>
> --
> Thanks,
>
> Steve

From 6bf40fd1460489a66a31b6fb43bc4661c8dc597e Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@microsoft.com>
Date: Thu, 19 Sep 2019 04:21:16 -0500
Subject: [PATCH] smbinfo: print the security information needed to decrypt
 wireshark trace

CCM encryption
Session Id:   e2 3e ea ae 00 00 00 00
Session Key:  65 7e 0e d5 3c 06 5a 06 50 a3 ef 96 c1 64 3d 1f
Server Encryption Key:  5e 42 a7 b5 57 75 d6 56 4a 5d 33 97 e6 45 07 76
Server Decryption Key:  1f 64 db a3 0f 24 e3 4d b6 31 00 ab 9a af 22 47

Signed-off-by: Steve French <stfrench@microsoft.com>
---
 smbinfo.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/smbinfo.c b/smbinfo.c
index f9de7fd..c9472e9 100644
--- a/smbinfo.c
+++ b/smbinfo.c
@@ -54,7 +54,17 @@  struct smb_query_info {
 	/* char buffer[]; */
 } __packed;
 
+#define SMB3_SIGN_KEY_SIZE 16
+struct smb3_key_debug_info {
+	uint64_t Suid;
+	uint16_t cipher_type;
+	uint8_t auth_key[16]; /* SMB2_NTLMV2_SESSKEY_SIZE */
+	uint8_t	smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
+	uint8_t	smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
+} __attribute__((packed));
+
 #define CIFS_QUERY_INFO _IOWR(CIFS_IOCTL_MAGIC, 7, struct smb_query_info)
+#define CIFS_DUMP_KEY _IOWR(CIFS_IOCTL_MAGIC, 8, struct smb3_key_debug_info)
 #define INPUT_BUFFER_LENGTH 16384
 
 int verbose;
@@ -92,7 +102,9 @@  usage(char *name)
 		"  quota:\n"
 		"      Prints the quota for a cifs file.\n"
 		"  secdesc:\n"
-		"      Prints the security descriptor for a cifs file.\n",
+		"      Prints the security descriptor for a cifs file.\n"
+		"  keys:\n"
+		"      Prints the decryption information needed to view encrypted network traces.\n",
 		name);
 	exit(1);
 }
@@ -1015,6 +1027,43 @@  static void print_snapshots(struct smb_snapshot_array *psnap)
 	printf("\n");
 }
 
+static void
+dump_keys(int f)
+{
+	struct smb3_key_debug_info keys_info;
+	uint8_t *psess_id;
+
+	if (ioctl(f, CIFS_DUMP_KEY, &keys_info) < 0) {
+		fprintf(stderr, "Querying keys information failed with %s\n", strerror(errno));
+		exit(1);
+	}
+
+	if (keys_info.cipher_type == 1)
+		printf("CCM encryption");
+	else if (keys_info.cipher_type == 2)
+		printf("GCM encryption");
+	else if (keys_info.cipher_type == 0)
+		printf("SMB3.0 CCM encryption");
+	else
+		printf("unknown encryption type");
+
+	printf("\nSession Id:  ");
+	psess_id = (uint8_t *)&keys_info.Suid;
+	for (int i = 0; i < 8; i++)
+		printf(" %02x", psess_id[i]);
+
+	printf("\nSession Key: ");
+	for (int i = 0; i < 16; i++)
+		printf(" %02x", keys_info.auth_key[i]);
+	printf("\nServer Encryption Key: ");
+	for (int i = 0; i < SMB3_SIGN_KEY_SIZE; i++)
+		printf(" %02x", keys_info.smb3encryptionkey[i]);
+	printf("\nServer Decryption Key: ");
+	for (int i = 0; i < SMB3_SIGN_KEY_SIZE; i++)
+		printf(" %02x", keys_info.smb3decryptionkey[i]);
+	printf("\n");
+}
+
 #define CIFS_ENUMERATE_SNAPSHOTS _IOR(CIFS_IOCTL_MAGIC, 6, struct smb_snapshot_array)
 
 #define MIN_SNAPSHOT_ARRAY_SIZE 16 /* See MS-SMB2 section 3.3.5.15.1 */
@@ -1124,6 +1173,8 @@  int main(int argc, char *argv[])
 		quota(f);
 	else if (!strcmp(argv[optind], "secdesc"))
 		secdesc(f);
+	else if (!strcmp(argv[optind], "keys"))
+		dump_keys(f);
 	else {
 		fprintf(stderr, "Unknown command %s\n", argv[optind]);
 		exit(1);
-- 
2.20.1

smbinfo dump encryption keys for using wireshark

Commit Message

Comments

Patch