[PATCHES] winbindd: fix sid->xid for SID History SIDs
Uri Simchoni
uri at samba.org
Tue Mar 28 20:08:17 UTC 2017
On 03/28/2017 03:11 PM, Stefan Metzmacher wrote:
> Hi Uri,
>
>>> The fix finds the domain of the SID by resolving a SID with same domain
>>> component and an RID of 513 (domain users), which hopefully never gets
>>> migrated.
>
> I think we should better try to resolve the domain sid, instead
> of relying on RID 513.
>
> And we should only do that if we don't know about the domain yet.
>
>>> We've discussed other means such as smb.conf stuff or netsamlogon - I
>>> think those methods can come on top of this method, because if they
>>> don't work we should always fall back to something. The added resolving
>>> doesn't cost much because it's in the same round-trip.
>>>
>>> The key thing about this fix is that it doesn't try to translate sid->xid
>>> in any possible case (such as when old domain is gone and forgotten), it
>>> just avoids getting the *wrong* result. As such, it's a good minimal fix
>>> that can be applied to stable versions. For master, we can add the
>>> smb.conf-based stuff, that will support more cases.
>>>
>>> Review appreciated.
>>> Thanks,
>>> Uri.
>>
>> mostly lgtm, just one issue, see below.
>>
>> Fwiw, I'm currently working on another issue in sids2xids. Not really related
>> but I'm mentioning it here as you're currently having fun with the same area of
>> code.
>
> I think this is related...
>
> I'm wondering if your fixes would also fix Uri's problem.
>
> At least we should carefully think about this and have one
> combined and tested patchset.
>
> Otherwise both of you have tested something that won't reflect the reality.
>
> Uri, can you run a command like this:
> bin/rpcclient -UW4EDOM-L4\\administrator%A1b2C3d4
> w2008r2-133.w4edom-l4.base -c 'lookupsids
> S-1-5-21-278041429-3399921908-1452754838-66666
> S-1-5-21-278041429-3399921908-1452754838
> S-1-5-21-278041429-3399921908-1452754837-77777
> S-1-5-21-278041429-3399921908-1452754837 S-1-5-32-66666 S-1-5-32
> S-1-5-32-544' -d 10
>
> That tries to resolve the primary sid of a user, the sid history value
> and both domain sids and invalid sids in both domains at the same time
> (in various order combinations)?
> I guess that will help a lot to see the answers from a Windows DC in that
> case.
>
> Thanks!
> metze
>
One of my DCs was moved somewhere, can't find it right now, will sort
this out tomorrow. So meanwhile I queried just one DC, in various
combinations - all provided the same results.
See attached Python script and its output. I'll extend that to work vs
two DCs of both domains simultaneously - throw some of the combinations
on one and some on the other.
Thanks,
Uri.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: resolve.py
Type: text/x-python
Size: 1120 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170328/4fbbc829/resolve.py>
-------------- next part --------------
OK
{'S-1-5-32-544': 'BUILTIN\\Administrators', 'S-1-5-32-1106': 'BUILTIN\\*unknown*', 'S-1-5-21-1387724271-3540671778-1971508351': 'DOMAIN2\\*unknown*', 'S-1-5-21-3293503978-489118715-2763867031': 'DOMAIN1\\*unknown*', 'S-1-5-21-1387724271-3540671778-1971508351-1115': 'DOMAIN2\\d1u1', 'S-1-5-21-3293503978-489118715-2763867031-1106': 'DOMAIN2\\d1u1', 'S-1-5-32': 'BUILTIN\\BUILTIN'}
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
Netbios name list:-
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter dns proxy = no
