Parsing a NetLogon exchange.
mimir at samba.org
Tue Aug 10 07:20:18 MDT 2010
On Fri, Aug 06, 2010 at 12:29:24AM -0500, Christopher R. Hertel wrote:
> I am working on a side project that has me trying to decipher a NetLogon
> exchange. I understand that RPCs on the NetLogon pipe are (at least
> partially) encrypted, but some of the information is visible.
By default, none of logon calls are visible. You can request signing-only
for schannel/netlogon binding but that's good only for hacking and testing.
In production environment it has to be sealed, obviously.
> How do I know whether the credentials presented by the client were accepted
> (successful authentication) or rejected?
Decrypt the PDU and check status code ?
> It looks to me as though the server is returning success, because there is a
> roughly 6K blob that is read from the named pipe. I'm assuming that this
> blob is the authorization information that the DC sends back to the server,
> and that the server uses in order to determine what it is that the client
> may access. As I understand it, that information would not be returned if
> the authentication failed.
> The thing is, the server implementation that I'm studying returns Bad
> Password to the client. If I'm right that the authorization information is
> only returned by the DC if authentication is successful, then there must be
> something in the authorization information that is causing access to be denied.
You are right. Only successful authentication counts here. Is it password or network
logon (see netr_LogonLevel type in netlogon.idl) ?
Samba Team member http://www.samba.org
Likewise Software http://www.likewise.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 190 bytes
Desc: Digital signature
More information about the samba-technical