[cifs-protocol] unused bytes after while decoding bkrp requests
Matthieu Patou
mat at samba.org
Sun Jul 18 12:26:37 MDT 2010
Dear dochelp team,
I started to implement the backup key remote protocol for Samba.
Right now I'm a bit suspicious about whether I got the data structure OK, as when I
parse some bytes with ndrdump I have ~52 bytes unused.
From the attached capture called protected_storage.pcap I managed to
extract and decrypt the payload (452 bytes + 12 bytes of padding) at
packet 485.
The payload is also attached to this email as protected_xtr.
Here is the result of ndrdump:
mat@ares:/usr/local/src/samba4/source4$ ./bin/ndrdump protected_storage bkrp_BakuprKey in ~/protected_xtr
pull returned NT_STATUS_OK
WARNING! 52 unread bytes
[0000] 8A E3 13 71 02 F4 36 71 02 40 28 00 30 7C DE 3D ...q..6q .@(.0|.=
[0010] 5D 16 D1 11 AB 8F 00 80 5F 14 DB 40 01 00 00 00 ]....... _..@....
[0020] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H`
[0030] 02 00 00 00 ....
    bkrp_BakuprKey: struct bkrp_BakuprKey
        in: struct bkrp_BakuprKey
            guidActionAgent : *
                guidActionAgent :
                    47270c64-2fc7-499b-ac5b-0e37cdce899a
            data_in: struct bkrp_client_side_wrapped
                version : 0x00000002 (2)
                encrypted_secret_len : 0x00000100 (256)
                access_check_len : 0x00000058 (88)
                guid :
                    a1dc8bbd-743f-473e-8d00-0a4742df76bd
                encrypted_secret : DATA_BLOB length=256
                access_check : DATA_BLOB length=88
            data_in_len : 0x00000174 (372)
            param : 0x00000000 (0)
dump OK
To me the result looks sensible; I'm just concerned that it seems to have
some garbage at the end.
I tried to analyze the frames with netmon 3.4 but it says that it's
encrypted (and I didn't find a way to tell it to decrypt ...).
So here is my question: is it normal that I found some trailing bytes?
Do you have the capacity to parse the protected_xtr file and give us the
result of the parsing with your tools?
Cheers, Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: protected_xtr
Type: application/octet-stream
Size: 452 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20100718/0d880591/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: protected_storage.pcap
Type: application/cap
Size: 148319 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20100718/0d880591/attachment-0001.pcap>
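
Added example, not part of the original message and not Samba code: the 52 unread bytes in the hex dump above begin with the signature of the DCE/RPC verification trailer (rpc_sec_verification_trailer in MS-RPCE), which follows the stub data and is not a field of the bkrp structure. This Python sketch decodes them; the function and constant names are this example's own.

```python
import struct
import uuid

# The 52 unread bytes, copied from the ndrdump hex dump in the message.
UNREAD = bytes.fromhex(
    "8A E3 13 71 02 F4 36 71 02 40 28 00 30 7C DE 3D"
    "5D 16 D1 11 AB 8F 00 80 5F 14 DB 40 01 00 00 00"
    "04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60"
    "02 00 00 00"
)
SEC_VT_SIGNATURE = bytes.fromhex("8A E3 13 71 02 F4 36 71")
SEC_VT_COMMAND_END = 0x4000      # flag: last command in the trailer
SEC_VT_MUST_PROCESS = 0x8000     # flag: receiver must understand the command
COMMANDS = {1: "bitmask_1", 2: "pcontext", 3: "header2"}


def _syntax_id(buf):
    """Decode a 20-byte syntax id: little-endian UUID plus 32-bit version."""
    return str(uuid.UUID(bytes_le=bytes(buf[:16]))), struct.unpack_from("<I", buf, 16)[0]


def parse_verification_trailer(data):
    """Return (commands, leftover_byte_count); raise ValueError if malformed."""
    if data[:8] != SEC_VT_SIGNATURE:
        raise ValueError("no verification trailer signature")
    off, out = 8, []
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated command header")
        cmd, length = struct.unpack_from("<HH", data, off)
        body = data[off + 4: off + 4 + length]
        if len(body) != length:
            raise ValueError("command body runs past the buffer")
        kind = cmd & 0x3FFF
        entry = {"command": COMMANDS.get(kind, hex(kind)),
                 "must_process": bool(cmd & SEC_VT_MUST_PROCESS)}
        if kind == 2 and length == 40:  # pcontext: abstract + transfer syntax
            entry["abstract_syntax"] = _syntax_id(body)
            entry["transfer_syntax"] = _syntax_id(body[20:])
        out.append(entry)
        off += 4 + length
        if cmd & SEC_VT_COMMAND_END:
            return out, len(data) - off


if __name__ == "__main__":
    for command in parse_verification_trailer(UNREAD)[0]:
        print(command)
```

The single pcontext command accounts for all 52 bytes: an 8-byte signature, a 4-byte command header and a 40-byte body naming the BackupKey interface and the NDR transfer syntax.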