Strange secblob returned from Windows 2008 server

Love Hörnquist Åstrand lha at kth.se
Sun Jun 1 04:35:34 GMT 2008


Maybe this is CredSSP?

http://msdn.microsoft.com/en-us/library/bb204772.aspx

Love

On 16 Apr 2008, at 12:53, ronnie sahlberg wrote:

> http://www.alvestrand.no/objectid/1.3.6.1.4.1.311.2.html
>
> is part of the tree for Microsoft authenticode objects.
> .2.30 is however not known by alvestrand nor by
> http://www.oid-info.com/get/1.3.6.1.4.1.311.2
>
> :-(
>
>
> On Thu, Apr 17, 2008 at 4:40 AM, Dan Sledz <dan.sledz at isilon.com> wrote:
>> We had a report of a winbindd (v3.0.24 + Todd Stecher's 2k8 patches)
>> core on a customer's Windows 2008 forest.  On investigation, it appears
>> that the negTokenInit returned via Negotiate Protocol Response is
>> strangely formed.  In particular, it has a new OID that I've never seen
>> before (1.3.6.1.4.1.311.2.2.30) as well as a zero length mechToken
>> instead of it being omitted per spec.  All I have right now is the blob
>> itself since I've been unable to get a pcap of it occurring.
>>
>> Has anyone seen anything like this before?
>>
>> secblob:
>> 0x60 0x7a <-- GSSAPI
>>     0x06 0x06 <-- SPNEGO OID
>>          0x2b 0x06 0x01 0x05 0x05 0x02
>>     0xa0 0x70 <-- NegTokenInit
>>          0x30 0x6e
>>              0xa0 0x3 <-- mechTypes
>>                   0x30 0x3a
>>                        0x06 0x0a <-- 1.3.6.1.4.1.311.2.2.30 Unknown OID
>>                             0x2b    0x06    0x01    0x04    0x01    0x82    0x37    0x02
>>                             0x02    0x1e
>>                        0x06 0x09 <-- KRB5
>>                             0x2a    0x86    0x48    0x82    0xf7    0x12    0x01    0x02
>>                             0x02
>>                        0x06 0x09 <-- MS KRB5
>>                             0x2a    0x86    0x48    0x86    0xf7    0x12    0x01    0x02
>>                             0x02
>>                        0x06 0x0a <-- MS KRB5 U2U
>>                             0x2a    0x86    0x48    0x86    0xf7    0x12    0x01    0x02
>>                             0x02    0x03
>>                        0x06 0x0a <-- NTLMSSP
>>                             0x2b    0x06    0x01    0x04    0x01    0x82    0x37    0x02
>>                             0x02    0x0a
>>             0xa2 0x02 <-- mechToken
>>                  0x04    0x00
>>             0xa3 0x2a <-- negHints
>>                  0x30 0x28
>>                       0xa0 0x26 <-- nameHints
>>                            0x1b 0x24
>>                              "not_defined_in_RFC4178@please_ignore"
>>                                0x6e    0x6f    0x74    0x5f    0x64    0x65    0x66    0x69
>>                                0x6e    0x65    0x64    0x5f    0x69    0x6e    0x5f    0x52
>>                                0x46    0x43    0x34    0x31    0x37    0x38    0x40    0x70
>>                                0x6c    0x65    0x61    0x73    0x65    0x5f    0x69    0x67
>>                                0x6e    0x6f    0x72    0x65
>>
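
A bounds-checked walk of the blob quoted above, as an added example (not Samba's code and not from this thread): it skips mechType OIDs it does not recognise and reports a zero-length mechToken as present but empty instead of treating it as data. The names `take`, `parse_neg_token_init`, `struct neg_init` and `LEN` are hypothetical, and the sample's mechTypes length byte 0x3c is an assumption inferred from the enclosing lengths, since the post prints it as "0x3".

```c
#include <string.h>

/* Constructed from the post's bytes; mechTypes length 0x3c is assumed (the post prints "0x3"). */
const unsigned char secblob[] =
    "\x60\x7a\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x70\x30\x6e\xa0\x3c\x30\x3a"
    "\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"
    "\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x06\x0a\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"
    "\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa2\x02\x04\x00\xa3\x2a\x30\x28\xa0\x26"
    "\x1b\x24" "not_defined_in_RFC4178@please_ignore";
const unsigned char ntlm_oid[] = {0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a}; /* NTLMSSP */
struct span { const unsigned char *p, *end; };
struct neg_init { int n_mechs, ntlmssp_idx, has_token; size_t token_len; };
#define LEN(s) ((size_t)((s).end - (s).p))

/* Take one DER TLV tagged `tag` off the front of `in`; `out` spans its value. -1 if malformed. */
static int take(struct span *in, int tag, struct span *out)
{
    const unsigned char *q = in->p;
    size_t len, n;
    if (in->end - q < 2 || *q++ != tag) return -1;
    len = *q++;
    if (len & 0x80) {                          /* long form: low 7 bits count the length bytes */
        if ((n = len & 0x7f) == 0 || n > 4 || (size_t)(in->end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(in->end - q) < len) return -1; /* value must fit inside the enclosing span */
    out->p = q; in->p = out->end = q + len;
    return 0;
}

int parse_neg_token_init(const unsigned char *buf, size_t n, struct neg_init *r)
{
    struct span top = { buf, buf + n }, gss, ctx, seq, f, v, oid;
    *r = (struct neg_init){ 0, -1, 0, 0 };
    if (take(&top, 0x60, &gss) || take(&gss, 0x06, &oid) ||   /* GSS-API wrapper, SPNEGO OID */
        take(&gss, 0xa0, &ctx) || take(&ctx, 0x30, &seq)) return -1;
    if (seq.p < seq.end && *seq.p == 0xa0) {                  /* [0] mechTypes */
        if (take(&seq, 0xa0, &f) || take(&f, 0x30, &v)) return -1;
        for (; v.p < v.end; r->n_mechs++)          /* unknown OIDs are counted and skipped */
            if (take(&v, 0x06, &oid)) return -1;
            else if (LEN(oid) == sizeof ntlm_oid && !memcmp(oid.p, ntlm_oid, sizeof ntlm_oid))
                r->ntlmssp_idx = r->n_mechs;
    }
    if (seq.p < seq.end && *seq.p == 0xa1 && take(&seq, 0xa1, &f)) return -1; /* [1] reqFlags */
    if (seq.p < seq.end && *seq.p == 0xa2) {                  /* [2] mechToken */
        if (take(&seq, 0xa2, &f) || take(&f, 0x04, &v)) return -1;
        r->has_token = 1; r->token_len = LEN(v);   /* may be 0: check before reading bytes */
    }
    return 0;                                      /* [3] negHints/mechListMIC left unparsed */
}
```

On the quoted blob this reports five mechTypes with NTLMSSP at index 4 and a mechToken that is present with length 0; a caller should only hand the token to a mechanism when `token_len` is non-zero.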


