Parsing a NetLogon exchange.

Christopher R. Hertel crh at
Tue Aug 10 14:16:42 MDT 2010

Rafal Szczesniak wrote:
> It's the server implementation so yes, of course, it is possible. It's possible
> to do that even with windows server given the right flags are negotiated during
> rpc bind phase. What is the client implementation?

The client is a Windows XP box.
I am not supposed to identify the SMB server.
The DC is Windows 2003.

>> I can, for example, see the Identity Information as well as the LMv1 and
>> NTLMv1 crypto-responses in the NetLogon request.
> Is the traffic signed, by the way? It can still be preceded by schannel
> auth handshake just the signing of rpc binding could have been requested.

What field(s) am I looking for in order to verify this?

>>> Decrypt the PDU and check status code ?
>> Which status code where?  :)
>> The NTSTATUS code in the NetrLogonSamLogon response shows success, but that
>> only indicates (to me) that the transaction operation was successful.  I was
>> hoping for a clear indication somewhere in the protocol that the DC was
>> happy with the credentials provided by the client.  As you say below, I
>> think the elongated response is that indication.
> I was assuming the traffic is encrypted so you couldn't see the NetrLogonSamLogon
> status code. If it was a success then the authentication was successful, obviously.

I don't know which field to look for to see the NetrLogonSamLogon status
code.  Sorry, that's why I'm asking about parsing.  There are several fields
that I can easily interpret but I'm lost when it gets to the details and I
can't seem to find an actual status field (other than the one in the SMB

> You could look at the hex dump and try to find the rpc opnum in rpc request.
> That would give you some hint as to what rpc gets called next.

Ah...  Opnum is 2, and that value is provided in the response as well.  So
that should tell me how to manually parse the data that was returned, yes?

I'll take a look at that IDL file.


Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at
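As an added illustration of the questions in this thread (not code from the original message or from Samba): a small Python parser for connection-oriented DCE/RPC PDUs that reads the sec_trailer to tell whether a PDU is signed or sealed, matches each response to its request by call_id to learn the opnum (as a dissector does), and for opnum 2 (NetrLogonSamLogon) pulls the NTSTATUS that ends the response stub. The PDUs below are constructed samples and the schannel verifier bytes are dummies.

```python
import struct
AUTH_TYPE = {68: "schannel"}     # DCE/RPC auth_type used by the NetLogon secure channel
AUTH_LEVEL = {5: "pkt_integrity (signed)", 6: "pkt_privacy (sealed)"}
NTSTATUS = {0x00000000: "STATUS_SUCCESS", 0xC000006D: "STATUS_LOGON_FAILURE"}

def parse_pdu(pdu):
    """Split one connection-oriented DCE/RPC request (ptype 0) or response (ptype 2) PDU."""
    vers, _, ptype, flags, _, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or frag_len != len(pdu):
        raise ValueError("not a complete DCE/RPC v5 PDU (fragmented or truncated)")
    info = {"ptype": ptype, "pfc_flags": flags, "call_id": call_id}
    if ptype == 0:                     # only the request carries the opnum (after alloc_hint, context_id)
        info["opnum"] = struct.unpack_from("<IHH", pdu, 16)[2]
    stub_end = frag_len
    if auth_len:                       # 8-byte sec_trailer sits just before the auth_len-byte verifier
        trailer = frag_len - auth_len - 8
        auth_type, auth_level, pad_len = struct.unpack_from("<BBB", pdu, trailer)
        info["auth_type"] = AUTH_TYPE.get(auth_type, auth_type)
        info["auth_level"] = AUTH_LEVEL.get(auth_level, auth_level)
        stub_end = trailer - pad_len   # auth_pad_length bytes of alignment padding are not stub data
    info["stub"] = pdu[24:stub_end]    # 16-byte common header + 8 ptype-specific bytes
    return info

def samlogon_status(pdus):
    """Match responses to requests by call_id; for opnum 2 (NetrLogonSamLogon) name the final NTSTATUS."""
    parsed = [parse_pdu(p) for p in pdus]
    opnums = {p["call_id"]: p["opnum"] for p in parsed if p["ptype"] == 0}
    results = {}
    for p in parsed:
        if p["ptype"] != 2 or opnums.get(p["call_id"]) != 2:
            continue
        if p.get("auth_level") == AUTH_LEVEL[6]:     # sealed stub: the status is encrypted on the wire
            results[p["call_id"]] = "sealed: status not visible on the wire"
        else:                                         # NDR return value is the last 4 bytes of the stub
            code = struct.unpack("<I", p["stub"][-4:])[0]
            results[p["call_id"]] = NTSTATUS.get(code, f"0x{code:08X}")
    return results

def build_pdu(ptype, call_id, fields, stub, auth_level, pad=0):
    """Constructed sample PDU with a schannel sec_trailer and a dummy 32-byte verifier (no real signature)."""
    tail = b"\0" * pad + struct.pack("<BBBBI", 68, auth_level, pad, 0, 1) + b"\x77" * 32
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\0\0\0", 24 + len(stub) + len(tail), 32, call_id)
    return hdr + fields + stub + tail
REQ = struct.pack("<IHH", 0x40, 0, 2)      # alloc_hint, context_id, opnum 2
RSP = struct.pack("<IHBB", 0x1a, 0, 0, 0)  # alloc_hint, context_id, cancel_count, reserved
SAMPLE = [  # constructed: signed success (2 pad bytes), signed logon failure, sealed reply
    build_pdu(0, 7, REQ, b"\x01" * 64, 5), build_pdu(2, 7, RSP, b"\x02" * 22 + struct.pack("<I", 0), 5, pad=2),
    build_pdu(0, 8, REQ, b"\x01" * 64, 5), build_pdu(2, 8, RSP, b"\x02" * 24 + struct.pack("<I", 0xC000006D), 5),
    build_pdu(0, 9, REQ, b"\x01" * 64, 6), build_pdu(2, 9, RSP, b"\xee" * 28, 6),
]
```

Real captures often fragment a large SamLogon request across several PDUs; reassemble by call_id before handing the stub to a decoder.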
