Parsing a NetLogon exchange.

Rafal Szczesniak mimir at
Tue Aug 10 15:52:39 MDT 2010

On Tue, Aug 10, 2010 at 03:16:42PM -0500, Christopher R. Hertel wrote:
> Rafal Szczesniak wrote:
> :
> > It's the server implementation so yes, of course, it is possible. It's possible
> > to do that even with windows server given the right flags are negotiated during
> > rpc bind phase. What is the client implementation ?
> The client is a Windows XP box.
> I am not supposed to identify the SMB server.
> The DC is Windows 2003.

ok, so the server in this matter is an rpc client here (just to avoid confusion).
So yes, it is absolutely possible that it negotiates signed-only schannel.

> >> I can, for example, see the Identity Information as well as the LMv1 and
> >> NTLMv1 crypto-responses in the NetLogon request.
> > 
> > Is the traffic signed, by the way ? It can still be preceded by schannel
> > auth handshake just the signing of rpc binding could have been requested.
> What field(s) am I looking for in order to verify this.

Look for rpc bind request right after inital NetrServerRequestChallenge and
NetrServerAuthenticate. It should have schannel trailer with flags field
specifying whether the binding is to be sealed or signed-only.

> >> The NTSTATUS code in the NetrLogonSamLogon response shows success, but that
> >> only indicates (to me) that the transaction operation was successful.  I was
> >> hoping for a clear indication somewhere in the protocol that the DC was
> >> happy with the credentials provided by the client.  As you say below, I
> >> think the elongated response is that indication.
> > 
> > I was assuming the traffic is encrypted so you couldn't see the NetrLogonSamLogon
> > status code. If it was a success then the authentication was successful, obviously.
> I don't know which field to look for to see the NetrLogonSamLogon status
> code.  Sorry, that's why I'm asking about parsing.  There are several fields
> that I can easily interpret but I'm lost when it gets to the details and I
> can't seem to find an actual status field (other than the one in the SMB
> header).

The last 4 bytes of the response PDU should tell you what's the status code.

> Ah...  Opnum is 2, and that value is provided in the response as well.  So
> that should tell me how to manually parse the data that was returned, yes?

Opnum 2 is NetrLogonSamLogon function. I thought you said there was something
following that call.

It might help if I could look at the packet trace but I understand you're not
allowed to send it.

Rafal Szczesniak
Samba Team member
Likewise Software

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <>

More information about the samba-technical mailing list