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter passdb backend = tdbsam
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth1 ip=192.168.0.2 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0:0 ip=192.168.0.102 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.82.33 bcast=192.168.82.255 netmask=255.255.255.0
added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0
Connecting to 192.168.28.33 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 87040
SO_RCVBUF = 372480
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
negotiate: struct NEGOTIATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmNegotiate (1)
NegotiateFlags : 0x60088215 (1611170325)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
0: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
DomainNameLen : 0x0009 (9)
DomainNameMaxLen : 0x0009 (9)
DomainName : *
DomainName : 'WORKGROUP'
WorkstationLen : 0x0008 (8)
WorkstationMaxLen : 0x0008 (8)
Workstation : *
Workstation : 'ZOOZI-14'
smb_signing_sign_pdu: sent SMB signature of
[0000] 42 53 52 53 50 59 4C 20 BSRSPYL
challenge: struct CHALLENGE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmChallenge (0x2)
TargetNameLen : 0x000e (14)
TargetNameMaxLen : 0x000e (14)
TargetName : *
TargetName : 'DOMAIN2'
NegotiateFlags : 0x62898215 (1653178901)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
1: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
1: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
ServerChallenge : c0e3ca2c06b12937
Reserved : 0000000000000000
TargetInfoLen : 0x0092 (146)
TargetNameInfoMaxLen : 0x0092 (146)
TargetInfo : *
TargetInfo: struct AV_PAIR_LIST
count : 0x00000007 (7)
pair: ARRAY(7)
pair: struct AV_PAIR
AvId : MsvAvNbDomainName (0x2)
AvLen : 0x000e (14)
Value : union ntlmssp_AvValue(case 0x2)
AvNbDomainName : 'DOMAIN2'
pair: struct AV_PAIR
AvId : MsvAvNbComputerName (0x1)
AvLen : 0x0008 (8)
Value : union ntlmssp_AvValue(case 0x1)
AvNbComputerName : 'DOM2'
pair: struct AV_PAIR
AvId : MsvAvDnsDomainName (0x4)
AvLen : 0x001a (26)
Value : union ntlmssp_AvValue(case 0x4)
AvDnsDomainName : 'domain2.local'
pair: struct AV_PAIR
AvId : MsvAvDnsComputerName (0x3)
AvLen : 0x0024 (36)
Value : union ntlmssp_AvValue(case 0x3)
AvDnsComputerName : 'DOM2.domain2.local'
pair: struct AV_PAIR
AvId : MsvAvDnsTreeName (0x5)
AvLen : 0x001a (26)
Value : union ntlmssp_AvValue(case 0x5)
AvDnsTreeName : 'Domain1.local'
pair: struct AV_PAIR
AvId : MsvAvTimestamp (0x7)
AvLen : 0x0008 (8)
Value : union ntlmssp_AvValue(case 0x7)
AvTimestamp : Tue Mar 28 10:10:37 PM 2017 IDT
pair: struct AV_PAIR
AvId : MsvAvEOL (0x0)
AvLen : 0x0000 (0)
Value : union ntlmssp_AvValue(case 0x0)
Version: struct ntlmssp_VERSION
ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (0x6)
ProductMinorVersion : UNKNOWN_ENUM_VALUE (0x3)
ProductBuild : 0x2580 (9600)
Reserved : 000000
NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (0xF)
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
authenticate: struct AUTHENTICATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmAuthenticate (3)
LmChallengeResponseLen : 0x0018 (24)
LmChallengeResponseMaxLen: 0x0018 (24)
LmChallengeResponse : *
LmChallengeResponse : union ntlmssp_LM_RESPONSE(case 24)
v1: struct LM_RESPONSE
Response : 405b03841b8d2d2afe3f9c16b9a6247b570abe2bf12a6b42
NtChallengeResponseLen : 0x00be (190)
NtChallengeResponseMaxLen: 0x00be (190)
NtChallengeResponse : *
NtChallengeResponse : union ntlmssp_NTLM_RESPONSE(case 190)
