Parsing a NetLogon exchange.

Rafal Szczesniak mimir at
Tue Aug 10 07:20:18 MDT 2010


On Fri, Aug 06, 2010 at 12:29:24AM -0500, Christopher R. Hertel wrote:
> I am working on a side project that has me trying to decipher a NetLogon
> exchange.  I understand that RPCs on the NetLogon pipe are (at least
> partially) encrypted, but some of the information is visible.

By default, none of the logon calls are visible. You can request signing-only
for the schannel/netlogon binding, but that's good only for hacking and testing.
In a production environment it has to be sealed, obviously.

> How do I know whether the credentials presented by the client were accepted
> (successful authentication) or rejected?

Decrypt the PDU and check the status code?

> It looks to me as though the server is returning success, because there is a
> roughly 6K blob that is read from the named pipe.  I'm assuming that this
> blob is the authorization information that the DC sends back to the server,
> and that the server uses in order to determine what it is that the client
> may access.  As I understand it, that information would not be returned if
> the authentication failed.
>
> The thing is, the server implementation that I'm studying returns Bad
> Password to the client.  If I'm right that the authorization information is
> only returned by the DC if authentication is successful, then there must be
> something in the authorization information that is causing access to be denied.

You are right. Only successful authentication counts here. Is it password or network
logon (see the netr_LogonLevel type in netlogon.idl)?

Rafal Szczesniak
Samba Team member
Likewise Software
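As an added example (not part of the thread or of Samba's code), a Python sketch of the first step Rafal points at: parse a captured DCERPC response PDU, read its auth trailer to see whether the netlogon binding is signed only or sealed, and pull the NTSTATUS out of the stub when it is in the clear. Field offsets follow MS-RPCE/C706; the sample PDU is constructed here with dummy verifier bytes, not a real schannel signature.

```python
import struct

# Well-known DCERPC values (MS-RPCE)
PTYPE_RESPONSE = 2
AUTH_TYPE_SCHANNEL = 68          # netlogon secure channel
AUTH_LEVEL_PKT_INTEGRITY = 5     # signed only: stub data readable
AUTH_LEVEL_PKT_PRIVACY = 6       # sealed: stub data encrypted

# A few NTSTATUS codes a logon response commonly carries
STATUS_NAMES = {0x00000000: "STATUS_SUCCESS",
                0xC000006A: "STATUS_WRONG_PASSWORD",
                0xC000006D: "STATUS_LOGON_FAILURE"}

def inspect_response(pdu: bytes) -> dict:
    """Report auth type/level of a connection-oriented DCERPC response and,
    when the stub is not sealed, the NTSTATUS that NDR places last in it."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_RESPONSE:
        raise ValueError("not a DCERPC v5 response PDU")
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"   # drep integer byte order
    frag_length, auth_length, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    if frag_length != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    result = {"call_id": call_id, "auth_type": None, "auth_level": None,
              "sealed": False, "status": None, "status_name": None}
    stub_end = frag_length
    if auth_length:
        trailer = frag_length - auth_length - 8       # sec_trailer precedes verifier
        auth_type, auth_level, pad_len = struct.unpack("BBB", pdu[trailer:trailer + 3])
        result.update(auth_type=auth_type, auth_level=auth_level,
                      sealed=auth_level >= AUTH_LEVEL_PKT_PRIVACY)
        stub_end = trailer - pad_len                  # strip auth padding
    if not result["sealed"]:
        status = struct.unpack(endian + "I", pdu[stub_end - 4:stub_end])[0]
        result.update(status=status, status_name=STATUS_NAMES.get(status))
    return result

def build_sample_response(stub: bytes, auth_level: int, verifier: bytes = b"\0" * 32) -> bytes:
    """Constructed sample PDU (little-endian, call_id 7) with a schannel trailer."""
    pad_len = (-len(stub)) % 4                        # trailer is 4-byte aligned
    body = stub + b"\0" * pad_len
    trailer = struct.pack("<BBBBI", AUTH_TYPE_SCHANNEL, auth_level, pad_len, 0, 0)
    frag_length = 24 + len(body) + 8 + len(verifier)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_RESPONSE, 0x03, b"\x10\0\0\0",
                         frag_length, len(verifier), 7)
    header += struct.pack("<IHBB", len(stub), 0, 0, 0)  # alloc_hint, ctx, cancel, rsvd
    return header + body + trailer + verifier
```

Against a real sealed capture the status field is unreadable, which is exactly why the stub has to be decrypted with the session key first.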

