need more information about unknown bytes in RPC call
Matthieu Patou
mat+Informatique.Samba at matws.net
Mon Jul 13 04:37:58 MDT 2009
Andrew and all the team,
With the help of my netlogon dissector I'm sure that what ever version
of windows there is always undocumented bytes in netlogon and drsuapi
and LSA calls. They have the particularity to begin with the same
"signature": 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
For GetDomainInfo and LogonSamLogonWithFlags (when level == 6) and it is :
8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
For DsBind
0000 8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00 ...q..6q........
0010 02 40 28 00 35 42 51 e3 06 4b d1 11 ab 04 00 c0 .@(.5BQ..K......
0020 4f c2 dc d2 04 00 00 00 04 5d 88 8a eb 1c c9 11 O........]......
0030 9f e8 08 00 2b 10 48 60 02 00 00 00 ....+.H`....
For LookupSid3Request
0000 8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00 ...q..6q........
0010 02 40 28 00 78 57 34 12 34 12 cd ab ef 00 01 23 .@(.xW4.4......#
0020 45 67 89 ab 00 00 00 00 04 5d 88 8a eb 1c c9 11 Eg.......]......
0030 9f e8 08 00 2b 10 48 60 02 00 00 00 ....+.H`....
For LogonSamLogonEx
0000 8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00 ...q..6q........
0010 02 40 28 00 78 56 34 12 34 12 cd ab ef 00 01 23 .@(.xV4.4......#
0020 45 67 cf fb 01 00 00 00 04 5d 88 8a eb 1c c9 11 Eg.......]......
0030 9f e8 08 00 2b 10 48 60 02 00 00 00 ....+.H`....
I can't stop thinking that something (maybe useful maybe not) is hidden
in it.
Can we ask the guys from wspp for more information ?
Matthieu.
More information about the samba-technical
mailing list