v2: struct NTLMv2_RESPONSE
Response : 130f796e79585121b2083b287ff88f3a
Challenge: struct NTLMv2_CLIENT_CHALLENGE
RespType : 0x01 (1)
HiRespType : 0x01 (1)
Reserved1 : 0x0000 (0)
Reserved2 : 0x00000000 (0)
TimeStamp : Tue Mar 28 10:11:03 PM 2017 IDT
ChallengeFromClient : 43bfb3d568e73bfb
Reserved3 : 0x00000000 (0)
AvPairs: struct AV_PAIR_LIST
count : 0x00000007 (7)
pair: ARRAY(7)
pair: struct AV_PAIR
AvId : MsvAvNbDomainName (0x2)
AvLen : 0x000e (14)
Value : union ntlmssp_AvValue(case 0x2)
AvNbDomainName : 'DOMAIN2'
pair: struct AV_PAIR
AvId : MsvAvNbComputerName (0x1)
AvLen : 0x0008 (8)
Value : union ntlmssp_AvValue(case 0x1)
AvNbComputerName : 'DOM2'
pair: struct AV_PAIR
AvId : MsvAvDnsDomainName (0x4)
AvLen : 0x001a (26)
Value : union ntlmssp_AvValue(case 0x4)
AvDnsDomainName : 'domain2.local'
pair: struct AV_PAIR
AvId : MsvAvDnsComputerName (0x3)
AvLen : 0x0024 (36)
Value : union ntlmssp_AvValue(case 0x3)
AvDnsComputerName : 'DOM2.domain2.local'
pair: struct AV_PAIR
AvId : MsvAvDnsTreeName (0x5)
AvLen : 0x001a (26)
Value : union ntlmssp_AvValue(case 0x5)
AvDnsTreeName : 'Domain1.local'
pair: struct AV_PAIR
AvId : MsvAvTimestamp (0x7)
AvLen : 0x0008 (8)
Value : union ntlmssp_AvValue(case 0x7)
AvTimestamp : Tue Mar 28 10:10:37 PM 2017 IDT
pair: struct AV_PAIR
AvId : MsvAvEOL (0x0)
AvLen : 0x0000 (0)
Value : union ntlmssp_AvValue(case 0x0)
DomainNameLen : 0x0012 (18)
DomainNameMaxLen : 0x0012 (18)
DomainName : *
DomainName : 'WORKGROUP'
UserNameLen : 0x001a (26)
UserNameMaxLen : 0x001a (26)
UserName : *
UserName : 'administrator'
WorkstationLen : 0x0010 (16)
WorkstationMaxLen : 0x0010 (16)
Workstation : *
Workstation : 'ZOOZI-14'
EncryptedRandomSessionKeyLen: 0x0010 (16)
EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
EncryptedRandomSessionKey: *
EncryptedRandomSessionKey: DATA_BLOB length=16
[0000] 60 2F F2 58 4F D8 10 BA 85 68 82 E8 34 26 2F F0 `/.XO... .h..4&/.
NegotiateFlags : 0x60088215 (1611170325)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
0: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
smb_signing_sign_pdu: sent SMB signature of
[0000] 42 53 52 53 50 59 4C 20 BSRSPYL
smb_signing_activate: user_session_key
[0000] D0 77 7B 45 91 B3 1B C8 B2 7B 4C 91 9E D7 66 5A .w{E.... .{L...fZ
smb_signing_activate: NULL response_data
smb_signing_md5: sequence number 1
smb_signing_check_pdu: seq 1: got good SMB signature of
[0000] 15 8F 49 21 89 31 4B 66 ..I!.1Kf
smb_signing_md5: sequence number 2
smb_signing_sign_pdu: sent SMB signature of
[0000] 88 CC D2 0F 3B 8A C9 C3 ....;...
smb_signing_md5: sequence number 3
smb_signing_check_pdu: seq 3: got good SMB signature of
[0000] 4E 24 26 E3 8C 66 71 0E N$&..fq.
cli_init_creds: user administrator domain WORKGROUP
smb_signing_md5: sequence number 4
smb_signing_sign_pdu: sent SMB signature of
[0000] CD C2 F8 90 EA D1 C1 0A ........
smb_signing_md5: sequence number 5
smb_signing_check_pdu: seq 5: got good SMB signature of
[0000] 57 7D 6F 41 12 AD 12 37 W}oA...7
Bind RPC Pipe: host 192.168.28.33 auth_type 0, auth_level 1
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-ef00-0123456789ab
if_version : 0x00000000 (0)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host 192.168.28.33
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=72, this_data=72, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
smb_signing_md5: sequence number 6
smb_signing_sign_pdu: sent SMB signature of
[0000] 19 FD AE B6 CF 4D 92 B7 .....M..
