need more information about unknown bytes in RPC call
Stefan (metze) Metzmacher
metze at samba.org
Mon Jul 13 04:48:27 MDT 2009
Hi Matthieu,
> With the help of my netlogon dissector I'm sure that what ever version
> of windows there is always undocumented bytes in netlogon and drsuapi
> and LSA calls. They have the particularity to begin with the same
> "signature": 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
>
> For GetDomainInfo and LogonSamLogonWithFlags (when level == 6) and it is :
>
> 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00
>
> For DsBind
> 0000 8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00 ...q..6q........
> 0010 02 40 28 00 35 42 51 e3 06 4b d1 11 ab 04 00 c0 .@(.5BQ..K......
> 0020 4f c2 dc d2 04 00 00 00 04 5d 88 8a eb 1c c9 11 O........]......
> 0030 9f e8 08 00 2b 10 48 60 02 00 00 00 ....+.H`....
>
> For LookupSid3Request
> 0000 8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00 ...q..6q........
> 0010 02 40 28 00 78 57 34 12 34 12 cd ab ef 00 01 23 .@(.xW4.4......#
> 0020 45 67 89 ab 00 00 00 00 04 5d 88 8a eb 1c c9 11 Eg.......]......
> 0030 9f e8 08 00 2b 10 48 60 02 00 00 00 ....+.H`....
>
> For LogonSamLogonEx
> 0000 8a e3 13 71 02 f4 36 71 01 00 04 00 01 00 00 00 ...q..6q........
> 0010 02 40 28 00 78 56 34 12 34 12 cd ab ef 00 01 23 .@(.xV4.4......#
> 0020 45 67 cf fb 01 00 00 00 04 5d 88 8a eb 1c c9 11 Eg.......]......
> 0030 9f e8 08 00 2b 10 48 60 02 00 00 00 ....+.H`....
>
> I can't stop thinking that something (maybe useful maybe not) is hidden
> in it.
> Can we ask the guys from wspp for more information ?
I'd guess it's just garbage, but feel free to ask them...
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.samba.org/archive/samba-technical/attachments/20090713/89e85d4c/signature.bin
More information about the samba-technical
mailing list