need more information about unknown bytes in RPC call

Stefan (metze) Metzmacher metze at samba.org
Mon Jul 13 04:48:27 MDT 2009


Hi Matthieu,

> With the help of my netlogon dissector I'm sure that whatever the version
> of Windows, there are always undocumented bytes in netlogon and drsuapi
> and LSA calls. They have the particularity to begin with the same
> "signature": 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
> 
> For GetDomainInfo and LogonSamLogonWithFlags (when level == 6) it is:
> 
> 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
> 
> For DsBind
> 0000   8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00  ...q..6q........
> 0010   02 40 28 00 35 42 51 e3 06 4b d1 11 ab 04 00 c0  .@(.5BQ..K......
> 0020   4f c2 dc d2 04 00 00 00 04 5d 88 8a eb 1c c9 11  O........]......
> 0030   9f e8 08 00 2b 10 48 60 02 00 00 00              ....+.H`....
>
> For LookupSid3Request
> 0000   8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00  ...q..6q........
> 0010   02 40 28 00 78 57 34 12 34 12 cd ab ef 00 01 23  .@(.xW4.4......#
> 0020   45 67 89 ab 00 00 00 00 04 5d 88 8a eb 1c c9 11  Eg.......]......
> 0030   9f e8 08 00 2b 10 48 60 02 00 00 00              ....+.H`....
> 
> For LogonSamLogonEx
> 0000   8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00  ...q..6q........
> 0010   02 40 28 00 78 56 34 12 34 12 cd ab ef 00 01 23  .@(.xV4.4......#
> 0020   45 67 cf fb 01 00 00 00 04 5d 88 8a eb 1c c9 11  Eg.......]......
> 0030   9f e8 08 00 2b 10 48 60 02 00 00 00              ....+.H`....
> 
> I can't stop thinking that something (maybe useful, maybe not) is hidden
> in it.
> Can we ask the guys from WSPP for more information?

I'd guess it's just garbage, but feel free to ask them...

metze
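
Added example, not part of the original message or of Samba's code: the quoted bytes parse cleanly as the DCE/RPC verification trailer laid out in MS-RPCE (an 8-byte signature followed by command/length/value records). That reading is an assumption brought in here and is not stated in the thread; the two dumps are copied from the message above, and the function and constant names are made up for this example.

```python
import struct
import uuid

SIGNATURE = bytes.fromhex("8ae3137102f43671")  # common prefix of every dump
CMD_END = 0x4000            # flag: this is the last command in the trailer
CMD_MUST_PROCESS = 0x8000   # flag: receiver must understand this command
CMD_NAMES = {1: "bitmask_1", 2: "pcontext", 3: "header2"}

# Dumps copied from the message (offset and ASCII columns dropped).
DUMPS = {
    "GetDomainInfo": "8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00",
    "DsBind": "8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00"
              "02 40 28 00 35 42 51 e3 06 4b d1 11 ab 04 00 c0"
              "4f c2 dc d2 04 00 00 00 04 5d 88 8a eb 1c c9 11"
              "9f e8 08 00 2b 10 48 60 02 00 00 00",
}

def _syntax(buf):
    """Decode a 20-byte syntax id: little-endian UUID plus 32-bit version."""
    return str(uuid.UUID(bytes_le=bytes(buf[:16]))), struct.unpack_from("<I", buf, 16)[0]

def parse_trailer(data):
    """Return the trailer's commands as (name, is_last, decoded_value) tuples."""
    start = data.find(SIGNATURE)
    if start < 0:
        raise ValueError("signature not found")
    pos, out = start + len(SIGNATURE), []
    while True:
        if pos + 4 > len(data):
            raise ValueError("truncated command header or missing END flag")
        cmd, length = struct.unpack_from("<HH", data, pos)
        body = data[pos + 4 : pos + 4 + length]
        if len(body) != length:
            raise ValueError("command length runs past end of buffer")
        kind = cmd & ~(CMD_END | CMD_MUST_PROCESS) & 0xFFFF
        if kind == 1 and length == 4:        # 32-bit capability bitmask
            value = struct.unpack("<I", body)[0]
        elif kind == 2 and length == 40:     # abstract + transfer syntax ids
            value = (_syntax(body[:20]), _syntax(body[20:]))
        else:                                # unknown command: keep raw hex
            value = body.hex()
        last = bool(cmd & CMD_END)
        out.append((CMD_NAMES.get(kind, hex(kind)), last, value))
        pos += 4 + length
        if last:
            return out

if __name__ == "__main__":
    for name, dump in DUMPS.items():
        print(name, parse_trailer(bytes.fromhex(dump)))
```

Under this reading the 40-byte record in the DsBind dump carries the drsuapi interface UUID with version 4, followed by the NDR transfer syntax with version 2.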