smb_signing_md5: sequence number 7
smb_signing_check_pdu: seq 7: got good SMB signature of
[0000] 05 A5 AB 42 62 1E 58 5B ...Bb.X[
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000001 (1)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x000157fb (88059)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 00 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
result : 0x0000 (0)
reason : 0x0000 (0)
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 192.168.28.33 returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine 192.168.28.33 and bound anonymously.
lsa_OpenPolicy: struct lsa_OpenPolicy
in: struct lsa_OpenPolicy
system_name : *
system_name : 0x005c (92)
attr : *
attr: struct lsa_ObjectAttribute
len : 0x00000018 (24)
root_dir : NULL
object_name : NULL
attributes : 0x00000000 (0)
sec_desc : NULL
sec_qos : *
sec_qos: struct lsa_QosInfo
len : 0x0000000c (12)
impersonation_level : 0x0002 (2)
context_mode : 0x01 (1)
effective_only : 0x00 (0)
access_mask : 0x02000000 (33554432)
0: LSA_POLICY_VIEW_LOCAL_INFORMATION
0: LSA_POLICY_VIEW_AUDIT_INFORMATION
0: LSA_POLICY_GET_PRIVATE_INFORMATION
0: LSA_POLICY_TRUST_ADMIN
0: LSA_POLICY_CREATE_ACCOUNT
0: LSA_POLICY_CREATE_SECRET
0: LSA_POLICY_CREATE_PRIVILEGE
0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
0: LSA_POLICY_AUDIT_LOG_ADMIN
0: LSA_POLICY_SERVER_ADMIN
0: LSA_POLICY_LOOKUP_NAMES
0: LSA_POLICY_NOTIFICATION
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000002c (44)
context_id : 0x0000 (0)
opnum : 0x0006 (6)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 192.168.28.33
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=68, this_data=68, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
smb_signing_md5: sequence number 8
smb_signing_sign_pdu: sent SMB signature of
[0000] 41 25 E6 30 A1 B0 1B 30 A%.0...0
smb_signing_md5: sequence number 9
smb_signing_check_pdu: seq 9: got good SMB signature of
[0000] 87 54 00 9F 73 31 AC BA .T..s1..
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000002 (2)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 32 4B 1C A4 9E 30 E1 41 AE B4 A2 84 ....2K.. .0.A....
[0010] 45 90 34 2E 00 00 00 00 E.4.....
Got pdu len 48, data_len 24, ss_len 0
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 192.168.28.33 returned 24 bytes.
lsa_OpenPolicy: struct lsa_OpenPolicy
out: struct lsa_OpenPolicy
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : a41c4b32-309e-41e1-aeb4-a2844590342e
result : NT_STATUS_OK
lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy
in: struct lsa_QueryInfoPolicy
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : a41c4b32-309e-41e1-aeb4-a2844590342e
level : LSA_POLICY_INFO_ACCOUNT_DOMAIN (5)
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000016 (22)
context_id : 0x0000 (0)
opnum : 0x0007 (7)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 192.168.28.33
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=46, this_data=46, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
smb_signing_md5: sequence number 10
smb_signing_sign_pdu: sent SMB signature of
[0000] F1 C8 46 9E 1D 6E A0 83 ..F..n..
smb_signing_md5: sequence number 11
smb_signing_check_pdu: seq 11: got good SMB signature of
[0000] 49 38 39 24 73 87 41 40 I89$s.A@
rpc_read_send: data_to_read: 88
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0068 (104)
auth_length : 0x0000 (0)
call_id : 0x00000003 (3)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000050 (80)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=80
[0000] 00 00 02 00 05 00 00 00 0E 00 10 00 04 00 02 00 ........ ........
[0010] 08 00 02 00 08 00 00 00 00 00 00 00 07 00 00 00 ........ ........
[0020] 44 00 4F 00 4D 00 41 00 49 00 4E 00 32 00 00 00 D.O.M.A. I.N.2...
[0030] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........
[0040] EF FD B6 52 22 5D 0A D3 7F D4 82 75 00 00 00 00 ...R"].. ...u....
Got pdu len 104, data_len 80, ss_len 0
rpc_api_pipe: got frag len of 104 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 192.168.28.33 returned 80 bytes.
lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy
out: struct lsa_QueryInfoPolicy
info : *
info : *
info : union lsa_PolicyInformation(case 5)
account_domain: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'DOMAIN2'
sid : *
sid : S-1-5-21-1387724271-3540671778-1971508351
result : NT_STATUS_OK
lsa_Close: struct lsa_Close
in: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : a41c4b32-309e-41e1-aeb4-a2844590342e
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0000 (0)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 192.168.28.33
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=44, this_data=44, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
smb_signing_md5: sequence number 12
smb_signing_sign_pdu: sent SMB signature of
[0000] 99 30 94 A4 0A 09 06 18 .0......
smb_signing_md5: sequence number 13
smb_signing_check_pdu: seq 13: got good SMB signature of
[0000] 97 B0 C0 AE DC 42 F7 6E .....B.n
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000004 (4)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24, ss_len 0
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 192.168.28.33 returned 24 bytes.
lsa_Close: struct lsa_Close
out: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
smb_signing_md5: sequence number 14
smb_signing_sign_pdu: sent SMB signature of
[0000] EA B8 8E BE 72 D3 01 3F ....r..?
smb_signing_md5: sequence number 15
smb_signing_check_pdu: seq 15: got good SMB signature of
[0000] 97 C2 B3 66 DC 72 94 6D ...f.r.m
smb_signing_md5: sequence number 16
smb_signing_sign_pdu: sent SMB signature of
[0000] 2A C2 08 91 3A BA E7 5F *...:.._
smb_signing_md5: sequence number 17
smb_signing_check_pdu: seq 17: got good SMB signature of
[0000] 9F 08 10 9C FA 81 D1 AD ........
Bind RPC Pipe: host 192.168.28.33 auth_type 0, auth_level 1
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND (11)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0048 (72)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 11)
bind: struct dcerpc_bind
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x00000000 (0)
num_contexts : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ctx_list
context_id : 0x0000 (0)
num_transfer_syntaxes : 0x01 (1)
abstract_syntax: struct ndr_syntax_id
uuid : 12345778-1234-abcd-ef00-0123456789ab
if_version : 0x00000000 (0)
transfer_syntaxes: ARRAY(1)
transfer_syntaxes: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: host 192.168.28.33
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=72, this_data=72, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
smb_signing_md5: sequence number 18
smb_signing_sign_pdu: sent SMB signature of
[0000] EC 9E 69 86 E9 9E 92 26 ..i....&
smb_signing_md5: sequence number 19
smb_signing_check_pdu: seq 19: got good SMB signature of
[0000] A2 0B 81 47 1A B8 72 E3 ...G..r.
rpc_read_send: data_to_read: 52
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_BIND_ACK (12)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0044 (68)
auth_length : 0x0000 (0)
call_id : 0x00000005 (5)
u : union dcerpc_payload(case 12)
bind_ack: struct dcerpc_bind_ack
max_xmit_frag : 0x10b8 (4280)
max_recv_frag : 0x10b8 (4280)
assoc_group_id : 0x000157fc (88060)
secondary_address_size : 0x000c (12)
secondary_address : '\pipe\lsass'
_pad1 : DATA_BLOB length=2
[0000] 00 00 ..
num_results : 0x01 (1)
ctx_list: ARRAY(1)
ctx_list: struct dcerpc_ack_ctx
result : 0x0000 (0)
reason : 0x0000 (0)
syntax: struct ndr_syntax_id
uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
if_version : 0x00000002 (2)
auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 192.168.28.33 returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine 192.168.28.33 and bound anonymously.
lsa_OpenPolicy: struct lsa_OpenPolicy
in: struct lsa_OpenPolicy
system_name : *
system_name : 0x005c (92)
attr : *
attr: struct lsa_ObjectAttribute
len : 0x00000018 (24)
root_dir : NULL
object_name : NULL
attributes : 0x00000000 (0)
sec_desc : NULL
sec_qos : *
sec_qos: struct lsa_QosInfo
len : 0x0000000c (12)
impersonation_level : 0x0002 (2)
context_mode : 0x01 (1)
effective_only : 0x00 (0)
access_mask : 0x02000000 (33554432)
0: LSA_POLICY_VIEW_LOCAL_INFORMATION
0: LSA_POLICY_VIEW_AUDIT_INFORMATION
0: LSA_POLICY_GET_PRIVATE_INFORMATION
0: LSA_POLICY_TRUST_ADMIN
0: LSA_POLICY_CREATE_ACCOUNT
0: LSA_POLICY_CREATE_SECRET
0: LSA_POLICY_CREATE_PRIVILEGE
0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
0: LSA_POLICY_AUDIT_LOG_ADMIN
0: LSA_POLICY_SERVER_ADMIN
0: LSA_POLICY_LOOKUP_NAMES
0: LSA_POLICY_NOTIFICATION
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x0000002c (44)
context_id : 0x0000 (0)
opnum : 0x0006 (6)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 192.168.28.33
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=68, this_data=68, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
smb_signing_md5: sequence number 20
smb_signing_sign_pdu: sent SMB signature of
[0000] D2 B4 EE D5 67 B8 40 4E ....g. at N
smb_signing_md5: sequence number 21
smb_signing_check_pdu: seq 21: got good SMB signature of
[0000] 77 85 85 10 D8 03 10 D5 w.......
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000006 (6)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 86 35 4F 34 E4 7D 1D 4E 96 A9 8C 6C .....5O4 .}.N...l
[0010] 23 E4 B2 F0 00 00 00 00 #.......
Got pdu len 48, data_len 24, ss_len 0
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 192.168.28.33 returned 24 bytes.
lsa_OpenPolicy: struct lsa_OpenPolicy
out: struct lsa_OpenPolicy
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 344f3586-7de4-4e1d-96a9-8c6c23e4b2f0
result : NT_STATUS_OK
rpccli_lsa_lookup_sids: processing items 0 -- 6 of 7.
lsa_LookupSids: struct lsa_LookupSids
in: struct lsa_LookupSids
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 344f3586-7de4-4e1d-96a9-8c6c23e4b2f0
sids : *
sids: struct lsa_SidArray
num_sids : 0x00000007 (7)
sids : *
sids: ARRAY(7)
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-1387724271-3540671778-1971508351-1115
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-1387724271-3540671778-1971508351
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-3293503978-489118715-2763867031-1106
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-21-3293503978-489118715-2763867031
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-32-1106
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-32
sids: struct lsa_SidPtr
sid : *
sid : S-1-5-32-544
names : *
names: struct lsa_TransNameArray
count : 0x00000000 (0)
names : NULL
level : LSA_LOOKUP_NAMES_ALL (1)
count : *
count : 0x00000000 (0)
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x000000fc (252)
context_id : 0x0000 (0)
opnum : 0x000f (15)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 192.168.28.33
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=276, this_data=276, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
smb_signing_md5: sequence number 22
smb_signing_sign_pdu: sent SMB signature of
[0000] 1A 04 26 BE D3 1E 41 17 ..&...A.
smb_signing_md5: sequence number 23
smb_signing_check_pdu: seq 23: got good SMB signature of
[0000] 5E 50 F0 1E A9 8F 0F 60 ^P.....`
rpc_read_send: data_to_read: 460
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x01dc (476)
auth_length : 0x0000 (0)
call_id : 0x00000007 (7)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x000001c4 (452)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=452
Got pdu len 476, data_len 452, ss_len 0
rpc_api_pipe: got frag len of 476 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 192.168.28.33 returned 452 bytes.
lsa_LookupSids: struct lsa_LookupSids
out: struct lsa_LookupSids
domains : *
domains : *
domains: struct lsa_RefDomainList
count : 0x00000003 (3)
domains : *
domains: ARRAY(3)
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'BUILTIN'
sid : *
sid : S-1-5-32
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'DOMAIN2'
sid : *
sid : S-1-5-21-1387724271-3540671778-1971508351
domains: struct lsa_DomainInfo
name: struct lsa_StringLarge
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'DOMAIN1'
sid : *
sid : S-1-5-21-3293503978-489118715-2763867031
max_size : 0x00000020 (32)
names : *
names: struct lsa_TransNameArray
count : 0x00000007 (7)
names : *
names: ARRAY(7)
names: struct lsa_TranslatedName
sid_type : SID_NAME_USER (1)
name: struct lsa_String
length : 0x0008 (8)
size : 0x0008 (8)
string : *
string : 'd1u1'
sid_index : 0x00000001 (1)
names: struct lsa_TranslatedName
sid_type : SID_NAME_DOMAIN (3)
name: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
sid_index : 0x00000001 (1)
names: struct lsa_TranslatedName
sid_type : SID_NAME_USER (1)
name: struct lsa_String
length : 0x0008 (8)
size : 0x0008 (8)
string : *
string : 'd1u1'
sid_index : 0x00000001 (1)
names: struct lsa_TranslatedName
sid_type : SID_NAME_DOMAIN (3)
name: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
sid_index : 0x00000002 (2)
names: struct lsa_TranslatedName
sid_type : SID_NAME_UNKNOWN (8)
name: struct lsa_String
length : 0x0000 (0)
size : 0x0000 (0)
string : NULL
sid_index : 0x00000000 (0)
names: struct lsa_TranslatedName
sid_type : SID_NAME_DOMAIN (3)
name: struct lsa_String
length : 0x000e (14)
size : 0x0010 (16)
string : *
string : 'BUILTIN'
sid_index : 0x00000000 (0)
names: struct lsa_TranslatedName
sid_type : SID_NAME_ALIAS (4)
name: struct lsa_String
length : 0x001c (28)
size : 0x001c (28)
string : *
string : 'Administrators'
sid_index : 0x00000000 (0)
count : *
count : 0x00000006 (6)
result : STATUS_SOME_UNMAPPED
LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'STATUS_SOME_UNMAPPED', mapped count = 6'
S-1-5-21-1387724271-3540671778-1971508351-1115 DOMAIN2\d1u1 (1)
S-1-5-21-1387724271-3540671778-1971508351 DOMAIN2\*unknown* (3)
S-1-5-21-3293503978-489118715-2763867031-1106 DOMAIN2\d1u1 (1)
S-1-5-21-3293503978-489118715-2763867031 DOMAIN1\*unknown* (3)
S-1-5-32-1106 BUILTIN\*unknown* (8)
S-1-5-32 BUILTIN\BUILTIN (3)
S-1-5-32-544 BUILTIN\Administrators (4)
lsa_Close: struct lsa_Close
in: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 344f3586-7de4-4e1d-96a9-8c6c23e4b2f0
&r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_REQUEST (0)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0018 (24)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 0)
request: struct dcerpc_request
alloc_hint : 0x00000014 (20)
context_id : 0x0000 (0)
opnum : 0x0000 (0)
object : union dcerpc_object(case 0)
empty: struct dcerpc_empty
_pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 192.168.28.33
num_setup=2, max_setup=0, param_total=0, this_param=0, max_param=0, data_total=44, this_data=44, max_data=4280, param_offset=84, param_pad=2, param_disp=0, data_offset=84, data_pad=0, data_disp=0
smb_signing_md5: sequence number 24
smb_signing_sign_pdu: sent SMB signature of
[0000] C5 98 68 F4 D5 6F E4 21 ..h..o.!
smb_signing_md5: sequence number 25
smb_signing_check_pdu: seq 25: got good SMB signature of
[0000] 3C 55 89 E8 7D 5F 21 D9 <U..}_!.
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0030 (48)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x00000018 (24)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24, ss_len 0
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 192.168.28.33 returned 24 bytes.
lsa_Close: struct lsa_Close
out: struct lsa_Close
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 00000000-0000-0000-0000-000000000000
result : NT_STATUS_OK
smb_signing_md5: sequence number 26
smb_signing_sign_pdu: sent SMB signature of
[0000] 59 6D 81 9D E9 C7 BE 08 Ym......
smb_signing_md5: sequence number 27
smb_signing_check_pdu: seq 27: got good SMB signature of
[0000] F3 10 DB 54 FE A5 D4 69 ...T...i
smb_signing_md5: sequence number 28
smb_signing_sign_pdu: sent SMB signature of
[0000] D2 A3 17 B2 FC 6D F9 18 .....m..
smb_signing_md5: sequence number 29
smb_signing_check_pdu: seq 29: got good SMB signature of
[0000] 24 5C 1D BC F9 7E 4D 76 $\...~Mv