dcerpc-netlogon: improve NetrLogonGetCapabilities dissection
1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * SPDX-License-Identifier: GPL-2.0-or-later
13 #include "config.h"
15 #define WS_LOG_DOMAIN "packet-dcerpc-netlogon"
17 #include <epan/packet.h>
18 #include <epan/expert.h>
19 #include <epan/tfs.h>
21 #include <wsutil/wsgcrypt.h>
22 #include <wsutil/wslog.h>
23 #include <wsutil/str_util.h>
25 /* for dissect_mscldap_string */
26 #include "packet-ldap.h"
27 #include "packet-dcerpc.h"
28 #include "packet-dcerpc-nt.h"
29 #include "packet-dcerpc-netlogon.h"
30 #include "packet-windows-common.h"
31 #include "packet-dcerpc-lsa.h"
32 #include "packet-ntlmssp.h"
33 #include "packet-dcerpc-misc.h"
34 /* for keytab format */
35 #include <epan/asn1.h>
36 #include "packet-kerberos.h"
37 /* for routines to read the keytab file */
38 #include "read_keytab_file.h"
39 /* for decoding */
41 void proto_register_dcerpc_netlogon(void);
42 void proto_reg_handoff_dcerpc_netlogon(void);
44 static proto_item *
45 netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,uint32_t flags,int offset);
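/*
 * Debug helper: log `nb` bytes of `tab` as space-separated upper-case hex,
 * prefixed by `txt`, at debug level in WS_LOG_DOMAIN.
 *
 * scratch: wmem allocator the temporary hex string is taken from.
 * tab:     bytes to dump; a NULL pointer is treated as an empty dump.
 * nb:      number of bytes to dump; a negative count is treated as zero.
 * txt:     label printed in front of the dump.
 *
 * NOTE(review): the callers are outside this excerpt. If they pass session
 * keys or password hashes, those land verbatim in the debug log, so debug
 * output for this domain should be handled like key material.
 */
static void printnbyte(wmem_allocator_t *scratch, const uint8_t* tab,int nb,const char* txt)
{
    /* Skip the allocation and formatting entirely unless debug logging is on. */
    if (!ws_log_msg_is_active(WS_LOG_DOMAIN, LOG_LEVEL_DEBUG))
    {
        return;
    }

    /* Keep the size computation and the loop bound well defined. */
    if (tab == NULL || nb < 0)
    {
        nb = 0;
    }

    /* Three characters ("XX ") per byte plus the terminating NUL. */
    char *hexdump = wmem_alloc0(scratch, (size_t)nb*3 + 1);
    int i;

    for(i=0;i<nb;i++)
    {
        /*
         * The size has to be 4: "XX " is three characters and snprintf also
         * needs room for the NUL. With a size of 3 the space is dropped and a
         * NUL is left after every byte, so only the first byte reaches the log.
         * The last iteration writes its NUL at index nb*3, which is in bounds.
         */
        snprintf(hexdump+((size_t)i*3), 4, "%02X ", *(tab+i));
    }
    hexdump[(size_t)nb*3] = '\0';

    ws_debug("%s %s", txt, hexdump);
}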
67 #define NETLOGON_FLAG_80000000 0x80000000
68 #define NETLOGON_FLAG_40000000 0x40000000
69 #define NETLOGON_FLAG_20000000 0x20000000
70 #define NETLOGON_FLAG_10000000 0x10000000
71 #define NETLOGON_FLAG_8000000 0x8000000
72 #define NETLOGON_FLAG_4000000 0x4000000
73 #define NETLOGON_FLAG_2000000 0x2000000
74 #define NETLOGON_FLAG_AES 0x1000000
75 #define NETLOGON_FLAG_800000 0x800000
76 #define NETLOGON_FLAG_400000 0x400000
77 #define NETLOGON_FLAG_200000 0x200000
78 #define NETLOGON_FLAG_100000 0x100000
79 #define NETLOGON_FLAG_80000 0x80000
80 #define NETLOGON_FLAG_40000 0x40000
81 #define NETLOGON_FLAG_20000 0x20000
82 #define NETLOGON_FLAG_10000 0x10000
83 #define NETLOGON_FLAG_8000 0x8000
84 #define NETLOGON_FLAG_STRONGKEY 0x4000
85 #define NETLOGON_FLAG_2000 0x2000
86 #define NETLOGON_FLAG_1000 0x1000
87 #define NETLOGON_FLAG_800 0x800
88 #define NETLOGON_FLAG_400 0x400
89 #define NETLOGON_FLAG_200 0x200
90 #define NETLOGON_FLAG_100 0x100
91 #define NETLOGON_FLAG_80 0x80
92 #define NETLOGON_FLAG_40 0x40
93 #define NETLOGON_FLAG_20 0x20
94 #define NETLOGON_FLAG_10 0x10
95 #define NETLOGON_FLAG_8 0x8
96 #define NETLOGON_FLAG_4 0x4
97 #define NETLOGON_FLAG_2 0x2
98 #define NETLOGON_FLAG_1 0x1
100 static wmem_map_t *netlogon_auths;
101 static wmem_map_t *schannel_auths;
102 static int proto_dcerpc_netlogon;
104 static int hf_netlogon_TrustedDomainName_string;
105 static int hf_netlogon_UserName_string;
106 static int hf_domain_info_sid;
107 static int hf_dns_domain_info_sid;
108 static int hf_dns_domain_info_domain_guid;
109 static int hf_dns_domain_info_dns_domain;
110 static int hf_dns_domain_info_dns_forest;
111 static int hf_dns_domain_info_name;
112 static int hf_client_challenge;
113 static int hf_server_rid;
114 static int hf_server_challenge;
115 static int hf_client_credential;
116 static int hf_server_credential;
117 static int hf_netlogon_logon_dnslogondomainname;
118 static int hf_netlogon_logon_upn;
119 static int hf_netlogon_opnum;
120 static int hf_netlogon_data_length;
121 static int hf_netlogon_extraflags;
122 static int hf_netlogon_extra_flags_root_forest;
123 static int hf_netlogon_trust_flags_dc_firsthop;
124 static int hf_netlogon_trust_flags_rodc_to_dc;
125 static int hf_netlogon_trust_flags_rodc_ntlm;
126 static int hf_netlogon_package_name;
127 static int hf_netlogon_rc;
128 static int hf_netlogon_dos_rc;
129 static int hf_netlogon_werr_rc;
130 static int hf_netlogon_len;
131 static int hf_netlogon_password_version_reserved;
132 static int hf_netlogon_password_version_number;
133 static int hf_netlogon_password_version_present;
134 static int hf_netlogon_sensitive_data_flag;
135 static int hf_netlogon_sensitive_data_len;
136 static int hf_netlogon_sensitive_data;
137 static int hf_netlogon_security_information;
138 static int hf_netlogon_dummy;
139 static int hf_netlogon_neg_flags;
140 static int hf_netlogon_neg_flags_80000000;
141 static int hf_netlogon_neg_flags_40000000;
142 static int hf_netlogon_neg_flags_20000000;
143 /* static int hf_netlogon_neg_flags_10000000; */
144 /* static int hf_netlogon_neg_flags_8000000; */
145 /* static int hf_netlogon_neg_flags_4000000; */
146 /* static int hf_netlogon_neg_flags_2000000; */
147 static int hf_netlogon_neg_flags_1000000;
148 /* static int hf_netlogon_neg_flags_800000; */
149 /* static int hf_netlogon_neg_flags_400000; */
150 static int hf_netlogon_neg_flags_200000;
151 static int hf_netlogon_neg_flags_100000;
152 static int hf_netlogon_neg_flags_80000;
153 static int hf_netlogon_neg_flags_40000;
154 static int hf_netlogon_neg_flags_20000;
155 static int hf_netlogon_neg_flags_10000;
156 static int hf_netlogon_neg_flags_8000;
157 static int hf_netlogon_neg_flags_4000;
158 static int hf_netlogon_neg_flags_2000;
159 static int hf_netlogon_neg_flags_1000;
160 static int hf_netlogon_neg_flags_800;
161 static int hf_netlogon_neg_flags_400;
162 static int hf_netlogon_neg_flags_200;
163 static int hf_netlogon_neg_flags_100;
164 static int hf_netlogon_neg_flags_80;
165 static int hf_netlogon_neg_flags_40;
166 static int hf_netlogon_neg_flags_20;
167 static int hf_netlogon_neg_flags_10;
168 static int hf_netlogon_neg_flags_8;
169 static int hf_netlogon_neg_flags_4;
170 static int hf_netlogon_neg_flags_2;
171 static int hf_netlogon_neg_flags_1;
172 static int hf_netlogon_minworkingsetsize;
173 static int hf_netlogon_maxworkingsetsize;
174 static int hf_netlogon_pagedpoollimit;
175 static int hf_netlogon_pagefilelimit;
176 static int hf_netlogon_timelimit;
177 static int hf_netlogon_nonpagedpoollimit;
178 /* static int hf_netlogon_pac_size; */
179 /* static int hf_netlogon_pac_data; */
180 /* static int hf_netlogon_auth_size; */
181 /* static int hf_netlogon_auth_data; */
182 static int hf_netlogon_cipher_len;
183 static int hf_netlogon_cipher_maxlen;
184 static int hf_netlogon_cipher_current_data;
185 static int hf_netlogon_cipher_current_set_time;
186 static int hf_netlogon_cipher_old_data;
187 static int hf_netlogon_cipher_old_set_time;
188 static int hf_netlogon_priv;
189 static int hf_netlogon_privilege_entries;
190 static int hf_netlogon_privilege_control;
191 static int hf_netlogon_privilege_name;
192 static int hf_netlogon_systemflags;
193 static int hf_netlogon_pdc_connection_status;
194 static int hf_netlogon_tc_connection_status;
195 static int hf_netlogon_restart_state;
196 static int hf_netlogon_attrs;
197 static int hf_netlogon_lsapolicy_len;
198 /* static int hf_netlogon_lsapolicy_referentid; */
199 /* static int hf_netlogon_lsapolicy_pointer; */
200 static int hf_netlogon_count;
201 static int hf_netlogon_entries;
202 static int hf_netlogon_minpasswdlen;
203 static int hf_netlogon_passwdhistorylen;
204 static int hf_netlogon_level16;
205 static int hf_netlogon_validation_level;
206 static int hf_netlogon_reference;
207 static int hf_netlogon_next_reference;
208 static int hf_netlogon_timestamp;
209 static int hf_netlogon_level;
210 static int hf_netlogon_challenge;
211 static int hf_netlogon_reserved;
212 static int hf_netlogon_audit_retention_period;
213 static int hf_netlogon_auditing_mode;
214 static int hf_netlogon_max_audit_event_count;
215 static int hf_netlogon_event_audit_option;
216 static int hf_netlogon_unknown_string;
217 static int hf_netlogon_new_password;
218 static int hf_netlogon_trust_extension;
219 static int hf_netlogon_trust_max;
220 static int hf_netlogon_trust_offset;
221 static int hf_netlogon_trust_len;
222 static int hf_netlogon_opaque_buffer_enc;
223 static int hf_netlogon_opaque_buffer_dec;
224 static int hf_netlogon_opaque_buffer_size;
225 static int hf_netlogon_dummy_string;
226 static int hf_netlogon_dummy_string2;
227 static int hf_netlogon_dummy_string3;
228 static int hf_netlogon_dummy_string4;
229 static int hf_netlogon_dummy_string5;
230 static int hf_netlogon_dummy_string6;
231 static int hf_netlogon_dummy_string7;
232 static int hf_netlogon_dummy_string8;
233 static int hf_netlogon_dummy_string9;
234 static int hf_netlogon_dummy_string10;
235 static int hf_netlogon_unknown_short;
236 static int hf_netlogon_unknown_long;
237 static int hf_netlogon_dummy1_long;
238 static int hf_netlogon_dummy2_long;
239 static int hf_netlogon_dummy3_long;
240 static int hf_netlogon_dummy4_long;
241 static int hf_netlogon_dummy5_long;
242 static int hf_netlogon_dummy6_long;
243 static int hf_netlogon_dummy7_long;
244 static int hf_netlogon_dummy8_long;
245 static int hf_netlogon_dummy9_long;
246 static int hf_netlogon_dummy10_long;
247 static int hf_netlogon_unknown_char;
248 static int hf_netlogon_logon_time;
249 static int hf_netlogon_logoff_time;
250 static int hf_netlogon_last_logoff_time;
251 static int hf_netlogon_kickoff_time;
252 static int hf_netlogon_pwd_age;
253 static int hf_netlogon_pwd_last_set_time;
254 static int hf_netlogon_pwd_can_change_time;
255 static int hf_netlogon_pwd_must_change_time;
256 static int hf_netlogon_nt_chal_resp;
257 static int hf_netlogon_lm_chal_resp;
258 static int hf_netlogon_credential;
259 static int hf_netlogon_acct_name;
260 static int hf_netlogon_acct_desc;
261 static int hf_netlogon_group_desc;
262 static int hf_netlogon_full_name;
263 static int hf_netlogon_comment;
264 static int hf_netlogon_parameters;
265 static int hf_netlogon_logon_script;
266 static int hf_netlogon_profile_path;
267 static int hf_netlogon_home_dir;
268 static int hf_netlogon_dir_drive;
269 static int hf_netlogon_logon_count;
270 static int hf_netlogon_logon_count16;
271 static int hf_netlogon_bad_pw_count;
272 static int hf_netlogon_bad_pw_count16;
273 static int hf_netlogon_user_rid;
274 static int hf_netlogon_alias_rid;
275 static int hf_netlogon_group_rid;
276 static int hf_netlogon_logon_srv;
277 /* static int hf_netlogon_principal; */
278 static int hf_netlogon_logon_dom;
279 static int hf_netlogon_resourcegroupcount;
280 static int hf_netlogon_accountdomaingroupcount;
281 static int hf_netlogon_domaingroupcount;
282 static int hf_netlogon_membership_domains_count;
283 static int hf_netlogon_downlevel_domain_name;
284 static int hf_netlogon_dns_domain_name;
285 static int hf_netlogon_ad_client_dns_name;
286 static int hf_netlogon_domain_name;
287 static int hf_netlogon_domain_create_time;
288 static int hf_netlogon_domain_modify_time;
289 static int hf_netlogon_modify_count;
290 static int hf_netlogon_db_modify_time;
291 static int hf_netlogon_db_create_time;
292 static int hf_netlogon_oem_info;
293 static int hf_netlogon_serial_number;
294 static int hf_netlogon_num_rids;
295 static int hf_netlogon_num_trusts;
296 static int hf_netlogon_num_controllers;
297 static int hf_netlogon_num_sid;
298 static int hf_netlogon_computer_name;
299 static int hf_netlogon_site_name;
300 static int hf_netlogon_trusted_dc_name;
301 static int hf_netlogon_dc_name;
302 static int hf_netlogon_dc_site_name;
303 static int hf_netlogon_dns_forest_name;
304 static int hf_netlogon_dc_address;
305 static int hf_netlogon_dc_address_type;
306 static int hf_netlogon_client_site_name;
307 static int hf_netlogon_workstation;
308 static int hf_netlogon_workstation_site_name;
309 static int hf_netlogon_os_version;
310 static int hf_netlogon_workstation_os;
311 static int hf_netlogon_workstation_flags;
312 static int hf_netlogon_supportedenctypes;
314 static int hf_netlogon_workstations;
315 static int hf_netlogon_workstation_fqdn;
316 static int hf_netlogon_group_name;
317 static int hf_netlogon_alias_name;
318 static int hf_netlogon_country;
319 static int hf_netlogon_codepage;
320 static int hf_netlogon_flags;
321 static int hf_netlogon_trust_attribs;
322 static int hf_netlogon_trust_attribs_non_transitive;
323 static int hf_netlogon_trust_attribs_uplevel_only;
324 static int hf_netlogon_trust_attribs_quarantined_domain;
325 static int hf_netlogon_trust_attribs_forest_transitive;
326 static int hf_netlogon_trust_attribs_cross_organization;
327 static int hf_netlogon_trust_attribs_within_forest;
328 static int hf_netlogon_trust_attribs_treat_as_external;
329 static int hf_netlogon_trust_type;
330 static int hf_netlogon_trust_flags;
331 static int hf_netlogon_trust_flags_inbound;
332 static int hf_netlogon_trust_flags_outbound;
333 static int hf_netlogon_trust_flags_in_forest;
334 static int hf_netlogon_trust_flags_native_mode;
335 static int hf_netlogon_trust_flags_primary;
336 static int hf_netlogon_trust_flags_tree_root;
337 static int hf_netlogon_trust_parent_index;
338 static int hf_netlogon_user_account_control;
339 static int hf_netlogon_user_account_control_dont_require_preauth;
340 static int hf_netlogon_user_account_control_use_des_key_only;
341 static int hf_netlogon_user_account_control_not_delegated;
342 static int hf_netlogon_user_account_control_trusted_for_delegation;
343 static int hf_netlogon_user_account_control_smartcard_required;
344 static int hf_netlogon_user_account_control_encrypted_text_password_allowed;
345 static int hf_netlogon_user_account_control_account_auto_locked;
346 static int hf_netlogon_user_account_control_dont_expire_password;
347 static int hf_netlogon_user_account_control_server_trust_account;
348 static int hf_netlogon_user_account_control_workstation_trust_account;
349 static int hf_netlogon_user_account_control_interdomain_trust_account;
350 static int hf_netlogon_user_account_control_mns_logon_account;
351 static int hf_netlogon_user_account_control_normal_account;
352 static int hf_netlogon_user_account_control_temp_duplicate_account;
353 static int hf_netlogon_user_account_control_password_not_required;
354 static int hf_netlogon_user_account_control_home_directory_required;
355 static int hf_netlogon_user_account_control_account_disabled;
356 static int hf_netlogon_user_flags;
357 static int hf_netlogon_user_flags_extra_sids;
358 static int hf_netlogon_user_flags_resource_groups;
359 static int hf_netlogon_auth_flags;
360 static int hf_netlogon_pwd_expired;
361 static int hf_netlogon_nt_pwd_present;
362 static int hf_netlogon_lm_pwd_present;
363 static int hf_netlogon_code;
364 static int hf_netlogon_database_id;
365 static int hf_netlogon_sync_context;
366 static int hf_netlogon_max_size;
367 static int hf_netlogon_max_log_size;
368 static int hf_netlogon_dns_host;
369 static int hf_netlogon_acct_expiry_time;
370 static int hf_netlogon_encrypted_lm_owf_password;
371 static int hf_netlogon_lm_owf_password;
372 static int hf_netlogon_nt_owf_password;
373 static int hf_netlogon_param_ctrl;
374 static int hf_netlogon_logon_id;
375 static int hf_netlogon_num_deltas;
376 static int hf_netlogon_user_session_key;
377 static int hf_netlogon_blob_size;
378 static int hf_netlogon_blob;
379 static int hf_netlogon_logon_attempts;
380 static int hf_netlogon_authoritative;
381 static int hf_netlogon_secure_channel_type;
382 static int hf_netlogon_logonsrv_handle;
383 static int hf_netlogon_delta_type;
384 static int hf_netlogon_get_dcname_request_flags;
385 static int hf_netlogon_get_dcname_request_flags_force_rediscovery;
386 static int hf_netlogon_get_dcname_request_flags_directory_service_required;
387 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred;
388 static int hf_netlogon_get_dcname_request_flags_gc_server_required;
389 static int hf_netlogon_get_dcname_request_flags_pdc_required;
390 static int hf_netlogon_get_dcname_request_flags_background_only;
391 static int hf_netlogon_get_dcname_request_flags_ip_required;
392 static int hf_netlogon_get_dcname_request_flags_kdc_required;
393 static int hf_netlogon_get_dcname_request_flags_timeserv_required;
394 static int hf_netlogon_get_dcname_request_flags_writable_required;
395 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred;
396 static int hf_netlogon_get_dcname_request_flags_avoid_self;
397 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed;
398 static int hf_netlogon_get_dcname_request_flags_is_flat_name;
399 static int hf_netlogon_get_dcname_request_flags_is_dns_name;
400 static int hf_netlogon_get_dcname_request_flags_return_dns_name;
401 static int hf_netlogon_get_dcname_request_flags_return_flat_name;
402 static int hf_netlogon_dc_flags;
403 static int hf_netlogon_dc_flags_pdc_flag;
404 static int hf_netlogon_dc_flags_gc_flag;
405 static int hf_netlogon_dc_flags_ldap_flag;
406 static int hf_netlogon_dc_flags_ds_flag;
407 static int hf_netlogon_dc_flags_kdc_flag;
408 static int hf_netlogon_dc_flags_timeserv_flag;
409 static int hf_netlogon_dc_flags_closest_flag;
410 static int hf_netlogon_dc_flags_writable_flag;
411 static int hf_netlogon_dc_flags_good_timeserv_flag;
412 static int hf_netlogon_dc_flags_ndnc_flag;
413 static int hf_netlogon_dc_flags_dns_controller_flag;
414 static int hf_netlogon_dc_flags_dns_domain_flag;
415 static int hf_netlogon_dc_flags_dns_forest_flag;
416 /* static int hf_netlogon_dnsdomaininfo; */
417 static int hf_netlogon_s4u2proxytarget;
418 static int hf_netlogon_transitedlistsize;
419 static int hf_netlogon_transited_service;
420 static int hf_netlogon_logon_duration;
421 static int hf_netlogon_time_created;
423 static int ett_nt_counted_longs_as_string;
424 static int ett_dcerpc_netlogon;
425 static int ett_group_attrs;
426 static int ett_user_flags;
427 static int ett_user_account_control;
428 static int ett_QUOTA_LIMITS;
429 static int ett_IDENTITY_INFO;
430 static int ett_DELTA_ENUM;
431 static int ett_authenticate_flags;
432 static int ett_CYPHER_VALUE;
433 static int ett_UNICODE_MULTI;
434 static int ett_DOMAIN_CONTROLLER_INFO;
435 static int ett_netr_CryptPassword;
436 static int ett_NL_PASSWORD_VERSION;
437 static int ett_NL_GENERIC_RPC_DATA;
438 static int ett_TYPE_50;
439 static int ett_TYPE_52;
440 static int ett_DELTA_ID_UNION;
441 static int ett_CAPABILITIES;
442 static int ett_DELTA_UNION;
443 static int ett_LM_OWF_PASSWORD;
444 static int ett_NT_OWF_PASSWORD;
445 static int ett_GROUP_MEMBERSHIP;
446 static int ett_BLOB;
447 static int ett_DS_DOMAIN_TRUSTS;
448 static int ett_LSA_POLICY_INFO;
449 static int ett_DOMAIN_TRUST_INFO;
450 static int ett_trust_flags;
451 static int ett_trust_attribs;
452 static int ett_get_dcname_request_flags;
453 static int ett_dc_flags;
454 static int ett_wstr_LOGON_IDENTITY_INFO_string;
455 static int ett_domain_group_memberships;
456 static int ett_domains_group_memberships;
458 static expert_field ei_netlogon_auth_nthash;
459 static expert_field ei_netlogon_session_key;
/*
 * State this dissector keeps for one Netlogon authentication.
 *
 * NOTE(review): the code that fills and reads these fields is outside this
 * excerpt, so the roles noted below are inferred from the field names and
 * should be confirmed. The structure holds key material (nthash,
 * session_key, encryption_key); anything that dumps it discloses secrets.
 */
typedef struct _netlogon_auth_vars {
    uint64_t client_challenge;
    uint64_t server_challenge;
    md4_pass nthash;
    int auth_fd_num;
    uint8_t session_key[16];    /* fixed 16-byte buffer */
    uint8_t encryption_key[16]; /* fixed 16-byte buffer */
    uint8_t sequence[16];       /* fixed 16-byte buffer */
    uint32_t flags;
    uint64_t seq;
    uint64_t confounder;
    uint8_t private_type;
    bool can_decrypt;
    char* client_name;
    int start;
    int next_start;
    /* Entries are chained into a singly linked list through this pointer. */
    struct _netlogon_auth_vars *next;
} netlogon_auth_vars;
480 static gcry_error_t prepare_session_key_cipher(netlogon_auth_vars *vars,
481 gcry_cipher_hd_t *_cipher_hd);
/*
 * A flag plus a 32-bit number.
 * NOTE(review): presumably records the last frame already processed; the
 * code using it is outside this excerpt — confirm.
 */
typedef struct _seen_packet {
    bool isseen;
    uint32_t num;
} seen_packet;

/* Single file-scope instance, shared by every packet this dissector handles. */
static seen_packet seen;
490 static e_guid_t uuid_dcerpc_netlogon = {
491 0x12345678, 0x1234, 0xabcd,
492 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
495 static uint16_t ver_dcerpc_netlogon = 1;
/*
 * Read an 8-byte field at `offset`, add it to `tree` under `hfindex`, and
 * optionally hand the value back to the caller.
 *
 * drep:   DCE/RPC data representation; drep[0] selects the byte order used
 *         for the value stored through `pdata`.
 * pdata:  when non-NULL, receives the 64-bit value.
 * return: the offset just past the field (offset + 8).
 *
 * The value is fetched before anything is added to the tree, so a short
 * buffer is reported by the tvb accessor first.
 */
static int dissect_dcerpc_8bytes (tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
                       proto_tree *tree, uint8_t *drep,
                       int hfindex, uint64_t *pdata)
{
    uint64_t value;

    if (drep[0] & DREP_LITTLE_ENDIAN) {
        value = tvb_get_letoh64(tvb, offset);
    } else {
        value = tvb_get_ntoh64(tvb, offset);
    }

    /* The displayed item is added as raw bytes (ENC_NA), so the byte order
     * only matters for the value returned through pdata. */
    if (tree != NULL) {
        proto_tree_add_item(tree, hfindex, tvb, offset, 8, ENC_NA);
    }

    if (pdata != NULL) {
        *pdata = value;
    }

    return offset + 8;
}
/*
 * Display strings for the user-account-control bits. In each table the first
 * string is shown when the bit is set and the second when it is clear.
 *
 * When reading a capture for account hygiene, the bits that relax
 * authentication are the ones to look at first: DONT_REQUIRE_PREAUTH,
 * USE_DES_KEY_ONLY, ENCRYPTED_TEXT_PASSWORD_ALLOWED, PASSWORD_NOT_REQUIRED
 * and TRUSTED_FOR_DELEGATION.
 */
static const true_false_string user_account_control_dont_require_preauth= {
    "This account DOESN'T_REQUIRE_PREAUTHENTICATION",
    "This account REQUIRES preauthentication",
};
static const true_false_string user_account_control_use_des_key_only= {
    "This account must USE_DES_KEY_ONLY for passwords",
    "This account does NOT have to use_des_key_only",
};
static const true_false_string user_account_control_not_delegated= {
    "This account is NOT_DELEGATED",
    "This might have been delegated",
};
static const true_false_string user_account_control_trusted_for_delegation= {
    "This account is TRUSTED_FOR_DELEGATION",
    "This account is NOT trusted_for_delegation",
};
static const true_false_string user_account_control_smartcard_required= {
    "This account REQUIRES_SMARTCARD to authenticate",
    "This account does NOT require_smartcard to authenticate",
};
static const true_false_string user_account_control_encrypted_text_password_allowed= {
    "This account allows ENCRYPTED_TEXT_PASSWORD",
    "This account does NOT allow encrypted_text_password",
};
static const true_false_string user_account_control_account_auto_locked= {
    "This account is AUTO_LOCKED",
    "This account is NOT auto_locked",
};
static const true_false_string user_account_control_dont_expire_password= {
    "This account DOESN'T_EXPIRE_PASSWORDs",
    "This account might expire_passwords",
};
static const true_false_string user_account_control_server_trust_account= {
    "This account is a SERVER_TRUST_ACCOUNT",
    "This account is NOT a server_trust_account",
};
static const true_false_string user_account_control_workstation_trust_account= {
    "This account is a WORKSTATION_TRUST_ACCOUNT",
    "This account is NOT a workstation_trust_account",
};
static const true_false_string user_account_control_interdomain_trust_account= {
    "This account is an INTERDOMAIN_TRUST_ACCOUNT",
    "This account is NOT an interdomain_trust_account",
};
static const true_false_string user_account_control_mns_logon_account= {
    "This account is a MNS_LOGON_ACCOUNT",
    "This account is NOT a mns_logon_account",
};
static const true_false_string user_account_control_normal_account= {
    "This account is a NORMAL_ACCOUNT",
    "This account is NOT a normal_account",
};
static const true_false_string user_account_control_temp_duplicate_account= {
    "This account is a TEMP_DUPLICATE_ACCOUNT",
    "This account is NOT a temp_duplicate_account",
};
static const true_false_string user_account_control_password_not_required= {
    "This account REQUIRES_NO_PASSWORD",
    "This account REQUIRES a password",
};
static const true_false_string user_account_control_home_directory_required= {
    "This account REQUIRES_HOME_DIRECTORY",
    "This account does NOT require_home_directory",
};
static const true_false_string user_account_control_account_disabled= {
    "This account is DISABLED",
    "This account is NOT disabled",
};
/* Key for looking up authentication state by the two endpoint addresses. */
typedef struct _netlogon_auth_key {
    /*
     * For now we only match the client and server ip
     * addresses, as keys can be used across tcp connections.
     *
     * Also note that ServerChallenge and ServerAuthenticate
     * can be on different tcp connections!
     *
     * TODO:
     * * We could have a challenge table indexed by client, server
     *   and computer name
     * * A good ServerAuthenticate could fill a session key table
     *   indexed by computer name.
     * * A DCERPC bind/alter context could lookup the session key table
     *   and copy the session key to the DCERPC connection/auth_context.
     *
     * NOTE(review): because only addresses are compared, distinct machines
     * that appear behind one client address would presumably share an
     * entry — confirm against the lookup code.
     */
    address client;
    address server;
} netlogon_auth_key;
/*
 * Equality callback for netlogon_auth_key: two keys match when both the
 * client and the server address are equal.
 *
 * return: 1 when the keys match, 0 otherwise.
 */
static int
netlogon_auth_equal (const void *k1, const void *k2)
{
    const netlogon_auth_key *lhs = (const netlogon_auth_key *)k1;
    const netlogon_auth_key *rhs = (const netlogon_auth_key *)k2;

    /* The server address is only compared when the client address matched. */
    if (!addresses_equal(&lhs->client, &rhs->client)) {
        return 0;
    }
    if (!addresses_equal(&lhs->server, &rhs->server)) {
        return 0;
    }
    return 1;
}
/*
 * Hash callback for netlogon_auth_key: folds the client address and then the
 * server address into one value, starting from zero. It covers exactly the
 * fields netlogon_auth_equal() compares.
 */
static unsigned
netlogon_auth_hash (const void *k)
{
    const netlogon_auth_key *key = (const netlogon_auth_key *)k;
    unsigned folded;

    folded = add_address_to_hash(0, &key->client);
    return add_address_to_hash(folded, &key->server);
}
/*
 * Lookup key made of a conversation pointer, a 64-bit transport salt and an
 * auth context id. All three fields take part in both the hash and the
 * equality callback defined for this type.
 */
typedef struct _dcerpc_auth_schannel_key {
    conversation_t *conv;
    uint64_t transport_salt;
    uint32_t auth_context_id;
} dcerpc_auth_schannel_key;
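/*
 * Hash callback for dcerpc_auth_schannel_key.
 *
 * Sums the conversation pointer, both 32-bit halves of the transport salt and
 * the auth context id. Equal keys always produce equal hashes.
 *
 * The earlier form added `transport_salt << sizeof(unsigned)`, which shifts
 * left by a byte count and then truncates, so the upper half of the salt never
 * reached the hash. Folding the upper half in with a right shift is what the
 * "might be smaller" remark asks for and spreads keys that differ only there.
 */
static unsigned
dcerpc_auth_schannel_key_hash(const void *k)
{
    const dcerpc_auth_schannel_key *key = (const dcerpc_auth_schannel_key *)k;
    unsigned hash;

    hash = GPOINTER_TO_UINT(key->conv);
    /* sizeof(unsigned) might be smaller than sizeof(uint64_t): add the low
     * 32 bits and the high 32 bits separately. A fixed shift of 32 is always
     * defined for a uint64_t operand. */
    hash += (unsigned)key->transport_salt;
    hash += (unsigned)(key->transport_salt >> 32);
    hash += key->auth_context_id;

    return hash;
}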
/*
 * Equality callback for dcerpc_auth_schannel_key: keys match only when the
 * conversation pointer, the transport salt and the auth context id all agree.
 *
 * return: 1 when the keys match, 0 otherwise.
 */
static int
dcerpc_auth_schannel_key_equal(const void *k1, const void *k2)
{
    const dcerpc_auth_schannel_key *lhs = (const dcerpc_auth_schannel_key *)k1;
    const dcerpc_auth_schannel_key *rhs = (const dcerpc_auth_schannel_key *)k2;

    if (lhs->conv != rhs->conv) {
        return 0;
    }
    if (lhs->transport_salt != rhs->transport_salt) {
        return 0;
    }
    return lhs->auth_context_id == rhs->auth_context_id;
}
/*
 * Dissect a 32-bit extra-flags word and show it as a bitmask under
 * hf_netlogon_extraflags.
 *
 * return: the offset after the word, or the unchanged offset during a
 *         conformant run.
 */
static int
netlogon_dissect_EXTRA_FLAGS(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    static int * const extraflags[] = {
        &hf_netlogon_extra_flags_root_forest,
        &hf_netlogon_trust_flags_dc_firsthop,
        &hf_netlogon_trust_flags_rodc_to_dc,
        &hf_netlogon_trust_flags_rodc_ntlm,
        NULL
    };
    uint32_t flag_bits;

    /* A conformant run only handles conformant arrays; nothing to dissect. */
    if (!di->conformant_run) {
        /* Fetch the value only (NULL tree, hf index -1); the bitmask item
         * below is what gets displayed, placed over the 4 bytes just read. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                    -1, &flag_bits);

        proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_extraflags, ett_trust_flags, extraflags, flag_bits, BMT_NO_APPEND);
    }

    return offset;
}
struct LOGON_INFO_STATE;

/*
 * Callback argument handed to the per-field dissection callbacks. It ties one
 * field back to the LOGON_INFO_STATE that collects all of them.
 */
struct LOGON_INFO_STATE_CB {
    struct LOGON_INFO_STATE *state; /* owning state, passed on once the field is read */
    ntlmssp_blob *response;         /* blob the byte-array callback fills in */
    /* NOTE(review): name_ptr and name_levels are not used in the visible
     * code; presumably for the string fields — confirm. */
    const uint8_t **name_ptr;
    int name_levels;
};
/*
 * Everything collected while dissecting one logon-info structure. Once the
 * account name and both responses are present, the contents are passed to
 * ntlmssp_create_session_key() by dissect_LOGON_INFO_STATE_finish().
 */
struct LOGON_INFO_STATE {
    packet_info *pinfo;
    proto_tree *tree;
    uint8_t server_challenge[8];  /* fixed 8-byte buffer */
    ntlmssp_blob nt_response;
    ntlmssp_blob lm_response;
    ntlmssp_header_t ntlmssph;
    /* One callback argument per field. */
    struct LOGON_INFO_STATE_CB domain_cb, acct_cb, host_cb, nt_cb, lm_cb;
};
/*
 * Try to derive the NTLMSSP session key from the collected logon info.
 *
 * Nothing happens until an account name is known and both the NT and the LM
 * response are at least 24 bytes long. A missing domain or host name is
 * replaced by the empty string before the key derivation is called.
 *
 * This is called after each response field, so it may run more than once for
 * the same state.
 */
static void dissect_LOGON_INFO_STATE_finish(struct LOGON_INFO_STATE *state)
{
    if (state->ntlmssph.acct_name == NULL) {
        return;
    }
    if (state->nt_response.length < 24) {
        return;
    }
    if (state->lm_response.length < 24) {
        return;
    }

    if (state->ntlmssph.domain_name == NULL) {
        state->ntlmssph.domain_name = (const uint8_t *)"";
    }
    if (state->ntlmssph.host_name == NULL) {
        state->ntlmssph.host_name = (const uint8_t *)"";
    }

    ntlmssp_create_session_key(state->pinfo,
                               state->tree,
                               &state->ntlmssph,
                               0, /* NTLMSSP_ flags */
                               state->server_challenge,
                               NULL, /* encryptedsessionkey */
                               &state->nt_response,
                               &state->lm_response);
}
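/*
 * Callback run after an NT/LM response byte array has been dissected: copies
 * the array payload into the blob named by the callback argument and then
 * lets dissect_LOGON_INFO_STATE_finish() try the session-key derivation.
 *
 * start_offset / end_offset: extent of the array in `tvb`, including its NDR
 *                            array header.
 * callback_args:             a struct LOGON_INFO_STATE_CB, or NULL to do
 *                            nothing.
 *
 * The payload length is clamped to NTLMSSP_BLOB_MAX_SIZE. If the array ends
 * before its header does (end_offset <= offset after the header is skipped),
 * the length is taken as zero. The subtraction would otherwise go negative,
 * turn into a huge unsigned value and be clamped to the maximum, copying
 * bytes that lie outside the array into the response blob.
 */
static void dissect_ndr_lm_nt_byte_array(packet_info *pinfo,
                                         proto_tree *tree,
                                         proto_item *item _U_,
                                         dcerpc_info *di,
                                         tvbuff_t *tvb,
                                         int start_offset,
                                         int end_offset,
                                         void *callback_args)
{
    struct LOGON_INFO_STATE_CB *cb_ref = (struct LOGON_INFO_STATE_CB *)callback_args;
    struct LOGON_INFO_STATE *state = NULL;
    int offset = start_offset;
    uint64_t tmp;
    uint16_t len;

    if (cb_ref == NULL) {
        return;
    }
    state = cb_ref->state;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, no scalars to dissect */
        return;
    }

    /* NDR array header */
    ALIGN_TO_5_BYTES
    if (di->call_data->flags & DCERPC_IS_NDR64) {
        offset += 3 * 8;
    } else {
        offset += 3 * 4;
    }

    /* Never let a truncated array produce a negative (wrapped) length. */
    if (end_offset > offset) {
        tmp = (uint64_t)(end_offset - offset);
    } else {
        tmp = 0;
    }
    if (tmp > NTLMSSP_BLOB_MAX_SIZE) {
        tmp = NTLMSSP_BLOB_MAX_SIZE;
    }
    /* assumes NTLMSSP_BLOB_MAX_SIZE fits in 16 bits — TODO confirm */
    len = (uint16_t)tmp;
    cb_ref->response->length = len;
    cb_ref->response->contents = (uint8_t *)tvb_memdup(pinfo->pool, tvb, offset, len);
    /* Only responses longer than 24 bytes are handed to the NTLMv2 dissector. */
    if (len > 24) {
        dissect_ntlmv2_response(tvb, pinfo, tree, offset, len);
    }

    dissect_LOGON_INFO_STATE_finish(state);
}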
/*
 * Dissect a counted byte-array structure of the form
 *
 *     struct {
 *         short len;
 *         short size;
 *         [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
 *     } HASH;
 *
 * and register `callback` (with `callback_args`) on the pointed-to array.
 *
 * The two 16-bit values are added to the tree; this function does not use
 * them for anything else.
 *
 * return: the offset after the structure. During a conformant run only the
 *         alignment is applied.
 */
static int
dissect_ndr_lm_nt_hash_cb(tvbuff_t *tvb, int offset,
                          packet_info *pinfo, proto_tree *tree,
                          dcerpc_info *di, uint8_t *drep, int hf_index,
                          dcerpc_callback_fnct_t *callback,
                          void *callback_args)
{
    uint16_t used_len, alloc_size;

    /* Structure starts with short, but is aligned for longs */
    ALIGN_TO_4_BYTES;

    if (!di->conformant_run) {
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                    hf_nt_cs_len, &used_len);

        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                    hf_nt_cs_size, &alloc_size);

        offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
                                        dissect_ndr_byte_array, NDR_POINTER_UNIQUE,
                                        "Bytes Array", hf_index, callback, callback_args);
    }

    return offset;
}
/*
 * Open a subtree named after `hf_index` and dissect an NT/LM response into
 * it, with dissect_ndr_lm_nt_byte_array() as the callback that captures the
 * bytes for `cb_ref`.
 *
 * return: the offset after the dissected structure.
 */
static int
dissect_ndr_lm_nt_hash_helper(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep, int hf_index,
                              struct LOGON_INFO_STATE_CB *cb_ref)
{
    /* The subtree is created with length 0 and the field's registered name. */
    proto_tree *hash_tree = proto_tree_add_subtree(
        tree, tvb, offset, 0, ett_LM_OWF_PASSWORD, NULL,
        proto_registrar_get_name(hf_index));

    offset = dissect_ndr_lm_nt_hash_cb(
        tvb, offset, pinfo, hash_tree, di, drep, hf_index,
        dissect_ndr_lm_nt_byte_array, cb_ref);

    return offset;
}
/*
 * Dissect the 32-bit user-account-control word and show it as a bitmask
 * under hf_netlogon_user_account_control.
 *
 * return: the offset after the word, or the unchanged offset during a
 *         conformant run.
 */
static int
netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    static int * const uac[] = {
        &hf_netlogon_user_account_control_dont_require_preauth,
        &hf_netlogon_user_account_control_use_des_key_only,
        &hf_netlogon_user_account_control_not_delegated,
        &hf_netlogon_user_account_control_trusted_for_delegation,
        &hf_netlogon_user_account_control_smartcard_required,
        &hf_netlogon_user_account_control_encrypted_text_password_allowed,
        &hf_netlogon_user_account_control_account_auto_locked,
        &hf_netlogon_user_account_control_dont_expire_password,
        &hf_netlogon_user_account_control_server_trust_account,
        &hf_netlogon_user_account_control_workstation_trust_account,
        &hf_netlogon_user_account_control_interdomain_trust_account,
        &hf_netlogon_user_account_control_mns_logon_account,
        &hf_netlogon_user_account_control_normal_account,
        &hf_netlogon_user_account_control_temp_duplicate_account,
        &hf_netlogon_user_account_control_password_not_required,
        &hf_netlogon_user_account_control_home_directory_required,
        &hf_netlogon_user_account_control_account_disabled,
        NULL
    };
    uint32_t uac_bits;

    /* A conformant run only handles conformant arrays; nothing to dissect. */
    if (!di->conformant_run) {
        /* Fetch the value only (NULL tree, hf index -1); the bitmask item
         * below is what gets displayed, placed over the 4 bytes just read. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                    -1, &uac_bits);

        proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_user_account_control, ett_user_account_control, uac, uac_bits, BMT_NO_APPEND);
    }

    return offset;
}
/*
 * Dissect the server handle: a unique pointer to a string, shown as
 * "Server Handle" under hf_netlogon_logonsrv_handle.
 *
 * return: the offset after the pointer.
 */
static int
netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_UNIQUE, "Server Handle",
                                        hf_netlogon_logonsrv_handle, 0);
}
/*
 * IDL typedef struct {
 * IDL   [unique][string] wchar_t *effective_name;
 * IDL   long priv;
 * IDL   long auth_flags;
 * IDL   long logon_count;
 * IDL   long bad_pw_count;
 * IDL   long last_logon;
 * IDL   long last_logoff;
 * IDL   long logoff_time;
 * IDL   long kickoff_time;
 * IDL   long password_age;
 * IDL   long pw_can_change;
 * IDL   long pw_must_change;
 * IDL   [unique][string] wchar_t *computer;
 * IDL   [unique][string] wchar_t *domain;
 * IDL   [unique][string] wchar_t *script_path;
 * IDL   long reserved;
 */
/*
 * Dissect the fields of VALIDATION_UAS_INFO in wire order: the account
 * name pointer, four 32-bit counters, seven time_t values, three string
 * pointers and a trailing reserved long.  Returns the offset after the
 * structure, or the unchanged offset during a conformant run.
 */
static int
netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    /* 32-bit values that follow the account name, in wire order. */
    static int * const counter_fields[] = {
        &hf_netlogon_priv,
        &hf_netlogon_auth_flags,
        &hf_netlogon_logon_count,
        &hf_netlogon_bad_pw_count,
        NULL
    };
    /* time_t values that follow the counters, in wire order. */
    static int * const time_fields[] = {
        &hf_netlogon_logon_time,
        &hf_netlogon_last_logoff_time,
        &hf_netlogon_logoff_time,
        &hf_netlogon_kickoff_time,
        &hf_netlogon_pwd_age,
        &hf_netlogon_pwd_can_change_time,
        &hf_netlogon_pwd_must_change_time,
        NULL
    };
    int * const *hf;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Effective Account",
                                          hf_netlogon_acct_name, 0);

    for (hf = counter_fields; *hf != NULL; hf++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    **hf, NULL);
    }

    for (hf = time_fields; *hf != NULL; hf++) {
        offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep,
                                    **hf, NULL);
    }

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_domain_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Script",
                                          hf_netlogon_logon_script, 0);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_reserved, NULL);
}
/*
 * IDL long NetrLogonUasLogon(
 * IDL      [in][unique][string] wchar_t *ServerName,
 * IDL      [in][ref][string] wchar_t *UserName,
 * IDL      [in][ref][string] wchar_t *Workstation,
 * IDL      [out][unique] VALIDATION_UAS_INFO *info
 * IDL );
 */
/*
 * Request side of NetrLogonUasLogon: server handle, account name (also
 * passed with CB_STR_COL_INFO) and workstation name.
 */
static int
netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    int cursor = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                                                  di, drep);

    cursor = dissect_ndr_str_pointer_item(tvb, cursor, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Account",
                                          hf_netlogon_acct_name, CB_STR_COL_INFO);

    return dissect_ndr_str_pointer_item(tvb, cursor, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "Workstation",
                                        hf_netlogon_workstation, 0);
}
/*
 * Reply side of NetrLogonUasLogon: a unique pointer to VALIDATION_UAS_INFO
 * followed by the status value shown as hf_netlogon_dos_rc.
 */
static int
netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    int cursor = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_VALIDATION_UAS_INFO,
                                     NDR_POINTER_UNIQUE,
                                     "VALIDATION_UAS_INFO", -1);

    return dissect_ntstatus(tvb, cursor, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * IDL typedef struct {
 * IDL   long duration;
 * IDL   short logon_count;
 * IDL } LOGOFF_UAS_INFO;
 */
/*
 * Dissect LOGOFF_UAS_INFO: a 32-bit duration (shown with the fixed text
 * "unknown time format") followed by a 16-bit logon count.  Returns the
 * unchanged offset during a conformant run.
 */
static int
netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    uint32_t logon_duration;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    /*
     * The duration is read straight from the buffer rather than through
     * dissect_ndr_uint32().
     * NOTE(review): netlogon_dissect_AUTHENTICATOR runs ALIGN_TO_4_BYTES
     * before its raw read; no alignment step precedes this one - confirm
     * that callers always arrive here 4-byte aligned.
     */
    logon_duration = tvb_get_uint32(tvb, offset, DREP_ENC_INTEGER(drep));
    proto_tree_add_uint_format_value(tree, hf_netlogon_logon_duration, tvb,
                                     offset, 4, logon_duration,
                                     "unknown time format");
    offset += 4;

    return dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_logon_count16, NULL);
}
/*
 * IDL long NetrLogonUasLogoff(
 * IDL      [in][unique][string] wchar_t *ServerName,
 * IDL      [in][ref][string] wchar_t *UserName,
 * IDL      [in][ref][string] wchar_t *Workstation,
 * IDL      [out][ref] LOGOFF_UAS_INFO *info
 * IDL );
 */
/*
 * Request side of NetrLogonUasLogoff: server handle, account name (also
 * passed with CB_STR_COL_INFO) and workstation name.
 */
static int
netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    int cursor = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                                                  di, drep);

    cursor = dissect_ndr_str_pointer_item(tvb, cursor, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Account",
                                          hf_netlogon_acct_name, CB_STR_COL_INFO);

    return dissect_ndr_str_pointer_item(tvb, cursor, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "Workstation",
                                        hf_netlogon_workstation, 0);
}
/*
 * Reply side of NetrLogonUasLogoff: a ref pointer to LOGOFF_UAS_INFO
 * followed by the status value shown as hf_netlogon_dos_rc.
 */
static int
netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *tree,
                                          dcerpc_info *di, uint8_t *drep)
{
    int cursor = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_LOGOFF_UAS_INFO,
                                     NDR_POINTER_REF,
                                     "LOGOFF_UAS_INFO", -1);

    return dissect_ntstatus(tvb, cursor, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/* Dissect one byte as hf_netlogon_unknown_char; element callback for
 * netlogon_dissect_BYTE_array. */
static int
netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/* Dissect an unidimensional conformant array whose elements are handled
 * by netlogon_dissect_BYTE_byte. */
static int
netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_byte);
}
/*
 * String callback for the LOGON_IDENTITY_INFO names.  It runs the regular
 * wide-string post-processing with the options stored in the callback
 * state, records the call's private_data pointer in the name slot the
 * state points at (only if that slot is still NULL), and then calls
 * dissect_LOGON_INFO_STATE_finish() on the shared state.
 *
 * callback_args must be a struct LOGON_INFO_STATE_CB pointer; it is
 * dereferenced without a NULL check.
 */
static void cb_wstr_LOGON_IDENTITY_INFO(packet_info *pinfo, proto_tree *tree,
                                        proto_item *item, dcerpc_info *di,
                                        tvbuff_t *tvb,
                                        int start_offset, int end_offset,
                                        void *callback_args)
{
    struct LOGON_INFO_STATE_CB *cb =
        (struct LOGON_INFO_STATE_CB *)callback_args;
    dcerpc_call_value *call = (dcerpc_call_value *)di->call_data;
    struct LOGON_INFO_STATE *logon_state = cb->state;

    cb_wstr_postprocess(pinfo, tree, item, di, tvb, start_offset, end_offset,
                        GINT_TO_POINTER(cb->name_levels));

    /*
     * NOTE(review): presumably cb_wstr_postprocess() stores the decoded
     * string in call->private_data because CB_STR_SAVE is set in
     * name_levels.  If it can return without saving (not visible here),
     * private_data may still hold an earlier string - confirm.
     */
    if (*cb->name_ptr == NULL) {
        *cb->name_ptr = (const uint8_t *)call->private_data;
    }

    dissect_LOGON_INFO_STATE_finish(logon_state);
}
/*
 * Dissect a counted string belonging to LOGON_IDENTITY_INFO.
 *
 * Without callback state (cb_ref == NULL) this is a plain
 * dissect_ndr_counted_string() call.  With state, the string is placed in
 * its own subtree named after hf_index and cb_wstr_LOGON_IDENTITY_INFO is
 * registered so the decoded value can be captured.
 */
static int
dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep,
                                     int hf_index, int levels,
                                     struct LOGON_INFO_STATE_CB *cb_ref)
{
    proto_item *string_item = NULL;
    proto_tree *string_tree = NULL;

    if (cb_ref == NULL) {
        return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                          hf_index, levels);
    }

    string_tree = proto_tree_add_subtree(tree, tvb, offset, 0,
                                         ett_wstr_LOGON_IDENTITY_INFO_string,
                                         &string_item,
                                         proto_registrar_get_name(hf_index));

    /*
     * Add 2 levels, so that the string gets attached to the
     * "Character Array" top-level item and to the top-level item
     * added above.  CB_STR_SAVE is OR-ed into the same value.
     */
    cb_ref->name_levels = (2 + levels) | CB_STR_SAVE;

    return dissect_ndr_counted_string_cb(tvb, offset, pinfo, string_tree,
                                         di, drep, hf_index,
                                         cb_wstr_LOGON_IDENTITY_INFO, cb_ref);
}
/*
 * IDL typedef struct {
 * IDL   UNICODESTRING LogonDomainName;
 * IDL   long ParameterControl;
 * IDL   uint64 LogonID;
 * IDL   UNICODESTRING UserName;
 * IDL   UNICODESTRING Workstation;
 * IDL } LOGON_IDENTITY_INFO;
 */
/*
 * Dissect LOGON_IDENTITY_INFO under an "IDENTITY_INFO:" subtree.
 *
 * state may be NULL.  When it is set, the domain, account and workstation
 * strings are dissected with the matching callback slots of the state so
 * their values can be captured; otherwise they are plain counted strings.
 */
static int
netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *parent_tree,
                                     dcerpc_info *di, uint8_t *drep,
                                     struct LOGON_INFO_STATE *state)
{
    const int start_offset = offset;
    struct LOGON_INFO_STATE_CB *domain_cb = (state != NULL) ? &state->domain_cb : NULL;
    struct LOGON_INFO_STATE_CB *acct_cb = (state != NULL) ? &state->acct_cb : NULL;
    struct LOGON_INFO_STATE_CB *host_cb = (state != NULL) ? &state->host_cb : NULL;
    proto_item *identity_item = NULL;
    proto_tree *identity_tree = NULL;

    if (parent_tree) {
        identity_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                               ett_IDENTITY_INFO, &identity_item,
                                               "IDENTITY_INFO:");
    }

    /* XXX: It would be nice to get the domain and account name
       displayed in COL_INFO. */

    offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo,
                                                  identity_tree, di, drep,
                                                  hf_netlogon_logon_dom, 0,
                                                  domain_cb);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, identity_tree, di, drep,
                                hf_netlogon_param_ctrl, NULL);

    offset = dissect_ndr_duint32(tvb, offset, pinfo, identity_tree, di, drep,
                                 hf_netlogon_logon_id, NULL);

    offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo,
                                                  identity_tree, di, drep,
                                                  hf_netlogon_acct_name, 1,
                                                  acct_cb);

    offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo,
                                                  identity_tree, di, drep,
                                                  hf_netlogon_workstation, 0,
                                                  host_cb);

#ifdef REMOVED
    /* NetMon does not recognize these bytes. I'll comment them out until someone complains */
    /* XXX 8 extra bytes here */
    /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
       the idl file. Could be a bug in either the NETLOGON implementation or in the
       idl file.
    */
    offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, identity_tree, di, drep);
#endif

    /* The subtree was created with length 0; set its real extent now. */
    proto_item_set_len(identity_item, offset - start_offset);
    return offset;
}
/*
 * IDL typedef struct {
 * IDL   char password[16];
 * IDL } LM_OWF_PASSWORD;
 */
/*
 * Show the 16-byte LM_OWF_PASSWORD value as raw bytes under its own
 * subtree.  Returns the offset after the 16 bytes, or the unchanged offset
 * during a conformant run.
 *
 * The bytes are displayed exactly as captured; this function does no
 * decryption.  Captures that contain this field carry password-derived
 * material and should be stored and shared accordingly.
 */
static int
netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo _U_, proto_tree *parent_tree,
                                 dcerpc_info *di, uint8_t *drep _U_)
{
    proto_item *owf_item = NULL;
    proto_tree *owf_tree = NULL;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    if (parent_tree) {
        owf_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16,
                                          ett_LM_OWF_PASSWORD, &owf_item,
                                          "LM_OWF_PASSWORD:");
    }

    proto_tree_add_item(owf_tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
                        ENC_NA);

    return offset + 16;
}
/*
 * IDL typedef struct {
 * IDL   char password[16];
 * IDL } NT_OWF_PASSWORD;
 */
/*
 * Show the 16-byte NT_OWF_PASSWORD value as raw bytes under its own
 * subtree.  Returns the offset after the 16 bytes, or the unchanged offset
 * during a conformant run.
 *
 * The bytes are displayed exactly as captured; this function does no
 * decryption.  Captures that contain this field carry password-derived
 * material and should be stored and shared accordingly.
 */
static int
netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo _U_, proto_tree *parent_tree,
                                 dcerpc_info *di, uint8_t *drep _U_)
{
    proto_item *owf_item = NULL;
    proto_tree *owf_tree = NULL;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    if (parent_tree) {
        owf_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16,
                                          ett_NT_OWF_PASSWORD, &owf_item,
                                          "NT_OWF_PASSWORD:");
    }

    proto_tree_add_item(owf_tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
                        ENC_NA);

    return offset + 16;
}
/*
 * IDL typedef struct {
 * IDL   LOGON_IDENTITY_INFO identity_info;
 * IDL   LM_OWF_PASSWORD lmpassword;
 * IDL   NT_OWF_PASSWORD ntpassword;
 * IDL } INTERACTIVE_INFO;
 */
/*
 * Dissect INTERACTIVE_INFO: the identity block (without capture state)
 * followed by the LM and NT OWF password values.
 */
static int
netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    int cursor = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree,
                                                      di, drep, NULL);

    cursor = netlogon_dissect_LM_OWF_PASSWORD(tvb, cursor, pinfo, tree, di, drep);

    return netlogon_dissect_NT_OWF_PASSWORD(tvb, cursor, pinfo, tree, di, drep);
}
/*
 * IDL typedef struct {
 * IDL   char chl[8];
 * IDL } CHALLENGE;
 */
/*
 * Add the 8-byte challenge as hf_netlogon_challenge.  Returns offset + 8,
 * or the unchanged offset during a conformant run.
 */
static int
netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
                           packet_info *pinfo _U_, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep _U_)
{
    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8, ENC_NA);

    return offset + 8;
}
/*
 * Dissect NETWORK_INFO: identity block, 8-byte challenge, then the NT and
 * LM challenge responses.
 *
 * A struct LOGON_INFO_STATE is kept in di->private_data (created from
 * pinfo->pool on first use) so the names, the challenge and the two
 * responses can be collected through the per-field callbacks.
 */
static int
netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    struct LOGON_INFO_STATE *state =
        (struct LOGON_INFO_STATE *)di->private_data;
    struct LOGON_INFO_STATE_CB *nt_cb = NULL;
    struct LOGON_INFO_STATE_CB *lm_cb = NULL;
    int challenge_offset;

    if (state == NULL) {
        /* First visit: allocate zeroed state and wire each callback slot
         * back to it and to the field it fills in. */
        state = wmem_new0(pinfo->pool, struct LOGON_INFO_STATE);
        state->ntlmssph = (ntlmssp_header_t) { .type = NTLMSSP_AUTH, };

        state->domain_cb.state = state;
        state->domain_cb.name_ptr = &state->ntlmssph.domain_name;

        state->acct_cb.state = state;
        state->acct_cb.name_ptr = &state->ntlmssph.acct_name;

        state->host_cb.state = state;
        state->host_cb.name_ptr = &state->ntlmssph.host_name;

        state->nt_cb.state = state;
        state->nt_cb.response = &state->nt_response;

        state->lm_cb.state = state;
        state->lm_cb.response = &state->lm_response;

        di->private_data = state;
    }

    /* Refreshed on every call, not only when the state is created. */
    state->pinfo = pinfo;
    state->tree = tree;

    offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree,
                                                  di, drep, state);

    challenge_offset = offset;
    offset = netlogon_dissect_CHALLENGE(tvb, offset, pinfo, tree, di, drep);

    /*
     * netlogon_dissect_CHALLENGE() returns the offset unchanged during a
     * conformant run, so an advance of exactly 8 means the challenge was
     * really consumed.  Only then is it copied and are the response
     * callbacks enabled.
     * NOTE(review): assumes state->server_challenge holds at least 8
     * bytes - confirm against struct LOGON_INFO_STATE.
     */
    if (offset == (challenge_offset + 8)) {
        tvb_memcpy(tvb, state->server_challenge, challenge_offset, 8);
        nt_cb = &state->nt_cb;
        lm_cb = &state->lm_cb;
    }

    offset = dissect_ndr_lm_nt_hash_helper(tvb, offset, pinfo, tree, di, drep,
                                           hf_netlogon_nt_chal_resp, nt_cb);

    return dissect_ndr_lm_nt_hash_helper(tvb, offset, pinfo, tree, di, drep,
                                         hf_netlogon_lm_chal_resp, lm_cb);
}
/*
 * IDL typedef struct {
 * IDL   LOGON_IDENTITY_INFO logon_info;
 * IDL   LM_OWF_PASSWORD lmpassword;
 * IDL   NT_OWF_PASSWORD ntpassword;
 * IDL } SERVICE_INFO;
 */
/*
 * Dissect SERVICE_INFO: the identity block (without capture state)
 * followed by the LM and NT OWF password values.
 */
static int
netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    int cursor = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree,
                                                      di, drep, NULL);

    cursor = netlogon_dissect_LM_OWF_PASSWORD(tvb, cursor, pinfo, tree, di, drep);

    return netlogon_dissect_NT_OWF_PASSWORD(tvb, cursor, pinfo, tree, di, drep);
}
/*
 * Dissect GENERIC_INFO: identity block (without capture state), package
 * name, data length and a ref pointer to the logon data bytes.
 *
 * The data length is only displayed; it is not passed to the byte-array
 * dissector.
 */
static int
netlogon_dissect_GENERIC_INFO(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    int cursor = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree,
                                                      di, drep, NULL);

    cursor = dissect_ndr_counted_string(tvb, cursor, pinfo, tree, di, drep,
                                        hf_netlogon_package_name, CB_STR_SAVE);

    cursor = dissect_ndr_uint32(tvb, cursor, pinfo, tree, di, drep,
                                hf_netlogon_data_length, NULL);

    return dissect_ndr_pointer(tvb, cursor, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                               "Logon Data", -1);
}
/*
 * IDL typedef [switch_type(short)] union {
 * IDL   [case(1)][unique] INTERACTIVE_INFO *iinfo;
 * IDL   [case(2)][unique] NETWORK_INFO *ninfo;
 * IDL   [case(3)][unique] SERVICE_INFO *sinfo;
 * IDL } LEVEL;
 */
/*
 * Dissect the LEVEL union: a 16-bit level, 4-byte alignment, then a unique
 * pointer to the structure selected by the level.
 *
 * The code handles levels 1-7 although the IDL comment above lists only
 * 1-3; levels 5-7 reuse the dissectors of levels 1-3 under different
 * labels.  Any other level adds nothing after the level field.
 */
static int
netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
                       packet_info *pinfo, proto_tree *tree,
                       dcerpc_info *di, uint8_t *drep)
{
    int (*info_fn)(tvbuff_t *, int, packet_info *, proto_tree *,
                   dcerpc_info *, uint8_t *) = NULL;
    const char *label = NULL;
    uint16_t level = 0;

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, &level);
    ALIGN_TO_4_BYTES;

    switch (level) {
    case 1:
        info_fn = netlogon_dissect_INTERACTIVE_INFO;
        label = "INTERACTIVE_INFO:";
        break;
    case 2:
        info_fn = netlogon_dissect_NETWORK_INFO;
        label = "NETWORK_INFO:";
        break;
    case 3:
        info_fn = netlogon_dissect_SERVICE_INFO;
        label = "SERVICE_INFO:";
        break;
    case 4:
        info_fn = netlogon_dissect_GENERIC_INFO;
        label = "GENERIC_INFO:";
        break;
    case 5:
        info_fn = netlogon_dissect_INTERACTIVE_INFO;
        label = "INTERACTIVE_TRANSITIVE_INFO:";
        break;
    case 6:
        info_fn = netlogon_dissect_NETWORK_INFO;
        label = "NETWORK_TRANSITIVE_INFO";
        break;
    case 7:
        info_fn = netlogon_dissect_SERVICE_INFO;
        label = "SERVICE_TRANSITIVE_INFO";
        break;
    default:
        /* Unknown level: the union body is left undissected. */
        break;
    }

    if (info_fn != NULL) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     info_fn, NDR_POINTER_UNIQUE, label, -1);
    }

    return offset;
}
/*
 * IDL typedef struct {
 * IDL   char cred[8];
 * IDL } CREDENTIAL;
 */
/*
 * Add the 8-byte credential as hf_netlogon_credential.  Returns
 * offset + 8, or the unchanged offset during a conformant run.
 */
static int
netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
                            packet_info *pinfo _U_, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep _U_)
{
    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8, ENC_NA);

    return offset + 8;
}
/*
 * IDL typedef struct {
 * IDL   CREDENTIAL cred;
 * IDL   long timestamp;
 * IDL } AUTHENTICATOR;
 */
/*
 * Dissect AUTHENTICATOR: align to 4 bytes, then the 8-byte credential and
 * a 4-byte timestamp.  Returns the unchanged offset during a conformant
 * run.
 */
static int
netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
                               packet_info *pinfo, proto_tree *tree,
                               dcerpc_info *di, uint8_t *drep)
{
    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    ALIGN_TO_4_BYTES;

    offset = netlogon_dissect_CREDENTIAL(tvb, offset, pinfo, tree, di, drep);

    /*
     * XXX - this appears to be a UNIX time_t in some credentials, but
     * appears to be random junk in other credentials.
     * For example, it looks like a UNIX time_t in "credential"
     * AUTHENTICATORs, but like random junk in "return_authenticator"
     * AUTHENTICATORs.
     *
     * NOTE(review): the byte order is fixed to little-endian here rather
     * than taken from drep - confirm this is intended.
     */
    proto_tree_add_item(tree, hf_netlogon_timestamp, tvb, offset, 4,
                        ENC_TIME_SECS|ENC_LITTLE_ENDIAN);

    return offset + 4;
}
/*
 * IDL typedef struct {
 * IDL   long user_id;
 * IDL   long attributes;
 * IDL } GROUP_MEMBERSHIP;
 */
/*
 * Dissect one GROUP_MEMBERSHIP entry under a "GROUP_MEMBERSHIP:" subtree:
 * a 32-bit RID followed by the SE_GROUP attribute flags.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *parent_tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    proto_item *member_item = NULL;
    proto_tree *member_tree = NULL;

    if (parent_tree) {
        member_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                             ett_GROUP_MEMBERSHIP, &member_item,
                                             "GROUP_MEMBERSHIP:");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, member_tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    return dissect_ndr_nt_SE_GROUP_ATTRIBUTES(tvb, offset, pinfo, member_tree,
                                              di, drep);
}
/* Dissect an unidimensional conformant array of GROUP_MEMBERSHIP entries. */
static int
netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_GROUP_MEMBERSHIP);
}
/*
 * IDL typedef struct {
 * IDL   char user_session_key[16];
 * IDL } USER_SESSION_KEY;
 */
/*
 * Add the 16-byte user session key as hf_netlogon_user_session_key.
 * Returns offset + 16, or the unchanged offset during a conformant run.
 *
 * The bytes are displayed exactly as captured; captures that contain this
 * field should be handled as key material.
 */
static int
netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo _U_, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep _U_)
{
    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
                        ENC_NA);

    return offset + 16;
}
/* Display strings for the EXTRA_SIDS bit of the user flags. */
static const true_false_string user_flags_extra_sids = {
    .true_string  = "The EXTRA_SIDS bit is SET",
    .false_string = "The extra_sids is NOT set",
};

/* Display strings for the RESOURCE_GROUPS bit of the user flags. */
static const true_false_string user_flags_resource_groups = {
    .true_string  = "The RESOURCE_GROUPS bit is SET",
    .false_string = "The resource_groups is NOT set",
};
/*
 * Dissect the 32-bit user flags mask and list the RESOURCE_GROUPS and
 * EXTRA_SIDS bits under hf_netlogon_user_flags.
 *
 * Returns the offset after the mask, or the unchanged offset during a
 * conformant run.
 */
static int
netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *parent_tree,
                            dcerpc_info *di, uint8_t *drep)
{
    /* NULL-terminated list of the per-bit fields shown below the mask. */
    static int * const flags[] = {
        &hf_netlogon_user_flags_resource_groups,
        &hf_netlogon_user_flags_extra_sids,
        NULL
    };
    uint32_t mask;
    int mask_offset;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    /* Fetch the value only (NULL tree, hf -1); the item is added below. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep, -1, &mask);
    mask_offset = offset - 4;

    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, mask_offset,
                                            hf_netlogon_user_flags,
                                            ett_user_flags,
                                            flags, mask, BMT_NO_APPEND);
    return offset;
}
/*
 * Dissect a group count (shown as hf_count) followed by a unique pointer,
 * labelled array_name, to the GROUP_MEMBERSHIP array.
 *
 * The count is fetched but not used here; it is not passed on to the
 * array dissector.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep,
                                   int hf_count, const char *array_name)
{
    uint32_t group_count;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_count, &group_count);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_GROUP_MEMBERSHIP_ARRAY,
                               NDR_POINTER_UNIQUE,
                               array_name, -1);
}
/*
 * Dissect one domain's group memberships under a subtree labelled name:
 * a SID pointer followed by a count (hf_count) and the "GroupIDs" array.
 */
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *parent_tree,
                                          dcerpc_info *di, uint8_t *drep,
                                          int hf_count, const char *name)
{
    const int start_offset = offset;
    proto_item *domain_item = NULL;
    proto_tree *domain_tree = NULL;

    if (parent_tree) {
        domain_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                             ett_domain_group_memberships,
                                             &domain_item, name);
    }

    offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, domain_tree, di, drep);

    offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset, pinfo, domain_tree,
                                                di, drep, hf_count, "GroupIDs");

    /* The subtree was created with length 0; set its real extent now. */
    proto_item_set_len(domain_item, offset - start_offset);
    return offset;
}
/*
 * Adapter with the plain dissector signature: calls
 * netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS() with
 * hf_netlogon_domaingroupcount and the label "DomainGroupIDs".
 */
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER(tvbuff_t *tvb, int offset,
                                                  packet_info *pinfo, proto_tree *tree,
                                                  dcerpc_info *di, uint8_t *drep)
{
    const char *label = "DomainGroupIDs";

    return netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb, offset, pinfo, tree,
                                                     di, drep,
                                                     hf_netlogon_domaingroupcount,
                                                     label);
}
/* Dissect an unidimensional conformant array whose elements are handled
 * by netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER. */
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER);
}
/*
 * Dissect a count (hf_count) and a unique pointer to an array of
 * per-domain group memberships, both under a subtree labelled name.
 *
 * The count is fetched but not used here; it is not passed on to the
 * array dissector.
 */
static int
netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *parent_tree,
                                           dcerpc_info *di, uint8_t *drep,
                                           int hf_count, const char *name)
{
    const int start_offset = offset;
    proto_item *domains_item = NULL;
    proto_tree *domains_tree = NULL;
    uint32_t domain_count;

    if (parent_tree) {
        domains_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                              ett_domains_group_memberships,
                                              &domains_item, name);
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, domains_tree, di, drep,
                                hf_count, &domain_count);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, domains_tree, di, drep,
                                 netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 name, -1);

    /* The subtree was created with length 0; set its real extent now. */
    proto_item_set_len(domains_item, offset - start_offset);
    return offset;
}
/*
 * IDL typedef struct {
 * IDL   uint64 LogonTime;
 * IDL   uint64 LogoffTime;
 * IDL   uint64 KickOffTime;
 * IDL   uint64 PasswdLastSet;
 * IDL   uint64 PasswdCanChange;
 * IDL   uint64 PasswdMustChange;
 * IDL   unicodestring effectivename;
 * IDL   unicodestring fullname;
 * IDL   unicodestring logonscript;
 * IDL   unicodestring profilepath;
 * IDL   unicodestring homedirectory;
 * IDL   unicodestring homedirectorydrive;
 * IDL   short LogonCount;
 * IDL   short BadPasswdCount;
 * IDL   long userid;
 * IDL   long primarygroup;
 * IDL   long groupcount;
 * IDL   [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
 * IDL   long userflags;
 * IDL   USER_SESSION_KEY key;
 * IDL   unicodestring logonserver;
 * IDL   unicodestring domainname;
 * IDL   [unique] SID logondomainid;
 * IDL   long expansionroom[2];
 * IDL   long useraccountcontrol;
 * IDL   long expansionroom[7];
 * IDL } VALIDATION_SAM_INFO;
 */
/*
 * Dissect VALIDATION_SAM_INFO field by field in wire order.  Runs of
 * fields that share one dissector are driven from NULL-terminated tables
 * of hf pointers; the remaining fields are dissected individually.
 */
static int
netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    /* Six NTTIME values at the start of the structure. */
    static int * const time_fields[] = {
        &hf_netlogon_logon_time,
        &hf_netlogon_logoff_time,
        &hf_netlogon_kickoff_time,
        &hf_netlogon_pwd_last_set_time,
        &hf_netlogon_pwd_can_change_time,
        &hf_netlogon_pwd_must_change_time,
        NULL
    };
    /* Six counted strings that follow the times. */
    static int * const profile_strings[] = {
        &hf_netlogon_acct_name,
        &hf_netlogon_full_name,
        &hf_netlogon_logon_script,
        &hf_netlogon_profile_path,
        &hf_netlogon_home_dir,
        &hf_netlogon_dir_drive,
        NULL
    };
    /* Logon server and logon domain strings after the session key. */
    static int * const server_strings[] = {
        &hf_netlogon_logon_srv,
        &hf_netlogon_logon_dom,
        NULL
    };
    /* Seven 32-bit values after the user account control mask. */
    static int * const trailing_longs[] = {
        &hf_netlogon_dummy4_long,
        &hf_netlogon_dummy5_long,
        &hf_netlogon_dummy6_long,
        &hf_netlogon_dummy7_long,
        &hf_netlogon_dummy8_long,
        &hf_netlogon_dummy9_long,
        &hf_netlogon_dummy10_long,
        NULL
    };
    int * const *hf;

    for (hf = time_fields; *hf != NULL; hf++) {
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep, **hf);
    }

    for (hf = profile_strings; *hf != NULL; hf++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            **hf, 0);
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_logon_count16, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_bad_pw_count16, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_user_rid, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset, pinfo, tree,
                                                di, drep,
                                                hf_netlogon_num_rids,
                                                "GroupIDs");

    offset = netlogon_dissect_USER_FLAGS(tvb, offset, pinfo, tree, di, drep);

    offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset, pinfo, tree,
                                               di, drep);

    for (hf = server_strings; *hf != NULL; hf++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            **hf, 0);
    }

    offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);

    /* Two 32-bit values precede the user account control mask. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy1_long, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy2_long, NULL);

    offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset, pinfo, tree,
                                                   di, drep);

    for (hf = trailing_longs; *hf != NULL; hf++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    **hf, NULL);
    }

    return offset;
}
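/*
 * IDL typedef struct {
 * IDL   uint64 LogonTime;
 * IDL   uint64 LogoffTime;
 * IDL   uint64 KickOffTime;
 * IDL   uint64 PasswdLastSet;
 * IDL   uint64 PasswdCanChange;
 * IDL   uint64 PasswdMustChange;
 * IDL   unicodestring effectivename;
 * IDL   unicodestring fullname;
 * IDL   unicodestring logonscript;
 * IDL   unicodestring profilepath;
 * IDL   unicodestring homedirectory;
 * IDL   unicodestring homedirectorydrive;
 * IDL   short LogonCount;
 * IDL   short BadPasswdCount;
 * IDL   long userid;
 * IDL   long primarygroup;
 * IDL   long groupcount;
 * IDL   [unique] GROUP_MEMBERSHIP *groupids;
 * IDL   long userflags;
 * IDL   USER_SESSION_KEY key;
 * IDL   unicodestring logonserver;
 * IDL   unicodestring domainname;
 * IDL   [unique] SID logondomainid;
 * IDL   long expansionroom[2];
 * IDL   long useraccountcontrol;
 * IDL   long expansionroom[7];
 * IDL   long sidcount;
 * IDL   [unique] SID_AND_ATTRIBS;
 * IDL } VALIDATION_SAM_INFO2;
 */
/*
 * Dissect VALIDATION_SAM_INFO2: everything VALIDATION_SAM_INFO contains,
 * followed by a SID count and a unique pointer to the
 * SID_AND_ATTRIBUTES array.
 *
 * The shared leading fields are handled by
 * netlogon_dissect_VALIDATION_SAM_INFO(); the disabled (#if 0) copy of
 * that field list that used to sit here was dead code and is dropped.
 * The SID count is only displayed; it is not passed to the array
 * dissector.
 */
static int
netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb, offset, pinfo, tree,
                                                  di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_sid, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "SID_AND_ATTRIBUTES_ARRAY:", -1);

    return offset;
}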
/*
 * Dissect a VALIDATION_SAM_INFO4.
 *
 * The structure is dissected as a VALIDATION_SAM_INFO2 followed by twelve
 * counted strings: the DNS logon domain name, the UPN and ten dummy
 * strings.  Returns the offset just past the last string.
 */
static int
netlogon_dissect_VALIDATION_SAM_INFO4(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    /* Header fields of the trailing strings, in the order they are read. */
    const int trailing_strings[] = {
        hf_netlogon_logon_dnslogondomainname,
        hf_netlogon_logon_upn,
        hf_netlogon_dummy_string,
        hf_netlogon_dummy_string2,
        hf_netlogon_dummy_string3,
        hf_netlogon_dummy_string4,
        hf_netlogon_dummy_string5,
        hf_netlogon_dummy_string6,
        hf_netlogon_dummy_string7,
        hf_netlogon_dummy_string8,
        hf_netlogon_dummy_string9,
        hf_netlogon_dummy_string10,
    };
    const size_t n_strings = sizeof(trailing_strings) / sizeof(trailing_strings[0]);
    size_t idx;

    offset = netlogon_dissect_VALIDATION_SAM_INFO2(tvb, offset, pinfo, tree, di, drep);

    for (idx = 0; idx < n_strings; idx++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            trailing_strings[idx], 0);
    }

    return offset;
}
2026 * IDL typedef struct {
2027 * IDL uint64 LogonTime;
2028 * IDL uint64 LogoffTime;
2029 * IDL uint64 KickOffTime;
2030 * IDL uint64 PasswdLastSet;
2031 * IDL uint64 PasswdCanChange;
2032 * IDL uint64 PasswdMustChange;
2033 * IDL unicodestring effectivename;
2034 * IDL unicodestring fullname;
2035 * IDL unicodestring logonscript;
2036 * IDL unicodestring profilepath;
2037 * IDL unicodestring homedirectory;
2038 * IDL unicodestring homedirectorydrive;
2039 * IDL short LogonCount;
2040 * IDL short BadPasswdCount;
2041 * IDL long userid;
2042 * IDL long primarygroup;
2043 * IDL long groupcount;
2044 * IDL [unique] GROUP_MEMBERSHIP *groupids;
2045 * IDL long userflags;
2046 * IDL USER_SESSION_KEY key;
2047 * IDL unicodestring logonserver;
2048 * IDL unicodestring domainname;
2049 * IDL [unique] SID logondomainid;
2050 * IDL long expansionroom[2];
2051 * IDL long useraccountcontrol;
2052 * IDL long expansionroom[7];
2053 * IDL long sidcount;
2054 * IDL [unique] SID_AND_ATTRIBS;
2055 * IDL [unique] SID resourcegroupdomainsid;
2056 * IDL long resourcegroupcount;
2058 * IDL } PAC_LOGON_INFO;
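/*
 * Dissect a PAC_LOGON_INFO structure.
 *
 * The leading part is handed to netlogon_dissect_VALIDATION_SAM_INFO();
 * this function then reads the SID count, the unique pointer to the
 * SID_AND_ATTRIBUTES array and the resource group memberships.
 * Returns the offset after the structure.
 */
int
netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    /*
     * A field-by-field copy of the leading members (logon times, account
     * strings, RIDs, session key, ...) used to sit here under "#if 0".
     * It was never compiled and could only drift from the live code, so
     * it is gone; presumably VALIDATION_SAM_INFO covers the same members.
     */
    offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_sid, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
                                 "SID_AND_ATTRIBUTES_ARRAY:", -1);

    offset = netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb, offset,
                                                       pinfo, tree, di, drep,
                                                       hf_netlogon_resourcegroupcount,
                                                       "ResourceGroupIDs");

    return offset;
}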
/* Dissect one entry of the S4U transited-services list: a counted string. */
static int
netlogon_dissect_S4U_Transited_Service_name(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree,
                                            dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_netlogon_transited_service, 1);
}
/*
 * Dissect the array of transited service names, calling
 * netlogon_dissect_S4U_Transited_Service_name() for every element.
 */
static int
netlogon_dissect_S4U_Transited_Services_array(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_S4U_Transited_Service_name);
}
/*
 * Dissect a PAC_S4U_DELEGATION_INFO: the S4U2Proxy target string, the size
 * of the transited list, and a unique pointer to the list of transited
 * services.  Returns the offset after the structure.
 */
int
netlogon_dissect_PAC_S4U_DELEGATION_INFO(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    /* Target of the delegation. */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_s4u2proxytarget, 0);

    /* Number of entries announced for the transited list. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_transitedlistsize, NULL);

    /* The list itself; the pointer may be absent (unique pointer). */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_S4U_Transited_Services_array,
                                 NDR_POINTER_UNIQUE,
                                 "S4UTransitedServices", -1);

    return offset;
}
/*
 * State shared between netlogon_dissect_PAC_DEVICE_INFO() and
 * device_sid_callback_fnct().
 */
struct device_sid_callback_args {
    /* Caller-owned slot that receives the finished device SID string. */
    const char **device_sid_ptr;
    /* RID read from the UserId field; appended to the domain SID. */
    uint32_t user_rid;
    /* Domain SID text taken from dcv->private_data by the callback. */
    const char *domain_sid;
    /* "<domain sid>-<user rid>" string built by the callback. */
    const char *device_sid;
};
/*
 * Callback run after the account domain SID of a PAC_DEVICE_INFO has been
 * dissected.  It builds "<domain sid>-<user rid>" and publishes the string
 * through args->device_sid_ptr.
 *
 * The callback does nothing unless di->ptype is UINT8_MAX and both the call
 * data and callback_args are present.  The domain SID text is read from
 * dcv->private_data; at most 64 bytes are considered and anything from the
 * first ' ' or '(' onwards is cut off.
 *
 * NOTE(review): the result is allocated on wmem_epan_scope(), so each call
 * adds a string that is not released per packet or per file; confirm this
 * growth is acceptable for long-running captures.
 */
static void device_sid_callback_fnct(packet_info *pinfo _U_,
                                     proto_tree *tree _U_,
                                     proto_item *item _U_,
                                     dcerpc_info *di,
                                     tvbuff_t *tvb _U_,
                                     int start_offset _U_,
                                     int end_offset _U_,
                                     void *callback_args)
{
    static const char cut_chars[] = { ' ', '(' };
    struct device_sid_callback_args *args =
        (struct device_sid_callback_args *)callback_args;
    dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
    ptrdiff_t sid_len;
    size_t c;

    if (di->ptype != UINT8_MAX || dcv == NULL || args == NULL) {
        return;
    }

    args->domain_sid = (const char *)dcv->private_data;
    if (args->domain_sid == NULL) {
        /* this should not happen... */
        return;
    }

    /* Bounded scan: never look past 64 bytes of the stored text. */
    sid_len = strnlen(args->domain_sid, 64);

    /* remove any debug info after the sid */
    for (c = 0; c < sizeof(cut_chars); c++) {
        const char *hit = memchr(args->domain_sid, cut_chars[c], sid_len);

        if (hit != NULL) {
            ptrdiff_t prefix_len = hit - args->domain_sid;

            if (prefix_len < sid_len) {
                sid_len = prefix_len;
            }
        }
    }

    /*
     * we know we're called dissect_krb5_PAC_DEVICE_INFO
     * so we should allocate the device_sid on wmem_epan_scope()
     */
    args->device_sid = wmem_strdup_printf(wmem_epan_scope(),
                                          "%*.*s-%" PRIu32,
                                          (int)sid_len, (int)sid_len,
                                          args->domain_sid,
                                          args->user_rid);
    *args->device_sid_ptr = args->device_sid;
}
2277 * IDL typedef struct {
2278 * IDL long UserId;
2279 * IDL long PrimaryGroupId;
2280 * IDL SID AccountDomainId;
2281 * IDL long AccountGroupCount;
2282 * IDL [size_is(AccountGroupCount)] PGROUP_MEMBERSHIP AccountGroupIds;
2283 * IDL ULONG SidCount;
2284 * IDL [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
2285 * IDL ULONG DomainGroupCount;
2286 * IDL [size_is(DomainGroupCount)] PDOMAIN_GROUP_MEMBERSHIP DomainGroup;
2287 * IDL } PAC_DEVICE_INFO;
/*
 * Dissect a PAC_DEVICE_INFO structure.
 *
 * When di->ptype is UINT8_MAX and dcv->private_data is set, private_data is
 * taken as a pointer to the caller's "const char *device_sid"; the user RID
 * is captured and device_sid_callback_fnct() fills that pointer in once the
 * account domain SID has been dissected.  Otherwise the fields are only
 * added to the tree.  Returns the offset after the structure.
 */
int
netlogon_dissect_PAC_DEVICE_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
    struct device_sid_callback_args *cb_state = NULL;
    uint32_t *rid_out = NULL;

    if (dcv != NULL && di->ptype == UINT8_MAX && dcv->private_data != NULL) {
        /* Per-packet scratch state for the SID callback. */
        cb_state = wmem_new0(pinfo->pool, struct device_sid_callback_args);
        /*
         * dissect_krb5_PAC_DEVICE_INFO passes
         * a pointer to const char *device_sid
         */
        cb_state->device_sid_ptr = dcv->private_data;
        rid_out = &cb_state->user_rid;
    }

    /* UserId; stored for the callback when rid_out is set. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_user_rid, rid_out);

    /* PrimaryGroupId */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    /* AccountDomainId; cb_state may be NULL, which the callback tolerates. */
    offset = dissect_ndr_nt_PSID_cb(tvb, offset, pinfo, tree, di, drep,
                                    device_sid_callback_fnct, cb_state);

    offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset,
                                                pinfo, tree, di, drep,
                                                hf_netlogon_accountdomaingroupcount,
                                                "AccountDomainGroupIds");

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_sid, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
                                 "ExtraSids:SID_AND_ATTRIBUTES_ARRAY:", -1);

    offset = netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvb, offset,
                                                        pinfo, tree, di, drep,
                                                        hf_netlogon_membership_domains_count,
                                                        "ExtraDomain Membership Array");

    return offset;
}
2337 #if 0
/*
 * Dissect a PAC blob: a 32-bit size followed by that many raw bytes.
 * Nothing is done during a conformant run.  (Currently compiled out.)
 */
static int
netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
                     packet_info *pinfo, proto_tree *tree,
                     dcerpc_info *di, uint8_t *drep _U_)
{
    uint32_t pac_size;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pac_size, &pac_size);

    /*
     * NOTE(review): pac_size is read from the packet and then added to a
     * signed offset.  Before re-enabling this code, confirm that
     * proto_tree_add_item() rejects a length that runs past the buffer so
     * the addition below is never reached with an oversized value.
     */
    proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
                        ENC_NA);
    offset += pac_size;

    return offset;
}
/*
 * Dissect an AUTH blob: a 32-bit size followed by that many raw bytes.
 * Nothing is done during a conformant run.  (Currently compiled out.)
 */
static int
netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
                      packet_info *pinfo, proto_tree *tree,
                      dcerpc_info *di, uint8_t *drep _U_)
{
    uint32_t auth_size;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_auth_size, &auth_size);

    /*
     * NOTE(review): auth_size is read from the packet and then added to a
     * signed offset.  Before re-enabling this code, confirm that
     * proto_tree_add_item() rejects a length that runs past the buffer so
     * the addition below is never reached with an oversized value.
     */
    proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
                        ENC_NA);
    offset += auth_size;

    return offset;
}
2379 #endif
/*
 * Dissect a generic validation blob: a 32-bit data length followed by a
 * reference pointer to a byte array labelled "Validation Data".
 */
static int
netlogon_dissect_VALIDATION_GENERIC_INFO2 (tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    /* Length announced for the data. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_data_length, NULL);

    /* The data itself, handled by the shared byte-array dissector. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                                 "Validation Data", -1);

    return offset;
}
2396 * IDL typedef struct {
2397 * IDL long pac_size
2398 * IDL [unique][size_is(pac_size)] char *pac;
2399 * IDL UNICODESTRING logondomain;
2400 * IDL UNICODESTRING logonserver;
2401 * IDL UNICODESTRING principalname;
2402 * IDL long auth_size;
2403 * IDL [unique][size_is(auth_size)] char *auth;
2404 * IDL USER_SESSION_KEY user_session_key;
2405 * IDL long expansionroom[2];
2406 * IDL long useraccountcontrol;
2407 * IDL long expansionroom[7];
2408 * IDL UNICODESTRING dummy1;
2409 * IDL UNICODESTRING dummy2;
2410 * IDL UNICODESTRING dummy3;
2411 * IDL UNICODESTRING dummy4;
2412 * IDL } VALIDATION_PAC_INFO;
2414 #if 0 /* Not used (anymore ?) */
/*
 * Dissect a VALIDATION_PAC_INFO structure: PAC size and pointer, logon
 * domain / server / principal strings, AUTH size and pointer, the user
 * session key, two unknown longs, the user account control flags, seven
 * unknown longs and four dummy strings.  (Currently compiled out.)
 */
static int
netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    int n;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pac_size, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_logon_srv, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_principal, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_auth_size, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);

    offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
                                               pinfo, tree, di, drep);

    /* expansionroom[2] */
    for (n = 0; n < 2; n++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_unknown_long, NULL);
    }

    offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
                                                   pinfo, tree, di, drep);

    /* expansionroom[7] */
    for (n = 0; n < 7; n++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_unknown_long, NULL);
    }

    /* dummy1 .. dummy4 */
    for (n = 0; n < 4; n++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    return offset;
}
2472 #endif
2475 * IDL typedef [switch_type(short)] union {
2476 * IDL [case(1)][unique] VALIDATION_UAS *uas;
2477 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
2478 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
2479 * IDL [case(4)][unique] VALIDATION_GENERIC_INFO *generic;
2480 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2481 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2482 * IDL [case(6)][unique] VALIDATION_SAM_INFO4 *sam4;
2483 * IDL } VALIDATION;
/*
 * Dissect the VALIDATION union.
 *
 * A 16-bit level is read, the offset is aligned to 4 bytes, and the level
 * selects which structure the following unique pointer refers to
 * (levels 1..6).  The level comes from the packet: for any other value no
 * union arm is dissected and the offset is returned as it stands after
 * alignment.
 */
static int
netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    int (*arm)(tvbuff_t *, int, packet_info *, proto_tree *,
               dcerpc_info *, uint8_t *) = NULL;
    const char *arm_label = NULL;
    uint16_t level = 0;

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_validation_level, &level);

    ALIGN_TO_4_BYTES;

    /* Pick the dissector and tree label for the selected arm. */
    switch (level) {
    case 1:
        arm = netlogon_dissect_VALIDATION_UAS_INFO;
        arm_label = "VALIDATION_UAS_INFO:";
        break;
    case 2:
        arm = netlogon_dissect_VALIDATION_SAM_INFO;
        arm_label = "VALIDATION_SAM_INFO:";
        break;
    case 3:
        arm = netlogon_dissect_VALIDATION_SAM_INFO2;
        arm_label = "VALIDATION_SAM_INFO2:";
        break;
    case 4:
        arm = netlogon_dissect_VALIDATION_GENERIC_INFO2;
        arm_label = "VALIDATION_INFO:";
        break;
    case 5:
        arm = netlogon_dissect_VALIDATION_GENERIC_INFO2;
        arm_label = "VALIDATION_INFO2:";
        break;
    case 6:
        arm = netlogon_dissect_VALIDATION_SAM_INFO4;
        arm_label = "VALIDATION_SAM_INFO4:";
        break;
    default:
        /* Unknown level: nothing further is dissected here. */
        break;
    }

    if (arm != NULL) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     arm, NDR_POINTER_UNIQUE,
                                     arm_label, -1);
    }

    return offset;
}
2531 * IDL long NetrLogonSamLogonWithFlags(
2532 * IDL [in][unique][string] wchar_t *ServerName,
2533 * IDL [in][unique][string] wchar_t *Workstation,
2534 * IDL [in][unique] AUTHENTICATOR *credential,
2535 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2536 * IDL [in] short LogonLevel,
2537 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2538 * IDL [in] short ValidationLevel,
2539 * IDL [out][ref] VALIDATION *validation,
2540 * IDL [out][ref] boolean Authoritative
2541 * IDL [in][out] unsigned long ExtraFlags
2542 * IDL );
/*
 * Dissect a NetrLogonSamLogonWithFlags request: server handle, computer
 * name, the two authenticators, logon level and logon information, the
 * requested validation level and the extra flags.
 */
static int
netlogon_dissect_netrlogonsamlogonflags_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* ServerName */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    /* Workstation */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: credential", -1);

    /* returnauthenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* LogonLevel and the logon information it selects */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
                                 "LEVEL: LogonLevel", -1);

    /* ValidationLevel */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_validation_level, NULL);

    /* ExtraFlags */
    offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
/*
 * Dissect a NetrLogonSamLogonWithFlags reply: return authenticator,
 * validation data, the authoritative flag, the extra flags and the
 * NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogonsamlogonflags_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* returnauthenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* validation */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
                                 "VALIDATION:", -1);

    /* Authoritative */
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_authoritative, NULL);

    /* ExtraFlags */
    offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);

    /* return code */
    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
2604 * IDL long NetrLogonSamLogon(
2605 * IDL [in][unique][string] wchar_t *ServerName,
2606 * IDL [in][unique][string] wchar_t *Workstation,
2607 * IDL [in][unique] AUTHENTICATOR *credential,
2608 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2609 * IDL [in] short LogonLevel,
2610 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2611 * IDL [in] short ValidationLevel,
2612 * IDL [out][ref] VALIDATION *validation,
2613 * IDL [out][ref] boolean Authoritative
2614 * IDL );
/*
 * Dissect a NetrLogonSamLogon request: server handle, computer name, the
 * two authenticators, logon level and logon information, and the requested
 * validation level.
 */
static int
netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* ServerName */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    /* Workstation */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: credential", -1);

    /* returnauthenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* LogonLevel and the logon information it selects */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
                                 "LEVEL: LogonLevel", -1);

    /* ValidationLevel */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_validation_level, NULL);

    return offset;
}
/*
 * Dissect a NetrLogonSamLogon reply: return authenticator, validation
 * data, the authoritative flag and the NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* returnauthenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* validation */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
                                 "VALIDATION:", -1);

    /* Authoritative */
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_authoritative, NULL);

    /* return code */
    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
2671 * IDL long NetrLogonSamLogoff(
2672 * IDL [in][unique][string] wchar_t *ServerName,
2673 * IDL [in][unique][string] wchar_t *ComputerName,
2674 * IDL [in][unique] AUTHENTICATOR credential,
2675 * IDL [in][unique] AUTHENTICATOR return_authenticator,
2676 * IDL [in] short logon_level,
2677 * IDL [in][ref] LEVEL logoninformation
2678 * IDL );
/*
 * Dissect a NetrLogonSamLogoff request: server handle, computer name, the
 * two authenticators, the logon level and the logon information.
 */
static int
netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* ServerName */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    /* ComputerName */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: credential", -1);

    /* return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* logon_level */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, NULL);

    /* logoninformation */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
                                 "LEVEL: logoninformation", -1);

    return offset;
}
/*
 * Dissect a NetrLogonSamLogoff reply: the return authenticator followed by
 * the NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Fill *key with the client and server addresses of the current packet.
 *
 * is_server tells whether the packet was sent by the server: if so the
 * packet source is the server and the destination the client, otherwise
 * the roles are swapped.  The addresses are shallow copies, so the key
 * borrows the address data held by pinfo.
 */
static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key)
{
    copy_address_shallow(&key->server, is_server ? &pinfo->src : &pinfo->dst);
    copy_address_shallow(&key->client, is_server ? &pinfo->dst : &pinfo->src);
}
/*
 * Look up the authentication state that applies to the current packet.
 *
 * The chain stored in netlogon_auths for this client/server pair is walked
 * in order.  An entry qualifies when the packet comes after both the
 * entry's start frame and its ServerAuthenticate frame; the last qualifying
 * entry wins.  Entries without a ServerAuthenticate frame
 * (auth_fd_num == -1) are skipped.  Returns NULL when nothing qualifies.
 */
static netlogon_auth_vars *find_global_netlogon_auth_vars(packet_info *pinfo, unsigned char is_server)
{
    const int frame = (int) pinfo->num;
    netlogon_auth_vars *best = NULL;
    netlogon_auth_vars *cur;
    netlogon_auth_key akey;

    generate_hash_key(pinfo, is_server, &akey);
    cur = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &akey);

    /*
     * Stop at the first entry that starts at or after this packet:
     * it cannot be used, keep what was found so far.
     */
    while (cur != NULL && frame > cur->start) {
        /*
         * Without ServerAuthenticate{,1,3} there is no session key,
         * so such entries are ignored.
         */
        if (cur->auth_fd_num != -1) {
            if (frame <= cur->auth_fd_num) {
                /*
                 * Before ServerAuthenticate{,1,3}: cannot be used,
                 * keep what was found so far.
                 */
                break;
            }
            /* remember the current match, but try to find a better one */
            best = cur;
        }
        cur = cur->next;
    }

    return best;
}
/*
 * Return the authentication state bound to this secure channel, creating
 * it on first use.
 *
 * The channel is identified by conversation, transport salt and auth
 * context id.  On a miss in schannel_auths, the state found by
 * find_global_netlogon_auth_vars() is duplicated into file scope (with its
 * own copy of client_name), detached from the chain and cached under the
 * channel key.  Returns NULL when no usable global state exists.
 *
 * NOTE(review): the whole netlogon_auth_vars struct is copied byte for
 * byte; presumably that includes any key material it holds, which then
 * lives until the capture file is closed.
 */
static netlogon_auth_vars *find_or_create_schannel_netlogon_auth_vars(packet_info *pinfo,
                                                                      dcerpc_auth_info *auth_info,
                                                                      unsigned char is_server)
{
    dcerpc_auth_schannel_key lookup = {
        .conv = find_or_create_conversation(pinfo),
        .transport_salt = dcerpc_get_transport_salt(pinfo),
        .auth_context_id = auth_info->auth_context_id,
    };
    dcerpc_auth_schannel_key *stored_key;
    netlogon_auth_vars *global_vars;
    netlogon_auth_vars *channel_vars;

    /* Fast path: this channel has been seen before. */
    channel_vars = (netlogon_auth_vars *)wmem_map_lookup(schannel_auths, &lookup);
    if (channel_vars != NULL) {
        return channel_vars;
    }

    global_vars = find_global_netlogon_auth_vars(pinfo, is_server);
    if (global_vars == NULL) {
        return NULL;
    }

    /* The map keeps the key pointer, so it needs a file-scope copy. */
    stored_key = wmem_memdup(wmem_file_scope(), &lookup, sizeof(dcerpc_auth_schannel_key));
    if (stored_key == NULL) {
        return NULL;
    }

    channel_vars = wmem_memdup(wmem_file_scope(), global_vars, sizeof(netlogon_auth_vars));
    if (channel_vars == NULL) {
        return NULL;
    }

    channel_vars->client_name = wmem_strdup(wmem_file_scope(), global_vars->client_name);
    if (channel_vars->client_name == NULL) {
        return NULL;
    }

    /* The copy stands alone: it is not part of the global chain. */
    channel_vars->next_start = -1;
    channel_vars->next = NULL;

    wmem_map_insert(schannel_auths, stored_key, channel_vars);

    return channel_vars;
}
2829 * IDL long NetrServerReqChallenge(
2830 * IDL [in][unique][string] wchar_t *ServerName,
2831 * IDL [in][ref][string] wchar_t *ComputerName,
2832 * IDL [in][ref] CREDENTIAL client_credential,
2833 * IDL [out][ref] CREDENTIAL server_credential
2834 * IDL );
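/*
 * Dissect a NetrServerReqChallenge request and record the start of a new
 * authentication exchange.
 *
 * A netlogon_auth_vars entry is created in file scope holding the client
 * computer name, the 8-byte client challenge and the frame number.  It is
 * stored in netlogon_auths under the client/server address pair, or
 * appended to the chain already stored there.  If the frame was recorded
 * before, the fresh entry is released again.
 *
 * The computer name is read back from dcv->private_data, where the string
 * callback is asked to leave it (CB_STR_SAVE).  NOTE(review): presumably
 * that pointer can be NULL when the callback saved nothing, so the debug
 * output no longer calls strlen() on it unchecked.
 */
static int
netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /*int oldoffset = offset;*/
    netlogon_auth_vars *vars;
    netlogon_auth_vars *existing_vars;
    netlogon_auth_key key;
    dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
    const char *computer_name;

    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_pointer_cb(
        tvb, offset, pinfo, tree, di, drep,
        dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
        "Computer Name", hf_netlogon_computer_name,
        cb_wstr_postprocess,
        GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1));

    /* The name comes from the packet; it may be missing. */
    computer_name = (dcv != NULL) ? (const char *)dcv->private_data : NULL;

    ws_debug("1)Len %d offset %d txt %s",
             computer_name != NULL ? (int) strlen(computer_name) : 0,
             offset,
             computer_name != NULL ? computer_name : "(null)");
    vars = wmem_new0(wmem_file_scope(), netlogon_auth_vars);
    vars->client_name = wmem_strdup(wmem_file_scope(), computer_name);
    ws_debug("2)Len %d offset %d txt %s",
             computer_name != NULL ? (int) strlen(computer_name) : 0,
             offset,
             vars->client_name != NULL ? vars->client_name : "(null)");

    offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
                                   hf_client_challenge,&vars->client_challenge);

    vars->start = pinfo->num;
    vars->auth_fd_num = -1;   /* no ServerAuthenticate seen yet */
    vars->next_start = -1;
    vars->next = NULL;

    generate_hash_key(pinfo,0,&key);
    existing_vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key);
    if (!existing_vars) {
        /*
         * First exchange for this address pair.  The lookup key only
         * borrows pinfo's addresses, so the stored key gets deep copies.
         */
        netlogon_auth_key *k = (netlogon_auth_key *)wmem_memdup(wmem_file_scope(), &key, sizeof(netlogon_auth_key));
        copy_address_wmem(wmem_file_scope(), &k->client, &key.client);
        copy_address_wmem(wmem_file_scope(), &k->server, &key.server);
        ws_debug("Adding initial vars with this start packet = %d",vars->start);
        wmem_map_insert(netlogon_auths, k, vars);
    }
    else {
        while(existing_vars->next != NULL && existing_vars->start < vars->start) {
            ws_debug("Looping to find existing vars ...");
            existing_vars = existing_vars->next;
        }
        if(existing_vars->next != NULL || existing_vars->start == vars->start) {
            ws_debug("It seems that I already record this vars start packet = %d",vars->start);
            /*
             * Release the name as well as the entry: otherwise every
             * repeated dissection of this frame leaves a string behind
             * in file scope.
             */
            wmem_free(wmem_file_scope(), vars->client_name);
            wmem_free(wmem_file_scope(), vars);
        }
        else {
            ws_debug("Adding a new entry with this start packet = %d",vars->start);
            existing_vars->next_start = pinfo->num;
            existing_vars->next = vars;
        }
    }
    return offset;
}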
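/*
 * Dissect a NetrServerReqChallenge reply and store the 8-byte server
 * challenge in the authentication entry that belongs to this exchange.
 *
 * The chain stored in netlogon_auths for the client/server pair is walked
 * until the entry whose successor starts after this frame is reached.  If
 * the chain ends first, the challenge is dropped and only a debug message
 * is logged.
 */
static int
netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    netlogon_auth_vars *vars;
    netlogon_auth_key key;
    uint64_t server_challenge;

    generate_hash_key(pinfo,1,&key);
    vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key);

    offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
                                   hf_server_challenge, &server_challenge);
    /*offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
      netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
      "CREDENTIAL: server credential", -1);*/

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);
    if(vars != NULL) {
        while(vars !=NULL && vars->next_start != -1 && vars->next_start < (int)pinfo->num )
        {
            vars = vars->next;
            /*
             * The chain can end here; only touch the entry for the
             * debug output when there is one.
             */
            if(vars != NULL)
            {
                ws_debug("looping challenge reply... %d %d ", vars->next_start, (int)pinfo->num);
            }
        }
        if(vars == NULL)
        {
            ws_debug("Something strange happened while searching for challenge_reply");
        }
        else
        {
            vars->server_challenge = server_challenge;
        }
    }
    else
    {
        ws_debug("Vars not found in challenge reply");
    }

    return offset;
}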
/* Dissect the secure channel type, read with dissect_ndr_uint1632(). */
static int
netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint1632(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_secure_channel_type, NULL);
}
2953 * IDL long NetrServerAuthenticate(
2954 * IDL [in][unique][string] wchar_t *ServerName,
2955 * IDL [in][ref][string] wchar_t *UserName,
2956 * IDL [in] short secure_challenge_type,
2957 * IDL [in][ref][string] wchar_t *ComputerName,
2958 * IDL [in][ref] CREDENTIAL client_challenge,
2959 * IDL [out][ref] CREDENTIAL server_challenge
2960 * IDL );
/*
 * Dissect a NetrServerAuthenticate request in wire order: server handle,
 * user name, secure channel type, computer name and the client challenge.
 *
 * Returns the offset just past the request.
 */
static int
netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = netlogon_dissect_LOGONSRV_HANDLE(tvb, pos, pinfo, tree, di, drep);

    /* Both names are also passed CB_STR_COL_INFO. */
    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_REF, "User Name",
                                       hf_netlogon_acct_name, CB_STR_COL_INFO);

    pos = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_REF, "Computer Name",
                                       hf_netlogon_computer_name, CB_STR_COL_INFO);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                              "CREDENTIAL: client challenge", -1);

    return pos;
}
2984 static int
2985 netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
2986 packet_info *pinfo,
2987 proto_tree *tree,
2988 dcerpc_info *di,
2989 uint8_t *drep,
2990 int version);
/*
 * Dissect a NetrServerAuthenticate reply by delegating to the shared
 * netlogon_dissect_netrserverauthenticate023_reply routine with version 0.
 */
static int
netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    const int reply_version = 0;

    return netlogon_dissect_netrserverauthenticate023_reply(tvb, offset, pinfo, tree,
                                                            di, drep, reply_version);
}
3001 * IDL typedef struct {
3002 * IDL char encrypted_password[16];
3003 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/*
 * Add the fixed 16-byte ENCRYPTED_LM_OWF_PASSWORD blob to the tree.
 *
 * Nothing is consumed during the conformant-array pre-pass.  The field holds
 * password-derived material, so captures containing it should be handled as
 * sensitive data.
 *
 * Returns the offset after the blob, or the unchanged offset on the pre-pass.
 */
static int
netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo _U_, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep _U_)
{
    enum { ENCRYPTED_PASSWORD_LEN = 16 };

    if (!di->conformant_run) {
        proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb,
                            offset, ENCRYPTED_PASSWORD_LEN, ENC_NA);
        offset += ENCRYPTED_PASSWORD_LEN;
    }

    return offset;
}
3023 * IDL long NetrServerPasswordSet(
3024 * IDL [in][unique][string] wchar_t *ServerName,
3025 * IDL [in][ref][string] wchar_t *UserName,
3026 * IDL [in] short secure_challenge_type,
3027 * IDL [in][ref][string] wchar_t *ComputerName,
3028 * IDL [in][ref] AUTHENTICATOR credential,
3029 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
3030 * IDL [out][ref] AUTHENTICATOR return_authenticator
3031 * IDL );
/*
 * Dissect a NetrServerPasswordSet request in wire order: server handle,
 * user name, secure channel type, computer name, the caller's authenticator
 * and the encrypted LM OWF password.
 *
 * Returns the offset just past the request.
 */
static int
netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = netlogon_dissect_LOGONSRV_HANDLE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_REF, "User Name",
                                       hf_netlogon_acct_name, 0);

    pos = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_REF, "Computer Name",
                                       hf_netlogon_computer_name, 0);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                              "AUTHENTICATOR: credential", -1);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
                              "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);

    return pos;
}
/*
 * Dissect a NetrServerPasswordSet reply: the return authenticator followed
 * by the NTSTATUS return code.
 */
static int
netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    const int after_authenticator =
        dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                            "AUTHENTICATOR: return_authenticator", -1);

    return dissect_ntstatus(tvb, after_authenticator, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
3075 * IDL typedef struct {
3076 * IDL [unique][string] wchar_t *UserName;
3077 * IDL UNICODESTRING dummy1;
3078 * IDL UNICODESTRING dummy2;
3079 * IDL UNICODESTRING dummy3;
3080 * IDL UNICODESTRING dummy4;
3081 * IDL long dummy5;
3082 * IDL long dummy6;
3083 * IDL long dummy7;
3084 * IDL long dummy8;
3085 * IDL } DELTA_DELETE_USER;
/*
 * Dissect a DELTA_DELETE_USER structure: the account name pointer, four
 * dummy counted strings and four reserved 32-bit values.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Account Name",
                                          hf_netlogon_acct_name, 0);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3124 * IDL typedef struct {
3125 * IDL bool SensitiveDataFlag;
3126 * IDL long DataLength;
3127 * IDL [unique][size_is(DataLength)] char *SensitiveData;
3128 * IDL } USER_PRIVATE_INFO;
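/*
 * Dissect the SensitiveData blob of USER_PRIVATE_INFO: a 32-bit length
 * followed by that many bytes.
 *
 * Nothing is consumed during the conformant-array pre-pass.
 *
 * Returns the offset just past the blob, or the unchanged offset on the
 * pre-pass.
 */
static int
netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    uint32_t data_len = 0;

    if(di->conformant_run){
        /*just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sensitive_data_len, &data_len);

    /*
     * data_len comes straight from the packet.  It is narrowed to int when
     * passed as an item length and is added to the int offset below, so a
     * value above INT_MAX would turn into a negative length or move the
     * offset backwards.  Require the bytes to be present before using the
     * length; tvb_ensure_bytes_exist raises the usual bounds exception
     * otherwise.
     */
    tvb_ensure_bytes_exist(tvb, offset, data_len);

    proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
                        data_len, ENC_NA);
    offset += data_len;

    return offset;
}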
/*
 * Dissect a USER_PRIVATE_INFO structure: the sensitive-data flag, the data
 * length and a unique pointer to the sensitive data itself.
 *
 * The length shown here is only displayed; netlogon_dissect_SENSITIVE_DATA
 * reads its own length when it dissects the blob.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = dissect_ndr_uint8(tvb, pos, pinfo, tree, di, drep,
                            hf_netlogon_sensitive_data_flag, NULL);
    pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_sensitive_data_len, NULL);
    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
                              "SENSITIVE_DATA", -1);

    return pos;
}
3170 * IDL typedef struct {
3171 * IDL UNICODESTRING UserName;
3172 * IDL UNICODESTRING FullName;
3173 * IDL long UserID;
3174 * IDL long PrimaryGroupID;
3175 * IDL UNICODESTRING HomeDir;
3176 * IDL UNICODESTRING HomeDirDrive;
3177 * IDL UNICODESTRING LogonScript;
3178 * IDL UNICODESTRING Comment;
3179 * IDL UNICODESTRING Workstations;
3180 * IDL NTTIME LastLogon;
3181 * IDL NTTIME LastLogoff;
3182 * IDL LOGON_HOURS logonhours;
3183 * IDL short BadPwCount;
3184 * IDL short LogonCount;
3185 * IDL NTTIME PwLastSet;
3186 * IDL NTTIME AccountExpires;
3187 * IDL long AccountControl;
3188 * IDL LM_OWF_PASSWORD lmpw;
3189 * IDL NT_OWF_PASSWORD ntpw;
3190 * IDL bool NTPwPresent;
3191 * IDL bool LMPwPresent;
3192 * IDL bool PwExpired;
3193 * IDL UNICODESTRING UserComment;
3194 * IDL UNICODESTRING Parameters;
3195 * IDL short CountryCode;
3196 * IDL short CodePage;
3197 * IDL USER_PRIVATE_INFO user_private_info;
3198 * IDL long SecurityInformation;
3199 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3200 * IDL UNICODESTRING dummy1;
3201 * IDL UNICODESTRING dummy2;
3202 * IDL UNICODESTRING dummy3;
3203 * IDL UNICODESTRING dummy4;
3204 * IDL long dummy5;
3205 * IDL long dummy6;
3206 * IDL long dummy7;
3207 * IDL long dummy8;
3208 * IDL } DELTA_USER;
/*
 * Dissect a DELTA_USER structure field by field, in wire order.
 *
 * The structure carries the LM and NT OWF password fields next to the
 * account attributes, so captures containing it should be handled as
 * sensitive data.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    /* HomeDir, HomeDirDrive, LogonScript, Comment, Workstations */
    const int profile_strings[] = {
        hf_netlogon_home_dir,
        hf_netlogon_dir_drive,
        hf_netlogon_logon_script,
        hf_netlogon_acct_desc,
        hf_netlogon_workstations,
    };
    /* NTPwPresent, LMPwPresent, PwExpired */
    const int password_flags[] = {
        hf_netlogon_nt_pwd_present,
        hf_netlogon_lm_pwd_present,
        hf_netlogon_pwd_expired,
    };
    const int n_profile_strings = (int)(sizeof profile_strings / sizeof profile_strings[0]);
    const int n_password_flags = (int)(sizeof password_flags / sizeof password_flags[0]);

    /* Names and identifiers. */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_acct_name, 3);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_full_name, 0);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_user_rid, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    for (int i = 0; i < n_profile_strings; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            profile_strings[i], 0);
    }

    /* Logon history and account lifetime. */
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_logon_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_logoff_time);
    offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_bad_pw_count16, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_logon_count16, NULL);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_pwd_last_set_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_acct_expiry_time);
    offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, di, drep);

    /* Password material and its presence flags. */
    offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);
    offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);

    for (int i = 0; i < n_password_flags; i++) {
        offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                                   password_flags[i], NULL);
    }

    /* Free-form attributes and locale. */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_comment, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_parameters, 0);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_country, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_codepage, NULL);

    /* Private info and security descriptor. */
    offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3328 * IDL typedef struct {
3329 * IDL UNICODESTRING DomainName;
3330 * IDL UNICODESTRING OEMInfo;
3331 * IDL NTTIME forcedlogoff;
3332 * IDL short minpasswdlen;
3333 * IDL short passwdhistorylen;
3334 * IDL NTTIME pwd_must_change_time;
3335 * IDL NTTIME pwd_can_change_time;
3336 * IDL NTTIME domain_modify_time;
3337 * IDL NTTIME domain_create_time;
3338 * IDL long SecurityInformation;
3339 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3340 * IDL UNICODESTRING dummy1;
3341 * IDL UNICODESTRING dummy2;
3342 * IDL UNICODESTRING dummy3;
3343 * IDL UNICODESTRING dummy4;
3344 * IDL long dummy5;
3345 * IDL long dummy6;
3346 * IDL long dummy7;
3347 * IDL long dummy8;
3348 * IDL } DELTA_DOMAIN;
/*
 * Dissect a DELTA_DOMAIN structure field by field, in wire order: domain
 * name and OEM info, the password policy values and timestamps, the
 * security descriptor, then the dummy and reserved trailer.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    /* pwd_must_change_time .. domain_create_time */
    const int domain_times[] = {
        hf_netlogon_pwd_must_change_time,
        hf_netlogon_pwd_can_change_time,
        hf_netlogon_domain_modify_time,
        hf_netlogon_domain_create_time,
    };
    const int n_domain_times = (int)(sizeof domain_times / sizeof domain_times[0]);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_domain_name, 3);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_oem_info, 0);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_kickoff_time);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_minpasswdlen, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_passwdhistorylen, NULL);

    for (int i = 0; i < n_domain_times; i++) {
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                       domain_times[i]);
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3416 * IDL typedef struct {
3417 * IDL UNICODESTRING groupname;
3418 * IDL GROUP_MEMBERSHIP group_membership;
3419 * IDL UNICODESTRING comment;
3420 * IDL long SecurityInformation;
3421 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3422 * IDL UNICODESTRING dummy1;
3423 * IDL UNICODESTRING dummy2;
3424 * IDL UNICODESTRING dummy3;
3425 * IDL UNICODESTRING dummy4;
3426 * IDL long dummy5;
3427 * IDL long dummy6;
3428 * IDL long dummy7;
3429 * IDL long dummy8;
3430 * IDL } DELTA_GROUP;
/*
 * Dissect a DELTA_GROUP structure in wire order: group name, group
 * membership, description, security descriptor, then the dummy and reserved
 * trailer.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = dissect_ndr_counted_string(tvb, pos, pinfo, tree, di, drep,
                                     hf_netlogon_group_name, 3);
    pos = netlogon_dissect_GROUP_MEMBERSHIP(tvb, pos, pinfo, tree, di, drep);
    pos = dissect_ndr_counted_string(tvb, pos, pinfo, tree, di, drep,
                                     hf_netlogon_group_desc, 0);
    pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_security_information, NULL);
    pos = lsarpc_dissect_sec_desc_buf(tvb, pos, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        pos = dissect_ndr_counted_string(tvb, pos, pinfo, tree, di, drep,
                                         hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (int i = 0; i < 4; i++) {
        pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                                 hf_netlogon_reserved, NULL);
    }

    return pos;
}
3480 * IDL typedef struct {
3481 * IDL UNICODESTRING OldName;
3482 * IDL UNICODESTRING NewName;
3483 * IDL UNICODESTRING dummy1;
3484 * IDL UNICODESTRING dummy2;
3485 * IDL UNICODESTRING dummy3;
3486 * IDL UNICODESTRING dummy4;
3487 * IDL long dummy5;
3488 * IDL long dummy6;
3489 * IDL long dummy7;
3490 * IDL long dummy8;
3491 * IDL } DELTA_RENAME;
/*
 * Dissect a DELTA_RENAME structure: the old and new names, four dummy
 * counted strings and four reserved 32-bit values.
 *
 * Both names are added under di->hf_index, i.e. the field is chosen by the
 * caller rather than fixed here.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    /* OldName, NewName */
    for (int i = 0; i < 2; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            di->hf_index, 0);
    }

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/* Dissect one 32-bit RID and return the offset that follows it. */
static int
netlogon_dissect_RID(tvbuff_t *tvb, int offset,
                     packet_info *pinfo, proto_tree *tree,
                     dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_user_rid, NULL);
}
/*
 * Dissect an array of RIDs by handing netlogon_dissect_RID to
 * dissect_ndr_ucarray as the per-element routine.
 */
static int
netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_RID);
}
/* Dissect one 32-bit attribute value and return the offset that follows it. */
static int
netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_attrs, NULL);
}
/*
 * Dissect an array of attribute values by handing netlogon_dissect_ATTRIB
 * to dissect_ndr_ucarray as the per-element routine.
 */
static int
netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_ATTRIB);
}
3577 * IDL typedef struct {
3578 * IDL [unique][size_is(num_rids)] long *rids;
3579 * IDL [unique][size_is(num_rids)] long *attribs;
3580 * IDL long num_rids;
3581 * IDL long dummy1;
3582 * IDL long dummy2;
3583 * IDL long dummy3;
3584 * IDL long dummy4;
3585 * IDL } DELTA_GROUP_MEMBER;
/*
 * Dissect a DELTA_GROUP_MEMBER structure: unique pointers to the RID and
 * attribute arrays, the RID count and four reserved 32-bit values.
 *
 * The num_rids value is only displayed; it is not read back here to check
 * the two arrays.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
                              "RIDs:", -1);
    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
                              "Attribs:", -1);
    pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_num_rids, NULL);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                                 hf_netlogon_reserved, NULL);
    }

    return pos;
}
3620 * IDL typedef struct {
3621 * IDL UNICODESTRING alias_name;
3622 * IDL long rid;
3623 * IDL long SecurityInformation;
3624 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3625 * IDL UNICODESTRING dummy1;
3626 * IDL UNICODESTRING dummy2;
3627 * IDL UNICODESTRING dummy3;
3628 * IDL UNICODESTRING dummy4;
3629 * IDL long dummy5;
3630 * IDL long dummy6;
3631 * IDL long dummy7;
3632 * IDL long dummy8;
3633 * IDL } DELTA_ALIAS;
/*
 * Dissect a DELTA_ALIAS structure in wire order: alias name, alias RID,
 * security descriptor, then the dummy and reserved trailer.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_alias_name, 0);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_alias_rid, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3680 * IDL typedef struct {
3681 * IDL [unique] SID_ARRAY sids;
3682 * IDL long dummy1;
3683 * IDL long dummy2;
3684 * IDL long dummy3;
3685 * IDL long dummy4;
3686 * IDL } DELTA_ALIAS_MEMBER;
/*
 * Dissect a DELTA_ALIAS_MEMBER structure: the SID array followed by four
 * reserved 32-bit values.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    int pos = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                                 hf_netlogon_reserved, NULL);
    }

    return pos;
}
/* Dissect one 32-bit event audit option and return the offset after it. */
static int
netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_event_audit_option, NULL);
}
/*
 * Dissect an array of event audit options by handing
 * netlogon_dissect_EVENT_AUDIT_OPTION to dissect_ndr_ucarray as the
 * per-element routine.
 */
static int
netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_EVENT_AUDIT_OPTION);
}
3735 * IDL typedef struct {
3736 * IDL long pagedpoollimit;
3737 * IDL long nonpagedpoollimit;
3738 * IDL long minimumworkingsetsize;
3739 * IDL long maximumworkingsetsize;
3740 * IDL long pagefilelimit;
3741 * IDL NTTIME timelimit;
3742 * IDL } QUOTA_LIMITS;
/*
 * Dissect a QUOTA_LIMITS structure inside its own subtree: five 32-bit
 * limits followed by the NTTIME time limit.
 *
 * The subtree is created with length 0 and resized once the end offset is
 * known.  When parent_tree is NULL no subtree is created and the fields are
 * dissected against a NULL tree.
 *
 * NOTE(review): the subtree label is spelled "QUOTA_LIMTS:" in the source;
 * it is kept as is here.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *parent_tree,
                              dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *subtree_item = NULL;
    proto_tree *subtree = NULL;

    if (parent_tree != NULL) {
        subtree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                         ett_QUOTA_LIMITS, &subtree_item, "QUOTA_LIMTS:");
    }

    /* pagedpoollimit .. pagefilelimit */
    const int limit_fields[] = {
        hf_netlogon_pagedpoollimit,
        hf_netlogon_nonpagedpoollimit,
        hf_netlogon_minworkingsetsize,
        hf_netlogon_maxworkingsetsize,
        hf_netlogon_pagefilelimit,
    };
    const int n_limit_fields = (int)(sizeof limit_fields / sizeof limit_fields[0]);

    for (int i = 0; i < n_limit_fields; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
                                    limit_fields[i], NULL);
    }

    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, subtree, di, drep,
                                   hf_netlogon_timelimit);

    proto_item_set_len(subtree_item, offset - start_offset);
    return offset;
}
3782 * IDL typedef struct {
3783 * IDL long maxlogsize;
3784 * IDL NTTIME auditretentionperiod;
3785 * IDL bool auditingmode;
3786 * IDL long maxauditeventcount;
3787 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
3788 * IDL UNICODESTRING primarydomainname;
3789 * IDL [unique] SID *sid;
3790 * IDL QUOTA_LIMITS quota_limits;
3791 * IDL NTTIME db_modify_time;
3792 * IDL NTTIME db_create_time;
3793 * IDL long SecurityInformation;
3794 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3795 * IDL UNICODESTRING dummy1;
3796 * IDL UNICODESTRING dummy2;
3797 * IDL UNICODESTRING dummy3;
3798 * IDL UNICODESTRING dummy4;
3799 * IDL long dummy5;
3800 * IDL long dummy6;
3801 * IDL long dummy7;
3802 * IDL long dummy8;
3803 * IDL } DELTA_POLICY;
/*
 * Dissect a DELTA_POLICY structure field by field, in wire order: audit log
 * settings, the event audit options array, primary domain name and SID,
 * quota limits, database timestamps, security descriptor, then the dummy
 * and reserved trailer.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    /* Audit log settings. */
    pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_max_log_size, NULL);
    pos = dissect_ndr_nt_NTTIME(tvb, pos, pinfo, tree, di, drep,
                                hf_netlogon_audit_retention_period);
    pos = dissect_ndr_uint8(tvb, pos, pinfo, tree, di, drep,
                            hf_netlogon_auditing_mode, NULL);
    pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_max_audit_event_count, NULL);
    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
                              "Event Audit Options:", -1);

    /* Primary domain and quota limits. */
    pos = dissect_ndr_counted_string(tvb, pos, pinfo, tree, di, drep,
                                     hf_netlogon_domain_name, 0);
    pos = dissect_ndr_nt_PSID(tvb, pos, pinfo, tree, di, drep);
    pos = netlogon_dissect_QUOTA_LIMITS(tvb, pos, pinfo, tree, di, drep);

    /* Database timestamps and security descriptor. */
    pos = dissect_ndr_nt_NTTIME(tvb, pos, pinfo, tree, di, drep,
                                hf_netlogon_db_modify_time);
    pos = dissect_ndr_nt_NTTIME(tvb, pos, pinfo, tree, di, drep,
                                hf_netlogon_db_create_time);
    pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_security_information, NULL);
    pos = lsarpc_dissect_sec_desc_buf(tvb, pos, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        pos = dissect_ndr_counted_string(tvb, pos, pinfo, tree, di, drep,
                                         hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (int i = 0; i < 4; i++) {
        pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                                 hf_netlogon_reserved, NULL);
    }

    return pos;
}
/* Dissect one domain controller name as a counted string. */
static int
netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_netlogon_dc_name, 0);
}
/*
 * Dissect an array of domain controller names by handing
 * netlogon_dissect_CONTROLLER to dissect_ndr_ucarray as the per-element
 * routine.
 */
static int
netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_CONTROLLER);
}
3897 * IDL typedef struct {
3898 * IDL UNICODESTRING DomainName;
3899 * IDL long num_controllers;
3900 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
3901 * IDL long SecurityInformation;
3902 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3903 * IDL UNICODESTRING dummy1;
3904 * IDL UNICODESTRING dummy2;
3905 * IDL UNICODESTRING dummy3;
3906 * IDL UNICODESTRING dummy4;
3907 * IDL long dummy5;
3908 * IDL long dummy6;
3909 * IDL long dummy7;
3910 * IDL long dummy8;
3911 * IDL } DELTA_TRUSTED_DOMAINS;
/*
 * Dissect a DELTA_TRUSTED_DOMAINS structure in wire order: domain name,
 * controller count, the controller name array, security descriptor, then
 * the dummy and reserved trailer.
 *
 * The num_controllers value is only displayed; it is not read back here to
 * check the controller array.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
                                       packet_info *pinfo, proto_tree *tree,
                                       dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_domain_name, 0);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_controllers, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
                                 "Domain Controllers:", -1);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/* Dissect one 32-bit privilege attribute and return the offset after it. */
static int
netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_attrs, NULL);
}
/*
 * Dissect an array of privilege attributes by handing
 * netlogon_dissect_PRIV_ATTR to dissect_ndr_ucarray as the per-element
 * routine.
 */
static int
netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_PRIV_ATTR);
}
/* Dissect one privilege name as a counted string (level argument 1). */
static int
netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_netlogon_privilege_name, 1);
}
/*
 * Dissect an array of privilege names by handing netlogon_dissect_PRIV_NAME
 * to dissect_ndr_ucarray as the per-element routine.
 */
static int
netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_PRIV_NAME);
}
4008 * IDL typedef struct {
4009 * IDL long privilegeentries;
4010 * IDL long privilegecontrol;
4011 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
4012 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
4013 * IDL QUOTALIMITS quotalimits;
4014 * IDL long SecurityInformation;
4015 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
4016 * IDL UNICODESTRING dummy1;
4017 * IDL UNICODESTRING dummy2;
4018 * IDL UNICODESTRING dummy3;
4019 * IDL UNICODESTRING dummy4;
4020 * IDL long dummy5;
4021 * IDL long dummy6;
4022 * IDL long dummy7;
4023 * IDL long dummy8;
4024 * IDL } DELTA_ACCOUNTS;
/*
 * Dissect a DELTA_ACCOUNTS structure.
 *
 * Fields are consumed in wire order: privilege entry count, privilege
 * control, the two unique pointers to the attribute and name arrays, the
 * quota limits, a system-flags word, the security information word, the
 * security descriptor buffer, four dummy counted strings and four
 * reserved 32-bit words.
 *
 * NOTE(review): the IDL comment preceding this function lists nothing
 * between "quotalimits" and "SecurityInformation", while the code dissects
 * one extra uint32 there as hf_netlogon_systemflags - confirm which of the
 * two matches the protocol.
 *
 * Returns the offset following the structure.
 */
static int
netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    int i;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_privilege_entries, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_privilege_control, NULL);

    /* Deferred arrays; their element counts are parsed by the callbacks. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_PRIV_ATTR_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "PRIV_ATTR_ARRAY:", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_PRIV_NAME_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "PRIV_NAME_ARRAY:", -1);

    offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_systemflags, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);

    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
4084 * IDL typedef struct {
4085 * IDL long len;
4086 * IDL long maxlen;
4087 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
4088 * IDL } CIPHER_VALUE;
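/*
 * Dissect the referent of CIPHER_VALUE.cipher_data: a conformant varying
 * byte array laid out as maximum count, offset, actual count, then the
 * bytes themselves.
 *
 * The maximum count and actual count are shown in the tree; the 4-byte
 * offset word is skipped without being displayed.  The bytes are added
 * under di->hf_index as opaque data (ENC_NA); nothing in this function
 * attempts to decrypt them.
 *
 * The actual count is a 32-bit value taken from the packet, so it is
 * validated against the buffer before it is used as a length and added to
 * the signed offset.  Without that check a value that does not fit in an
 * int (for example 0xFFFFFFFF, which reads as -1) would reach
 * proto_tree_add_item() as a negative length and could move the offset
 * backwards.
 *
 * Returns the offset following the data, or the unchanged offset during a
 * conformant run.  Throws a bounds exception if the claimed length is not
 * present in the buffer.
 */
static int
netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    uint32_t data_len = 0;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_cipher_maxlen, NULL);

    /* skip offset */
    offset += 4;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_cipher_len, &data_len);

    /*
     * Reject lengths the buffer cannot satisfy before using the value.
     * NOTE(review): this relies on tvb_ensure_bytes_exist() throwing for
     * negative lengths as well as for lengths past the end of the buffer -
     * confirm against the tvbuff implementation in this tree.
     */
    tvb_ensure_bytes_exist(tvb, offset, (int)data_len);

    proto_tree_add_item(tree, di->hf_index, tvb, offset,
                        (int)data_len, ENC_NA);
    offset += (int)data_len;

    return offset;
}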
/*
 * Dissect a CIPHER_VALUE structure: length, maximum length and a unique
 * pointer to the cipher bytes.
 *
 * name     - text used both for the subtree and for the pointer item
 * hf_index - field under which netlogon_dissect_CIPHER_VALUE_DATA adds the
 *            raw bytes (passed through dissect_ndr_pointer)
 *
 * A subtree is only created when parent_tree is non-NULL; its length is
 * set afterwards to the number of bytes consumed here.
 *
 * Returns the offset following the structure.
 */
static int
netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *parent_tree,
                              dcerpc_info *di, uint8_t *drep, const char *name, int hf_index)
{
    const int start_offset = offset;
    proto_item *subtree_item = NULL;
    proto_tree *subtree = NULL;

    if (parent_tree != NULL) {
        subtree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                         ett_CYPHER_VALUE, &subtree_item, name);
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
                                hf_netlogon_cipher_len, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
                                hf_netlogon_cipher_maxlen, NULL);

    /* The bytes themselves live in the deferred referent. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, subtree, di, drep,
                                 netlogon_dissect_CIPHER_VALUE_DATA,
                                 NDR_POINTER_UNIQUE,
                                 name, hf_index);

    proto_item_set_len(subtree_item, offset - start_offset);
    return offset;
}
4146 * IDL typedef struct {
4147 * IDL CIPHER_VALUE current_cipher;
4148 * IDL NTTIME current_cipher_set_time;
4149 * IDL CIPHER_VALUE old_cipher;
4150 * IDL NTTIME old_cipher_set_time;
4151 * IDL long SecurityInformation;
4152 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
4153 * IDL UNICODESTRING dummy1;
4154 * IDL UNICODESTRING dummy2;
4155 * IDL UNICODESTRING dummy3;
4156 * IDL UNICODESTRING dummy4;
4157 * IDL long dummy5;
4158 * IDL long dummy6;
4159 * IDL long dummy7;
4160 * IDL long dummy8;
4161 * IDL } DELTA_SECRET;
/*
 * Dissect a DELTA_SECRET structure.
 *
 * Wire order: current cipher value and its set time, old cipher value and
 * its set time, the security information word, the security descriptor
 * buffer, four dummy counted strings and four reserved 32-bit words.
 *
 * Both cipher values are shown as the raw bytes found in the capture;
 * this function and the CIPHER_VALUE helpers it calls do not decrypt them.
 *
 * Returns the offset following the structure.
 */
static int
netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    int i;

    /* current secret */
    offset = netlogon_dissect_CIPHER_VALUE(tvb, offset, pinfo, tree, di, drep,
                                           "CIPHER_VALUE: current cipher value",
                                           hf_netlogon_cipher_current_data);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_cipher_current_set_time);

    /* previous secret */
    offset = netlogon_dissect_CIPHER_VALUE(tvb, offset, pinfo, tree, di, drep,
                                           "CIPHER_VALUE: old cipher value",
                                           hf_netlogon_cipher_old_data);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_cipher_old_set_time);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);

    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8 */
    for (i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
4217 * IDL typedef struct {
4218 * IDL long low_value;
4219 * IDL long high_value;
4220 * } MODIFIED_COUNT;
/*
 * Dissect a MODIFIED_COUNT structure.  The IDL describes it as a low and a
 * high 32-bit word; here both are consumed by one dissect_ndr_duint32()
 * call and shown as hf_netlogon_modify_count.
 *
 * Returns the offset following the value.
 */
static int
netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_modify_count, NULL);
}
/*
 * Delta type codes.  The same numbering is shown for the 16-bit
 * hf_netlogon_delta_type field read by the DELTA_ENUM, DELTA_ID_UNION and
 * DELTA_UNION dissectors.
 */
#define DT_DELTA_DOMAIN             1
#define DT_DELTA_GROUP              2
#define DT_DELTA_DELETE_GROUP       3
#define DT_DELTA_RENAME_GROUP       4
#define DT_DELTA_USER               5
#define DT_DELTA_DELETE_USER        6
#define DT_DELTA_RENAME_USER        7
#define DT_DELTA_GROUP_MEMBER       8
#define DT_DELTA_ALIAS              9
#define DT_DELTA_DELETE_ALIAS       10
#define DT_DELTA_RENAME_ALIAS       11
#define DT_DELTA_ALIAS_MEMBER       12
#define DT_DELTA_POLICY             13
#define DT_DELTA_TRUSTED_DOMAINS    14
#define DT_DELTA_DELETE_TRUST       15
#define DT_DELTA_ACCOUNTS           16
#define DT_DELTA_DELETE_ACCOUNT     17
#define DT_DELTA_SECRET             18
#define DT_DELTA_DELETE_SECRET      19
#define DT_DELTA_DELETE_GROUP2      20
#define DT_DELTA_DELETE_USER2       21
#define DT_MODIFIED_COUNT           22

/* Display names for the delta type codes; terminated by { 0, NULL }. */
static const value_string delta_type_vals[] = {
    { DT_DELTA_DOMAIN,          "Domain" },
    { DT_DELTA_GROUP,           "Group" },
    { DT_DELTA_DELETE_GROUP,    "Delete Group" },
    { DT_DELTA_RENAME_GROUP,    "Rename Group" },
    { DT_DELTA_USER,            "User" },
    { DT_DELTA_DELETE_USER,     "Delete User" },
    { DT_DELTA_RENAME_USER,     "Rename User" },
    { DT_DELTA_GROUP_MEMBER,    "Group Member" },
    { DT_DELTA_ALIAS,           "Alias" },
    { DT_DELTA_DELETE_ALIAS,    "Delete Alias" },
    { DT_DELTA_RENAME_ALIAS,    "Rename Alias" },
    { DT_DELTA_ALIAS_MEMBER,    "Alias Member" },
    { DT_DELTA_POLICY,          "Policy" },
    { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
    { DT_DELTA_DELETE_TRUST,    "Delete Trust" },
    { DT_DELTA_ACCOUNTS,        "Accounts" },
    { DT_DELTA_DELETE_ACCOUNT,  "Delete Account" },
    { DT_DELTA_SECRET,          "Secret" },
    { DT_DELTA_DELETE_SECRET,   "Delete Secret" },
    { DT_DELTA_DELETE_GROUP2,   "Delete Group2" },
    { DT_DELTA_DELETE_USER2,    "Delete User2" },
    { DT_MODIFIED_COUNT,        "Modified Count" },
    { 0, NULL }
};
4283 * IDL typedef [switch_type(short)] union {
4284 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
4285 * IDL [case(2)][unique] DELTA_GROUP *group;
4286 * IDL [case(3)][unique] rid only ;
4287 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
4288 * IDL [case(5)][unique] DELTA_USER *user;
4289 * IDL [case(6)][unique] rid only ;
4290 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
4291 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
4292 * IDL [case(9)][unique] DELTA_ALIAS *alias;
4293 * IDL [case(10)][unique] rid only ;
4294 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *alias;
4295 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
4296 * IDL [case(13)][unique] DELTA_POLICY *policy;
4297 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
4298 * IDL [case(15)][unique] PSID ;
4299 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
4300 * IDL [case(17)][unique] PSID ;
4301 * IDL [case(18)][unique] DELTA_SECRET *secret;
4302 * IDL [case(19)][unique] string;
4303 * IDL [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
4304 * IDL [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
4305 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
4306 * IDL } DELTA_UNION;
/*
 * Dissect a DELTA_UNION: a 16-bit discriminant, alignment to 4 bytes, then
 * a unique pointer whose referent depends on the discriminant.
 *
 * The discriminant comes straight from the packet.  Only the levels listed
 * in the switch below select a member dissector; for every other value
 * (3, 6, 10, 15, 17, 19 and anything outside 1..22) nothing further is
 * consumed after the alignment and no diagnostic is added to the tree.
 *
 * Levels 20 and 21 both use netlogon_dissect_DELTA_DELETE_USER and differ
 * only in the label shown.
 *
 * Returns the offset following the union.
 */
static int
netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *parent_tree,
                             dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *union_item = NULL;
    proto_tree *union_tree = NULL;
    uint16_t level = 0;

    /* Member selected by the discriminant; NULL means "nothing to dissect". */
    int (*member_fn)(tvbuff_t *, int, packet_info *, proto_tree *,
                     dcerpc_info *, uint8_t *) = NULL;
    const char *member_label = NULL;
    int member_hf = -1;

    if (parent_tree != NULL) {
        union_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                            ett_DELTA_UNION, &union_item, "DELTA_UNION:");
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, union_tree, di, drep,
                                hf_netlogon_delta_type, &level);

    ALIGN_TO_4_BYTES;

    switch (level) {
    case 1:
        member_fn = netlogon_dissect_DELTA_DOMAIN;
        member_label = "DELTA_DOMAIN:";
        break;
    case 2:
        member_fn = netlogon_dissect_DELTA_GROUP;
        member_label = "DELTA_GROUP:";
        break;
    case 4:
        member_fn = netlogon_dissect_DELTA_RENAME;
        member_label = "DELTA_RENAME_GROUP:";
        member_hf = hf_netlogon_group_name;
        break;
    case 5:
        member_fn = netlogon_dissect_DELTA_USER;
        member_label = "DELTA_USER:";
        break;
    case 7:
        member_fn = netlogon_dissect_DELTA_RENAME;
        member_label = "DELTA_RENAME_USER:";
        member_hf = hf_netlogon_acct_name;
        break;
    case 8:
        member_fn = netlogon_dissect_DELTA_GROUP_MEMBER;
        member_label = "DELTA_GROUP_MEMBER:";
        break;
    case 9:
        member_fn = netlogon_dissect_DELTA_ALIAS;
        member_label = "DELTA_ALIAS:";
        break;
    case 11:
        member_fn = netlogon_dissect_DELTA_RENAME;
        member_label = "DELTA_RENAME_ALIAS:";
        member_hf = hf_netlogon_alias_name;
        break;
    case 12:
        member_fn = netlogon_dissect_DELTA_ALIAS_MEMBER;
        member_label = "DELTA_ALIAS_MEMBER:";
        break;
    case 13:
        member_fn = netlogon_dissect_DELTA_POLICY;
        member_label = "DELTA_POLICY:";
        break;
    case 14:
        member_fn = netlogon_dissect_DELTA_TRUSTED_DOMAINS;
        member_label = "DELTA_TRUSTED_DOMAINS:";
        break;
    case 16:
        member_fn = netlogon_dissect_DELTA_ACCOUNTS;
        member_label = "DELTA_ACCOUNTS:";
        break;
    case 18:
        member_fn = netlogon_dissect_DELTA_SECRET;
        member_label = "DELTA_SECRET:";
        break;
    case 20:
        member_fn = netlogon_dissect_DELTA_DELETE_USER;
        member_label = "DELTA_DELETE_GROUP:";
        break;
    case 21:
        member_fn = netlogon_dissect_DELTA_DELETE_USER;
        member_label = "DELTA_DELETE_USER:";
        break;
    case 22:
        member_fn = netlogon_dissect_MODIFIED_COUNT;
        member_label = "MODIFIED_COUNT:";
        break;
    }

    if (member_fn != NULL) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, union_tree, di, drep,
                                     member_fn, NDR_POINTER_UNIQUE,
                                     member_label, member_hf);
    }

    proto_item_set_len(union_item, offset - start_offset);
    return offset;
}
4416 /* IDL XXX must verify this one, especially 13-19
4417 * IDL typedef [switch_type(short)] union {
4418 * IDL [case(1)] long rid;
4419 * IDL [case(2)] long rid;
4420 * IDL [case(3)] long rid;
4421 * IDL [case(4)] long rid;
4422 * IDL [case(5)] long rid;
4423 * IDL [case(6)] long rid;
4424 * IDL [case(7)] long rid;
4425 * IDL [case(8)] long rid;
4426 * IDL [case(9)] long rid;
4427 * IDL [case(10)] long rid;
4428 * IDL [case(11)] long rid;
4429 * IDL [case(12)] long rid;
4430 * IDL [case(13)] [unique] SID *sid;
4431 * IDL [case(14)] [unique] SID *sid;
4432 * IDL [case(15)] [unique] SID *sid;
4433 * IDL [case(16)] [unique] SID *sid;
4434 * IDL [case(17)] [unique] SID *sid;
4435 * IDL [case(18)] [unique][string] wchar_t *Name ;
4436 * IDL [case(19)] [unique][string] wchar_t *Name ;
4437 * IDL [case(20)] long rid;
4438 * IDL [case(21)] long rid;
4439 * IDL } DELTA_ID_UNION;
/*
 * Dissect a DELTA_ID_UNION: a 16-bit discriminant, alignment to 4 bytes,
 * then an identifier whose form depends on the discriminant:
 *
 *   1               32-bit RID shown as hf_netlogon_group_rid
 *   2..12, 20, 21   32-bit RID shown as hf_netlogon_user_rid
 *   13..17          pointer to a SID (dissect_ndr_nt_PSID)
 *   18, 19          unique pointer to a string
 *
 * The discriminant comes straight from the packet; any other value consumes
 * nothing after the alignment.  The IDL comment above this function marks
 * the layout, cases 13-19 in particular, as still to be verified.
 *
 * Returns the offset following the union.
 */
static int
netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *parent_tree,
                                dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *union_item = NULL;
    proto_tree *union_tree = NULL;
    uint16_t level = 0;

    if (parent_tree != NULL) {
        union_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                            ett_DELTA_ID_UNION, &union_item, "DELTA_ID_UNION:");
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, union_tree, di, drep,
                                hf_netlogon_delta_type, &level);

    ALIGN_TO_4_BYTES;

    switch (level) {
    case 1:
        offset = dissect_ndr_uint32(tvb, offset, pinfo, union_tree, di, drep,
                                    hf_netlogon_group_rid, NULL);
        break;

    case 2:
    case 3:
    case 4:
    case 5:
    case 6:
    case 7:
    case 8:
    case 9:
    case 10:
    case 11:
    case 12:
    case 20:
    case 21:
        offset = dissect_ndr_uint32(tvb, offset, pinfo, union_tree, di, drep,
                                    hf_netlogon_user_rid, NULL);
        break;

    case 13:
    case 14:
    case 15:
    case 16:
    case 17:
        offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, union_tree, di, drep);
        break;

    case 18:
    case 19:
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
                                              union_tree, di, drep,
                                              NDR_POINTER_UNIQUE, "unknown",
                                              hf_netlogon_unknown_string, 0);
        break;
    }

    proto_item_set_len(union_item, offset - start_offset);
    return offset;
}
4549 * IDL typedef struct {
4550 * IDL short delta_type;
4551 * IDL DELTA_ID_UNION delta_id_union;
4552 * IDL DELTA_UNION delta_union;
4553 * IDL } DELTA_ENUM;
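/*
 * Dissect one DELTA_ENUM entry: the 16-bit delta type followed by the
 * DELTA_ID_UNION and DELTA_UNION that describe the change.
 *
 * The delta type is appended to the subtree label using delta_type_vals;
 * values not in that table are labelled "Unknown".
 *
 * The type variable starts at 0, matching the "level" variables in the two
 * union dissectors, so the label lookup never reads an indeterminate value
 * should dissect_ndr_uint16() return without storing one.  The lookup uses
 * val_to_str_const() because the fallback text contains no conversion
 * specifier.
 *
 * Returns the offset following the entry.
 */
static int
netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *parent_tree,
                            dcerpc_info *di, uint8_t *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    int old_offset = offset;
    uint16_t type = 0;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DELTA_ENUM, &item, "DELTA_ENUM:");
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_delta_type, &type);

    proto_item_append_text(item, "%s",
                           val_to_str_const(type, delta_type_vals, "Unknown"));

    offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
                                             pinfo, tree, di, drep);

    offset = netlogon_dissect_DELTA_UNION(tvb, offset,
                                          pinfo, tree, di, drep);

    proto_item_set_len(item, offset - old_offset);
    return offset;
}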
/*
 * Dissect the array of DELTA_ENUM entries by handing each element to
 * netlogon_dissect_DELTA_ENUM through dissect_ndr_ucarray().
 *
 * The element count is read from the packet inside dissect_ndr_ucarray();
 * this function performs no length handling of its own.
 *
 * Returns the offset following the array.
 */
static int
netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DELTA_ENUM);
}
4598 * IDL typedef struct {
4599 * IDL long num_deltas;
4600 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
4601 * IDL } DELTA_ENUM_ARRAY;
/*
 * Dissect a DELTA_ENUM_ARRAY structure: the num_deltas word followed by a
 * unique pointer to the array of DELTA_ENUM entries.
 *
 * num_deltas is only displayed; it is not used here to bound the array,
 * which is parsed by netlogon_dissect_DELTA_ENUM_array.
 *
 * Returns the offset following the structure.
 */
static int
netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_deltas, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DELTA_ENUM_array,
                               NDR_POINTER_UNIQUE,
                               "DELTA_ENUM: deltas", -1);
}
4620 * IDL long NetrDatabaseDeltas(
4621 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4622 * IDL [in][string][ref] wchar_t *computername,
4623 * IDL [in][ref] AUTHENTICATOR credential,
4624 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4625 * IDL [in] long database_id,
4626 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
4627 * IDL [in] long preferredmaximumlength,
4628 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4629 * IDL );
/*
 * Dissect a NetrDatabaseDeltas request.
 *
 * Wire order: logon server name, computer name, the credential and return
 * authenticators, the database id, the domain modified count and the
 * preferred maximum length.
 *
 * Returns the offset following the request parameters.
 */
static int
netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* [in] logonserver, computername */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* [in] credential, [in,out] return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* [in] database_id */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_database_id, NULL);

    /* [in,out] domain_modify_count */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
                                 "MODIFIED_COUNT: domain modified count", -1);

    /* [in] preferredmaximumlength */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrDatabaseDeltas reply.
 *
 * Wire order: return authenticator, domain modified count, a unique
 * pointer to the DELTA_ENUM_ARRAY carrying the deltas, and the NTSTATUS
 * return code.
 *
 * Returns the offset following the return code.
 */
static int
netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
                                 "MODIFIED_COUNT: domain modified count", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
4685 * IDL long NetrDatabaseSync(
4686 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4687 * IDL [in][string][ref] wchar_t *computername,
4688 * IDL [in][ref] AUTHENTICATOR credential,
4689 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4690 * IDL [in] long database_id,
4691 * IDL [in][out][ref] long sync_context,
4692 * IDL [in] long preferredmaximumlength,
4693 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4694 * IDL );
/*
 * Dissect a NetrDatabaseSync request.
 *
 * Wire order: logon server name, computer name, the credential and return
 * authenticators, the database id, the sync context and the preferred
 * maximum length.
 *
 * Returns the offset following the request parameters.
 */
static int
netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* [in] logonserver, computername */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* [in] credential, [in,out] return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* [in] database_id, [in,out] sync_context */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_database_id, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    /* [in] preferredmaximumlength */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrDatabaseSync reply.
 *
 * Wire order: return authenticator, sync context, a unique pointer to the
 * DELTA_ENUM_ARRAY carrying the deltas, and the NTSTATUS return code.
 *
 * Returns the offset following the return code.
 */
static int
netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
4749 * IDL typedef struct {
4750 * IDL char computer_name[16];
4751 * IDL long timecreated;
4752 * IDL long serial_number;
4753 * IDL } UAS_INFO_0;
/*
 * Dissect a UAS_INFO_0 structure: a fixed 16-byte computer name, a 32-bit
 * creation time and a 32-bit serial number.
 *
 * The creation time is read with the byte order given by drep and shown
 * with the literal text "unknown time format" instead of a decoded date.
 * Nothing is dissected during a conformant run.
 *
 * Returns the offset following the structure.
 */
static int
netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    uint32_t created;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    /* char computer_name[16] */
    proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, ENC_ASCII);
    offset += 16;

    /* long timecreated */
    created = tvb_get_uint32(tvb, offset, DREP_ENC_INTEGER(drep));
    proto_tree_add_uint_format_value(tree, hf_netlogon_time_created, tvb,
                                     offset, 4, created, "unknown time format");
    offset += 4;

    /* long serial_number */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_serial_number, NULL);
}
4781 * IDL long NetrAccountDeltas(
4782 * IDL [in][string][unique] wchar_t *logonserver,
4783 * IDL [in][string][ref] wchar_t *computername,
4784 * IDL [in][ref] AUTHENTICATOR credential,
4785 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4786 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4787 * IDL [out][ref] long count_returned,
4788 * IDL [out][ref] long total_entries,
4789 * IDL [in][out][ref] UAS_INFO_0 recordid,
4790 * IDL [in][long] count,
4791 * IDL [in][long] level,
4792 * IDL [in][long] buffersize,
4793 * IDL );
/*
 * Dissect a NetrAccountDeltas request.
 *
 * Wire order: logon server handle, computer name, the credential and
 * return authenticators, the UAS_INFO_0 record id, then the count, level
 * and buffer size words.
 *
 * Returns the offset following the request parameters.
 */
static int
netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* [in] logonserver, computername */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* [in] credential, [in,out] return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* [in,out] recordid */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                                 "UAS_INFO_0: RecordID", -1);

    /* [in] count, level */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    /* [in] buffersize */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrAccountDeltas reply.
 *
 * Wire order: return authenticator, the returned byte buffer, the count
 * and total entries words, the UAS_INFO_0 record id and the NTSTATUS
 * return code.
 *
 * The buffer is parsed by netlogon_dissect_BYTE_array; the count word that
 * follows it is only displayed here.
 *
 * Returns the offset following the return code.
 */
static int
netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                                 "BYTE_array: Buffer", -1);

    /* count_returned, total_entries */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                                 "UAS_INFO_0: RecordID", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
4858 * IDL long NetrAccountSync(
4859 * IDL [in][string][unique] wchar_t *logonserver,
4860 * IDL [in][string][ref] wchar_t *computername,
4861 * IDL [in][ref] AUTHENTICATOR credential,
4862 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4863 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4864 * IDL [out][ref] long count_returned,
4865 * IDL [out][ref] long total_entries,
4866 * IDL [out][ref] long next_reference,
4867 * IDL [in][long] reference,
4868 * IDL [in][long] level,
4869 * IDL [in][long] buffersize,
4870 * IDL [in][out][ref] UAS_INFO_0 recordid,
4871 * IDL );
/*
 * Dissect a NetrAccountSync request.
 *
 * Wire order: logon server handle, computer name, the credential and
 * return authenticators, then the reference, level and buffer size words.
 *
 * NOTE(review): the IDL comment above lists recordid as [in][out], but it
 * is not dissected in this request, only in the reply - confirm whether
 * the request should consume it as well.
 *
 * Returns the offset following the request parameters.
 */
static int
netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* [in] logonserver, computername */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* [in] credential, [in,out] return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* [in] reference, level */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_reference, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    /* [in] buffersize */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrAccountSync reply.
 *
 * Wire order: return authenticator, the returned byte buffer, the count,
 * total entries and next reference words, the UAS_INFO_0 record id and the
 * NTSTATUS return code.
 *
 * The buffer is parsed by netlogon_dissect_BYTE_array; the count word that
 * follows it is only displayed here.
 *
 * Returns the offset following the return code.
 */
static int
netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                                 "BYTE_array: Buffer", -1);

    /* count_returned, total_entries, next_reference */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_next_reference, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                                 "UAS_INFO_0: RecordID", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
4935 * IDL long NetrGetDcName(
4936 * IDL [in][ref][string] wchar_t *logon_server,
4937 * IDL [in][unique][string] wchar_t *domainname,
4938 * IDL [out][unique][string] wchar_t *dcname,
4939 * IDL };
/*
 * Dissect a NetrGetDcName request: the logon server name (ref pointer)
 * followed by the domain name (unique pointer).
 *
 * Returns the offset following the request parameters.
 */
static int
netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_UNIQUE, "Domain",
                                        hf_netlogon_domain_name, 0);
}
/*
 * Dissect a NetrGetDcName reply: the returned DC name (unique pointer,
 * shown as hf_netlogon_dc_name under the label "Domain") followed by the
 * NTSTATUS return code.
 *
 * Returns the offset following the return code.
 */
static int
netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_dc_name, 0);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * IDL typedef struct {
 * IDL   long flags;
 * IDL   long pdc_connection_status;
 * IDL } NETLOGON_INFO_1;
 */
/*
 * Dissect a NETLOGON_INFO_1 structure: two 32-bit values, flags and
 * pdc_connection_status. Returns the offset after the second value.
 */
static int
netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_flags, NULL);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_pdc_connection_status, NULL);
}
/*
 * IDL typedef struct {
 * IDL   long flags;
 * IDL   long pdc_connection_status;
 * IDL   [unique][string] wchar_t trusted_dc_name;
 * IDL   long tc_connection_status;
 * IDL } NETLOGON_INFO_2;
 */
/*
 * Dissect a NETLOGON_INFO_2 structure in wire order: flags,
 * pdc_connection_status, the unique "Trusted DC Name" string pointer and
 * tc_connection_status. Returns the offset after the last field.
 */
static int
netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_pdc_connection_status, NULL);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
        NDR_POINTER_UNIQUE, "Trusted DC Name",
        hf_netlogon_trusted_dc_name, 0);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_tc_connection_status, NULL);
}
/*
 * IDL typedef struct {
 * IDL   long flags;
 * IDL   long logon_attempts;
 * IDL   long reserved;
 * IDL   long reserved;
 * IDL   long reserved;
 * IDL   long reserved;
 * IDL   long reserved;
 * IDL } NETLOGON_INFO_3;
 */
/*
 * Dissect a NETLOGON_INFO_3 structure: flags, logon_attempts and five
 * reserved 32-bit values, all added to the tree.
 * Returns the offset after the last reserved value.
 */
static int
netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    /* Number of trailing "reserved" longs in the IDL above. */
    enum { NETLOGON_INFO_3_RESERVED_COUNT = 5 };

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_logon_attempts, NULL);

    for (int i = 0; i < NETLOGON_INFO_3_RESERVED_COUNT; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_reserved, NULL);
    }

    return offset;
}
/*
 * IDL typedef [switch_type(long)] union {
 * IDL   [case(1)] [unique] NETLOGON_INFO_1 *i1;
 * IDL   [case(2)] [unique] NETLOGON_INFO_2 *i2;
 * IDL   [case(3)] [unique] NETLOGON_INFO_3 *i3;
 * IDL } CONTROL_QUERY_INFORMATION;
 */
/*
 * Dissect the CONTROL_QUERY_INFORMATION union: read the 32-bit level
 * discriminant, align to 4 bytes, then dissect the unique pointer to the
 * NETLOGON_INFO_n structure selected by that level.
 *
 * The level comes from the packet. Levels other than 1, 2 and 3 add nothing
 * beyond the level field itself; the offset is returned as it stands after
 * the alignment.
 */
static int
netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    uint32_t level = 0;
    /* Arm dissector and tree label chosen by the discriminant. */
    int (*info_dissector)(tvbuff_t *, int, packet_info *, proto_tree *,
                          dcerpc_info *, uint8_t *) = NULL;
    const char *info_label = NULL;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_level, &level);

    ALIGN_TO_4_BYTES;

    switch (level) {
    case 1:
        info_dissector = netlogon_dissect_NETLOGON_INFO_1;
        info_label = "NETLOGON_INFO_1:";
        break;
    case 2:
        info_dissector = netlogon_dissect_NETLOGON_INFO_2;
        info_label = "NETLOGON_INFO_2:";
        break;
    case 3:
        info_dissector = netlogon_dissect_NETLOGON_INFO_3;
        info_label = "NETLOGON_INFO_3:";
        break;
    default:
        /* Unknown level: no arm to dissect. */
        break;
    }

    if (info_dissector != NULL) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            info_dissector, NDR_POINTER_UNIQUE, info_label, -1);
    }

    return offset;
}
/*
 * IDL long NetrLogonControl(
 * IDL      [in][string][unique] wchar_t *logonserver,
 * IDL      [in] long function_code,
 * IDL      [in] long level,
 * IDL      [out][ref] CONTROL_QUERY_INFORMATION
 * IDL );
 */
/*
 * Dissect the NetrLogonControl request: the logon server handle, then the
 * 32-bit function code and the 32-bit level.
 * Returns the offset after the level field.
 */
static int
netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
        pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_code, NULL);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_level, NULL);
}
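/*
 * Dissect the NetrLogonControl reply: the ref pointer to
 * CONTROL_QUERY_INFORMATION followed by the 32-bit WERR return code.
 * A non-zero code is appended to the Info column using WERR_errors_ext.
 * Returns the offset after the return code.
 *
 * Also called by the NetrLogonControl2 and NetrLogonControl2Ex reply
 * dissectors in this file.
 */
static int
netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /*
     * Initialised like the `level` locals of the union dissectors in this
     * file, so the test below never reads an indeterminate value should
     * dissect_ndr_uint32() return without storing a result.
     */
    uint32_t status = 0;

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
        "CONTROL_QUERY_INFORMATION:", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_netlogon_werr_rc, &status);

    if (status != 0) {
        col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown WERR error 0x%08x"));
    }

    return offset;
}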
/*
 * IDL long NetrGetAnyDCName(
 * IDL      [in][unique][string] wchar_t *logon_server,
 * IDL      [in][unique][string] wchar_t *domainname,
 * IDL      [out][unique][string] wchar_t *dcname,
 * IDL };
 */
/*
 * Dissect the NetrGetAnyDCName request: two unique string pointers, shown
 * as "Server Handle" and "Domain". Returns the offset after the second.
 */
static int
netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
        NDR_POINTER_UNIQUE, "Server Handle",
        hf_netlogon_logonsrv_handle, 0);

    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
        NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
}
/*
 * Dissect the NetrGetAnyDCName reply: a unique string pointer bound to
 * hf_netlogon_dc_name, then a status dissected with dissect_ntstatus()
 * into hf_netlogon_dos_rc. Returns the offset after the status.
 *
 * NOTE(review): the tree label is "Domain" although the field is the DC
 * name (IDL parameter dcname) - confirm whether that label is intended.
 */
static int
netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
        NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_dos_rc, NULL);
}
/*
 * IDL typedef [switch_type(long)] union {
 * IDL   [case(5)] [unique][string] wchar_t *unknown;
 * IDL   [case(6)] [unique][string] wchar_t *unknown;
 * IDL   [case(0xfffe)] long unknown;
 * IDL   [case(7)] [unique][string] wchar_t *unknown;
 * IDL } CONTROL_DATA_INFORMATION;
 */
/* XXX
 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
 * to look like. However NetMon does not recognize any such informationlevels.
 *
 * I'll leave it as CONTROL_DATA_INFORMATION with no informationlevels
 * until someone has any source of better authority to call upon.
 */
/*
 * Dissect the CONTROL_DATA_INFORMATION union: read the 32-bit level
 * discriminant, align to 4 bytes, then dissect the arm selected by it.
 *
 *   5, 6   - unique string pointer "Trusted Domain Name"
 *   0xfffe - one 32-bit value (hf_netlogon_unknown_long)
 *   8      - unique string pointer "UserName"
 *
 * The level comes from the packet; any other value dissects nothing more.
 *
 * NOTE(review): the IDL comment above lists case(7) for the last string
 * arm, while the code handles level 8 - one of the two needs correcting.
 */
static int
netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    uint32_t level = 0;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_level, &level);

    ALIGN_TO_4_BYTES;

    switch (level) {
    case 5:
    case 6:
        /* Both levels carry the same trusted-domain-name string. */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
            tree, di, drep, NDR_POINTER_UNIQUE, "Trusted Domain Name",
            hf_netlogon_TrustedDomainName_string, 0);
        break;
    case 0xfffe:
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_unknown_long, NULL);
        break;
    case 8:
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
            tree, di, drep, NDR_POINTER_UNIQUE, "UserName",
            hf_netlogon_UserName_string, 0);
        break;
    default:
        /* Unknown level: no arm to dissect. */
        break;
    }

    return offset;
}
/*
 * IDL long NetrLogonControl2(
 * IDL      [in][string][unique] wchar_t *logonserver,
 * IDL      [in] long function_code,
 * IDL      [in] long level,
 * IDL      [in][ref] CONTROL_DATA_INFORMATION *data,
 * IDL      [out][ref] CONTROL_QUERY_INFORMATION *query
 * IDL );
 */
/*
 * Dissect the NetrLogonControl2 request: logon server handle, 32-bit
 * function code, 32-bit level, then the ref pointer to
 * CONTROL_DATA_INFORMATION. Returns the offset after that pointer.
 */
static int
netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
        pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_level, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
        "CONTROL_DATA_INFORMATION: ", -1);
}
/*
 * Dissect the NetrLogonControl2 reply by delegating to the
 * NetrLogonControl reply dissector; its return value is passed through
 * unchanged.
 */
static int
netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    int end_offset = netlogon_dissect_netrlogoncontrol_reply(tvb, offset,
        pinfo, tree, di, drep);

    return end_offset;
}
/*
 * IDL long NetrDatabaseSync2(
 * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
 * IDL      [in][string][ref] wchar_t *computername,
 * IDL      [in][ref] AUTHENTICATOR credential,
 * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
 * IDL      [in] long database_id,
 * IDL      [in] short restart_state,
 * IDL      [in][out][ref] long *sync_context,
 * IDL      [in] long preferredmaximumlength,
 * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
 * IDL );
 */
/*
 * Dissect the NetrDatabaseSync2 request in wire order: server and computer
 * name strings (both ref pointers), the credential and return
 * authenticators, database id, 16-bit restart state, sync context and the
 * maximum size. Returns the offset after the last field.
 */
static int
netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* Names */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
        NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
        NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

    /* Authenticators */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    /* Scalar parameters */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_database_id, NULL);

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_restart_state, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_sync_context, NULL);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_max_size, NULL);
}
/*
 * Dissect the NetrDatabaseSync2 reply: the return authenticator, the
 * 32-bit sync context, the unique pointer to the DELTA_ENUM_ARRAY and the
 * NTSTATUS return code. Returns the offset after the return code.
 */
static int
netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_sync_context, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
        "DELTA_ENUM_ARRAY: deltas", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_rc, NULL);
}
/*
 * IDL long NetrDatabaseRedo(
 * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
 * IDL      [in][string][ref] wchar_t *computername,
 * IDL      [in][ref] AUTHENTICATOR credential,
 * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
 * IDL      [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
 * IDL      [in] long change_log_entry_size,
 * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
 * IDL );
 */
/*
 * Dissect the NetrDatabaseRedo request in wire order: server and computer
 * name strings (both ref pointers), the credential and return
 * authenticators, the change log entry as a byte array, and its 32-bit
 * size. Returns the offset after the size field.
 */
static int
netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* Names */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
        NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
        NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

    /* Authenticators */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    /* Change log entry and its size */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_BYTE_array, NDR_POINTER_REF,
        "Change log entry: ", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_max_log_size, NULL);
}
/*
 * Dissect the NetrDatabaseRedo reply: the return authenticator, the unique
 * pointer to the DELTA_ENUM_ARRAY and the NTSTATUS return code.
 * Returns the offset after the return code.
 */
static int
netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
        "DELTA_ENUM_ARRAY: deltas", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_rc, NULL);
}
/*
 * IDL long NetrLogonControl2Ex(
 * IDL      [in][string][unique] wchar_t *logonserver,
 * IDL      [in] long function_code,
 * IDL      [in] long level,
 * IDL      [in][ref] CONTROL_DATA_INFORMATION *data,
 * IDL      [out][ref] CONTROL_QUERY_INFORMATION *query
 * IDL );
 */
/*
 * Dissect the NetrLogonControl2Ex request: logon server handle, 32-bit
 * function code, 32-bit level, then the ref pointer to
 * CONTROL_DATA_INFORMATION. The field sequence is the same as in the
 * NetrLogonControl2 request dissector.
 * Returns the offset after that pointer.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
        pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_level, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
        "CONTROL_DATA_INFORMATION: ", -1);
}
/*
 * Dissect the NetrLogonControl2Ex reply by delegating to the
 * NetrLogonControl reply dissector; its return value is passed through
 * unchanged.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    int end_offset = netlogon_dissect_netrlogoncontrol_reply(tvb, offset,
        pinfo, tree, di, drep);

    return end_offset;
}
/* Display names for the numeric trust type values. */
static const value_string trust_type_vals[] = {
    { 1, "NT4 Domain" },
    { 2, "AD Domain" },
    { 3, "MIT Kerberos realm" },
    { 4, "DCE realm" },
    { 0, NULL }
};

/* Domain controller address type values and their display names. */
#define DS_INET_ADDRESS         1
#define DS_NETBIOS_ADDRESS      2

static const value_string dc_address_types[] = {
    { DS_INET_ADDRESS,    "IP/DNS name" },
    { DS_NETBIOS_ADDRESS, "NetBIOS name" },
    { 0, NULL}
};

/* RQ_* bit values; their users are not visible in this part of the file. */
#define RQ_ROOT_FOREST          0x0001
#define RQ_DC_XFOREST           0x0002
#define RQ_RODC_DIF_DOMAIN      0x0004
#define RQ_NTLM_FROM_RODC       0x0008

/* Bit values of the domain trust flags mask. */
#define DS_DOMAIN_IN_FOREST         0x0001
#define DS_DOMAIN_DIRECT_OUTBOUND   0x0002
#define DS_DOMAIN_TREE_ROOT         0x0004
#define DS_DOMAIN_PRIMARY           0x0008
#define DS_DOMAIN_NATIVE_MODE       0x0010
#define DS_DOMAIN_DIRECT_INBOUND    0x0020

/*
 * Set/clear descriptions for the individual trust flag bits
 * (presumably referenced by the hf_netlogon_trust_flags_* field
 * registrations elsewhere in the file).
 */
static const true_false_string trust_inbound = {
    "There is a DIRECT INBOUND trust for the servers domain",
    "There is NO direct inbound trust for the servers domain"
};
static const true_false_string trust_outbound = {
    "There is a DIRECT OUTBOUND trust for this domain",
    "There is NO direct outbound trust for this domain"
};
static const true_false_string trust_in_forest = {
    "The domain is a member IN the same FOREST as the queried server",
    "The domain is NOT a member of the queried servers domain"
};
static const true_false_string trust_native_mode = {
    "The primary domain is a NATIVE MODE w2k domain",
    "The primary is NOT a native mode w2k domain"
};
static const true_false_string trust_primary = {
    "The domain is the PRIMARY domain of the queried server",
    "The domain is NOT the primary domain of the queried server"
};
static const true_false_string trust_tree_root = {
    "The domain is the ROOT of a domain TREE",
    "The domain is NOT a root of a domain tree"
};
/*
 * Dissect the 32-bit domain trust flags and add them to parent_tree as a
 * bitmask item (hf_netlogon_trust_flags) with one sub-field per flag.
 *
 * Nothing is dissected during a conformant run. Otherwise the value is read
 * with a NULL tree so that only the bitmask item is added, and the offset
 * after the value is returned.
 */
static int
netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    static int * const trust_flag_fields[] = {
        &hf_netlogon_trust_flags_inbound,
        &hf_netlogon_trust_flags_native_mode,
        &hf_netlogon_trust_flags_primary,
        &hf_netlogon_trust_flags_tree_root,
        &hf_netlogon_trust_flags_outbound,
        &hf_netlogon_trust_flags_in_forest,
        NULL
    };
    uint32_t trust_mask;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
        -1, &trust_mask);

    /* offset-4: the item covers the four bytes of the value just read. */
    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
        hf_netlogon_trust_flags, ett_trust_flags, trust_flag_fields,
        trust_mask, BMT_NO_APPEND);

    return offset;
}
/*
 * Set/clear descriptions for the individual trust attribute bits
 * (presumably referenced by the hf_netlogon_trust_attribs_* field
 * registrations elsewhere in the file). Every "clear" text is the same.
 */
static const true_false_string trust_attribs_non_transitive = {
    "This is a NON TRANSITIVE trust relation",
    "This is a normal trust"
};
static const true_false_string trust_attribs_uplevel_only = {
    "This is an UPLEVEL ONLY trust relation",
    "This is a normal trust"
};
static const true_false_string trust_attribs_quarantined_domain = {
    "This is a QUARANTINED DOMAIN (so don't expect lookupsids to work)",
    "This is a normal trust"
};
static const true_false_string trust_attribs_forest_transitive = {
    "This is a FOREST TRANSITIVE trust",
    "This is a normal trust"
};
static const true_false_string trust_attribs_cross_organization = {
    "This is a CROSS ORGANIZATION trust",
    "This is a normal trust"
};
static const true_false_string trust_attribs_within_forest = {
    "This is a WITHIN FOREST trust",
    "This is a normal trust"
};
static const true_false_string trust_attribs_treat_as_external = {
    "TREAT this trust AS an EXTERNAL trust",
    "This is a normal trust"
};
/*
 * Dissect the 32-bit domain trust attributes and add them to parent_tree
 * as a bitmask item (hf_netlogon_trust_attribs) with one sub-field per
 * attribute.
 *
 * Nothing is dissected during a conformant run. Otherwise the value is read
 * with a NULL tree so that only the bitmask item is added, and the offset
 * after the value is returned.
 */
static int
netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    static int * const trust_attrib_fields[] = {
        &hf_netlogon_trust_attribs_treat_as_external,
        &hf_netlogon_trust_attribs_within_forest,
        &hf_netlogon_trust_attribs_cross_organization,
        &hf_netlogon_trust_attribs_forest_transitive,
        &hf_netlogon_trust_attribs_quarantined_domain,
        &hf_netlogon_trust_attribs_uplevel_only,
        &hf_netlogon_trust_attribs_non_transitive,
        NULL
    };
    uint32_t attrib_mask;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
        -1, &attrib_mask);

    /* offset-4: the item covers the four bytes of the value just read. */
    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
        hf_netlogon_trust_attribs, ett_trust_attribs, trust_attrib_fields,
        attrib_mask, BMT_NO_APPEND);

    return offset;
}
/* Bit values of the get-DC-name request flags mask. */
#define DS_FORCE_REDISCOVERY            0x00000001
#define DS_DIRECTORY_SERVICE_REQUIRED   0x00000010
#define DS_DIRECTORY_SERVICE_PREFERRED  0x00000020
#define DS_GC_SERVER_REQUIRED           0x00000040
#define DS_PDC_REQUIRED                 0x00000080
#define DS_BACKGROUND_ONLY              0x00000100
#define DS_IP_REQUIRED                  0x00000200
#define DS_KDC_REQUIRED                 0x00000400
#define DS_TIMESERV_REQUIRED            0x00000800
#define DS_WRITABLE_REQUIRED            0x00001000
#define DS_GOOD_TIMESERV_PREFERRED      0x00002000
#define DS_AVOID_SELF                   0x00004000
#define DS_ONLY_LDAP_NEEDED             0x00008000
#define DS_IS_FLAT_NAME                 0x00010000
#define DS_IS_DNS_NAME                  0x00020000
#define DS_RETURN_DNS_NAME              0x40000000
#define DS_RETURN_FLAT_NAME             0x80000000

/*
 * Set/clear descriptions for the individual request flag bits
 * (presumably referenced by the hf_netlogon_get_dcname_request_flags_*
 * field registrations elsewhere in the file).
 */
static const true_false_string get_dcname_request_flags_force_rediscovery = {
    "FORCE REDISCOVERY of any cached data",
    "You may return cached data"
};
static const true_false_string get_dcname_request_flags_directory_service_required = {
    "DIRECTORY SERVICE is REQUIRED on the server",
    "We do NOT require directory service servers"
};
static const true_false_string get_dcname_request_flags_directory_service_preferred = {
    "DIRECTORY SERVICE servers are PREFERRED",
    "We do NOT have a preference for directory service servers"
};
static const true_false_string get_dcname_request_flags_gc_server_required = {
    "GC SERVER is REQUIRED",
    "gc server is NOT required"
};
static const true_false_string get_dcname_request_flags_pdc_required = {
    "PDC SERVER is REQUIRED",
    "pdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_background_only = {
    "Only return cached data, even if it has expired",
    "Return cached data unless it has expired"
};
static const true_false_string get_dcname_request_flags_ip_required = {
    "IP address is REQUIRED",
    "ip address is NOT required"
};
static const true_false_string get_dcname_request_flags_kdc_required = {
    "KDC server is REQUIRED",
    "kdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_timeserv_required = {
    "TIMESERV service is REQUIRED",
    "timeserv service is NOT required"
};
static const true_false_string get_dcname_request_flags_writable_required = {
    "the returned dc MUST be WRITEABLE",
    "a read-only dc may be returned"
};
static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
    "GOOD TIMESERV servers are PREFERRED",
    "we do NOT have a preference for good timeserv servers"
};
static const true_false_string get_dcname_request_flags_avoid_self = {
    "do NOT return self as dc; return someone else",
    "you may return yourSELF as the dc"
};
static const true_false_string get_dcname_request_flags_only_ldap_needed = {
    "we ONLY NEED LDAP; you don't have to return a dc",
    "we need a normal dc; an ldap only server will not do"
};
static const true_false_string get_dcname_request_flags_is_flat_name = {
    "the name we specify is a NetBIOS name",
    "the name we specify is NOT a NetBIOS name"
};
static const true_false_string get_dcname_request_flags_is_dns_name = {
    "the name we specify is a DNS name",
    "the name we specify is NOT a dns name"
};
static const true_false_string get_dcname_request_flags_return_dns_name = {
    "return a DNS name",
    "you may return a NON-dns name"
};
static const true_false_string get_dcname_request_flags_return_flat_name = {
    "return a NetBIOS name",
    "you may return a NON-NetBIOS name"
};
/*
 * Dissect the 32-bit get-DC-name request flags and add them to parent_tree
 * as a bitmask item (hf_netlogon_get_dcname_request_flags) with one
 * sub-field per flag.
 *
 * Nothing is dissected during a conformant run. Otherwise the value is read
 * with a NULL tree so that only the bitmask item is added, and the offset
 * after the value is returned.
 */
static int
netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    static int * const request_flag_fields[] = {
        &hf_netlogon_get_dcname_request_flags_return_flat_name,
        &hf_netlogon_get_dcname_request_flags_return_dns_name,
        &hf_netlogon_get_dcname_request_flags_is_flat_name,
        &hf_netlogon_get_dcname_request_flags_is_dns_name,
        &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
        &hf_netlogon_get_dcname_request_flags_avoid_self,
        &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
        &hf_netlogon_get_dcname_request_flags_writable_required,
        &hf_netlogon_get_dcname_request_flags_timeserv_required,
        &hf_netlogon_get_dcname_request_flags_kdc_required,
        &hf_netlogon_get_dcname_request_flags_ip_required,
        &hf_netlogon_get_dcname_request_flags_background_only,
        &hf_netlogon_get_dcname_request_flags_pdc_required,
        &hf_netlogon_get_dcname_request_flags_gc_server_required,
        &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
        &hf_netlogon_get_dcname_request_flags_directory_service_required,
        &hf_netlogon_get_dcname_request_flags_force_rediscovery,
        NULL
    };
    uint32_t request_mask;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
        -1, &request_mask);

    /* offset-4: the item covers the four bytes of the value just read. */
    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
        hf_netlogon_get_dcname_request_flags, ett_get_dcname_request_flags,
        request_flag_fields, request_mask, BMT_NO_APPEND);

    return offset;
}
/* Bit values of the domain controller flags mask. */
#define DS_PDC_FLAG             0x00000001
#define DS_GC_FLAG              0x00000004
#define DS_LDAP_FLAG            0x00000008
#define DS_DS_FLAG              0x00000010
#define DS_KDC_FLAG             0x00000020
#define DS_TIMESERV_FLAG        0x00000040
#define DS_CLOSEST_FLAG         0x00000080
#define DS_WRITABLE_FLAG        0x00000100
#define DS_GOOD_TIMESERV_FLAG   0x00000200
#define DS_NDNC_FLAG            0x00000400
#define DS_DNS_CONTROLLER_FLAG  0x20000000
#define DS_DNS_DOMAIN_FLAG      0x40000000
#define DS_DNS_FOREST_FLAG      0x80000000

/*
 * Set/clear descriptions for the individual DC flag bits (presumably
 * referenced by the hf_netlogon_dc_flags_* field registrations elsewhere
 * in the file).
 */
static const true_false_string dc_flags_pdc_flag = {
    "this is the PDC of the domain",
    "this is NOT the pdc of the domain"
};
static const true_false_string dc_flags_gc_flag = {
    "this is the GC of the forest",
    "this is NOT the gc of the forest"
};
static const true_false_string dc_flags_ldap_flag = {
    "this is an LDAP server",
    "this is NOT an ldap server"
};
static const true_false_string dc_flags_ds_flag = {
    "this is a DS server",
    "this is NOT a ds server"
};
static const true_false_string dc_flags_kdc_flag = {
    "this is a KDC server",
    "this is NOT a kdc server"
};
static const true_false_string dc_flags_timeserv_flag = {
    "this is a TIMESERV server",
    "this is NOT a timeserv server"
};
static const true_false_string dc_flags_closest_flag = {
    "this is the CLOSEST server",
    "this is NOT the closest server"
};
static const true_false_string dc_flags_writable_flag = {
    "this server has a WRITABLE ds database",
    "this server has a READ-ONLY ds database"
};
static const true_false_string dc_flags_good_timeserv_flag = {
    "this server is a GOOD TIMESERV server",
    "this is NOT a good timeserv server"
};
static const true_false_string dc_flags_ndnc_flag = {
    "NDNC is set",
    "ndnc is NOT set"
};
static const true_false_string dc_flags_dns_controller_flag = {
    "DomainControllerName is a DNS name",
    "DomainControllerName is NOT a dns name"
};
static const true_false_string dc_flags_dns_domain_flag = {
    "DomainName is a DNS name",
    "DomainName is NOT a dns name"
};
static const true_false_string dc_flags_dns_forest_flag = {
    "DnsForestName is a DNS name",
    "DnsForestName is NOT a dns name"
};
/*
 * Dissect the 32-bit domain controller flags and add them to parent_tree
 * as a bitmask item (hf_netlogon_dc_flags) with one sub-field per flag.
 * When the value equals 0x0000ffff, " PING (mask==0x0000ffff)" is
 * appended to the item text.
 *
 * Nothing is dissected during a conformant run. Otherwise the value is read
 * with a NULL tree so that only the bitmask item is added, and the offset
 * after the value is returned.
 */
static int
netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    static int * const dc_flag_fields[] = {
        &hf_netlogon_dc_flags_dns_forest_flag,
        &hf_netlogon_dc_flags_dns_domain_flag,
        &hf_netlogon_dc_flags_dns_controller_flag,
        &hf_netlogon_dc_flags_ndnc_flag,
        &hf_netlogon_dc_flags_good_timeserv_flag,
        &hf_netlogon_dc_flags_writable_flag,
        &hf_netlogon_dc_flags_closest_flag,
        &hf_netlogon_dc_flags_timeserv_flag,
        &hf_netlogon_dc_flags_kdc_flag,
        &hf_netlogon_dc_flags_ds_flag,
        &hf_netlogon_dc_flags_ldap_flag,
        &hf_netlogon_dc_flags_gc_flag,
        &hf_netlogon_dc_flags_pdc_flag,
        NULL
    };
    uint32_t dc_mask;
    proto_item *flags_item;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
        -1, &dc_mask);

    /* offset-4: the item covers the four bytes of the value just read. */
    flags_item = proto_tree_add_bitmask_value_with_flags(parent_tree, tvb,
        offset - 4, hf_netlogon_dc_flags, ett_dc_flags, dc_flag_fields,
        dc_mask, BMT_NO_APPEND);

    if (dc_mask == 0x0000ffff) {
        proto_item_append_text(flags_item, " PING (mask==0x0000ffff)");
    }

    return offset;
}
/*
 * Pointer callback that dissects one 32-bit value into the header field
 * named by di->hf_index. Returns the offset after the value.
 */
static int
netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
        di->hf_index, NULL);
}
#if 0
/*
 * Compiled out. Pointer callback that dissects one 8-bit value into the
 * header field named by di->hf_index and returns the offset after it.
 */
static int
netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
        di->hf_index, NULL);
}
#endif
/*
 * Element callback for the UNICODE_MULTI array: dissects one 8-bit value
 * into hf_netlogon_unknown_char. Returns the offset after the value.
 */
static int
netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_unknown_char, NULL);
}
/*
 * Pointer callback for UNICODE_MULTI: hands the array to
 * dissect_ndr_ucarray() with netlogon_dissect_UNICODE_MULTI_byte as the
 * per-element dissector. Returns the offset that call reports.
 */
static int
netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
        netlogon_dissect_UNICODE_MULTI_byte);
}
/*
 * Dissect a UNICODE_MULTI structure: a 32-bit length followed by a unique
 * pointer to a byte array. When parent_tree is non-NULL the fields are
 * placed in a "UNICODE_MULTI:" subtree whose length is set afterwards to
 * the number of bytes consumed. Returns the offset after the structure.
 */
static int
netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree,
    dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *subtree_item = NULL;
    proto_tree *subtree = NULL;

    if (parent_tree != NULL) {
        subtree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
            ett_UNICODE_MULTI, &subtree_item, "UNICODE_MULTI:");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
        hf_netlogon_len, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, subtree, di, drep,
        netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
        "unknown", hf_netlogon_unknown_string);

    /* subtree_item stays NULL when no parent tree was supplied. */
    proto_item_set_len(subtree_item, offset - start_offset);
    return offset;
}
/*
 * Dissect a DOMAIN_CONTROLLER_INFO structure in wire order: DC name and DC
 * address strings, the 32-bit address type, a GUID, the logon domain and
 * DNS forest strings, the DC flags, and the DC site and client site
 * strings. All strings are unique pointers.
 *
 * When parent_tree is non-NULL the fields are placed in a
 * "DOMAIN_CONTROLLER_INFO:" subtree whose length is set afterwards to the
 * number of bytes consumed. Returns the offset after the structure.
 */
static int
netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree,
    dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *subtree_item = NULL;
    proto_tree *subtree = NULL;

    if (parent_tree != NULL) {
        subtree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
            ett_DOMAIN_CONTROLLER_INFO, &subtree_item, "DOMAIN_CONTROLLER_INFO:");
    }

    /* DC identity and address */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, subtree, di, drep,
        NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, subtree, di, drep,
        NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
        hf_netlogon_dc_address_type, NULL);

    offset = dissect_nt_GUID(tvb, offset,
        pinfo, subtree, di, drep);

    /* Domain and forest names */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, subtree, di, drep,
        NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, subtree, di, drep,
        NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);

    offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, subtree, di, drep);

    /* Site names */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, subtree, di, drep,
        NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, subtree, di, drep,
        NDR_POINTER_UNIQUE, "Client Site",
        hf_netlogon_client_site_name, 0);

    /* subtree_item stays NULL when no parent tree was supplied. */
    proto_item_set_len(subtree_item, offset - start_offset);
    return offset;
}
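/*
 * Dissect a trust extension: three NDR 32/64-bit counters (max, offset,
 * len) and, only when max * 2 == 16, the payload made of the trust flags,
 * the parent index, the trust type and the trust attributes.
 *
 * Nothing is dissected during a conformant run.
 * Returns the offset after the last dissected field.
 *
 * NOTE(review): the payload branch dissects four 32-bit values (16 bytes),
 * so max presumably counts 2-byte units - confirm. For any other max the
 * payload is skipped without any indication in the tree; an expert info
 * item on that path would let an analyst see that packet-supplied sizes
 * did not match the expected layout.
 */
static int
dissect_ndr_trust_extension(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    /*
     * Both counters are filled from packet data by the calls below. They
     * are initialised so the size test never reads an indeterminate value
     * should a helper return without storing a result.
     */
    uint64_t len = 0;
    uint64_t max = 0;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_trust_max, &max);

    offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_trust_offset, NULL);

    offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
        hf_netlogon_trust_len, &len);

    if (max * 2 == 16) {
        offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_trust_parent_index, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_trust_type, NULL);

        offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);
    }
    /* else do something scream shout .... */

    return offset;
}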
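/*
 * Dissect a size-prefixed opaque blob: a 32-bit size followed by that many
 * bytes, shown as a single hf_netlogon_blob item.
 *
 * Nothing is consumed when di->conformant_run is set.
 *
 * Returns the offset just past the blob.
 */
static int
netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    uint32_t len;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_blob_size, &len);

    /*
     * len comes straight from the packet. It is passed on as a signed
     * length and added to a signed offset, so a value such as 0xFFFFFFFF
     * would be read as -1 ("to end of buffer") and then move offset
     * backwards. Validate it against the buffer first so that a bogus
     * size raises the usual bounds exception instead.
     */
    tvb_ensure_bytes_exist(tvb, offset, len);

    proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
                        ENC_NA);
    offset += len;

    return offset;
}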
/*
 * Dissect a structure that is laid out like a counted string but whose
 * buffer is decoded by dissect_ndr_trust_extension() rather than as text.
 *
 * Wire layout (same shape as a UNICODE_STRING):
 *
 *   struct {
 *       short len;
 *       short size;
 *       [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
 *   } UNICODE_STRING;
 *
 * hf_index names the subtree and is handed to the buffer pointer callback.
 * Returns the offset after the length, size and pointer.
 */
static int
dissect_ndr_ulongs_as_counted_string(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep, int hf_index)
{
    uint16_t byte_len, byte_size;
    bool add_subtree = true; /* Manage room for evolution */
    proto_item *sub_item;
    proto_tree *subtree = tree;

    if (add_subtree) {
        subtree = proto_tree_add_subtree(tree, tvb, offset, 0,
                                         ett_nt_counted_longs_as_string, &sub_item,
                                         proto_registrar_get_name(hf_index));
    }

    /* Structure starts with short, but is aligned for longs */
    ALIGN_TO_4_BYTES;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
                                hf_nt_cs_len, &byte_len);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
                                hf_nt_cs_size, &byte_size);
    offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, subtree, di, drep,
                                    dissect_ndr_trust_extension, NDR_POINTER_UNIQUE,
                                    "Buffer", hf_index, NULL, NULL);
    return offset;
}
/*
 * Pointer callback: dissect the dom_sid2 referenced from a DnsDomainInfo,
 * using hf_domain_info_sid. Returns the offset after the SID.
 */
static int
DomainInfo_sid_(tvbuff_t *tvb, int offset, packet_info *pinfo,
                proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return lsarpc_dissect_struct_dom_sid2(tvb, offset, pinfo, tree, di, drep,
                                          hf_domain_info_sid, 0);
}
/*
 * Dissect the embedded unique pointer to the domain SID of a DnsDomainInfo;
 * the referent is decoded by DomainInfo_sid_().
 * Returns the offset after the pointer.
 */
static int
dissect_element_lsa_DnsDomainInfo_sid(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep,
                                        DomainInfo_sid_, NDR_POINTER_UNIQUE,
                                        "Pointer to Sid (dom_sid2)",
                                        hf_dns_domain_info_sid);
}
/*
 * Dissect the domain GUID member of a DnsDomainInfo as a UUID.
 * Returns the offset after the GUID.
 */
static int
dissect_element_lsa_DnsDomainInfo_domain_guid(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uuid_t(tvb, offset, pinfo, tree, di, drep,
                              hf_dns_domain_info_domain_guid, NULL);
}
/*
 * Dissect the DnsDomainInfo portion of a domain record: three
 * lsa_StringLarge values (name, DNS domain, DNS forest), then the domain
 * GUID and the pointer to the domain SID.
 *
 * hf_index and param are accepted for signature compatibility and ignored.
 * Returns the offset after the SID pointer.
 */
static int
dissect_part_DnsDomainInfo(tvbuff_t *tvb, int offset, packet_info *pinfo,
                           proto_tree *tree, dcerpc_info *di, uint8_t *drep,
                           int hf_index _U_, uint32_t param _U_)
{
    offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep,
                                                   hf_dns_domain_info_name, 0);

    offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep,
                                                   hf_dns_domain_info_dns_domain, 0);

    offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep,
                                                   hf_dns_domain_info_dns_forest, 0);

    offset = dissect_element_lsa_DnsDomainInfo_domain_guid(tvb, offset, pinfo, tree,
                                                           di, drep);

    return dissect_element_lsa_DnsDomainInfo_sid(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Dissect one domain record ("ONE_DOMAIN_INFO") inside its own subtree:
 * the DnsDomainInfo part, the trust extension, three dummy counted strings
 * and four dummy 32-bit values.
 *
 * Returns the offset just past the record.
 */
static int
netlogon_dissect_ONE_DOMAIN_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *parent_tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *dom_item = NULL;
    proto_tree *dom_tree = NULL;

    if (parent_tree) {
        dom_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                          ett_DOMAIN_TRUST_INFO, &dom_item,
                                          "ONE_DOMAIN_INFO");
    }

    /* hf_netlogon_dnsdomaininfo */
    offset = dissect_part_DnsDomainInfo(tvb, offset, pinfo, dom_tree, di, drep, 0, 0);

    /* Shaped like a counted string on the wire, but it carries 4 ulongs. */
    offset = dissect_ndr_ulongs_as_counted_string(tvb, offset, pinfo, dom_tree, di, drep,
                                                  hf_netlogon_trust_extension);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, dom_tree, di, drep,
                                        hf_netlogon_dummy_string2, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, dom_tree, di, drep,
                                        hf_netlogon_dummy_string3, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, dom_tree, di, drep,
                                        hf_netlogon_dummy_string4, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, dom_tree, di, drep,
                                hf_netlogon_dummy1_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, dom_tree, di, drep,
                                hf_netlogon_dummy2_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, dom_tree, di, drep,
                                hf_netlogon_dummy3_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, dom_tree, di, drep,
                                hf_netlogon_dummy4_long, NULL);

    /* The subtree was added with length 0; size it now that the end is known. */
    proto_item_set_len(dom_item, offset - start_offset);
    return offset;
}
/*
 * Dissect a conformant array of ONE_DOMAIN_INFO records.
 * Returns the offset after the array.
 */
static int
netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_ONE_DOMAIN_INFO);
}
/*
 * Dissect an LSA policy descriptor: a 32-bit length followed by a unique
 * pointer to the policy blob (decoded by netlogon_dissect_BLOB_array()).
 *
 * Nothing is consumed when di->conformant_run is set.
 * Returns the offset after the pointer.
 */
static int
netlogon_dissect_LSA_POLICY_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    proto_item *policy_item = NULL;
    proto_tree *policy_tree = NULL;
    uint32_t policy_len;

    if (di->conformant_run) {
        return offset;
    }

    if (tree) {
        policy_tree = proto_tree_add_subtree(tree, tvb, offset, 0,
                                             ett_LSA_POLICY_INFO, &policy_item,
                                             "LSA Policy");
    }

    /* The length is displayed only; the blob carries its own size prefix. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, policy_tree, di, drep,
                                hf_netlogon_lsapolicy_len, &policy_len);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, policy_tree, di, drep,
                                 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
                                 "Pointer:", -1);

    return offset;
}
/*
 * Dissect a workstation information record: LSA policy, workstation FQDN
 * and site, four dummy string pointers, OS version and OS name, two dummy
 * counted strings, workstation flags, supported encryption types and two
 * dummy 32-bit values.
 *
 * Returns the offset just past the record.
 */
static int
netlogon_dissect_WORKSTATION_INFO(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    /*
     * The original author marked this routine as a hack that was kept
     * after a long fight with the NDR helpers, because it at least
     * displays the data correctly without invented integers.
     */
    offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset, pinfo, tree, di, drep);

    /* String pointers. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Workstation FQDN",
                                          hf_netlogon_workstation_fqdn, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Workstation Site",
                                          hf_netlogon_workstation_site_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 1",
                                          hf_netlogon_dummy_string, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 2",
                                          hf_netlogon_dummy_string2, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 3",
                                          hf_netlogon_dummy_string3, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 4",
                                          hf_netlogon_dummy_string4, 0);

    /* Counted strings. */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_os_version, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_workstation_os, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string3, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string4, 0);

    /* Trailing 32-bit values. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_workstation_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_supportedenctypes, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy3_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy4_long, NULL);
    return offset;
}
/*
 * Dissect a unique pointer to a workstation information record.
 * Returns the offset after the pointer.
 */
static int
netlogon_dissect_WORKSTATION_INFORMATION(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_WORKSTATION_INFO, NDR_POINTER_UNIQUE,
                               "WORKSTATION INFO", -1);
}
/*
 * Dissect a domain information record: the primary domain record, the
 * number of trusts and the pointer to the trusted-domain array, the LSA
 * policy, the client DNS name, three dummy counted strings, workstation
 * flags, supported encryption types and two dummy 32-bit values.
 *
 * Returns the offset just past the record.
 */
static int
netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_ONE_DOMAIN_INFO(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_trusts, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
                                 "DOMAIN_TRUST_ARRAY: Trusted domains", -1);

    /*
     * The LSA policy is dissected through the dedicated helper. An earlier
     * variant that read a second count followed by a pointer labelled
     * "LSA Policy" was disabled in the original source and is not run.
     */
    offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_ad_client_dns_name, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string2, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string3, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string4, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_workstation_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_supportedenctypes, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy3_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy4_long, NULL);

    return offset;
}
/*
 * Dissect the DOMAIN_INFORMATION union: a 32-bit level selects the arm.
 *   level 1 -> unique pointer to DOMAIN_INFO
 *   level 2 -> unique pointer to LSA_POLICY_INFO
 * Any other level leaves the arm undissected.
 *
 * Returns the offset after the selected arm (or after the level).
 */
static int
netlogon_dissect_DOMAIN_INFORMATION(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    uint32_t level;

    UNION_ALIGN_TO_5_BYTES;
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, &level);
    UNION_ALIGN_TO_5_BYTES;

    if (level == 1) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
                                     "DOMAIN_INFO", -1);
    } else if (level == 2) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_LSA_POLICY_INFO, NDR_POINTER_UNIQUE,
                                     "LSA_POLICY_INFO", -1);
    }

    return offset;
}
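/*
 * Dissect a netr_CryptPassword: a fixed 516-byte buffer that may be
 * encrypted with the Netlogon session key.
 *
 * When the trailing length field looks implausible the buffer is treated
 * as encrypted; it is then decrypted with the session key found for this
 * conversation (if any) and the plaintext is added as a new data source.
 * The plaintext is split into confounder, optional NL_PASSWORD_VERSION,
 * password bytes (also shown as a UTF-16 string) and the length field.
 *
 * The expert infos print only the first four bytes of the session key,
 * presumably to identify which key was tried.
 *
 * Always returns offset + 516, whatever could be decoded.
 */
static int
netlogon_dissect_netr_CryptPassword(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *parent_tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    int ret_offset = offset + 516;
    proto_item *item=NULL;
    proto_tree *tree=NULL;
    netlogon_auth_vars *vars = NULL;
    uint32_t pw_len;
    char *pw = NULL;
    uint32_t confounder_len;
    bool version_present = false;

    /*
     * We have
     *   uint16 array[256];
     *   uint32 length;
     *
     * All these 516 bytes are potentially encrypted.
     *
     * The unencrypted length is in bytes
     * instead of uint16 units, so it's a multiple
     * of 2 and it should be smaller than 512 -
     * SIZEOF(NL_PASSWORD_VERSION), so it's 500
     * as SIZEOF(NL_PASSWORD_VERSION) is 12.
     * The confounder should also be there with
     * a few bytes.
     *
     * Real clients typically use 28 or 240,
     * which means 14 or 120 uint16 characters.
     *
     * So if the value is larger than 500 or
     * bit 1 is set it's very likely an
     * encrypted value.
     */
    tvb_ensure_bytes_exist(tvb, offset, 516);

    if(parent_tree){
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 516,
                                      ett_netr_CryptPassword, &item,
                                      "netr_CryptPassword:");
    }

    vars = find_global_netlogon_auth_vars(pinfo, 0);
    pw_len = tvb_get_uint32(tvb, offset+512, DREP_ENC_INTEGER(drep));
    if (pw_len > 500 || pw_len & 0x1) {
        gcry_error_t err;
        gcry_cipher_hd_t cipher_hd = NULL;
        uint8_t *buffer = NULL;
        tvbuff_t *dectvb = NULL;

        proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                    tvb, offset, 516, NULL,
                                    "Encrypted netr_CryptPassword");

        if (vars == NULL) {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "No session key found");
            return ret_offset;
        }

        err = prepare_session_key_cipher(vars, &cipher_hd);
        if (err != 0) {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "Decryption not possible (%s/%s) with "
                                   "session key learned in frame %d ("
                                   "%02x%02x%02x%02x"
                                   ") from %s",
                                   gcry_strsource(err),
                                   gcry_strerror(err),
                                   vars->auth_fd_num,
                                   vars->session_key[0] & 0xFF,
                                   vars->session_key[1] & 0xFF,
                                   vars->session_key[2] & 0xFF,
                                   vars->session_key[3] & 0xFF,
                                   vars->nthash.key_origin);
            ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",
                       gcry_strsource(err), gcry_strerror(err));
            return ret_offset;
        }

        /* Decrypt a private copy; the captured bytes stay untouched. */
        buffer = (uint8_t*)tvb_memdup(pinfo->pool, tvb, offset, 516);
        if (buffer == NULL) {
            gcry_cipher_close(cipher_hd);
            return ret_offset;
        }

        err = gcry_cipher_decrypt(cipher_hd, buffer, 516, NULL, 0);
        gcry_cipher_close(cipher_hd);
        if (err != 0) {
            ws_warning("GCRY: gcry_cipher_decrypt %s/%s\n",
                       gcry_strsource(err), gcry_strerror(err));
            return ret_offset;
        }

        dectvb = tvb_new_child_real_data(tvb, buffer, 516, 516);
        if (dectvb == NULL) {
            return ret_offset;
        }

        /*
         * Re-apply the plausibility test to the decrypted length: if it
         * still fails, the key did not match and nothing more is shown.
         */
        pw_len = tvb_get_uint32(dectvb, 512, DREP_ENC_INTEGER(drep));
        if (pw_len > 500 || pw_len & 0x1) {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "Unusable session key learned in frame %d ("
                                   "%02x%02x%02x%02x"
                                   ") from %s",
                                   vars->auth_fd_num,
                                   vars->session_key[0] & 0xFF,
                                   vars->session_key[1] & 0xFF,
                                   vars->session_key[2] & 0xFF,
                                   vars->session_key[3] & 0xFF,
                                   vars->nthash.key_origin);
            return ret_offset;
        }

        expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                               &ei_netlogon_session_key,
                               "Used session key learned in frame %d ("
                               "%02x%02x%02x%02x"
                               ") from %s",
                               vars->auth_fd_num,
                               vars->session_key[0] & 0xFF,
                               vars->session_key[1] & 0xFF,
                               vars->session_key[2] & 0xFF,
                               vars->session_key[3] & 0xFF,
                               vars->nthash.key_origin);
        add_new_data_source(pinfo, dectvb, "netr_CryptPassword (Decrypted)");
        /* From here on dissect the plaintext, which starts at offset 0. */
        tvb = dectvb;
        offset = 0;
        proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                    tvb, offset, 516, NULL,
                                    "Decrypted netr_CryptPassword");
    } else {
        proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                    tvb, offset, 516, NULL,
                                    "Unencryption netr_CryptPassword");
        if (vars != NULL) {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "Not encrypted with session key learned in frame %d ("
                                   "%02x%02x%02x%02x"
                                   ") from %s",
                                   vars->auth_fd_num,
                                   vars->session_key[0] & 0xFF,
                                   vars->session_key[1] & 0xFF,
                                   vars->session_key[2] & 0xFF,
                                   vars->session_key[3] & 0xFF,
                                   vars->nthash.key_origin);
        } else {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "Not encrypted and no session key found nor needed");
        }
    }

    /* Layout of the 512 data bytes: confounder, [version], password. */
    confounder_len = 512 - pw_len;
    if (confounder_len >= 12) {
        uint32_t voffset = confounder_len - 12;
        uint32_t rf;
        uint32_t vp;

        /*
         * Look for an NL_PASSWORD_VERSION directly in front of the
         * password: first field zero, third field 0x02231968.
         *
         * voffset is relative to the start of the structure, so it has to
         * be added to offset. offset is 0 after decryption, but in the
         * unencrypted case the structure starts at the caller's offset and
         * reading at voffset alone would inspect unrelated bytes.
         */
        rf = tvb_get_uint32(tvb, offset+voffset+0, DREP_ENC_INTEGER(drep));
        vp = tvb_get_uint32(tvb, offset+voffset+8, DREP_ENC_INTEGER(drep));
        if (rf == 0 && vp == 0x02231968) {
            confounder_len -= 12;
            version_present = true;
        }
    }

    if (confounder_len > 0) {
        proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                    tvb, offset, confounder_len,
                                    NULL, "Confounder: %"PRIu32" byte%s",
                                    confounder_len,
                                    plurality(confounder_len, "", "s"));
        offset += confounder_len;
    }

    if (version_present) {
        proto_item *vitem=NULL;
        proto_tree *vtree=NULL;

        if (tree) {
            vtree = proto_tree_add_subtree(tree, tvb, offset, 12,
                                           ett_NL_PASSWORD_VERSION, &vitem,
                                           "NL_PASSWORD_VERSION:");
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, vtree, di, drep,
                                    hf_netlogon_password_version_reserved, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, vtree, di, drep,
                                    hf_netlogon_password_version_number, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, vtree, di, drep,
                                    hf_netlogon_password_version_present, NULL);
    }

    /* pw_len is at most 500 and even here, so it fits in the 516 bytes. */
    proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                tvb, offset, pw_len, NULL,
                                "Raw Password Bytes: %"PRIu32" byte%s",
                                pw_len,
                                plurality(pw_len, "", "s"));
    pw = (char *)tvb_get_string_enc(pinfo->pool, tvb, offset, pw_len,
                                    ENC_UTF_16|DREP_ENC_INTEGER(drep));
    proto_tree_add_string(tree, hf_netlogon_new_password, tvb, offset,
                          pw_len, pw);
    offset += pw_len;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_len, NULL);

    /* The caller always advances by the fixed wire size of the structure. */
    return ret_offset;
}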
/*
 * Array element callback: dissect one byte as hf_netlogon_unknown_char.
 * Returns the offset after the byte.
 */
static int
netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect a conformant array of unknown bytes (element 844).
 * Returns the offset after the array.
 */
static int
netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_element_844_byte);
}
/*
 * Dissect the undocumented TYPE_50 structure inside its own subtree:
 * a 32-bit value followed by a unique pointer to a byte array.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
                         packet_info *pinfo, proto_tree *parent_tree,
                         dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *type_item = NULL;
    proto_tree *type_tree = NULL;

    if (parent_tree) {
        type_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                           ett_TYPE_50, &type_item, "TYPE_50:");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, type_tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, type_tree, di, drep,
                                 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
                                 "unknown", hf_netlogon_unknown_string);

    /* The subtree was added with length 0; size it now that the end is known. */
    proto_item_set_len(type_item, offset - start_offset);
    return offset;
}
/*
 * Dissect a unique pointer to a TYPE_50 structure.
 * Returns the offset after the pointer.
 */
static int
netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
                               "TYPE_50 pointer: unknown_TYPE_50", -1);
}
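/*
 * Dissect one DS_DOMAIN_TRUSTS entry inside its own subtree: NetBIOS name,
 * DNS domain name, trust flags, parent index, trust type, trust
 * attributes, SID pointer and GUID.
 *
 * Returns the offset just past the entry.
 */
static int
netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *parent_tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    proto_item *item=NULL;
    proto_tree *tree=NULL;
    int old_offset=offset;

    if(parent_tree){
        /*
         * Capture the subtree item so its length can be set at the end.
         * Passing NULL here left item unset, so the final
         * proto_item_set_len() had nothing to size and the subtree kept
         * the length 0 it was created with.
         */
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DS_DOMAIN_TRUSTS, &item,
                                      "DS_DOMAIN_TRUSTS");
    }

    /* name */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "NetBIOS Name",
                                          hf_netlogon_downlevel_domain_name, 0);

    /* domain */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DNS Domain Name",
                                          hf_netlogon_dns_domain_name, 0);

    offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);

    /* The two values below are only displayed, so no out-parameter is needed. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_trust_parent_index, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_trust_type, NULL);

    offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);

    /* SID pointer */
    offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);

    /* GUID */
    offset = dissect_nt_GUID(tvb, offset, pinfo, tree, di, drep);

    proto_item_set_len(item, offset-old_offset);
    return offset;
}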
/*
 * Dissect a conformant array of DS_DOMAIN_TRUSTS entries.
 * Returns the offset after the array.
 */
static int
netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DS_DOMAIN_TRUSTS);
}
/*
 * Array element callback: dissect one byte as hf_netlogon_unknown_char.
 * Returns the offset after the byte.
 */
static int
netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect a conformant array of unknown bytes (element 865).
 * Returns the offset after the array.
 */
static int
netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_element_865_byte);
}
/*
 * Array element callback: dissect one byte as hf_netlogon_unknown_char.
 * Returns the offset after the byte.
 */
static int
netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect a conformant array of unknown bytes (element 866).
 * Returns the offset after the array.
 */
static int
netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_element_866_byte);
}
/*
 * Dissect the undocumented TYPE_52 structure inside its own subtree:
 * a 32-bit value followed by two unique pointers to byte arrays.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
                         packet_info *pinfo, proto_tree *parent_tree,
                         dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *type_item = NULL;
    proto_tree *type_tree = NULL;

    if (parent_tree) {
        type_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                           ett_TYPE_52, &type_item, "TYPE_52:");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, type_tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, type_tree, di, drep,
                                 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
                                 "unknown", hf_netlogon_unknown_string);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, type_tree, di, drep,
                                 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
                                 "unknown", hf_netlogon_unknown_string);

    /* The subtree was added with length 0; size it now that the end is known. */
    proto_item_set_len(type_item, offset - start_offset);
    return offset;
}
/*
 * Dissect a unique pointer to a TYPE_52 structure.
 * Returns the offset after the pointer.
 */
static int
netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
                               "TYPE_52 pointer: unknown_TYPE_52", -1);
}
/*
 * Dissect the capabilities union returned to the client: a 32-bit level
 * followed, for levels 1 and 2, by a 32-bit flags word that is broken out
 * with netlogon_dissect_neg_options().
 *
 *   level 1 -> shown as ServerCapabilities / NegotiatedFlags
 *   level 2 -> shown as RequestedFlags
 *
 * The chosen name is also appended to the parent item's text. Other
 * levels are left undissected.
 *
 * Returns the offset after the flags word (or after the level).
 */
static int
netlogon_dissect_Capabilities(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *parent_tree,
                              dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *cap_item = NULL;
    proto_tree *cap_tree = NULL;
    proto_item *parent_item = NULL;
    proto_item *flags_item = NULL;
    uint32_t level = 0;

    if (parent_tree) {
        parent_item = proto_tree_get_parent(parent_tree);
        cap_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                          ett_CAPABILITIES, &cap_item,
                                          "Capabilities");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, cap_tree, di, drep,
                                hf_netlogon_level, &level);

    ALIGN_TO_4_BYTES;
    if (level == 1 || level == 2) {
        uint32_t flags;

        /* hf index -1: read the value only; the bit breakdown below
         * supplies the tree item, and offset is advanced by hand. */
        dissect_ndr_uint32(tvb, offset, pinfo, cap_tree, di, drep, -1, &flags);
        flags_item = netlogon_dissect_neg_options(tvb, cap_tree, flags, offset);

        if (level == 1) {
            proto_item_set_text(flags_item, "NegotiatedFlags: 0x%08x", flags);
            proto_item_set_text(cap_item, "ServerCapabilities");
            proto_item_append_text(parent_item, ": ServerCapabilities");
        } else {
            proto_item_set_text(flags_item, "RequestedFlags: 0x%08x", flags);
            proto_item_set_text(cap_item, "RequestedFlags");
            proto_item_append_text(parent_item, ": RequestedFlags");
        }
        offset += 4;
    }

    proto_item_set_len(cap_item, offset - start_offset);
    return offset;
}
/*
 * Dissect the WORKSTATION_BUFFER union: a 32-bit level, then for levels 1
 * and 2 a pointer to workstation information. Other levels are left
 * undissected.
 *
 * Returns the offset after the selected arm (or after the level).
 */
static int
netlogon_dissect_WORKSTATION_BUFFER(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    uint32_t level;

    UNION_ALIGN_TO_5_BYTES;
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, &level);
    UNION_ALIGN_TO_5_BYTES;

    if (level == 1 || level == 2) {
        offset = netlogon_dissect_WORKSTATION_INFORMATION(tvb, offset, pinfo, tree,
                                                          di, drep);
    }

    return offset;
}
/*
 * Request dissector: the only argument is the LOGONSRV handle.
 * Returns the offset after the handle.
 */
static int
netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
                                                  packet_info *pinfo, proto_tree *tree,
                                                  dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Reply dissector: a reference pointer to the trusted domain name list
 * (UNICODE_MULTI) followed by the NT status.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
                                 "UNICODE_MULTI pointer: trust_dom_name_list", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * Request dissector: LOGONSRV handle, domain name, pointers to the domain
 * GUID and the site GUID, then a 32-bit flags word.
 * Returns the offset after the flags.
 */
static int
netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: domain_guid", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: site_guid", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_flags, NULL);
}
/*
 * Reply dissector: a unique pointer to DOMAIN_CONTROLLER_INFO followed by
 * the NT status.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_CONTROLLER_INFO,
                                 NDR_POINTER_UNIQUE,
                                 "DOMAIN_CONTROLLER_INFO:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * Request dissector: server handle, computer name, the credential and
 * return authenticators, then a 32-bit query level. The level item is
 * annotated with "(ServerCapabilities)" for 1 and "(RequestedFlags)" for 2.
 *
 * Returns the offset after the level.
 */
static int
netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    uint32_t level = 0;
    proto_item *level_item = NULL;

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* Read the level without adding an item (hf index -1), then add the
     * item by hand so its handle is available for the annotation below. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                -1, &level);
    level_item = proto_tree_add_item(tree, hf_netlogon_level, tvb, offset - 4, 4,
                                     DREP_ENC_INTEGER(drep));

    if (level == 1) {
        proto_item_append_text(level_item, " (ServerCapabilities)");
    } else if (level == 2) {
        proto_item_append_text(level_item, " (RequestedFlags)");
    }

    return offset;
}
/*
 * Reply dissector: the return authenticator, the capabilities union and
 * the NT status, each behind a reference pointer where applicable.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_Capabilities, NDR_POINTER_REF,
                                 "Capabilities", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector: LOGONSRV handle followed by two 32-bit values, both
 * shown as hf_netlogon_unknown_long.
 * Returns the offset after the second value.
 */
static int
netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_unknown_long, NULL);
}
/*
 * Reply dissector: the NT status only.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector: LOGONSRV handle followed by a unique pointer to a
 * string whose meaning is not decoded ("unknown string").
 * Returns the offset after the string pointer.
 */
static int
netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_UNIQUE, "unknown string",
                                        hf_netlogon_unknown_string, 0);
}
/*
 * Reply dissector: a unique pointer to a 32-bit value followed by the NT
 * status.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree,
                                            dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                                 "ULONG pointer: unknown_ULONG",
                                 hf_netlogon_unknown_long);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector: LOGONSRV handle, a 32-bit value, a unique pointer to
 * a byte array and another 32-bit value. The scalar fields are shown as
 * hf_netlogon_unknown_long.
 * Returns the offset after the last value.
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_unknown_long, NULL);
}
/*
 * Dissect a fixed block of 16 single bytes, each added to the tree as
 * hf_netlogon_unknown_char. Used as the pointee callback for the digest
 * replies below. Returns the offset after the sixteenth byte.
 */
static int
netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
                               packet_info *pinfo, proto_tree *tree,
                               dcerpc_info *di, uint8_t *drep)
{
    int remaining = 16;

    while (remaining-- > 0) {
        offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_unknown_char, NULL);
    }

    return offset;
}
/*
 * Reply side of the "netrlogoncomputeserverdigest" call: a unique
 * pointer to a 16-byte block, followed by the status word.
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo, proto_tree *tree,
                                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request side of the "netrlogoncomputeclientdigest" call.
 * Wire order as dissected here: server handle, a unique string pointer,
 * a unique pointer to a byte array, and a 32-bit value.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "unknown string",
                                          hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_unknown_long, NULL);
}
/*
 * Reply side of the "netrlogoncomputeclientdigest" call: a unique
 * pointer to a 16-byte block, followed by the status word.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo, proto_tree *tree,
                                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Add the 32-bit negotiate-flags bitmask to the tree.
 *
 * The caller has already read `flags` from the buffer; `offset` is where
 * those four bytes live and is used only to anchor the item. Each
 * registered bit gets its own sub-item under ett_authenticate_flags.
 * Bits listed inside the #if 0 section are not broken out individually.
 *
 * Returns the bitmask item created by the proto tree API.
 */
static proto_item *
netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,uint32_t flags,int offset)
{
    static int * const neg_flag_fields[] = {
        &hf_netlogon_neg_flags_80000000,
        &hf_netlogon_neg_flags_40000000,
        &hf_netlogon_neg_flags_20000000,
#if 0
        &hf_netlogon_neg_flags_10000000,
        &hf_netlogon_neg_flags_8000000,
        &hf_netlogon_neg_flags_4000000,
        &hf_netlogon_neg_flags_2000000,
        &hf_netlogon_neg_flags_800000,
        &hf_netlogon_neg_flags_400000,
#endif
        &hf_netlogon_neg_flags_1000000,
        &hf_netlogon_neg_flags_200000,
        &hf_netlogon_neg_flags_100000,
        &hf_netlogon_neg_flags_80000,
        &hf_netlogon_neg_flags_40000,
        &hf_netlogon_neg_flags_20000,
        &hf_netlogon_neg_flags_10000,
        &hf_netlogon_neg_flags_8000,
        &hf_netlogon_neg_flags_4000,
        &hf_netlogon_neg_flags_2000,
        &hf_netlogon_neg_flags_1000,
        &hf_netlogon_neg_flags_800,
        &hf_netlogon_neg_flags_400,
        &hf_netlogon_neg_flags_200,
        &hf_netlogon_neg_flags_100,
        &hf_netlogon_neg_flags_80,
        &hf_netlogon_neg_flags_40,
        &hf_netlogon_neg_flags_20,
        &hf_netlogon_neg_flags_10,
        &hf_netlogon_neg_flags_8,
        &hf_netlogon_neg_flags_4,
        &hf_netlogon_neg_flags_2,
        &hf_netlogon_neg_flags_1,
        NULL
    };

    return proto_tree_add_bitmask_value_with_flags(tree, tvb, offset,
                                                   hf_netlogon_neg_flags,
                                                   ett_authenticate_flags,
                                                   neg_flag_fields, flags,
                                                   BMT_NO_APPEND);
}
/*
 * Request side of NetrServerAuthenticate3 (also reused for the
 * Authenticate2 request).
 *
 * Wire order as dissected here: server handle, account name, secure
 * channel type, computer name, the 8-byte client credential, and the
 * 32-bit negotiate flags. The ALIGN_TO_* macros adjust `offset` between
 * fields; the alignment before the channel type depends on whether the
 * call uses NDR64.
 *
 * Side effect: resets the file-level `seen` tracker (its consumers are
 * outside this part of the file).
 */
static int
netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    uint32_t neg_flags;

    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
    ALIGN_TO_5_BYTES

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Acct Name",
                                          hf_netlogon_acct_name, 0);

    if (di->call_data->flags & DCERPC_IS_NDR64) {
        ALIGN_TO_4_BYTES
    } else {
        ALIGN_TO_2_BYTES
    }

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    ALIGN_TO_5_BYTES

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* The client credential is dissected as a raw 8-byte value. */
    offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
                                   hf_client_credential, NULL);
#if 0
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                                 "Client Challenge", -1);
#endif

#if 0
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_neg_flags, NULL);
#endif
    ALIGN_TO_4_BYTES;

    /* Flags are read little-endian and decoded bit by bit. */
    neg_flags = tvb_get_letohl(tvb, offset);
    netlogon_dissect_neg_options(tvb, tree, neg_flags, offset);
    offset += 4;

    seen.isseen = false;
    seen.num = 0;

    return offset;
}
/*
 * Request side of the "netrserverauthenticatekerberos" call.
 *
 * Same field order as the Authenticate3 request except that no 8-byte
 * client credential is dissected: server handle, account name, secure
 * channel type, computer name, then the 32-bit negotiate flags.
 *
 * Side effect: resets the file-level `seen` tracker (its consumers are
 * outside this part of the file).
 */
static int
netlogon_dissect_netrserverauthenticatekerberos_rqst(tvbuff_t *tvb, int offset,
                                                     packet_info *pinfo, proto_tree *tree,
                                                     dcerpc_info *di, uint8_t *drep)
{
    uint32_t neg_flags;

    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
    ALIGN_TO_5_BYTES

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Acct Name",
                                          hf_netlogon_acct_name, 0);

    if (di->call_data->flags & DCERPC_IS_NDR64) {
        ALIGN_TO_4_BYTES
    } else {
        ALIGN_TO_2_BYTES
    }

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    ALIGN_TO_5_BYTES

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    ALIGN_TO_4_BYTES;

    /* Flags are read little-endian and decoded bit by bit. */
    neg_flags = tvb_get_letohl(tvb, offset);
    netlogon_dissect_neg_options(tvb, tree, neg_flags, offset);
    offset += 4;

    seen.isseen = false;
    seen.num = 0;

    return offset;
}
7174 * IDL long NetrServerAuthenticate2(
7175 * IDL [in][string][unique] wchar_t *logonserver,
7176 * IDL [in][ref][string] wchar_t *username,
7177 * IDL [in] short secure_channel_type,
7178 * IDL [in][ref][string] wchar_t *computername,
7179 * IDL [in][ref] CREDENTIAL *client_chal,
7180 * IDL [out][ref] CREDENTIAL *server_chal,
7181 * IDL [in][out][ref] long *negotiate_flags,
7182 * IDL );
/*
 * Request side of NetrServerAuthenticate2. It is dissected exactly like
 * the Authenticate3 request, so this simply forwards to that handler.
 */
static int
netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_netrserverauthenticate3_rqst(tvb, offset, pinfo,
                                                         tree, di, drep);
}
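/*
 * Shared reply dissector for the NetrServerAuthenticate family.
 *
 * `version` selects the optional fields: >= 2 adds the negotiate flags,
 * >= 3 adds the server RID. The 8-byte server credential comes first and
 * the status word last.
 *
 * After the fields are dissected, the function tries to recover the
 * session key for this conversation: for every NT hash returned by
 * get_md4pass_list() it derives a candidate key from the stored client
 * and server challenges, recomputes the server credential, and accepts
 * the first candidate whose result equals the credential seen on the
 * wire. The derivation depends on the negotiated flags:
 *   - NETLOGON_FLAG_AES:       HMAC-SHA256 over both challenges, truncated
 *                              to 16 bytes, verified with AES-128 CFB8.
 *   - NETLOGON_FLAG_STRONGKEY: MD5 over zeros + challenges, HMAC-MD5,
 *                              verified with two DES-ECB passes.
 *   - otherwise:               not implemented; the key is zeroed.
 *
 * Handling of key material: on success the NT hash and the session key
 * are stored in `vars`, and expert info items carry the first four bytes
 * of the NT hash and the FULL 16-byte session key. Debug logging
 * (printnbyte) also emits hashes and keys. Exported dissections and
 * debug logs from this path should therefore be treated as containing
 * credentials.
 *
 * Returns the offset after the status word.
 */
static int
netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
                                                 packet_info *pinfo,
                                                 proto_tree *tree,
                                                 dcerpc_info *di,
                                                 uint8_t *drep,
                                                 int version)
{
    uint32_t flags = 0;
    netlogon_auth_vars *vars;
    netlogon_auth_key key;
    uint64_t server_cred;

    offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
                                   hf_server_credential, &server_cred);

    if (version >= 2) {
        flags = tvb_get_letohl (tvb, offset);
        netlogon_dissect_neg_options(tvb,tree,flags,offset);
        offset +=4;
    }
    ALIGN_TO_4_BYTES;
    if (version >= 3) {
        offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
                                       hf_server_rid, NULL);
    }
    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    generate_hash_key(pinfo, 1 , &key);

    vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key);
    if(vars != NULL) {
        ws_debug("Found some vars (ie. server/client challenges), let's see if I can get a session key");
        /* Walk the chain to the entry whose validity range covers this frame. */
        while(vars != NULL && vars->next_start != -1 && vars->next_start < (int) pinfo->num ) {
            ws_debug("looping auth reply...");
            vars = vars->next;
        }
        if(vars == NULL ) {
            ws_debug("Something strange happened while searching for authenticate_reply");
        }
        else {
            md4_pass *pass_list=NULL;
            const md4_pass *used_md4 = NULL;
            const char *used_method = NULL;
            uint32_t list_size = 0;
            unsigned int i = 0;
            md4_pass password;
            /* Zero-initialised so no stale stack bytes are ever treated as a key. */
            uint8_t session_key[16] = { 0 };
            int found = 0;

            vars->flags = flags;
            vars->can_decrypt = false;
            list_size = get_md4pass_list(pinfo->pool, &pass_list);
            ws_debug("Found %d passwords ",list_size);
            if( flags & NETLOGON_FLAG_AES )
            {
                uint8_t salt_buf[16] = { 0 };
                uint8_t sha256[HASH_SHA2_256_LENGTH];
                uint64_t calculated_cred;

                /* HMAC input: client challenge followed by server challenge. */
                memcpy(&salt_buf[0], (uint8_t*)&vars->client_challenge, 8);
                memcpy(&salt_buf[8], (uint8_t*)&vars->server_challenge, 8);

                used_method = "AES";
                printnbyte(pinfo->pool, (uint8_t*)&vars->client_challenge, 8, "Client challenge:");
                printnbyte(pinfo->pool, (uint8_t*)&vars->server_challenge, 8, "Server challenge:");
                printnbyte(pinfo->pool, (uint8_t*)&server_cred, 8, "Server creds:");
                for(i=0;i<list_size;i++)
                {
                    used_md4 = &pass_list[i];
                    password = pass_list[i];
                    printnbyte(pinfo->pool, (uint8_t*)&password, 16, "NTHASH:");
                    if (!ws_hmac_buffer(GCRY_MD_SHA256, sha256, salt_buf, sizeof(salt_buf), (uint8_t*) &password, 16)) {
                        gcry_error_t err;
                        gcry_cipher_hd_t cipher_hd = NULL;
                        uint8_t iv[16] = { 0 };

                        /* truncate the session key to 16 bytes */
                        memcpy(session_key, sha256, 16);
                        printnbyte(pinfo->pool, (uint8_t*)session_key, 16, "Session Key:");

                        /* Open the cipher */
                        err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
                        if (err != 0) {
                            ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
                            break;
                        }

                        /* Set the initial value */
                        err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
                        if (err != 0) {
                            ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
                            gcry_cipher_close(cipher_hd);
                            break;
                        }

                        /* Set the key */
                        err = gcry_cipher_setkey(cipher_hd, session_key, 16);
                        if (err != 0) {
                            ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
                            gcry_cipher_close(cipher_hd);
                            break;
                        }

                        /* Sentinel value; overwritten by the encrypt call on success. */
                        calculated_cred = 0x1234567812345678;
                        err = gcry_cipher_encrypt(cipher_hd,
                                                  (uint8_t *)&calculated_cred, 8,
                                                  (const uint8_t *)&vars->server_challenge, 8);
                        if (err != 0) {
                            ws_warning("GCRY: encrypt %s/%s\n", gcry_strsource(err), gcry_strerror(err));
                            gcry_cipher_close(cipher_hd);
                            break;
                        }

                        /* Done with the cipher */
                        gcry_cipher_close(cipher_hd);

                        printnbyte(pinfo->pool, (uint8_t*)&calculated_cred, 8, "Calculated creds:");

                        /* A match means this NT hash produced the session key in use. */
                        if(calculated_cred==server_cred) {
                            found = 1;
                            break;
                        }
                    }
                }
            } else if ( flags & NETLOGON_FLAG_STRONGKEY ) {
                uint8_t zeros[4] = { 0 };
                uint8_t md5[HASH_MD5_LENGTH] = { 0 };
                gcry_md_hd_t md5_handle;
                uint8_t buf[8] = { 0 };
                uint64_t calculated_cred;
                gcry_error_t md_err;
                bool have_digest = false;

                used_method = "MD5";
                md_err = gcry_md_open(&md5_handle, GCRY_MD_MD5, 0);
                if (md_err == 0) {
                    gcry_md_write(md5_handle, zeros, 4);
                    gcry_md_write(md5_handle, (uint8_t*)&vars->client_challenge, 8);
                    gcry_md_write(md5_handle, (uint8_t*)&vars->server_challenge, 8);
                    memcpy(md5, gcry_md_read(md5_handle, 0), 16);
                    gcry_md_close(md5_handle);
                    have_digest = true;
                } else {
                    /*
                     * Without the digest there is nothing valid to feed the
                     * HMAC; previously the uninitialised md5[] buffer was
                     * used. Skip the candidate search instead.
                     */
                    ws_warning("GCRY: md open %s/%s\n", gcry_strsource(md_err), gcry_strerror(md_err));
                }
                printnbyte(pinfo->pool, md5, 8, "MD5:");
                printnbyte(pinfo->pool, (uint8_t*)&vars->client_challenge, 8, "Client challenge:");
                printnbyte(pinfo->pool, (uint8_t*)&vars->server_challenge, 8, "Server challenge:");
                printnbyte(pinfo->pool, (uint8_t*)&server_cred, 8, "Server creds:");
                for(i=0; have_digest && i<list_size; i++)
                {
                    used_md4 = &pass_list[i];
                    password = pass_list[i];
                    if (!ws_hmac_buffer(GCRY_MD_MD5, session_key, md5, HASH_MD5_LENGTH, (uint8_t*) &password, 16)) {
                        /* Two DES-ECB passes keyed from the two halves of the session key. */
                        crypt_des_ecb(buf,(unsigned char*)&vars->server_challenge,session_key);
                        crypt_des_ecb((unsigned char*)&calculated_cred,buf,session_key+7);
                        printnbyte(pinfo->pool, (uint8_t*)&calculated_cred, 8, "Calculated creds:");
                        if(calculated_cred==server_cred) {
                            found = 1;
                            break;
                        }
                    }
                }
            }
            else
            {
                /*Not implemented*/
                ws_debug("Else case not implemented");
                memset(session_key,0,16);
            }
            if(found) {
                vars->nthash = *used_md4;
                vars->auth_fd_num = pinfo->num;
                memcpy(&vars->session_key,session_key,16);
                ws_debug("Found the good session key !");
                /* Only the first four bytes of the NT hash are shown here ... */
                expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                       &ei_netlogon_auth_nthash,
                                       "%s authenticated using %s (%02x%02x%02x%02x...)",
                                       used_method, used_md4->key_origin,
                                       used_md4->md4[0] & 0xFF, used_md4->md4[1] & 0xFF,
                                       used_md4->md4[2] & 0xFF, used_md4->md4[3] & 0xFF);
                /* ... but the session key is emitted in full. */
                expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                       &ei_netlogon_session_key,
                                       "session key ("
                                       "%02x%02x%02x%02x"
                                       "%02x%02x%02x%02x"
                                       "%02x%02x%02x%02x"
                                       "%02x%02x%02x%02x"
                                       ")",
                                       session_key[0] & 0xFF,  session_key[1] & 0xFF,
                                       session_key[2] & 0xFF,  session_key[3] & 0xFF,
                                       session_key[4] & 0xFF,  session_key[5] & 0xFF,
                                       session_key[6] & 0xFF,  session_key[7] & 0xFF,
                                       session_key[8] & 0xFF,  session_key[9] & 0xFF,
                                       session_key[10] & 0xFF, session_key[11] & 0xFF,
                                       session_key[12] & 0xFF, session_key[13] & 0xFF,
                                       session_key[14] & 0xFF, session_key[15] & 0xFF);
            }
            else {
                ws_debug("Session key not found !");
                memset(&vars->session_key,0,16);
            }
        }
    }

    return offset;
}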
/*
 * NetrServerAuthenticate3 reply: delegates to the shared reply dissector
 * with version 3 (negotiate flags and server RID both present).
 */
static int
netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    const int auth_version = 3;

    return netlogon_dissect_netrserverauthenticate023_reply(tvb, offset, pinfo, tree,
                                                            di, drep, auth_version);
}
/*
 * NetrServerAuthenticate2 reply: delegates to the shared reply dissector
 * with version 2 (negotiate flags present, no server RID).
 */
static int
netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    const int auth_version = 2;

    return netlogon_dissect_netrserverauthenticate023_reply(tvb, offset, pinfo, tree,
                                                            di, drep, auth_version);
}
/*
 * Reply side of the "netrserverauthenticatekerberos" call: the 32-bit
 * negotiate flags (read little-endian), the server RID, and the status
 * word. Unlike the shared 0/2/3 reply dissector, no server credential is
 * dissected and no session-key search is attempted here.
 */
static int
netlogon_dissect_netrserverauthenticatekerberos_reply(tvbuff_t *tvb, int offset,
                                                      packet_info *pinfo,
                                                      proto_tree *tree,
                                                      dcerpc_info *di,
                                                      uint8_t *drep)
{
    const uint32_t neg_flags = tvb_get_letohl(tvb, offset);

    netlogon_dissect_neg_options(tvb, tree, neg_flags, offset);
    offset += 4;
    ALIGN_TO_4_BYTES;

    offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
                                   hf_server_rid, NULL);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request side of the "dsrgetdcnameex" call.
 * Wire order as dissected here: server handle, domain name, a unique
 * pointer to the domain GUID, site name, and the request flags.
 */
static int
netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: domain_guid", -1);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Site Name",
                                          hf_netlogon_site_name, 0);

    return netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Reply side of the "dsrgetdcnameex" call: a unique pointer to a
 * DOMAIN_CONTROLLER_INFO structure, followed by the status word.
 */
static int
netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
                                 "DOMAIN_CONTROLLER_INFO:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request side of the "dsrgetsitename" call: only the server handle is
 * dissected.
 */
static int
netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Reply side of the "dsrgetsitename" call: the site name string
 * (post-processed so it is also shown in the Info column), followed by a
 * status word registered as hf_netlogon_dos_rc.
 */
static int
netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    /* XXX hmmm this does not really look like a UNIQUE pointer but
       will do for now.   I think it is really a 32bit integer followed by
       a REF pointer to a unicode string */
    offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
                                    dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
                                    "Site Name", hf_netlogon_site_name,
                                    cb_wstr_postprocess,
                                    GINT_TO_POINTER(CB_STR_COL_INFO | 1));

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * Request side of the "netrlogongetdomaininfo" call.
 * Wire order as dissected here: server handle (as a REF string),
 * computer name, the client authenticator, the return authenticator,
 * the information level, and the workstation buffer.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: client", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_WORKSTATION_BUFFER, NDR_POINTER_REF,
                               "WORKSTATION_BUFFER", -1);
}
/*
 * Reply side of the "netrlogongetdomaininfo" call: the return
 * authenticator, the DOMAIN_INFORMATION payload, and the status word.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_INFORMATION, NDR_POINTER_REF,
                                 "DOMAIN_INFORMATION", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request side of the "netrserverpasswordset2" call.
 * Wire order as dissected here: server handle, account name, secure
 * channel type, computer name, the client authenticator, and the
 * netr_CryptPassword blob (handed to its own dissector).
 */
static int
netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Acct Name",
                                          hf_netlogon_acct_name, 0);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    return netlogon_dissect_netr_CryptPassword(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Reply side of the "netrserverpasswordset2" call: the return
 * authenticator followed by the status word.
 */
static int
netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request side of the "netrserverpasswordget" call.
 * Wire order as dissected here: server handle, account name, secure
 * channel type, computer name, and the client authenticator. Both name
 * strings are dissected as UNIQUE pointers in this call.
 */
static int
netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree,
                                            dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Acct Name",
                                          hf_netlogon_acct_name, 0);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                               "AUTHENTICATOR: credential", -1);
}
/*
 * Reply side of the "netrserverpasswordget" call: the return
 * authenticator, the LM_OWF_PASSWORD structure returned by the server,
 * and the status word.
 */
static int
netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
                                 "LM_OWF_PASSWORD pointer: server_pwd", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
/*
 * Create an AES-128 CFB8 cipher handle keyed with the recovered session
 * key and an all-zero 16-byte IV.
 *
 * On success the handle is stored in *_cipher_hd, 0 is returned, and the
 * caller owns the handle (it must call gcry_cipher_close). On failure
 * the libgcrypt error is logged and returned, any handle opened here is
 * closed, and *_cipher_hd is left untouched.
 */
static gcry_error_t prepare_session_key_cipher_aes(netlogon_auth_vars *vars,
                                                   gcry_cipher_hd_t *_cipher_hd)
{
    gcry_cipher_hd_t hd = NULL;
    uint8_t zero_iv[16] = { 0 };
    gcry_error_t rc;

    /* Open the cipher */
    rc = gcry_cipher_open(&hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
    if (rc != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    /* Set the initial value */
    rc = gcry_cipher_setiv(hd, zero_iv, sizeof(zero_iv));
    if (rc != 0) {
        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        goto fail;
    }

    /* Set the key */
    rc = gcry_cipher_setkey(hd, vars->session_key, 16);
    if (rc != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        goto fail;
    }

    *_cipher_hd = hd;
    return 0;

fail:
    gcry_cipher_close(hd);
    return rc;
}
#endif
/*
 * Create an ARCFOUR (RC4) stream cipher handle keyed with the recovered
 * 16-byte session key. Used when the AES flag is not set but the
 * strong-key flag is.
 *
 * On success the handle is stored in *_cipher_hd, 0 is returned, and the
 * caller owns the handle. On failure the libgcrypt error is logged and
 * returned, and *_cipher_hd is left untouched.
 */
static gcry_error_t prepare_session_key_cipher_strong(netlogon_auth_vars *vars,
                                                      gcry_cipher_hd_t *_cipher_hd)
{
    gcry_cipher_hd_t hd = NULL;
    gcry_error_t rc;

    /* Open the cipher */
    rc = gcry_cipher_open(&hd, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0);
    if (rc != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    /* Set the key */
    rc = gcry_cipher_setkey(hd, vars->session_key, 16);
    if (rc == 0) {
        *_cipher_hd = hd;
        return 0;
    }

    ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
    gcry_cipher_close(hd);
    return rc;
}
/*
 * Pick the session cipher from the negotiate flags stored in `vars`.
 *
 * AES is preferred when the flag is set and libgcrypt is new enough to
 * be compiled in; otherwise the strong-key (ARCFOUR) path is used. When
 * neither flag applies, GPG_ERR_UNSUPPORTED_ALGORITHM is returned.
 * *_cipher_hd is always reset to NULL first, so it is only non-NULL
 * after a successful return.
 */
static gcry_error_t prepare_session_key_cipher(netlogon_auth_vars *vars,
                                               gcry_cipher_hd_t *_cipher_hd)
{
    *_cipher_hd = NULL;

#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
    if ((vars->flags & NETLOGON_FLAG_AES) != 0) {
        return prepare_session_key_cipher_aes(vars, _cipher_hd);
    }
#endif

    if ((vars->flags & NETLOGON_FLAG_STRONGKEY) == 0) {
        return GPG_ERR_UNSUPPORTED_ALGORITHM;
    }

    return prepare_session_key_cipher_strong(vars, _cipher_hd);
}
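/*
 * Dissect one opaque buffer and, when a session key is known for this
 * conversation, show its decrypted form as an extra data source.
 *
 * The encrypted bytes are always added to the tree first, so the
 * function returns the same offset (start + length) on every path;
 * decryption is best effort on top of that.
 *
 * Decryption works on a private copy of the bytes. The result is only
 * accepted when the little-endian 32-bit value at byte 4 of the
 * plaintext equals length - 8; a mismatch is reported as an unusable
 * session key. The expert info shows only the first four bytes of the
 * key, together with the frame and key origin it was learned from.
 *
 * Buffers shorter than 8 bytes are not decrypted.
 */
static int
netlogon_dissect_opaque_buffer_block(tvbuff_t *tvb, int offset, int length,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep _U_)
{
    int orig_offset = offset;
    unsigned char is_server = 0;
    netlogon_auth_vars *vars;
    gcry_error_t err;
    gcry_cipher_hd_t cipher_hd = NULL;
    uint8_t *buffer = NULL;
    tvbuff_t *dectvb = NULL;
    uint32_t expected_len;
    uint32_t decrypted_len;

    proto_tree_add_item(tree, di->hf_index, tvb, offset, length, ENC_NA);
    offset += length;

    /* Too short to hold the 8 header bytes the length check below relies on. */
    if (length < 8) {
        return offset;
    }

    vars = find_global_netlogon_auth_vars(pinfo, is_server);
    if (vars == NULL ) {
        ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths));
        expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                               &ei_netlogon_session_key,
                               "No session key found");
        return offset;
    }

    err = prepare_session_key_cipher(vars, &cipher_hd);
    if (err != 0) {
        ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",
                   gcry_strsource(err), gcry_strerror(err));
        return offset;
    }

    /* Decrypt a copy so the captured bytes stay untouched. */
    buffer = (uint8_t*)tvb_memdup(pinfo->pool, tvb, orig_offset, length);
    if (buffer == NULL) {
        gcry_cipher_close(cipher_hd);
        return offset;
    }

    /* A NULL input with length 0 asks libgcrypt to decrypt in place. */
    err = gcry_cipher_decrypt(cipher_hd, buffer, length, NULL, 0);
    gcry_cipher_close(cipher_hd);
    if (err != 0) {
        /* Name the call that actually failed; this used to repeat the
         * prepare_session_key_cipher label from the block above. */
        ws_warning("GCRY: gcry_cipher_decrypt %s/%s\n",
                   gcry_strsource(err), gcry_strerror(err));
        return offset;
    }

    dectvb = tvb_new_child_real_data(tvb, buffer, length, length);
    if (dectvb == NULL) {
        return offset;
    }

    /* Plausibility check on the plaintext: wrong key => garbage length. */
    expected_len = length - 8;
    decrypted_len = tvb_get_letohl(dectvb, 4);
    if (decrypted_len != expected_len) {
        expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                               &ei_netlogon_session_key,
                               "Unusable session key learned in frame %d ("
                               "%02x%02x%02x%02x"
                               ") from %s",
                               vars->auth_fd_num,
                               vars->session_key[0] & 0xFF, vars->session_key[1] & 0xFF,
                               vars->session_key[2] & 0xFF, vars->session_key[3] & 0xFF,
                               vars->nthash.key_origin);
        return offset;
    }

    expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                           &ei_netlogon_session_key,
                           "Using session key learned in frame %d ("
                           "%02x%02x%02x%02x"
                           ") from %s",
                           vars->auth_fd_num,
                           vars->session_key[0] & 0xFF, vars->session_key[1] & 0xFF,
                           vars->session_key[2] & 0xFF, vars->session_key[3] & 0xFF,
                           vars->nthash.key_origin);

    add_new_data_source(pinfo, dectvb, "OpaqueBuffer (Decrypted)");

    proto_tree_add_item(tree, hf_netlogon_opaque_buffer_dec, dectvb, 0, length, ENC_NA);
    return offset;
}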
/*
 * Pointee callback for the OpaqueBuffer argument: treats the data as a
 * conformant byte array and hands the whole block to
 * netlogon_dissect_opaque_buffer_block for display and decryption.
 */
static int
netlogon_dissect_opaque_buffer(tvbuff_t *tvb, int offset,
                               packet_info *pinfo, proto_tree *tree,
                               dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray_block(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_opaque_buffer_block);
}
7808 * IDL long NetrLogonSendToSam(
7809 * IDL [in][unique][string] wchar_t *ServerName,
7810 * IDL [in][ref][string] wchar_t *Workstation,
7811 * IDL [in][ref] AUTHENTICATOR *credential,
7812 * IDL [in][out][ref] AUTHENTICATOR *returnauthenticator,
7813 * IDL [in, size_is(OpaqueBufferSize)][ref] UCHAR * OpaqueBuffer,
7814 * IDL [in] ULONG OpaqueBufferSize
7815 * IDL );
/*
 * Request side of NetrLogonSendToSam.
 * Wire order as dissected here: server handle, computer name, the
 * client authenticator, the encrypted opaque buffer (decrypted when a
 * session key is available), and the buffer size.
 */
static int
netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_opaque_buffer, NDR_POINTER_REF,
                                 "OpaqueBuffer", hf_netlogon_opaque_buffer_enc);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_opaque_buffer_size, NULL);
}
/*
 * Reply side of NetrLogonSendToSam: the return authenticator followed
 * by the status word.
 */
static int
netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *tree,
                                          dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request side of the "dsraddresstositenamesw" call: server handle, a
 * 32-bit value, and a unique pointer to a byte array. The two payload
 * fields are shown as unknown values.
 */
static int
netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                               "BYTE pointer: unknown_BYTE", -1);
}
/*
 * Reply side of the "dsraddresstositenamesw" call: a unique pointer
 * dissected by netlogon_dissect_TYPE_50_ptr, followed by the status word.
 */
static int
netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
                                 "TYPE_50** pointer: unknown_TYPE_50", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
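/*
 * Request side of the "dsrgetdcnameex2" call.
 * Wire order as dissected here: server handle, client account name, a
 * 32-bit value, domain name, a unique pointer to the domain GUID,
 * client site name, and a trailing 32-bit value.
 *
 * The domain string (hf_netlogon_logon_dom) is labelled "Domain", the
 * same label the dsrgetdcnameex request uses for this field; it was
 * previously labelled "Client Account", duplicating the label of the
 * account-name field above it.
 */
static int
netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Client Account",
                                          hf_netlogon_acct_name, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "Domain GUID:", -1);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Client Site",
                                          hf_netlogon_site_name, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    return offset;
}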
/*
 * Reply side of the "dsrgetdcnameex2" call: a unique pointer to a
 * DOMAIN_CONTROLLER_INFO structure, followed by a status word registered
 * as hf_netlogon_dos_rc.
 */
static int
netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
                                       packet_info *pinfo, proto_tree *tree,
                                       dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
                                 "DOMAIN_CONTROLLER_INFO:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * Request side of the "netrlogongettimeserviceparentdomain" call: only
 * the server handle is dissected.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
                                                          packet_info *pinfo, proto_tree *tree,
                                                          dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Reply side of the "netrlogongettimeserviceparentdomain" call: a unique
 * string pointer, a unique pointer to a 32-bit value (both shown as
 * unknown fields), and the status word.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
                                                           packet_info *pinfo, proto_tree *tree,
                                                           dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "unknown string",
                                          hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                                 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request side of the "netrenumeratetrusteddomainsex" call: only the
 * server handle is dissected.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo, proto_tree *tree,
                                                    dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
}
/*
 * NetrEnumerateTrustedDomainsEx reply: entry count, a unique pointer to the
 * DS_DOMAIN_TRUSTS array, then the NTSTATUS return code.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "DS_DOMAIN_TRUSTS_ARRAY:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * DsrAddressToSiteNamesExW request: server handle, one 32-bit value and a
 * unique pointer to a byte array. Both trailing fields are still shown with
 * "unknown" labels.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                               "BYTE pointer: unknown_BYTE", -1);
}
/*
 * DsrAddressToSiteNamesExW reply: a unique pointer handled by the TYPE_52
 * helper (structure not yet named), then the NTSTATUS return code.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
                                 "TYPE_52 pointer: unknown_TYPE_52", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * One element of the site-name array: a counted string shown as
 * hf_netlogon_site_name and post-processed by cb_wstr_postprocess.
 * NOTE(review): the callback argument (CB_STR_COL_INFO | 1) presumably asks
 * for the name to be echoed to the Info column and one parent item - confirm
 * against the cb_wstr_postprocess documentation.
 */
static int
netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string_cb(tvb, offset, pinfo, tree, di, drep,
                                         hf_netlogon_site_name,
                                         cb_wstr_postprocess,
                                         GINT_TO_POINTER(CB_STR_COL_INFO | 1));
}
/* Unidimensional conformant array of site-name items. */
static int
netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_site_name_item);
}
/*
 * Site-names container: a 32-bit count followed by a unique pointer to the
 * site-name array. The count is only displayed; the array length comes from
 * the NDR array header handled by the array helper.
 */
static int
netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
                               "Site name array", -1);
}
/* DsrGetDcSiteCoverageW request: only the server handle is dissected. */
static int
netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
}
/*
 * DsrGetDcSiteCoverageW reply: a unique pointer to the site-names container,
 * then the NTSTATUS return code.
 */
static int
netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
                                 "Site names", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * NetrLogonSamLogonEx request. Fields, in wire order: LogonServer and
 * Computer Name (unique string pointers, both displayed through
 * hf_netlogon_computer_name), the 16-bit logon level, the LEVEL union behind
 * a ref pointer, the 16-bit validation level and the extra flags.
 *
 * The "#if 0" section is an older field layout that is compiled out.
 */
static int
netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* Server and client names */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "LogonServer",
                                          hf_netlogon_computer_name, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* Logon level selector and the logon information it selects */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
                                 "LEVEL: LogonLevel", -1);

    /* Requested validation level, then the extra flags */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_validation_level, NULL);
    offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);

#if 0
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "unknown string",
                                          hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "unknown string",
                                          hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_short, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
                                 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_short, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                                 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
#endif
    return offset;
}
/*
 * NetrLogonSamLogonEx reply. Fields, in wire order: the VALIDATION union
 * behind a ref pointer, the one-byte Authoritative flag, the extra flags and
 * the NTSTATUS return code.
 *
 * The "#if 0" section is an older field layout that is compiled out.
 */
static int
netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* Validation information returned for the logon */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
                                 "VALIDATION:", -1);

    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_authoritative, NULL);

    offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);
#if 0
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
                                 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
                                 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                                 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);
#endif
    return offset;
}
/*
 * NetrServerGetTrustInfo request. Fields, in wire order: server handle,
 * account name (ref string), secure channel type, computer name (ref string)
 * and the client AUTHENTICATOR behind a ref pointer.
 */
static int
netlogon_dissect_netrservergettrustinfo_rqst(tvbuff_t *tvb,
                                             int offset,
                                             packet_info *pinfo,
                                             proto_tree *tree,
                                             dcerpc_info *di,
                                             uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    /* Account whose trust information is requested */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Acct Name",
                                          hf_netlogon_acct_name, 0);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* The authenticator is the final field of the request stub. */
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                               "AUTHENTICATOR: credential", -1);
}
/*
 * UINT32 array of NL_GENERIC_RPC_DATA: a conformant array whose elements are
 * dissected with the DOMAIN_TRUST_ATTRIBS helper. Nothing is dissected during
 * a conformant run.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA_UINT32_ARRAY(tvbuff_t *tvb, int offset,
                                                  packet_info *pinfo _U_, proto_tree *tree,
                                                  dcerpc_info *di, uint8_t *drep _U_)
{
    /* A conformant run only handles conformant arrays; there is nothing to show. */
    if (!di->conformant_run) {
        offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DOMAIN_TRUST_ATTRIBS);
    }

    return offset;
}
/*
 * One string of NL_GENERIC_RPC_DATA, dissected as a counted string and shown
 * through hf_netlogon_package_name. Nothing is dissected during a conformant
 * run.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA_STRING(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo _U_, proto_tree *tree,
                                            dcerpc_info *di, uint8_t *drep _U_)
{
    /* A conformant run only handles conformant arrays; there is nothing to show. */
    if (!di->conformant_run) {
        // TODO
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_package_name, 0|CB_STR_SAVE);
    }

    return offset;
}
/*
 * String array of NL_GENERIC_RPC_DATA: a conformant array of counted
 * strings. Nothing is dissected during a conformant run.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA_STRING_ARRAY(tvbuff_t *tvb, int offset,
                                                  packet_info *pinfo _U_, proto_tree *tree,
                                                  dcerpc_info *di, uint8_t *drep _U_)
{
    /* A conformant run only handles conformant arrays; there is nothing to show. */
    if (!di->conformant_run) {
        offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_NL_GENERIC_RPC_DATA_STRING);
    }

    return offset;
}
/*
 * NL_GENERIC_RPC_DATA: two (count, unique array pointer) pairs - first the
 * UINT32 array, then the string array - placed under their own subtree.
 * Both counts are displayed through hf_netlogon_trust_len. Nothing is
 * dissected during a conformant run.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo _U_, proto_tree *parent_tree,
                                     dcerpc_info *di, uint8_t *drep _U_)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect. */
        return offset;
    }

    /* The subtree is only built when a protocol tree is being populated. */
    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1,
                                      ett_NL_GENERIC_RPC_DATA, &item,
                                      "NL_GENERIC_RPC_DATA:");
    }

    /* UINT32 array: count, then the deferred array body */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_trust_len, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_NL_GENERIC_RPC_DATA_UINT32_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "UINT32 ARRAY pointer: ", -1);

    /* String array: count, then the deferred array body */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_trust_len, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_NL_GENERIC_RPC_DATA_STRING_ARRAY,
                               NDR_POINTER_UNIQUE,
                               "STRING ARRAY pointer: ", -1);
}
/*
 * NetrServerGetTrustInfo reply. Fields, in wire order: the return
 * AUTHENTICATOR, the new and old NT_OWF_PASSWORD values (ref pointers), a
 * unique pointer to NL_GENERIC_RPC_DATA (trust_info) and the NTSTATUS code.
 *
 * NOTE(review): MS-NRPC describes the two OWF values as encrypted with the
 * session key; they are password-equivalent material, so captures and
 * exported dissections of this call should be handled as sensitive.
 */
static int
netlogon_dissect_netrservergettrustinfo_reply(tvbuff_t *tvb,
                                              int offset,
                                              packet_info *pinfo,
                                              proto_tree *tree,
                                              dcerpc_info *di,
                                              uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* Current and previous password hashes of the trust account */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_NT_OWF_PASSWORD, NDR_POINTER_REF,
                                 "NT_OWF_PASSWORD pointer: new_password", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_NT_OWF_PASSWORD, NDR_POINTER_REF,
                                 "NT_OWF_PASSWORD pointer: old_password", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_NL_GENERIC_RPC_DATA, NDR_POINTER_UNIQUE,
                                 "NL_GENERIC_RPC_DATA pointer: trust_info", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/* DsrEnumerateDomainTrusts request: server handle, then the trust flags. */
static int
netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    return netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
}
/*
 * DsrEnumerateDomainTrusts reply: entry count, a unique pointer to the
 * DS_DOMAIN_TRUSTS array, then the return code, which is displayed through
 * hf_netlogon_dos_rc.
 */
static int
netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "DS_DOMAIN_TRUSTS_ARRAY:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * DsrDeregisterDnsHostRecords request. Fields, in wire order: server handle,
 * domain name (unique string), domain GUID and DSA GUID (unique pointers)
 * and the DNS host name (ref string).
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_logon_dom, 0);

    /* Both GUIDs are optional (unique pointers). */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: domain_guid", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: dsa_guid", -1);

    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "dns_host",
                                        hf_netlogon_dns_host, 0);
}
/* DsrDeregisterDnsHostRecords reply: only the NTSTATUS return code. */
static int
netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
8380 * TODO
8381 * IDL long NetrChainSetClientAttributes(
8382 * IDL );
8384 NetrChainSetClientAttributes(
8385 [in,string,ref] LOGONSRV_HANDLE PrimaryName,
8386 [in,string,ref] wchar_t * ChainedFromServerName,
8387 [in,string,ref] wchar_t * ChainedForClientName,
8388 [in,ref] PNETLOGON_AUTHENTICATOR Authenticator,
8389 [in,out,ref] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
8390 [in] DWORD dwInVersion,
8391 [in,ref] [switch_is(dwInVersion)]
8392 NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES *pmsgIn,
8393 [in,out,ref] DWORD * pdwOutVersion,
8394 [in,out,ref] [switch_is(*pdwOutVersion)]
8395 NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES *pmsgOut
8398 typedef struct _NL_OSVERSIONINFO_V1{
8399 DWORD dwOSVersionInfoSize;
8400 DWORD dwMajorVersion;
8401 DWORD dwMinorVersion;
8402 DWORD dwBuildNumber;
8403 DWORD dwPlatformId;
8404 wchar_t szCSDVersion[128];
8405 USHORT wServicePackMajor;
8406 USHORT wServicePackMinor;
8407 USHORT wSuiteMask;
8408 UCHAR wProductType;
8409 UCHAR wReserved;
8410 } NL_OSVERSIONINFO_V1;
8411 typedef struct _NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1{
8412 [unique,string] wchar_t * ClientDnsHostName;
8413 [unique] NL_OSVERSIONINFO_V1 *OsVersionInfo_V1;
8414 [unique,string] wchar_t * OsName;
8415 } NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1;
8416 typedef [switch_type(DWORD)] union{
8417 [case(1)] NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1 V1;
8418 } NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES;
8419 typedef struct _NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1{
8420 [unique,string] wchar_t *HubName;
8421 [unique,string] wchar_t **OldDnsHostName;
8422 [unique] ULONG * SupportedEncTypes;
8423 } NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1;
8424 typedef [switch_type(DWORD)] union{
8425 [case(1)] NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 V1;
8426 } NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES;
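/*
 * NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES union: a 32-bit level followed by the
 * arm it selects. Only level 1 is known; it is dissected with the
 * WORKSTATION_INFORMATION helper behind a unique pointer (the tree label
 * "LSA POLICY INFO" is inherited from that use).
 *
 * The level comes from the packet, so it is initialised before the read and
 * unknown values fall through to an explicit default that dissects nothing.
 */
static int
netlogon_dissect_NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    /* Defined value even if the helper returns without storing one. */
    uint32_t level = 0;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, &level);
    switch (level) {
    case 1:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_WORKSTATION_INFORMATION,
                                     NDR_POINTER_UNIQUE,
                                     "LSA POLICY INFO", -1);
        break;
    default:
        /* Unknown level: no arm is defined, leave the offset after the level. */
        break;
    }
    return offset;
}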
/*
 * NetrChainSetClientAttributes request. Fields, in wire order: server handle
 * and the two chained names (ref strings), the client and return
 * AUTHENTICATORs, then an (in_version, IN attributes) pair and an
 * (out_version, OUT attributes) pair.
 *
 * NOTE(review): both attribute pointers are registered with a NULL callback,
 * so the union bodies are presumably left undecoded here - confirm against
 * dissect_ndr_pointer.
 */
static int
netlogon_dissect_netrchainsetclientattributes_rqst(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo,
                                                   proto_tree *tree,
                                                   dcerpc_info *di,
                                                   uint8_t *drep)
{
    /* Names */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "ChainedFromServerName",
                                          hf_netlogon_computer_name, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "ChainedForClientName",
                                          hf_netlogon_computer_name, 0);

    /* Authenticators */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* Input message */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL); // in_version
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 NULL, NDR_POINTER_REF,
                                 "IN_CHAIN_SET_CLIENT_ATTRIBUTES", -1);

    /* Output message */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL); // out_version

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               NULL, NDR_POINTER_REF,
                               "OUT_CHAIN_SET_CLIENT_ATTRIBUTES", -1);
}
/*
 * NetrChainSetClientAttributes reply: return AUTHENTICATOR, out_version, the
 * OUT attributes pointer (registered with a NULL callback) and the NTSTATUS
 * return code.
 */
static int
netlogon_dissect_netrchainsetclientattributes_reply(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo,
                                                    proto_tree *tree,
                                                    dcerpc_info *di,
                                                    uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL); // out_version

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 NULL, NDR_POINTER_REF,
                                 "OUT_CHAIN_SET_CLIENT_ATTRIBUTES", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
8515 /* Dissect secure channel stuff */
8517 static int hf_netlogon_secchan_nl_message_type;
8518 static int hf_netlogon_secchan_nl_message_flags;
8519 static int hf_netlogon_secchan_nl_message_flags_nb_domain;
8520 static int hf_netlogon_secchan_nl_message_flags_nb_host;
8521 static int hf_netlogon_secchan_nl_message_flags_dns_domain;
8522 static int hf_netlogon_secchan_nl_message_flags_dns_host;
8523 static int hf_netlogon_secchan_nl_message_flags_nb_host_utf8;
8524 static int hf_netlogon_secchan_nl_nb_domain;
8525 static int hf_netlogon_secchan_nl_nb_host;
8526 static int hf_netlogon_secchan_nl_dns_domain;
8527 static int hf_netlogon_secchan_nl_dns_host;
8528 static int hf_netlogon_secchan_nl_nb_host_utf8;
8530 static int ett_secchan_verf;
8531 static int ett_secchan_nl_auth_message;
8532 static int ett_secchan_nl_auth_message_flags;
/* Display names for the NL_AUTH_MESSAGE message type. */
static const value_string nl_auth_types[] = {
    { 0x00000000, "Request"  },
    { 0x00000001, "Response" },
    { 0,          NULL       }   /* terminator */
};
/*
 * MS-NRPC : 2.2.1.3.1 NL_AUTH_MESSAGE
 *
 * Dissects the secure-channel authentication token: a 32-bit message type,
 * a 32-bit flags word, then one name per flag bit that is set, in the fixed
 * order NetBIOS domain, NetBIOS host, DNS domain, DNS host, NetBIOS host
 * (UTF-8). Afterwards the PDU type decides whether the sender is the client
 * or the server, and the matching netlogon_auth_vars entry is looked up (or
 * created) so an expert info can say which session key is in use.
 *
 * All lengths are taken from the packet: the NetBIOS names are sized with
 * tvb_strsize(), and the DNS-style names are read by
 * dissect_mscldap_string() with a 255-byte maximum.
 *
 * The expert info prints the first four bytes of the session key together
 * with the frame and origin it was learned from. Exported dissections
 * therefore contain partial key material and should be handled accordingly.
 *
 * Returns the offset after the last name that was dissected.
 */
static int dissect_secchan_nl_auth_message(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo,
                                           proto_tree *tree, dcerpc_info *di _U_, uint8_t *drep)
{
    static int * const flag_fields[] = {
        &hf_netlogon_secchan_nl_message_flags_nb_domain,
        &hf_netlogon_secchan_nl_message_flags_nb_host,
        &hf_netlogon_secchan_nl_message_flags_dns_domain,
        &hf_netlogon_secchan_nl_message_flags_dns_host,
        &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
        NULL
    };
    dcerpc_auth_info *auth_info = di->auth_info;
    /* Byte order of the flags word follows the DCE/RPC data representation. */
    const unsigned flags_encoding = (drep[0] & DREP_LITTLE_ENDIAN) ?
                                    ENC_LITTLE_ENDIAN :
                                    ENC_BIG_ENDIAN;
    proto_item *item = NULL;
    proto_tree *subtree = NULL;
    netlogon_auth_vars *vars = NULL;
    uint32_t messagetype;
    uint64_t messageflags;
    unsigned char is_server;
    int name_len;

    if (tree) {
        subtree = proto_tree_add_subtree(
            tree, tvb, offset, -1, ett_secchan_nl_auth_message, &item,
            "Secure Channel NL_AUTH_MESSAGE");
    }

    /* We can't use the NDR routines as the DCERPC call data hasn't
       been initialised since we haven't made a DCERPC call yet, just
       a bind request. */

    /* Type */
    offset = dissect_dcerpc_uint32(tvb, offset, pinfo, subtree, drep,
                                   hf_netlogon_secchan_nl_message_type,
                                   &messagetype);

    /* Flags */
    proto_tree_add_bitmask_ret_uint64(subtree, tvb, offset,
                                      hf_netlogon_secchan_nl_message_flags,
                                      ett_secchan_nl_auth_message_flags,
                                      flag_fields,
                                      flags_encoding,
                                      &messageflags);
    offset += 4;

    /* Buffer: each name is present only when its flag bit is set. */

    /* netbios domain name */
    if (messageflags & 0x00000001) {
        name_len = tvb_strsize(tvb, offset);
        proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_domain,
                            tvb, offset, name_len, ENC_ASCII);
        offset += name_len;
    }

    /* netbios host name */
    if (messageflags & 0x00000002) {
        name_len = tvb_strsize(tvb, offset);
        proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_host,
                            tvb, offset, name_len, ENC_ASCII);
        offset += name_len;
    }

    /* DNS domain name */
    if (messageflags & 0x00000004) {
        const int start = offset;
        char *name;

        offset = dissect_mscldap_string(pinfo->pool, tvb, offset, 255, &name);
        proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_domain,
                              tvb, start, offset - start, name);
    }

    /* DNS host name */
    if (messageflags & 0x00000008) {
        const int start = offset;
        char *name;

        offset = dissect_mscldap_string(pinfo->pool, tvb, offset, 255, &name);
        proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_host,
                              tvb, start, offset - start, name);
    }

    /* NetBios host name (UTF8) */
    if (messageflags & 0x00000010) {
        const int start = offset;
        char *name;

        offset = dissect_mscldap_string(pinfo->pool, tvb, offset, 255, &name);
        proto_tree_add_string(subtree, hf_netlogon_secchan_nl_nb_host_utf8,
                              tvb, start, offset - start, name);
    }

    /* Client-originated PDUs versus server-originated PDUs; any other
       PDU type ends the dissection without a key lookup. */
    switch (di->ptype) {
    case PDU_BIND:
    case PDU_ALTER:
    case PDU_AUTH3:
        is_server = 0;
        break;
    case PDU_BIND_ACK:
    case PDU_BIND_NAK:
    case PDU_ALTER_ACK:
    case PDU_FAULT:
        is_server = 1;
        break;
    default:
        return offset;
    }

    vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
    if (vars == NULL) {
        ws_debug("Vars not found (is null %d) %d (dissect_verf)",vars==NULL,wmem_map_size(netlogon_auths));
        return offset;
    }

    /* Only a four-byte prefix of the key is shown, as an identifier. */
    expert_add_info_format(pinfo, proto_tree_get_parent(subtree),
                           &ei_netlogon_session_key,
                           "Using session key learned in frame %d ("
                           "%02x%02x%02x%02x"
                           ") from %s",
                           vars->auth_fd_num,
                           vars->session_key[0] & 0xFF,
                           vars->session_key[1] & 0xFF,
                           vars->session_key[2] & 0xFF,
                           vars->session_key[3] & 0xFF,
                           vars->nthash.key_origin);

    return offset;
}
8670 /* Subdissectors */
/*
 * Operation table for the netlogon interface: operation constant, display
 * name, request dissector, reply dissector. Entries whose dissectors are
 * NULL have a name but no stub dissection in this table. The list ends with
 * an all-zero entry.
 */
static const dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
    { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon", netlogon_dissect_netrlogonuaslogon_rqst, netlogon_dissect_netrlogonuaslogon_reply },
    { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff", netlogon_dissect_netrlogonuaslogoff_rqst, netlogon_dissect_netrlogonuaslogoff_reply },
    { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon", netlogon_dissect_netrlogonsamlogon_rqst, netlogon_dissect_netrlogonsamlogon_reply },
    { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff", netlogon_dissect_netrlogonsamlogoff_rqst, netlogon_dissect_netrlogonsamlogoff_reply },
    { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge", netlogon_dissect_netrserverreqchallenge_rqst, netlogon_dissect_netrserverreqchallenge_reply },
    { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate", netlogon_dissect_netrserverauthenticate_rqst, netlogon_dissect_netrserverauthenticate_reply },
    { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet", netlogon_dissect_netrserverpasswordset_rqst, netlogon_dissect_netrserverpasswordset_reply },
    { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas", netlogon_dissect_netrdatabasedeltas_rqst, netlogon_dissect_netrdatabasedeltas_reply },
    { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync", netlogon_dissect_netrdatabasesync_rqst, netlogon_dissect_netrdatabasesync_reply },
    { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas", netlogon_dissect_netraccountdeltas_rqst, netlogon_dissect_netraccountdeltas_reply },
    { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync", netlogon_dissect_netraccountsync_rqst, netlogon_dissect_netraccountsync_reply },
    { NETLOGON_NETRGETDCNAME, "NetrGetDCName", netlogon_dissect_netrgetdcname_rqst, netlogon_dissect_netrgetdcname_reply },
    { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl", netlogon_dissect_netrlogoncontrol_rqst, netlogon_dissect_netrlogoncontrol_reply },
    { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName", netlogon_dissect_netrgetanydcname_rqst, netlogon_dissect_netrgetanydcname_reply },
    { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2", netlogon_dissect_netrlogoncontrol2_rqst, netlogon_dissect_netrlogoncontrol2_reply },
    { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2", netlogon_dissect_netrserverauthenticate2_rqst, netlogon_dissect_netrserverauthenticate2_reply },
    { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2", netlogon_dissect_netrdatabasesync2_rqst, netlogon_dissect_netrdatabasesync2_reply },
    { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo", netlogon_dissect_netrdatabaseredo_rqst, netlogon_dissect_netrdatabaseredo_reply },
    { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex", netlogon_dissect_netrlogoncontrol2ex_rqst, netlogon_dissect_netrlogoncontrol2ex_reply },
    { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains", netlogon_dissect_netrenumeratetrusteddomains_rqst, netlogon_dissect_netrenumeratetrusteddomains_reply },
    { NETLOGON_DSRGETDCNAME, "DsrGetDcName", netlogon_dissect_dsrgetdcname_rqst, netlogon_dissect_dsrgetdcname_reply },
    { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonGetCapabilities", netlogon_dissect_netrlogondummyroutine1_rqst, netlogon_dissect_netrlogondummyroutine1_reply },
    { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits", netlogon_dissect_netrlogonsetservicebits_rqst, netlogon_dissect_netrlogonsetservicebits_reply },
    { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid", netlogon_dissect_netrlogongettrustrid_rqst, netlogon_dissect_netrlogongettrustrid_reply },
    { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest", netlogon_dissect_netrlogoncomputeserverdigest_rqst, netlogon_dissect_netrlogoncomputeserverdigest_reply },
    { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest", netlogon_dissect_netrlogoncomputeclientdigest_rqst, netlogon_dissect_netrlogoncomputeclientdigest_reply },
    { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3", netlogon_dissect_netrserverauthenticate3_rqst, netlogon_dissect_netrserverauthenticate3_reply },
    { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx", netlogon_dissect_dsrgetdcnameex_rqst, netlogon_dissect_dsrgetdcnameex_reply },
    { NETLOGON_DSRGETSITENAME, "DsrGetSiteName", netlogon_dissect_dsrgetsitename_rqst, netlogon_dissect_dsrgetsitename_reply },
    { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo", netlogon_dissect_netrlogongetdomaininfo_rqst, netlogon_dissect_netrlogongetdomaininfo_reply },
    { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2", netlogon_dissect_netrserverpasswordset2_rqst, netlogon_dissect_netrserverpasswordset2_reply },
    { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet", netlogon_dissect_netrserverpasswordget_rqst, netlogon_dissect_netrserverpasswordget_reply },
    { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam", netlogon_dissect_netrlogonsendtosam_rqst, netlogon_dissect_netrlogonsendtosam_reply },
    { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW", netlogon_dissect_dsraddresstositenamesw_rqst, netlogon_dissect_dsraddresstositenamesw_reply },
    { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2", netlogon_dissect_dsrgetdcnameex2_rqst, netlogon_dissect_dsrgetdcnameex2_reply },
    { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN, "NetrLogonGetTimeServiceParentDomain", netlogon_dissect_netrlogongettimeserviceparentdomain_rqst, netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
    { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx", netlogon_dissect_netrenumeratetrusteddomainsex_rqst, netlogon_dissect_netrenumeratetrusteddomainsex_reply },
    { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW", netlogon_dissect_dsraddresstositenamesexw_rqst, netlogon_dissect_dsraddresstositenamesexw_reply },
    { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW", netlogon_dissect_dsrgetdcsitecoveragew_rqst, netlogon_dissect_dsrgetdcsitecoveragew_reply },
    { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx", netlogon_dissect_netrlogonsamlogonex_rqst, netlogon_dissect_netrlogonsamlogonex_reply },
    { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts", netlogon_dissect_dsrenumeratedomaintrusts_rqst, netlogon_dissect_dsrenumeratedomaintrusts_reply },
    { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords", netlogon_dissect_dsrderegisterdnshostrecords_rqst, netlogon_dissect_dsrderegisterdnshostrecords_reply },
    { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet", NULL, NULL },
    { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation", NULL, NULL },
    { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation", NULL, NULL },
    { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags", netlogon_dissect_netrlogonsamlogonflags_rqst, netlogon_dissect_netrlogonsamlogonflags_reply },
    { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo", netlogon_dissect_netrservergettrustinfo_rqst, netlogon_dissect_netrservergettrustinfo_reply },
    { NETLOGON_DSRUPDATEREADONLYSERVERDNSRECORDS, "DsrUpdateReadOnlyServerDnsRecords", NULL, NULL },
    { NETLOGON_NETRCHAINSETCLIENTATTRIBUTES, "NetrChainSetClientAttributes", netlogon_dissect_netrchainsetclientattributes_rqst, netlogon_dissect_netrchainsetclientattributes_reply },
    { NETLOGON_NETRSERVERAUTHENTICATEKERBEROS, "NetrServerAuthenticateKerberos", netlogon_dissect_netrserverauthenticatekerberos_rqst, netlogon_dissect_netrserverauthenticatekerberos_reply },
    { 0, NULL, NULL, NULL }
};
8823 static int hf_netlogon_secchan_verf;
8824 static int hf_netlogon_secchan_verf_signalg;
8825 static int hf_netlogon_secchan_verf_sealalg;
8826 static int hf_netlogon_secchan_verf_flag;
8827 static int hf_netlogon_secchan_verf_digest;
8828 static int hf_netlogon_secchan_verf_seq;
8829 static int hf_netlogon_secchan_verf_nonce;
/*
 * Display names for the signature algorithm identifier in the secure
 * channel verifier.
 */
static const value_string sign_algs[] = {
    { 0x0077, "HMAC-MD5"    },
    { 0x0013, "HMAC-SHA256" },
    { 0,      NULL          }   /* terminator */
};

/*
 * Display names for the seal (encryption) algorithm identifier in the
 * secure channel verifier. 0xFFFF marks traffic that is signed only.
 */
static const value_string seal_algs[] = {
    { 0xFFFF, "Not Encrypted" },
    { 0x007A, "RC4"           },
    { 0x001A, "AES-128"       },
    { 0,      NULL            }   /* terminator */
};
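/**
 * Derive the sealing key from a session key.
 *
 * Each of the first key_len bytes of session_key is XORed with 0xF0 and
 * stored in seal_key; the rest of the 16-byte output stays zero.
 *
 * @param session_key  Session key; 16 bytes are read for the all-zero check.
 * @param key_len      Number of key bytes to transform. Values outside 0..16
 *                     are clamped, because both buffers are handled as
 *                     16-byte keys and a larger count would run past them.
 * @param seal_key     Output buffer of at least 16 bytes; it is always fully
 *                     initialised, also when 0 is returned.
 * @return 1 when a key was derived, 0 when session_key is all zeros.
 */
static int get_seal_key(const uint8_t *session_key,int key_len,uint8_t* seal_key)
{
    enum { SEAL_KEY_LEN = 16 };
    static const uint8_t zero_sk[SEAL_KEY_LEN] = { 0 };
    int n = key_len;

    /* Never read or write beyond the 16 bytes the rest of the function assumes. */
    if (n < 0) {
        n = 0;
    } else if (n > SEAL_KEY_LEN) {
        n = SEAL_KEY_LEN;
    }

    memset(seal_key, 0, SEAL_KEY_LEN);

    /* An all-zero session key yields no sealing key. */
    if (memcmp(session_key, zero_sk, SEAL_KEY_LEN) == 0) {
        return 0;
    }

    for (int i = 0; i < n; i++) {
        seal_key[i] = (uint8_t)(session_key[i] ^ 0xF0);
    }
    return 1;
}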
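/**
 * Decrypt the 8-byte sequence number of a secure channel verifier with
 * AES-128 in CFB8 mode.
 *
 * The IV is the 8-byte checksum repeated twice; the key is the first 16
 * bytes of session_key. checksum and enc_seq are used as raw bytes in the
 * order they are held in memory.
 *
 * @param session_key  Session key (16 bytes are used).
 * @param checksum     Checksum from the verifier, used to build the IV.
 * @param enc_seq      Encrypted sequence number.
 * @param is_server    Unused.
 * @return The decrypted sequence number, or 0 if any libgcrypt call fails.
 *         A warning is logged for each failure; note that 0 cannot be told
 *         apart from a sequence number that really decrypts to 0.
 */
static uint64_t uncrypt_sequence_aes(uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U_)
{
    gcry_cipher_hd_t cipher_hd = NULL;
    gcry_error_t err;
    uint8_t iv[16] = { 0 };
    uint64_t seq = 0;   /* result on every failure path */

    memcpy(&iv[0], &checksum, 8);
    memcpy(&iv[8], &checksum, 8);

    /* Open the cipher */
    err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
    if (err != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        return 0;
    }

    /* Set the initial value */
    err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
    if (err != 0) {
        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto done;
    }

    /* Set the key */
    err = gcry_cipher_setkey(cipher_hd, session_key, 16);
    if (err != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto done;
    }

    /* Decrypt in place (no separate input buffer). */
    err = gcry_cipher_decrypt(cipher_hd, (uint8_t*) &enc_seq, 8, NULL, 0);
    if (err != 0) {
        /* This step decrypts, so the log says so (it used to read "encrypt"). */
        ws_warning("GCRY: decrypt %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto done;
    }
    seq = enc_seq;

done:
    /* Single release point for the cipher handle. */
    gcry_cipher_close(cipher_hd);
    return seq;
}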
/*
 * Recover the plaintext sequence number of a verifier protected with the
 * HMAC-MD5 / RC4 scheme.
 *
 * Key derivation as coded below:
 *   buf = HMAC-MD5(key = session_key[0..15], data = four zero bytes)
 *   key = HMAC-MD5(key = buf,                data = 8-byte checksum)
 * enc_seq is then decrypted in place with RC4 under that key.
 *
 * Returns 0 if either HMAC step fails.  If opening the RC4 handle or
 * setting its key fails, enc_seq is returned unchanged, i.e. still
 * encrypted; the result of the decrypt call itself is not checked.
 */
static uint64_t uncrypt_sequence_strong(uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U_)
{
    uint8_t zeros[4] = { 0 };
    uint8_t buf[HASH_MD5_LENGTH];
    uint8_t key[HASH_MD5_LENGTH];
    gcry_cipher_hd_t rc4_handle;
    uint8_t *p_seq = (uint8_t*) &enc_seq;  /* byte view used for the in-place decrypt */
    /*uint32_t temp;*/

    /* Step 1: intermediate key from the session key */
    if (ws_hmac_buffer(GCRY_MD_MD5, buf, zeros, 4, session_key, 16)) {
        return 0;
    }

    /* Step 2: per-message RC4 key from the intermediate key and the checksum */
    if (ws_hmac_buffer(GCRY_MD_MD5, key, (uint8_t*)&checksum, 8, buf, HASH_MD5_LENGTH)) {
        return 0;
    }

    /* gcry calls return 0 on success, hence the negations */
    if (!gcry_cipher_open (&rc4_handle, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0)) {
        if (!gcry_cipher_setkey(rc4_handle, key, HASH_MD5_LENGTH)) {
            gcry_cipher_decrypt(rc4_handle, p_seq, 8, NULL, 0);
        }
        gcry_cipher_close(rc4_handle);
    }
    /*
     * NOTE(review): the listing does not show where the disabled region
     * below ends; is_server is marked _U_, which suggests the direction
     * mask is part of it - confirm against the repository.
     */
    /*temp = *((uint32_t*)p_seq);
     *((uint32_t*)p_seq) = *((uint32_t*)p_seq+1);
     *((uint32_t*)p_seq+1) = temp;

     if(!is_server) {
     *p_seq = *p_seq & 0x7F;
     }
    */
    return enc_seq;
}
/*
 * Decrypt a verifier sequence number with the scheme selected by the
 * negotiated flags: AES takes precedence over the "strong key" (RC4)
 * variant.  Returns 0 when neither flag is set.
 */
static uint64_t uncrypt_sequence(uint32_t flags, uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U_)
{
    /* No supported scheme negotiated: nothing to decrypt with. */
    if (!(flags & (NETLOGON_FLAG_AES | NETLOGON_FLAG_STRONGKEY))) {
        return 0;
    }

    if (flags & NETLOGON_FLAG_AES) {
        return uncrypt_sequence_aes(session_key, checksum, enc_seq, is_server);
    }

    /* Only NETLOGON_FLAG_STRONGKEY remains. */
    return uncrypt_sequence_strong(session_key, checksum, enc_seq, is_server);
}
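/*
 * Build an AES-128/CFB8 handle for decrypting a sealed payload.
 *
 * The IV is the 8 bytes of vars->seq repeated twice and the key is the
 * first 16 bytes of vars->encryption_key.  On success the open handle is
 * stored in *_cipher_hd and the caller must gcry_cipher_close() it.
 *
 * Returns 0 on success, otherwise the libgcrypt error of the failing step,
 * with *_cipher_hd left NULL.  Failures must not be reported as 0: the
 * caller only looks at the return value before using the handle, so a
 * swallowed error would hand a NULL handle to gcry_cipher_decrypt() while
 * dissecting captured traffic.
 */
static gcry_error_t prepare_decryption_cipher_aes(netlogon_auth_vars *vars,
                                                  gcry_cipher_hd_t *_cipher_hd)
{
    gcry_error_t err;
    gcry_cipher_hd_t cipher_hd = NULL;
    uint64_t sequence = vars->seq;

    uint8_t iv[16] = { 0 };

    /* Never leave a stale handle behind on the error paths. */
    *_cipher_hd = NULL;

    /* IV = sequence || sequence */
    memcpy(&iv[0], (uint8_t*)&sequence, 8);
    memcpy(&iv[8], (uint8_t*)&sequence, 8);

    /* Open the cipher */
    err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
    if (err != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        return err;
    }

    /* Set the initial value */
    err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
    if (err != 0) {
        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        gcry_cipher_close(cipher_hd);
        return err;
    }

    /* Set the key */
    err = gcry_cipher_setkey(cipher_hd, vars->encryption_key, 16);
    if (err != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        gcry_cipher_close(cipher_hd);
        return err;
    }

    *_cipher_hd = cipher_hd;
    return 0;
}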
/*
 * Build an RC4 handle for decrypting a payload sealed with the
 * HMAC-MD5 / RC4 scheme.
 *
 * Key derivation as coded below:
 *   intermediate = HMAC-MD5(key = vars->encryption_key[0..15],
 *                           data = four zero bytes)
 *   rc4_key      = HMAC-MD5(key = intermediate, data = 8 bytes of vars->seq)
 *
 * On success the open handle is stored in *_cipher_hd (the caller closes
 * it) and 0 is returned; otherwise the error of the failing step is
 * returned and *_cipher_hd is not written.
 */
static gcry_error_t prepare_decryption_cipher_strong(netlogon_auth_vars *vars,
                                                     gcry_cipher_hd_t *_cipher_hd)
{
    static const uint8_t zero_block[4] = { 0 };
    uint8_t intermediate[HASH_MD5_LENGTH] = { 0 };
    uint8_t rc4_key[16] = { 0 };
    uint64_t seq_copy = vars->seq;
    gcry_cipher_hd_t hd = NULL;
    gcry_error_t rc;

    rc = ws_hmac_buffer(GCRY_MD_MD5, intermediate, zero_block, 4, vars->encryption_key, 16);
    if (rc != 0) {
        ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    rc = ws_hmac_buffer(GCRY_MD_MD5, rc4_key, (uint8_t*)&seq_copy, 8, intermediate, HASH_MD5_LENGTH);
    if (rc != 0) {
        ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    /* Open the stream cipher */
    rc = gcry_cipher_open(&hd, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0);
    if (rc != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    /* Load the derived key; the handle is released if that fails */
    rc = gcry_cipher_setkey(hd, rc4_key, 16);
    if (rc != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        gcry_cipher_close(hd);
        return rc;
    }

    *_cipher_hd = hd;
    return 0;
}
/*
 * Create the payload decryption handle for the scheme selected by
 * vars->flags.  AES takes precedence over the "strong key" (RC4) variant.
 *
 * *_cipher_hd is reset to NULL before dispatching.  Returns whatever the
 * selected helper returns, or GPG_ERR_UNSUPPORTED_ALGORITHM when neither
 * flag is set.
 */
static gcry_error_t prepare_decryption_cipher(netlogon_auth_vars *vars,
                                              gcry_cipher_hd_t *_cipher_hd)
{
    const uint32_t negotiated = vars->flags;

    *_cipher_hd = NULL;

    if (!(negotiated & (NETLOGON_FLAG_AES | NETLOGON_FLAG_STRONGKEY))) {
        return GPG_ERR_UNSUPPORTED_ALGORITHM;
    }

    if (negotiated & NETLOGON_FLAG_AES) {
        return prepare_decryption_cipher_aes(vars, _cipher_hd);
    }

    /* Only NETLOGON_FLAG_STRONGKEY remains. */
    return prepare_decryption_cipher_strong(vars, _cipher_hd);
}
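/*
 * Decrypt a sealed secure channel payload.
 *
 * Looks up the per-conversation auth state and, when a session key is
 * known (vars->can_decrypt), copies the captured bytes from offset to the
 * end of tvb into packet-scoped memory and decrypts the copy in place.
 * The confounder is run through the cipher first: for AES the payload
 * decryption continues from the cipher state that leaves behind, for the
 * non-AES path the handle is reset before the payload.
 *
 * Returns a child tvb holding the decrypted bytes, or NULL when no auth
 * state or key is available, the cipher cannot be set up, or a decrypt
 * call fails.  Returning NULL on failure keeps undecrypted bytes from
 * being presented as plaintext.  The caller adds the data source.
 */
static tvbuff_t *
dissect_packet_data(tvbuff_t *tvb ,tvbuff_t *auth_tvb _U_,
                    int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info _U_,unsigned char is_server)
{
    tvbuff_t *buf = NULL;
    uint8_t *decrypted;
    netlogon_auth_vars *vars;
    gcry_error_t err;
    gcry_cipher_hd_t cipher_hd = NULL;
    int data_len;
    uint64_t copyconfounder;
    /*ws_debug("Dissection of request data offset %d len=%d on packet %d",offset,tvb_length_remaining(tvb,offset),pinfo->num);*/

    vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
    if (vars == NULL) {
        ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths));
        return(buf);
    }

    if (vars->can_decrypt != true) {
        ws_debug("Session key not found can't decrypt ...");
        return(buf);
    }

    copyconfounder = vars->confounder;

    data_len = tvb_captured_length_remaining(tvb,offset);
    if (data_len < 0) {
        return NULL;
    }

    /*
     * Copy the payload before the cipher handle exists, so that no handle
     * is outstanding while tvb accessors run.
     */
    decrypted = (uint8_t*)tvb_memdup(pinfo->pool, tvb, offset,data_len);

    err = prepare_decryption_cipher(vars, &cipher_hd);
    if (err != 0) {
        ws_warning("GCRY: prepare_decryption_cipher %s/%s",
                   gcry_strsource(err), gcry_strerror(err));
        return NULL;
    }
    if (cipher_hd == NULL) {
        /* Success without a handle: refuse to pass NULL to libgcrypt. */
        ws_warning("GCRY: prepare_decryption_cipher returned no cipher handle");
        return NULL;
    }

    err = gcry_cipher_decrypt(cipher_hd, (uint8_t*)&copyconfounder, 8, NULL, 0);
    if (err == 0) {
        if (!(vars->flags & NETLOGON_FLAG_AES)) {
            gcry_cipher_reset(cipher_hd);
        }
        err = gcry_cipher_decrypt(cipher_hd, decrypted, data_len, NULL, 0);
    }
    gcry_cipher_close(cipher_hd);

    if (err != 0) {
        ws_warning("GCRY: decrypt %s/%s",
                   gcry_strsource(err), gcry_strerror(err));
        return NULL;
    }

    buf = tvb_new_child_real_data(tvb, decrypted, data_len, data_len);
    /* Note: caller does add_new_data_source(...) */

    return(buf);
}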
/*
 * Request-direction payload hook: decrypts payload_tvb from offset 0 via
 * dissect_packet_data() with is_server = 0.  The header and trailer tvbs
 * are not used.
 */
static tvbuff_t* dissect_request_data(tvbuff_t *header_tvb _U_,
                                      tvbuff_t *payload_tvb,
                                      tvbuff_t *trailer_tvb _U_,
                                      tvbuff_t *auth_tvb,
                                      packet_info *pinfo,
                                      dcerpc_auth_info *auth_info)
{
    const unsigned char is_server = 0;
    const int start = 0;

    return dissect_packet_data(payload_tvb, auth_tvb, start, pinfo, auth_info, is_server);
}
/*
 * Response-direction payload hook: decrypts payload_tvb from offset 0 via
 * dissect_packet_data() with is_server = 1.  The header and trailer tvbs
 * are not used.
 */
static tvbuff_t* dissect_response_data(tvbuff_t *header_tvb _U_,
                                       tvbuff_t *payload_tvb,
                                       tvbuff_t *trailer_tvb _U_,
                                       tvbuff_t *auth_tvb,
                                       packet_info *pinfo,
                                       dcerpc_auth_info *auth_info)
{
    const unsigned char is_server = 1;
    const int start = 0;

    return dissect_packet_data(payload_tvb, auth_tvb, start, pinfo, auth_info, is_server);
}
/* MS-NRPC 2.2.1.3.2 */
/*
 * Dissect the secure channel verifier and refresh the per-conversation
 * decryption state from it.
 *
 * Layout as read below: signature algorithm (2), seal algorithm (2),
 * 2 pad bytes, flags (2), encrypted sequence number (8), digest (8) and,
 * when the bytes are present, an 8-byte nonce (confounder).
 *
 * The fields are only added to the tree when the file-level "seen" state
 * does not already name this frame; the auth-state lookup and the key
 * handling further down run on every call.
 *
 * Returns the offset after the last field consumed.
 */
static int
dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo,
                     proto_tree *tree, uint8_t *drep,
                     dcerpc_auth_info *auth_info,
                     unsigned char is_server)
{
    netlogon_auth_vars *vars;
    proto_item *vf = NULL;
    proto_tree *subtree = NULL;
    uint64_t encrypted_seq;   /* only assigned, and only read, when update_vars is set */
    uint64_t digest = 0;
    uint64_t confounder = 0;
    int update_vars = 0;      /* 1 once the verifier fields of this frame were parsed */

    if(  ! (seen.isseen && seen.num == pinfo->num) ) {
        /*
         * Create a new tree, and split into x components ...
         */
        vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
                                 offset, -1, ENC_NA);
        subtree = proto_item_add_subtree(vf, ett_secchan_verf);

        proto_tree_add_item(subtree, hf_netlogon_secchan_verf_signalg, tvb,
                            offset, 2, ENC_LITTLE_ENDIAN);
        proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sealalg, tvb,
                            offset+2, 2, ENC_LITTLE_ENDIAN);
        /* 2 pad bytes */
        proto_tree_add_item(subtree, hf_netlogon_secchan_verf_flag, tvb,
                            offset+6, 2, ENC_NA);
        offset += 8;

        offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
                                       hf_netlogon_secchan_verf_seq, &encrypted_seq);

        offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
                                       hf_netlogon_secchan_verf_digest, &digest);

        /*
         * The nonce is only there in some cases, when the data/signature
         * are encrypted ("integrity/seal" in MS language), so dissect it
         * only if 8 more bytes exist.
         */

        if (tvb_bytes_exist(tvb, offset, 8)) {
            offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
                                           hf_netlogon_secchan_verf_nonce, &confounder);
        }
        update_vars = 1;
    }

    /*ws_debug("Setting isseen to true, old packet %d new %d",seen.num,pinfo->num);*/
    /* Remember this frame so a repeated call does not add the fields again. */
    seen.isseen = true;
    seen.num = pinfo->num;

    vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
    if (vars == NULL) {
        ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths));
        return(offset);
    }
    if(update_vars) {
        /* Values later consumed by dissect_packet_data() for this frame. */
        vars->confounder = confounder;
        vars->seq = uncrypt_sequence(vars->flags,vars->session_key,digest,encrypted_seq,is_server);
    }

    /*
     * Derive the seal key from the session key; get_seal_key() returns 0
     * for an all-zero session key.  can_decrypt is only ever set here,
     * never cleared.
     */
    if(get_seal_key(vars->session_key,16,vars->encryption_key))
    {
        vars->can_decrypt = true;
    }
    else
    {
        ws_debug("get seal key returned 0");
    }

    if (vars->can_decrypt) {
        /*
         * Only the first four bytes of the session key are printed, enough
         * to tell keys apart.  Printing more would put usable key material
         * into the dissection output.
         * NOTE(review): subtree is NULL when the field block above was
         * skipped - confirm proto_tree_get_parent() accepts that.
         */
        expert_add_info_format(pinfo, proto_tree_get_parent(subtree),
                               &ei_netlogon_session_key,
                               "Using session key learned in frame %d ("
                               "%02x%02x%02x%02x"
                               ") from %s",
                               vars->auth_fd_num,
                               vars->session_key[0] & 0xFF, vars->session_key[1] & 0xFF,
                               vars->session_key[2] & 0xFF, vars->session_key[3] & 0xFF,
                               vars->nthash.key_origin);
    }

    return offset;
}
/*
 * Request-direction verifier hook: forwards to dissect_secchan_verf()
 * with the auth info taken from di and is_server = 0.
 */
static int
dissect_request_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
                             proto_tree *tree, dcerpc_info *di _U_, uint8_t *drep )
{
    const unsigned char is_server = 0;

    return dissect_secchan_verf(tvb, offset, pinfo, tree, drep, di->auth_info, is_server);
}
/*
 * Response-direction verifier hook: forwards to dissect_secchan_verf()
 * with the auth info taken from di and is_server = 1.
 */
static int
dissect_response_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
                              proto_tree *tree, dcerpc_info *di _U_, uint8_t *drep )
{
    const unsigned char is_server = 1;

    return dissect_secchan_verf(tvb, offset, pinfo, tree, drep, di->auth_info, is_server);
}
9211 void
9212 proto_register_dcerpc_netlogon(void)
9215 static hf_register_info hf[] = {
9216 { &hf_netlogon_opnum,
9217 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
9218 NULL, 0x0, NULL, HFILL }},
9220 { &hf_netlogon_rc, {
9221 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
9222 &NT_errors_ext, 0x0, "Netlogon return code", HFILL }},
9224 { &hf_netlogon_dos_rc,
9225 { "DOS error code", "netlogon.dos.rc", FT_UINT32,
9226 BASE_HEX | BASE_EXT_STRING, &DOS_errors_ext, 0x0, NULL, HFILL}},
9228 { &hf_netlogon_werr_rc,
9229 { "WERR error code", "netlogon.werr.rc", FT_UINT32,
9230 BASE_HEX | BASE_EXT_STRING, &WERR_errors_ext, 0x0, NULL, HFILL}},
9232 { &hf_netlogon_param_ctrl, {
9233 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
9234 NULL, 0x0, NULL, HFILL }},
9236 { &hf_netlogon_logon_id, {
9237 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
9238 NULL, 0x0, NULL, HFILL }},
9240 { &hf_netlogon_modify_count, {
9241 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
9242 NULL, 0x0, "How many times the object has been modified", HFILL }},
9244 { &hf_netlogon_security_information, {
9245 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
9246 NULL, 0x0, NULL, HFILL }},
9248 { &hf_netlogon_count, {
9249 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
9250 NULL, 0x0, NULL, HFILL }},
9252 { &hf_netlogon_entries, {
9253 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
9254 NULL, 0x0, NULL, HFILL }},
9256 { &hf_netlogon_credential, {
9257 "Credential", "netlogon.credential", FT_BYTES, BASE_NONE,
9258 NULL, 0x0, "Netlogon Credential", HFILL }},
9260 { &hf_netlogon_challenge, {
9261 "Challenge", "netlogon.challenge", FT_BYTES, BASE_NONE,
9262 NULL, 0x0, "Netlogon challenge", HFILL }},
9264 { &hf_netlogon_lm_owf_password, {
9265 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_NONE,
9266 NULL, 0x0, "LanManager OWF Password", HFILL }},
9268 { &hf_netlogon_user_session_key, {
9269 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_NONE,
9270 NULL, 0x0, NULL, HFILL }},
9272 { &hf_netlogon_encrypted_lm_owf_password, {
9273 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_NONE,
9274 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
9276 { &hf_netlogon_nt_owf_password, {
9277 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_NONE,
9278 NULL, 0x0, "NT OWF Password", HFILL }},
9280 { &hf_netlogon_blob, {
9281 "BLOB", "netlogon.blob", FT_BYTES, BASE_NONE,
9282 NULL, 0x0, NULL, HFILL }},
9284 { &hf_netlogon_len, {
9285 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
9286 NULL, 0, "Length", HFILL }},
9288 { &hf_netlogon_password_version_reserved, {
9289 "ReservedField", "netlogon.password_version.reservedfield", FT_UINT32, BASE_HEX,
9290 NULL, 0, "ReservedField zero", HFILL }},
9292 { &hf_netlogon_password_version_number, {
9293 "PasswordVersionNumber", "netlogon.password_version.reservedfield", FT_UINT32, BASE_HEX,
9294 NULL, 0, "PasswordVersionNumber trust", HFILL }},
9296 { &hf_netlogon_password_version_present, {
9297 "PasswordVersionPresent", "netlogon.password_version.reservedfield", FT_UINT32, BASE_HEX,
9298 NULL, 0, "PasswordVersionPresent magic", HFILL }},
9300 { &hf_netlogon_priv, {
9301 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
9302 NULL, 0, NULL, HFILL }},
9304 { &hf_netlogon_privilege_entries, {
9305 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
9306 NULL, 0, NULL, HFILL }},
9308 { &hf_netlogon_privilege_control, {
9309 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
9310 NULL, 0, NULL, HFILL }},
9312 { &hf_netlogon_privilege_name, {
9313 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_NONE,
9314 NULL, 0, NULL, HFILL }},
9316 { &hf_netlogon_pdc_connection_status, {
9317 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
9318 NULL, 0, NULL, HFILL }},
9320 { &hf_netlogon_tc_connection_status, {
9321 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
9322 NULL, 0, NULL, HFILL }},
9324 { &hf_netlogon_attrs, {
9325 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
9326 NULL, 0, NULL, HFILL }},
9328 #if 0
9329 { &hf_netlogon_lsapolicy_referentid,
9330 { "Referent ID", "netlogon.lsapolicy.referentID", FT_UINT32, BASE_HEX,
9331 NULL, 0x0, NULL, HFILL }},
9332 #endif
9334 { &hf_netlogon_lsapolicy_len,
9335 { "Length", "netlogon.lsapolicy.length", FT_UINT32, BASE_DEC,
9336 NULL, 0x0, "Length of the policy buffer", HFILL }},
9338 #if 0
9339 { &hf_netlogon_lsapolicy_pointer,
9340 { "Pointer", "netlogon.lsapolicy.pointer", FT_BYTES, BASE_NONE,
9341 NULL, 0x0, "Pointer to LSA POLICY", HFILL }},
9342 #endif
9344 { &hf_netlogon_unknown_string,
9345 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
9346 NULL, 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL }},
9348 { &hf_netlogon_new_password,
9349 { "New Password", "netlogon.new_password", FT_STRING, BASE_NONE,
9350 NULL, 0, "New Password for Computer or Trust", HFILL }},
9352 { &hf_netlogon_TrustedDomainName_string,
9353 { "TrustedDomainName", "netlogon.TrustedDomainName", FT_STRING, BASE_NONE,
9354 NULL, 0, "TrustedDomainName string.", HFILL }},
9356 { &hf_netlogon_UserName_string,
9357 { "UserName", "netlogon.UserName", FT_STRING, BASE_NONE,
9358 NULL, 0, "UserName string.", HFILL }},
9360 { &hf_netlogon_dummy_string,
9361 { "Dummy String", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9362 NULL, 0, "Dummy String. Used is reserved for next evolutions.", HFILL }},
9364 { &hf_netlogon_trust_extension,
9365 { "Trust extension", "netlogon.trust.extension", FT_STRING, BASE_NONE,
9366 NULL, 0, "Trusts extension.", HFILL }},
9368 { &hf_netlogon_trust_offset,
9369 { "Offset", "netlogon.trust.extension_offset", FT_UINT32, BASE_DEC,
9370 NULL, 0, "Trusts extension.", HFILL }},
9372 { &hf_netlogon_trust_len,
9373 { "Length", "netlogon.trust.extension_length", FT_UINT32, BASE_DEC,
9374 NULL, 0, NULL, HFILL }},
9376 { &hf_netlogon_trust_max,
9377 { "Max Count", "netlogon.trust.extension.maxcount", FT_UINT32, BASE_DEC,
9378 NULL, 0, NULL, HFILL }},
9380 { &hf_netlogon_opaque_buffer_enc,
9381 { "Encrypted", "netlogon.sendtosam.opaquebuffer.enc", FT_BYTES, BASE_NONE,
9382 NULL, 0x0, "OpaqueBuffer (Encrypted)", HFILL }},
9384 { &hf_netlogon_opaque_buffer_dec,
9385 { "Decrypted", "netlogon.sendtosam.opaquebuffer.dec", FT_BYTES, BASE_NONE,
9386 NULL, 0x0, "OpaqueBuffer (Decrypted)", HFILL }},
9388 { &hf_netlogon_opaque_buffer_size,
9389 { "OpaqueBufferSize", "netlogon.sendtosam.opaquebuffer.size", FT_UINT32, BASE_HEX,
9390 NULL, 0x0, "Size of the OpaqueBuffer", HFILL }},
9392 { &hf_netlogon_dummy_string2,
9393 { "Dummy String2", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9394 NULL, 0, "Dummy String 2. Used is reserved for next evolutions.", HFILL }},
9396 { &hf_netlogon_dummy_string3,
9397 { "Dummy String3", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9398 NULL, 0, "Dummy String 3. Used is reserved for next evolutions.", HFILL }},
9400 { &hf_netlogon_dummy_string4,
9401 { "Dummy String4", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9402 NULL, 0, "Dummy String 4. Used is reserved for next evolutions.", HFILL }},
9404 { &hf_netlogon_dummy_string5,
9405 { "Dummy String5", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9406 NULL, 0, "Dummy String 5. Used is reserved for next evolutions.", HFILL }},
9408 { &hf_netlogon_dummy_string6,
9409 { "Dummy String6", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9410 NULL, 0, "Dummy String 6. Used is reserved for next evolutions.", HFILL }},
9412 { &hf_netlogon_dummy_string7,
9413 { "Dummy String7", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9414 NULL, 0, "Dummy String 7. Used is reserved for next evolutions.", HFILL }},
9416 { &hf_netlogon_dummy_string8,
9417 { "Dummy String8", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9418 NULL, 0, "Dummy String 8. Used is reserved for next evolutions.", HFILL }},
9420 { &hf_netlogon_dummy_string9,
9421 { "Dummy String9", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9422 NULL, 0, "Dummy String 9. Used is reserved for next evolutions.", HFILL }},
9424 { &hf_netlogon_dummy_string10,
9425 { "Dummy String10", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9426 NULL, 0, "Dummy String 10. Used is reserved for next evolutions.", HFILL }},
9428 { &hf_netlogon_unknown_long,
9429 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
9430 NULL, 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL }},
9432 { &hf_netlogon_dummy1_long,
9433 { "Dummy1 Long", "netlogon.dummy.long1", FT_UINT32, BASE_HEX,
9434 NULL, 0x0, "Dummy long 1. Used is reserved for next evolutions.", HFILL }},
9436 { &hf_netlogon_dummy2_long,
9437 { "Dummy2 Long", "netlogon.dummy.long2", FT_UINT32, BASE_HEX,
9438 NULL, 0x0, "Dummy long 2. Used is reserved for next evolutions.", HFILL }},
9440 { &hf_netlogon_dummy3_long,
9441 { "Dummy3 Long", "netlogon.dummy.long3", FT_UINT32, BASE_HEX,
9442 NULL, 0x0, "Dummy long 3. Used is reserved for next evolutions.", HFILL }},
9444 { &hf_netlogon_dummy4_long,
9445 { "Dummy4 Long", "netlogon.dummy.long4", FT_UINT32, BASE_HEX,
9446 NULL, 0x0, "Dummy long 4. Used is reserved for next evolutions.", HFILL }},
9448 { &hf_netlogon_dummy5_long,
9449 { "Dummy5 Long", "netlogon.dummy.long5", FT_UINT32, BASE_HEX,
9450 NULL, 0x0, "Dummy long 5. Used is reserved for next evolutions.", HFILL }},
9452 { &hf_netlogon_dummy6_long,
9453 { "Dummy6 Long", "netlogon.dummy.long6", FT_UINT32, BASE_HEX,
9454 NULL, 0x0, "Dummy long 6. Used is reserved for next evolutions.", HFILL }},
9456 { &hf_netlogon_dummy7_long,
9457 { "Dummy7 Long", "netlogon.dummy.long7", FT_UINT32, BASE_HEX,
9458 NULL, 0x0, "Dummy long 7. Used is reserved for next evolutions.", HFILL }},
9460 { &hf_netlogon_dummy8_long,
9461 { "Dummy8 Long", "netlogon.dummy.long8", FT_UINT32, BASE_HEX,
9462 NULL, 0x0, "Dummy long 8. Used is reserved for next evolutions.", HFILL }},
9464 { &hf_netlogon_dummy9_long,
9465 { "Dummy9 Long", "netlogon.dummy.long9", FT_UINT32, BASE_HEX,
9466 NULL, 0x0, "Dummy long 9. Used is reserved for next evolutions.", HFILL }},
9468 { &hf_netlogon_dummy10_long,
9469 { "Dummy10 Long", "netlogon.dummy.long10", FT_UINT32, BASE_HEX,
9470 NULL, 0x0, "Dummy long 10. Used is reserved for next evolutions.", HFILL }},
9473 { &hf_netlogon_supportedenctypes,
9474 { "Supported Encryption Types", "netlogon.encryption.types", FT_UINT32, BASE_HEX,
9475 NULL, 0x0, NULL, HFILL }},
9477 { &hf_netlogon_workstation_flags,
9478 { "Workstation Flags", "netlogon.workstation.flags", FT_UINT32, BASE_HEX,
9479 NULL, 0x0, NULL, HFILL }},
9481 { &hf_netlogon_reserved,
9482 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
9483 NULL, 0x0, NULL, HFILL }},
9484 { &hf_netlogon_unknown_short,
9485 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
9486 NULL, 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL }},
9488 { &hf_netlogon_unknown_char,
9489 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
9490 NULL, 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL }},
9492 { &hf_netlogon_acct_expiry_time,
9493 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9494 NULL, 0x0, "When this account will expire", HFILL }},
9496 { &hf_netlogon_nt_pwd_present,
9497 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
9498 NULL, 0x0, "Is NT password present for this account?", HFILL }},
9500 { &hf_netlogon_lm_pwd_present,
9501 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
9502 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
9504 { &hf_netlogon_pwd_expired,
9505 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
9506 NULL, 0x0, "Whether this password has expired or not", HFILL }},
9508 { &hf_netlogon_authoritative,
9509 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
9510 NULL, 0x0, NULL, HFILL }},
9512 { &hf_netlogon_sensitive_data_flag,
9513 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
9514 NULL, 0x0, "Sensitive data flag", HFILL }},
9516 { &hf_netlogon_auditing_mode,
9517 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
9518 NULL, 0x0, NULL, HFILL }},
9520 { &hf_netlogon_max_audit_event_count,
9521 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
9522 NULL, 0x0, NULL, HFILL }},
9524 { &hf_netlogon_event_audit_option,
9525 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
9526 NULL, 0x0, NULL, HFILL }},
9528 { &hf_netlogon_sensitive_data_len,
9529 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
9530 NULL, 0x0, "Length of sensitive data", HFILL }},
9532 { &hf_netlogon_nt_chal_resp,
9533 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_NONE,
9534 NULL, 0, "Challenge response for NT authentication", HFILL }},
9536 { &hf_netlogon_lm_chal_resp,
9537 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_NONE,
9538 NULL, 0, "Challenge response for LM authentication", HFILL }},
9540 { &hf_netlogon_cipher_len,
9541 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
9542 NULL, 0, NULL, HFILL }},
9544 { &hf_netlogon_cipher_maxlen,
9545 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
9546 NULL, 0, NULL, HFILL }},
9548 #if 0
9549 { &hf_netlogon_pac_data,
9550 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_NONE,
9551 NULL, 0, NULL, HFILL }},
9552 #endif
9554 { &hf_netlogon_sensitive_data,
9555 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_NONE,
9556 NULL, 0, "Sensitive Data", HFILL }},
9558 #if 0
9559 { &hf_netlogon_auth_data,
9560 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_NONE,
9561 NULL, 0, NULL, HFILL }},
9562 #endif
9564 { &hf_netlogon_cipher_current_data,
9565 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_NONE,
9566 NULL, 0, NULL, HFILL }},
9568 { &hf_netlogon_cipher_old_data,
9569 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_NONE,
9570 NULL, 0, NULL, HFILL }},
9572 { &hf_netlogon_acct_name,
9573 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
9574 NULL, 0, "Account Name", HFILL }},
9576 { &hf_netlogon_acct_desc,
9577 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
9578 NULL, 0, "Account Description", HFILL }},
9580 { &hf_netlogon_group_desc,
9581 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
9582 NULL, 0, "Group Description", HFILL }},
9584 { &hf_netlogon_full_name,
9585 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
9586 NULL, 0, NULL, HFILL }},
9588 { &hf_netlogon_comment,
9589 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
9590 NULL, 0, NULL, HFILL }},
9592 { &hf_netlogon_parameters,
9593 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
9594 NULL, 0, NULL, HFILL }},
9596 { &hf_netlogon_logon_script,
9597 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
9598 NULL, 0, NULL, HFILL }},
9600 { &hf_netlogon_profile_path,
9601 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
9602 NULL, 0, NULL, HFILL }},
9604 { &hf_netlogon_home_dir,
9605 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
9606 NULL, 0, "Home Directory", HFILL }},
9608 { &hf_netlogon_dir_drive,
9609 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
9610 NULL, 0, "Drive letter for home directory", HFILL }},
9612 { &hf_netlogon_logon_srv,
9613 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
9614 NULL, 0, NULL, HFILL }},
9616 #if 0
9617 { &hf_netlogon_principal,
9618 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
9619 NULL, 0, NULL, HFILL }},
9620 #endif
9622 { &hf_netlogon_logon_dom,
9623 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
9624 NULL, 0, NULL, HFILL }},
9626 { &hf_netlogon_resourcegroupcount,
9627 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
9628 NULL, 0, "Number of Resource Groups", HFILL }},
9630 { &hf_netlogon_accountdomaingroupcount,
9631 { "AccountDomainGroup count", "netlogon.accountdomaingroupcount", FT_UINT32, BASE_DEC,
9632 NULL, 0, "Number of Account Domain Groups", HFILL }},
9634 { &hf_netlogon_domaingroupcount,
9635 { "DomainGroup count", "netlogon.domaingroupcount", FT_UINT32, BASE_DEC,
9636 NULL, 0, "Number of Domain Groups", HFILL }},
9638 { &hf_netlogon_membership_domains_count,
9639 { "Membership Domains count", "netlogon.membershipsdomainscount", FT_UINT32, BASE_DEC,
9640 NULL, 0, "Number of ExtraDomain Membership Arrays", HFILL }},
9642 { &hf_netlogon_computer_name,
9643 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
9644 NULL, 0, NULL, HFILL }},
9646 { &hf_netlogon_site_name,
9647 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
9648 NULL, 0, NULL, HFILL }},
9650 { &hf_netlogon_dc_name,
9651 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
9652 NULL, 0, NULL, HFILL }},
9654 { &hf_netlogon_dc_site_name,
9655 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
9656 NULL, 0, NULL, HFILL }},
9658 { &hf_netlogon_dns_forest_name,
9659 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
9660 NULL, 0, NULL, HFILL }},
9662 { &hf_netlogon_dc_address,
9663 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
9664 NULL, 0, NULL, HFILL }},
9666 { &hf_netlogon_dc_address_type,
9667 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
9668 VALS(dc_address_types), 0, NULL, HFILL }},
9670 { &hf_netlogon_client_site_name,
9671 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
9672 NULL, 0, NULL, HFILL }},
9674 { &hf_netlogon_workstation_site_name,
9675 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
9676 NULL, 0, "Workstation Site Name", HFILL }},
9678 { &hf_netlogon_workstation,
9679 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
9680 NULL, 0, "Workstation Name", HFILL }},
9682 { &hf_netlogon_os_version,
9683 { "OS version", "netlogon.os.version", FT_STRING, BASE_NONE,
9684 NULL, 0, NULL, HFILL }},
9686 { &hf_netlogon_workstation_os,
9687 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
9688 NULL, 0, "Workstation OS", HFILL }},
9690 { &hf_netlogon_workstations,
9691 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
9692 NULL, 0, NULL, HFILL }},
9694 { &hf_netlogon_workstation_fqdn,
9695 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
9696 NULL, 0, "Workstation FQDN", HFILL }},
9698 { &hf_netlogon_group_name,
9699 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
9700 NULL, 0, NULL, HFILL }},
9702 { &hf_netlogon_alias_name,
9703 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
9704 NULL, 0, NULL, HFILL }},
9706 { &hf_netlogon_dns_host,
9707 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
9708 NULL, 0, NULL, HFILL }},
9710 { &hf_netlogon_downlevel_domain_name,
9711 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
9712 NULL, 0, "Downlevel Domain Name", HFILL }},
9714 { &hf_netlogon_dns_domain_name,
9715 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
9716 NULL, 0, "DNS Domain Name", HFILL }},
9718 { &hf_netlogon_ad_client_dns_name,
9719 { "Client DNS Name", "netlogon.client_dns_name", FT_STRING, BASE_NONE,
9720 NULL, 0, NULL, HFILL }},
9722 { &hf_netlogon_domain_name,
9723 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
9724 NULL, 0, "Domain Name", HFILL }},
9726 { &hf_netlogon_oem_info,
9727 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
9728 NULL, 0, NULL, HFILL }},
9730 { &hf_netlogon_trusted_dc_name,
9731 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
9732 NULL, 0, NULL, HFILL }},
9734 { &hf_netlogon_logon_dnslogondomainname,
9735 { "DNS Logon Domain name", "netlogon.logon.dnslogondomainname", FT_STRING, BASE_NONE,
9736 NULL, 0, "DNS Name of the logon domain", HFILL }},
9738 { &hf_netlogon_logon_upn,
9739 { "UPN", "netlogon.logon.upn", FT_STRING, BASE_NONE,
9740 NULL, 0, "User Principal Name", HFILL }},
9742 { &hf_netlogon_logonsrv_handle,
9743 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
9744 NULL, 0, "Logon Srv Handle", HFILL }},
9746 { &hf_netlogon_dummy,
9747 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
9748 NULL, 0, "Dummy string", HFILL }},
9750 { &hf_netlogon_logon_count16,
9751 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
9752 NULL, 0x0, "Number of successful logins", HFILL }},
9754 { &hf_netlogon_logon_count,
9755 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
9756 NULL, 0x0, "Number of successful logins", HFILL }},
9758 { &hf_netlogon_bad_pw_count16,
9759 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
9760 NULL, 0x0, "Number of failed logins", HFILL }},
9762 { &hf_netlogon_bad_pw_count,
9763 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
9764 NULL, 0x0, "Number of failed logins", HFILL }},
9766 { &hf_netlogon_country,
9767 { "Country", "netlogon.country", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
9768 &ms_country_codes_ext, 0x0, "Country setting for this account", HFILL }},
9770 { &hf_netlogon_codepage,
9771 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
9772 NULL, 0x0, "Codepage setting for this account", HFILL }},
9774 { &hf_netlogon_level16,
9775 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
9776 NULL, 0x0, "Which option of the union is represented here", HFILL }},
9778 { &hf_netlogon_validation_level,
9779 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
9780 NULL, 0x0, "Requested level of validation", HFILL }},
9782 { &hf_netlogon_minpasswdlen,
9783 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
9784 NULL, 0x0, "Minimum length of password", HFILL }},
9786 { &hf_netlogon_passwdhistorylen,
9787 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
9788 NULL, 0x0, "Length of password history", HFILL }},
9790 { &hf_netlogon_secure_channel_type,
9791 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
9792 VALS(misc_netr_SchannelType_vals), 0x0, "Secure Channel Type", HFILL }},
9794 { &hf_netlogon_restart_state,
9795 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
9796 NULL, 0x0, NULL, HFILL }},
9798 { &hf_netlogon_delta_type,
9799 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
9800 VALS(delta_type_vals), 0x0, NULL, HFILL }},
9802 { &hf_netlogon_blob_size,
9803 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
9804 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
9806 { &hf_netlogon_code,
9807 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
9808 NULL, 0x0, NULL, HFILL }},
9810 { &hf_netlogon_level,
9811 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
9812 NULL, 0x0, "Which option of the union is represented here", HFILL }},
9814 { &hf_netlogon_reference,
9815 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
9816 NULL, 0x0, NULL, HFILL }},
9818 { &hf_netlogon_next_reference,
9819 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
9820 NULL, 0x0, NULL, HFILL }},
9822 { &hf_netlogon_timestamp,
9823 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9824 NULL, 0, NULL, HFILL }},
9826 { &hf_netlogon_user_rid,
9827 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
9828 NULL, 0x0, NULL, HFILL }},
9830 { &hf_netlogon_alias_rid,
9831 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
9832 NULL, 0x0, NULL, HFILL }},
9834 { &hf_netlogon_group_rid,
9835 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
9836 NULL, 0x0, NULL, HFILL }},
9838 { &hf_netlogon_num_rids,
9839 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
9840 NULL, 0x0, "Number of RIDs", HFILL }},
9842 { &hf_netlogon_num_controllers,
9843 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
9844 NULL, 0x0, "Number of domain controllers", HFILL }},
9846 { &hf_netlogon_num_sid,
9847 { "Num Extra SID", "netlogon.num_sid", FT_UINT32, BASE_DEC,
9848 NULL, 0x0, NULL, HFILL }},
9850 { &hf_netlogon_flags,
9851 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
9852 NULL, 0x0, NULL, HFILL }},
9854 { &hf_netlogon_user_account_control,
9855 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
9856 NULL, 0x0, NULL, HFILL }},
9858 { &hf_netlogon_user_flags,
9859 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
9860 NULL, 0x0, NULL, HFILL }},
9862 { &hf_netlogon_auth_flags,
9863 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
9864 NULL, 0x0, NULL, HFILL }},
9866 { &hf_netlogon_systemflags,
9867 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
9868 NULL, 0x0, NULL, HFILL }},
9870 { &hf_netlogon_database_id,
9871 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
9872 NULL, 0x0, NULL, HFILL }},
9874 { &hf_netlogon_sync_context,
9875 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
9876 NULL, 0x0, NULL, HFILL }},
9878 { &hf_netlogon_max_size,
9879 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
9880 NULL, 0x0, "Max Size of database", HFILL }},
9882 { &hf_netlogon_max_log_size,
9883 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
9884 NULL, 0x0, "Max Size of log", HFILL }},
9886 #if 0
9887 { &hf_netlogon_pac_size,
9888 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
9889 NULL, 0x0, "Size of PacData in bytes", HFILL }},
9890 #endif
9892 #if 0
9893 { &hf_netlogon_auth_size,
9894 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
9895 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
9896 #endif
9898 { &hf_netlogon_num_deltas,
9899 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
9900 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
9902 { &hf_netlogon_num_trusts,
9903 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
9904 NULL, 0x0, NULL, HFILL }},
9906 { &hf_netlogon_logon_attempts,
9907 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
9908 NULL, 0x0, "Number of logon attempts", HFILL }},
9910 { &hf_netlogon_pagefilelimit,
9911 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
9912 NULL, 0x0, NULL, HFILL }},
9914 { &hf_netlogon_pagedpoollimit,
9915 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
9916 NULL, 0x0, NULL, HFILL }},
9918 { &hf_netlogon_nonpagedpoollimit,
9919 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
9920 NULL, 0x0, NULL, HFILL }},
9922 { &hf_netlogon_minworkingsetsize,
9923 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
9924 NULL, 0x0, NULL, HFILL }},
9926 { &hf_netlogon_maxworkingsetsize,
9927 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
9928 NULL, 0x0, NULL, HFILL }},
9930 { &hf_netlogon_serial_number,
9931 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
9932 NULL, 0x0, NULL, HFILL }},
9934 { &hf_netlogon_neg_flags,
9935 { "Negotiation options", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
9936 NULL, 0x0, "Negotiation Flags", HFILL }},
9938 { &hf_netlogon_neg_flags_80000000,
9939 { "Supports Kerberos Auth", "ntlmssp.neg_flags.supports_kerberos_auth", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000000, NULL, HFILL }},
9941 { &hf_netlogon_neg_flags_40000000,
9942 { "Authenticated RPC supported", "ntlmssp.neg_flags.na4000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000000, NULL, HFILL }},
9944 { &hf_netlogon_neg_flags_20000000,
9945 { "Authenticated RPC via lsass supported", "ntlmssp.neg_flags.na2000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000000, NULL, HFILL }},
9947 #if 0
9948 { &hf_netlogon_neg_flags_10000000,
9949 { "Not used 10000000", "ntlmssp.neg_flags.na1000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000000, NULL, HFILL }},
9950 #endif
9952 #if 0
9953 { &hf_netlogon_neg_flags_8000000,
9954 { "Not used 8000000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000000, NULL, HFILL }},
9955 #endif
9957 #if 0
9958 { &hf_netlogon_neg_flags_4000000,
9959 { "Not used 4000000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4000000, NULL, HFILL }},
9960 #endif
9962 #if 0
9963 { &hf_netlogon_neg_flags_2000000,
9964 { "Not used 2000000", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000000, NULL, HFILL }},
9965 #endif
9967 { &hf_netlogon_neg_flags_1000000,
9968 { "AES supported", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_AES, NULL, HFILL }},
9970 #if 0
9971 { &hf_netlogon_neg_flags_800000,
9972 { "Not used 800000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800000, "Not used", HFILL }},
9973 #endif
9975 #if 0
9976 { &hf_netlogon_neg_flags_400000,
9977 { "Not used 400000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_400000, "AES&SHA2", HFILL }},
9978 #endif
9980 { &hf_netlogon_neg_flags_200000,
9981 { "RODC pass-through", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200000, "rodc pt", HFILL }},
9983 { &hf_netlogon_neg_flags_100000,
9984 { "NO NT4 emulation", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100000, "No NT4 emu", HFILL }},
9986 { &hf_netlogon_neg_flags_80000,
9987 { "Cross forest trust", "ntlmssp.neg_flags.na80000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000, NULL, HFILL }},
9989 { &hf_netlogon_neg_flags_40000,
9990 { "GetDomainInfo supported", "ntlmssp.neg_flags.na40000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000, NULL, HFILL }},
9992 { &hf_netlogon_neg_flags_20000,
9993 { "ServerPasswordSet2 supported", "ntlmssp.neg_flags.na20000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000, "PasswordSet2", HFILL }},
9995 { &hf_netlogon_neg_flags_10000,
9996 { "DNS trusts supported", "ntlmssp.neg_flags.na10000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000, NULL, HFILL }},
9998 { &hf_netlogon_neg_flags_8000,
9999 { "Transitive trusts", "ntlmssp.neg_flags.na8000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000, NULL, HFILL }},
10001 { &hf_netlogon_neg_flags_4000,
10002 { "Strong key", "ntlmssp.neg_flags.na4000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_STRONGKEY, NULL, HFILL }},
10004 { &hf_netlogon_neg_flags_2000,
10005 { "Avoid replication Auth database", "ntlmssp.neg_flags.na2000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000, NULL, HFILL }},
10007 { &hf_netlogon_neg_flags_1000,
10008 { "Avoid replication account database", "ntlmssp.neg_flags.na1000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1000, NULL, HFILL }},
10010 { &hf_netlogon_neg_flags_800,
10011 { "Concurrent RPC", "ntlmssp.neg_flags.na800", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800, NULL, HFILL }},
10013 { &hf_netlogon_neg_flags_400,
10014 { "Generic pass-through", "ntlmssp.neg_flags.na400", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_400, NULL, HFILL }},
10016 { &hf_netlogon_neg_flags_200,
10017 { "SendToSam", "ntlmssp.neg_flags.na200", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200, NULL, HFILL }},
10019 { &hf_netlogon_neg_flags_100,
10020 { "Refusal of password change", "ntlmssp.neg_flags.na100", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100, "PWD change refusal", HFILL }},
10022 { &hf_netlogon_neg_flags_80,
10023 { "DatabaseRedo call", "ntlmssp.neg_flags.na80", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80, NULL, HFILL }},
10025 { &hf_netlogon_neg_flags_40,
10026 { "Handle multiple SIDs", "ntlmssp.neg_flags.na40", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40, NULL, HFILL }},
10028 { &hf_netlogon_neg_flags_20,
10029 { "Restarting full DC sync", "ntlmssp.neg_flags.na20", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20, NULL, HFILL }},
10031 { &hf_netlogon_neg_flags_10,
10032 { "BDC handling Changelogs", "ntlmssp.neg_flags.na10", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10, NULL, HFILL }},
10034 { &hf_netlogon_neg_flags_8,
10035 { "Promotion count(deprecated)", "ntlmssp.neg_flags.na8", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8, NULL, HFILL }},
10037 { &hf_netlogon_neg_flags_4,
10038 { "RC4 encryption", "ntlmssp.neg_flags.na4", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4, NULL, HFILL }},
10040 { &hf_netlogon_neg_flags_2,
10041 { "NT3.5 BDC continuous update", "ntlmssp.neg_flags.na2", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2, NULL, HFILL }},
10043 { &hf_netlogon_neg_flags_1,
10044 { "Account lockout", "ntlmssp.neg_flags.na1", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1, NULL, HFILL }},
10046 { &hf_netlogon_dc_flags,
10047 { "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
10048 NULL, 0x0, NULL, HFILL }},
10050 { &hf_netlogon_dc_flags_pdc_flag,
10051 { "PDC", "netlogon.dc.flags.pdc",
10052 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
10053 "If this server is a PDC", HFILL }},
10055 { &hf_netlogon_dc_flags_gc_flag,
10056 { "GC", "netlogon.dc.flags.gc",
10057 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
10058 "If this server is a GC", HFILL }},
10060 { &hf_netlogon_dc_flags_ldap_flag,
10061 { "LDAP", "netlogon.dc.flags.ldap",
10062 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
10063 "If this is an LDAP server", HFILL }},
10065 { &hf_netlogon_dc_flags_ds_flag,
10066 { "DS", "netlogon.dc.flags.ds",
10067 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
10068 "If this server is a DS", HFILL }},
10070 { &hf_netlogon_dc_flags_kdc_flag,
10071 { "KDC", "netlogon.dc.flags.kdc",
10072 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
10073 "If this is a KDC", HFILL }},
10075 { &hf_netlogon_dc_flags_timeserv_flag,
10076 { "Timeserv", "netlogon.dc.flags.timeserv",
10077 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
10078 "If this server is a TimeServer", HFILL }},
10080 { &hf_netlogon_dc_flags_closest_flag,
10081 { "Closest", "netlogon.dc.flags.closest",
10082 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
10083 "If this is the closest server", HFILL }},
10085 { &hf_netlogon_dc_flags_writable_flag,
10086 { "Writable", "netlogon.dc.flags.writable",
10087 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
10088 "If this server can do updates to the database", HFILL }},
10090 { &hf_netlogon_dc_flags_good_timeserv_flag,
10091 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
10092 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
10093 "If this is a Good TimeServer", HFILL }},
10095 { &hf_netlogon_dc_flags_ndnc_flag,
10096 { "NDNC", "netlogon.dc.flags.ndnc",
10097 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
10098 "If this is an NDNC server", HFILL }},
10100 { &hf_netlogon_dc_flags_dns_controller_flag,
10101 { "DNS Controller", "netlogon.dc.flags.dns_controller",
10102 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
10103 "If this server is a DNS Controller", HFILL }},
10105 { &hf_netlogon_dc_flags_dns_domain_flag,
10106 { "DNS Domain", "netlogon.dc.flags.dns_domain",
10107 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
10108 NULL, HFILL }},
10110 { &hf_netlogon_dc_flags_dns_forest_flag,
10111 { "DNS Forest", "netlogon.dc.flags.dns_forest",
10112 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
10113 NULL, HFILL }},
10115 { &hf_netlogon_get_dcname_request_flags,
10116 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
10117 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
10119 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
10120 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
10121 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
10122 "Whether to allow the server to returned cached information or not", HFILL }},
10124 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
10125 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
10126 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
10127 "Whether we require that the returned DC supports w2k or not", HFILL }},
10129 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
10130 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
10131 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
10132 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
10134 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
10135 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
10136 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
10137 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
10139 { &hf_netlogon_get_dcname_request_flags_pdc_required,
10140 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
10141 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
10142 "Whether we require the returned DC to be the PDC", HFILL }},
10144 { &hf_netlogon_get_dcname_request_flags_background_only,
10145 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
10146 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
10147 "If we want cached data, even if it may have expired", HFILL }},
10149 { &hf_netlogon_get_dcname_request_flags_ip_required,
10150 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
10151 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
10152 "If we require the IP of the DC in the reply", HFILL }},
10154 { &hf_netlogon_get_dcname_request_flags_kdc_required,
10155 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
10156 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
10157 "If we require that the returned server is a KDC", HFILL }},
10159 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
10160 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
10161 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
10162 "If we require the returned server to be a WindowsTimeServ server", HFILL }},
10164 { &hf_netlogon_get_dcname_request_flags_writable_required,
10165 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
10166 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
10167 "If we require that the returned server is writable", HFILL }},
10169 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
10170 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
10171 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
10172 "If we prefer Windows Time Servers", HFILL }},
10174 { &hf_netlogon_get_dcname_request_flags_avoid_self,
10175 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
10176 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
10177 "Return another DC than the one we ask", HFILL }},
10179 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
10180 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
10181 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
10182 "We just want an LDAP server, it does not have to be a DC", HFILL }},
10184 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
10185 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
10186 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
10187 "If the specified domain name is a NetBIOS name", HFILL }},
10189 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
10190 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
10191 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
10192 "If the specified domain name is a DNS name", HFILL }},
10194 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
10195 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
10196 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
10197 "Only return a DNS name (or an error)", HFILL }},
10199 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
10200 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
10201 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
10202 "Only return a NetBIOS name (or an error)", HFILL }},
10204 { &hf_netlogon_trust_attribs,
10205 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
10206 NULL, 0x0, NULL, HFILL }},
10208 { &hf_netlogon_trust_attribs_non_transitive,
10209 { "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN, 32,
10210 TFS(&trust_attribs_non_transitive), 0x00000001, NULL, HFILL }},
10212 { &hf_netlogon_trust_attribs_uplevel_only,
10213 { "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN, 32,
10214 TFS(&trust_attribs_uplevel_only), 0x00000002, NULL, HFILL }},
10216 { &hf_netlogon_trust_attribs_quarantined_domain,
10217 { "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN, 32,
10218 TFS(&trust_attribs_quarantined_domain), 0x00000004, NULL, HFILL }},
10220 { &hf_netlogon_trust_attribs_forest_transitive,
10221 { "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN, 32,
10222 TFS(&trust_attribs_forest_transitive), 0x00000008, NULL, HFILL }},
10224 { &hf_netlogon_trust_attribs_cross_organization,
10225 { "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN, 32,
10226 TFS(&trust_attribs_cross_organization), 0x00000010, NULL, HFILL }},
10228 { &hf_netlogon_trust_attribs_within_forest,
10229 { "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN, 32,
10230 TFS(&trust_attribs_within_forest), 0x00000020, NULL, HFILL }},
10232 { &hf_netlogon_trust_attribs_treat_as_external,
10233 { "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN, 32,
10234 TFS(&trust_attribs_treat_as_external), 0x00000040, NULL, HFILL }},
10236 { &hf_netlogon_trust_type,
10237 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
10238 VALS(trust_type_vals), 0x0, NULL, HFILL }},
10240 { &hf_netlogon_extraflags,
10241 { "Extra Flags", "netlogon.extra_flags", FT_UINT32, BASE_HEX,
10242 NULL, 0x0, NULL, HFILL }},
10244 { &hf_netlogon_extra_flags_root_forest,
10245 { "Request passed to DC of root forest", "netlogon.extra.flags.rootdc",
10246 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_ROOT_FOREST,
10247 NULL, HFILL }},
10249 { &hf_netlogon_trust_flags_dc_firsthop,
10250 { "DC at the end of the first hop of cross forest", "netlogon.extra.flags.dc_firsthop",
10251 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_DC_XFOREST,
10252 NULL, HFILL }},
10254 { &hf_netlogon_trust_flags_rodc_to_dc,
10255 { "Request from a RODC to a DC from another domain", "netlogon.extra.flags.rodc_to_dc",
10256 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_RODC_DIF_DOMAIN,
10257 NULL, HFILL }},
10259 { &hf_netlogon_trust_flags_rodc_ntlm,
10260 { "Request is a NTLM auth passed by a RODC", "netlogon.extra.flags.rodc_ntlm",
10261 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_NTLM_FROM_RODC,
10262 NULL, HFILL }},
10264 { &hf_netlogon_trust_flags,
10265 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
10266 NULL, 0x0, NULL, HFILL }},
10268 { &hf_netlogon_trust_flags_inbound,
10269 { "Inbound Trust", "netlogon.trust.flags.inbound",
10270 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
10271 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
10273 { &hf_netlogon_trust_flags_outbound,
10274 { "Outbound Trust", "netlogon.trust.flags.outbound",
10275 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
10276 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
10278 { &hf_netlogon_trust_flags_in_forest,
10279 { "In Forest", "netlogon.trust.flags.in_forest",
10280 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
10281 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
10283 { &hf_netlogon_trust_flags_native_mode,
10284 { "Native Mode", "netlogon.trust.flags.native_mode",
10285 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
10286 "Whether the domain is a w2k native mode domain or not", HFILL }},
10288 { &hf_netlogon_trust_flags_primary,
10289 { "Primary", "netlogon.trust.flags.primary",
10290 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
10291 "Whether the domain is the primary domain for the queried server or not", HFILL }},
10293 { &hf_netlogon_trust_flags_tree_root,
10294 { "Tree Root", "netlogon.trust.flags.tree_root",
10295 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
10296 "Whether the domain is the root of the tree for the queried server", HFILL }},
10298 { &hf_netlogon_trust_parent_index,
10299 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
10300 NULL, 0x0, NULL, HFILL }},
10302 { &hf_netlogon_logon_time,
10303 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10304 NULL, 0, "Time for last time this user logged on", HFILL }},
10306 { &hf_netlogon_kickoff_time,
10307 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10308 NULL, 0, "Time when this user will be kicked off", HFILL }},
10310 { &hf_netlogon_logoff_time,
10311 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10312 NULL, 0, "Time for last time this user logged off", HFILL }},
10314 { &hf_netlogon_last_logoff_time,
10315 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10316 NULL, 0, "Time for last time this user logged off", HFILL }},
10318 { &hf_netlogon_pwd_last_set_time,
10319 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10320 NULL, 0, "Last time this users password was changed", HFILL }},
10322 { &hf_netlogon_pwd_age,
10323 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
10324 NULL, 0, "Time since this users password was changed", HFILL }},
10326 { &hf_netlogon_pwd_can_change_time,
10327 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10328 NULL, 0, "When this users password may be changed", HFILL }},
10330 { &hf_netlogon_pwd_must_change_time,
10331 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10332 NULL, 0, "When this users password must be changed", HFILL }},
10334 { &hf_netlogon_domain_create_time,
10335 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10336 NULL, 0, "Time when this domain was created", HFILL }},
10338 { &hf_netlogon_domain_modify_time,
10339 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10340 NULL, 0, "Time when this domain was last modified", HFILL }},
10342 { &hf_netlogon_db_modify_time,
10343 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10344 NULL, 0, "Time when last modified", HFILL }},
10346 { &hf_netlogon_db_create_time,
10347 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10348 NULL, 0, "Time when created", HFILL }},
10350 { &hf_netlogon_cipher_current_set_time,
10351 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10352 NULL, 0, "Time when current cipher was initiated", HFILL }},
10354 { &hf_netlogon_cipher_old_set_time,
10355 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10356 NULL, 0, "Time when previous cipher was initiated", HFILL }},
10358 { &hf_netlogon_audit_retention_period,
10359 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
10360 NULL, 0, NULL, HFILL }},
10362 { &hf_netlogon_timelimit,
10363 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
10364 NULL, 0, NULL, HFILL }},
10367 { &hf_client_credential,
10368 { "Client Credential", "netlogon.clientcred", FT_BYTES, BASE_NONE,
10369 NULL, 0x0, NULL, HFILL }},
10371 { &hf_server_credential,
10372 { "Server Credential", "netlogon.servercred", FT_BYTES, BASE_NONE,
10373 NULL, 0x0, NULL, HFILL }},
10375 { &hf_server_rid,
10376 { "Account RID", "netlogon.serverrid", FT_UINT32, BASE_DEC,
10377 NULL, 0x0, NULL, HFILL }},
10379 { &hf_client_challenge,
10380 { "Client Challenge", "netlogon.clientchallenge", FT_BYTES, BASE_NONE,
10381 NULL, 0x0, NULL, HFILL }},
10383 { &hf_server_challenge,
10384 { "Server Challenge", "netlogon.serverchallenge", FT_BYTES, BASE_NONE,
10385 NULL, 0x0, NULL, HFILL }},
10387 { &hf_netlogon_secchan_nl_message_type,
10388 { "Message Type", "netlogon.secchan.nl_auth_message.message_type", FT_UINT32, BASE_HEX,
10389 VALS(nl_auth_types), 0x0, NULL, HFILL }},
10391 { &hf_netlogon_secchan_nl_message_flags,
10392 { "Message Flags", "netlogon.secchan.nl_auth_message.message_flags", FT_UINT32, BASE_HEX,
10393 NULL, 0x0, NULL, HFILL }},
10395 { &hf_netlogon_secchan_nl_message_flags_nb_domain,
10396 { "NetBios Domain", "netlogon.secchan.nl_auth_message.message_flags.nb_domain", FT_BOOLEAN, 32,
10397 NULL, 0x00000001, NULL, HFILL }},
10399 { &hf_netlogon_secchan_nl_message_flags_nb_host,
10400 { "NetBios Host", "netlogon.secchan.nl_auth_message.message_flags.nb_host", FT_BOOLEAN, 32,
10401 NULL, 0x00000002, NULL, HFILL }},
10403 { &hf_netlogon_secchan_nl_message_flags_dns_domain,
10404 { "DNS Domain", "netlogon.secchan.nl_auth_message.message_flags.dns_domain", FT_BOOLEAN, 32,
10405 NULL, 0x00000004, NULL, HFILL }},
10407 { &hf_netlogon_secchan_nl_message_flags_dns_host,
10408 { "DNS Host", "netlogon.secchan.nl_auth_message.message_flags.dns_host", FT_BOOLEAN, 32,
10409 NULL, 0x00000008, NULL, HFILL }},
10411 { &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
10412 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.message_flags.nb_host_utf8", FT_BOOLEAN, 32,
10413 NULL, 0x00000010, NULL, HFILL }},
10415 { &hf_netlogon_secchan_nl_nb_domain,
10416 { "NetBios Domain", "netlogon.secchan.nl_auth_message.nb_domain", FT_STRING, BASE_NONE,
10417 NULL, 0, NULL, HFILL }},
10419 { &hf_netlogon_secchan_nl_nb_host,
10420 { "NetBios Host", "netlogon.secchan.nl_auth_message.nb_host", FT_STRING, BASE_NONE,
10421 NULL, 0, NULL, HFILL }},
10423 { &hf_netlogon_secchan_nl_nb_host_utf8,
10424 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.nb_host_utf8", FT_STRING, BASE_NONE,
10425 NULL, 0, NULL, HFILL }},
10427 { &hf_netlogon_secchan_nl_dns_domain,
10428 { "DNS Domain", "netlogon.secchan.nl_auth_message.dns_domain", FT_STRING, BASE_NONE,
10429 NULL, 0, NULL, HFILL }},
10431 { &hf_netlogon_secchan_nl_dns_host,
10432 { "DNS Host", "netlogon.secchan.nl_auth_message.dns_host", FT_STRING, BASE_NONE,
10433 NULL, 0, NULL, HFILL }},
10435 { &hf_netlogon_data_length,
10436 { "Length of Data", "netlogon.data.length", FT_UINT32, BASE_DEC,
10437 NULL, 0, NULL, HFILL }},
10439 { &hf_netlogon_package_name,
10440 { "SSP Package Name", "netlogon.data.package_name", FT_STRING, BASE_NONE,
10441 NULL, 0, NULL, HFILL }},
10443 { &hf_netlogon_secchan_verf,
10444 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
10445 NULL, 0x0, NULL, HFILL }},
10447 { &hf_netlogon_secchan_verf_signalg,
10448 { "Sign algorithm", "netlogon.secchan.signalg", FT_UINT16, BASE_HEX,
10449 VALS(sign_algs), 0, NULL, HFILL }},
10451 { &hf_netlogon_secchan_verf_sealalg,
10452 { "Seal algorithm", "netlogon.secchan.sealalg", FT_UINT16, BASE_HEX,
10453 VALS(seal_algs), 0, NULL, HFILL }},
10455 { &hf_netlogon_secchan_verf_flag,
10456 { "Flags", "netlogon.secchan.flags", FT_BYTES, BASE_NONE, NULL,
10457 0x0, NULL, HFILL }},
10459 { &hf_netlogon_secchan_verf_digest,
10460 { "Packet Digest", "netlogon.secchan.digest", FT_BYTES, BASE_NONE, NULL,
10461 0x0, NULL, HFILL }},
10463 { &hf_netlogon_secchan_verf_seq,
10464 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_NONE, NULL,
10465 0x0, NULL, HFILL }},
10467 { &hf_netlogon_secchan_verf_nonce,
10468 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_NONE, NULL,
10469 0x0, NULL, HFILL }},
10471 { &hf_netlogon_user_flags_extra_sids,
10472 { "Extra SIDs", "netlogon.user.flags.extra_sids",
10473 FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
10474 "The user flags EXTRA_SIDS", HFILL }},
10476 { &hf_netlogon_user_flags_resource_groups,
10477 { "Resource Groups", "netlogon.user.flags.resource_groups",
10478 FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
10479 "The user flags RESOURCE_GROUPS", HFILL }},
10481 { &hf_netlogon_user_account_control_dont_require_preauth,
10482 { "Don't Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
10483 FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
10484 "The user account control DONT_REQUIRE_PREAUTH flag", HFILL }},
10486 { &hf_netlogon_user_account_control_use_des_key_only,
10487 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
10488 FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
10489 "The user account control use_des_key_only flag", HFILL }},
10491 { &hf_netlogon_user_account_control_not_delegated,
10492 { "Not Delegated", "netlogon.user.account_control.not_delegated",
10493 FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
10494 "The user account control not_delegated flag", HFILL }},
10496 { &hf_netlogon_user_account_control_trusted_for_delegation,
10497 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
10498 FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
10499 "The user account control trusted_for_delegation flag", HFILL }},
10501 { &hf_netlogon_user_account_control_smartcard_required,
10502 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
10503 FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
10504 "The user account control smartcard_required flag", HFILL }},
10506 { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
10507 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
10508 FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
10509 "The user account control encrypted_text_password_allowed flag", HFILL }},
10511 { &hf_netlogon_user_account_control_account_auto_locked,
10512 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
10513 FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
10514 "The user account control account_auto_locked flag", HFILL }},
10516 { &hf_netlogon_user_account_control_dont_expire_password,
10517 { "Don't Expire Password", "netlogon.user.account_control.dont_expire_password",
10518 FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
10519 "The user account control dont_expire_password flag", HFILL }},
10521 { &hf_netlogon_user_account_control_server_trust_account,
10522 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
10523 FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
10524 "The user account control server_trust_account flag", HFILL }},
10526 { &hf_netlogon_user_account_control_workstation_trust_account,
10527 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
10528 FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
10529 "The user account control workstation_trust_account flag", HFILL }},
10531 { &hf_netlogon_user_account_control_interdomain_trust_account,
10532 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
10533 FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
10534 "The user account control interdomain_trust_account flag", HFILL }},
10536 { &hf_netlogon_user_account_control_mns_logon_account,
10537 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
10538 FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
10539 "The user account control mns_logon_account flag", HFILL }},
10541 { &hf_netlogon_user_account_control_normal_account,
10542 { "Normal Account", "netlogon.user.account_control.normal_account",
10543 FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
10544 "The user account control normal_account flag", HFILL }},
10546 { &hf_netlogon_user_account_control_temp_duplicate_account,
10547 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
10548 FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
10549 "The user account control temp_duplicate_account flag", HFILL }},
10551 { &hf_netlogon_user_account_control_password_not_required,
10552 { "Password Not Required", "netlogon.user.account_control.password_not_required",
10553 FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
10554 "The user account control password_not_required flag", HFILL }},
10556 { &hf_netlogon_user_account_control_home_directory_required,
10557 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
10558 FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
10559 "The user account control home_directory_required flag", HFILL }},
10561 { &hf_netlogon_user_account_control_account_disabled,
10562 { "Account Disabled", "netlogon.user.account_control.account_disabled",
10563 FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
10564 "The user account control account_disabled flag", HFILL }},
10566 #if 0
10567 { &hf_netlogon_dnsdomaininfo,
10568 { "DnsDomainInfo", "netlogon.dnsdomaininfo", FT_NONE, BASE_NONE,
10569 NULL, 0x0, NULL, HFILL }},
10570 #endif
10572 { &hf_dns_domain_info_sid,
10573 { "Sid", "netlogon.lsa_DnsDomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10574 { &hf_domain_info_sid,
10575 { "Sid", "netlogon.lsa_DomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10576 { &hf_dns_domain_info_domain_guid,
10577 { "Domain Guid", "netlogon.lsa_DnsDomainInfo.domain_guid", FT_GUID, BASE_NONE, NULL, 0, NULL, HFILL }},
10578 { &hf_dns_domain_info_dns_forest,
10579 { "Dns Forest", "netlogon.lsa_DnsDomainInfo.dns_forest", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10580 { &hf_dns_domain_info_dns_domain,
10581 { "Dns Domain", "netlogon.lsa_DnsDomainInfo.dns_domain", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10582 { &hf_dns_domain_info_name,
10583 { "Name", "netlogon.lsa_DnsDomainInfo.name", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10584 { &hf_netlogon_s4u2proxytarget,
10585 { "S4U2proxyTarget", "netlogon.s4u2proxytarget", FT_STRING, BASE_NONE,
10586 NULL, 0, "Target for constrained delegation using s4u2proxy", HFILL }},
10587 { &hf_netlogon_transitedlistsize,
10588 { "TransitedListSize", "netlogon.transited_list_size", FT_UINT32, BASE_HEX,
10589 NULL, 0x0, "Number of elements in the TransitedServices array.", HFILL }},
10590 { &hf_netlogon_transited_service,
10591 { "Transited Service", "netlogon.transited_service", FT_STRING, BASE_NONE,
10592 NULL, 0, "S4U2 Transited Service name", HFILL }},
10593 { &hf_netlogon_logon_duration,
10594 { "Duration", "netlogon.logon_duration", FT_UINT32, BASE_DEC,
10595 NULL, 0x0, NULL, HFILL }},
10596 { &hf_netlogon_time_created,
10597 { "Time Created", "netlogon.time_created", FT_UINT32, BASE_DEC,
10598 NULL, 0x0, NULL, HFILL }},
10601 static int *ett[] = {
10602 &ett_dcerpc_netlogon,
10603 &ett_authenticate_flags,
10604 &ett_CYPHER_VALUE,
10605 &ett_QUOTA_LIMITS,
10606 &ett_IDENTITY_INFO,
10607 &ett_DELTA_ENUM,
10608 &ett_UNICODE_MULTI,
10609 &ett_DOMAIN_CONTROLLER_INFO,
10610 &ett_netr_CryptPassword,
10611 &ett_NL_PASSWORD_VERSION,
10612 &ett_NL_GENERIC_RPC_DATA,
10613 &ett_TYPE_50,
10614 &ett_TYPE_52,
10615 &ett_DELTA_ID_UNION,
10616 &ett_CAPABILITIES,
10617 &ett_DELTA_UNION,
10618 &ett_LM_OWF_PASSWORD,
10619 &ett_NT_OWF_PASSWORD,
10620 &ett_GROUP_MEMBERSHIP,
10621 &ett_DS_DOMAIN_TRUSTS,
10622 &ett_BLOB,
10623 &ett_DOMAIN_TRUST_INFO,
10624 &ett_LSA_POLICY_INFO,
10625 &ett_trust_flags,
10626 &ett_trust_attribs,
10627 &ett_get_dcname_request_flags,
10628 &ett_dc_flags,
10629 &ett_secchan_nl_auth_message,
10630 &ett_secchan_nl_auth_message_flags,
10631 &ett_secchan_verf,
10632 &ett_group_attrs,
10633 &ett_user_flags,
10634 &ett_nt_counted_longs_as_string,
10635 &ett_user_account_control,
10636 &ett_wstr_LOGON_IDENTITY_INFO_string,
10637 &ett_domain_group_memberships,
10638 &ett_domains_group_memberships,
10640 static ei_register_info ei[] = {
10641 { &ei_netlogon_auth_nthash, {
10642 "netlogon.authenticated", PI_SECURITY, PI_CHAT,
10643 "Authenticated NTHASH", EXPFILL
10645 { &ei_netlogon_session_key, {
10646 "netlogon.sessionkey", PI_SECURITY, PI_CHAT,
10647 "SessionKey", EXPFILL
10650 expert_module_t* expert_netlogon;
10652 proto_dcerpc_netlogon = proto_register_protocol("Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
10654 proto_register_field_array(proto_dcerpc_netlogon, hf, array_length(hf));
10655 proto_register_subtree_array(ett, array_length(ett));
10656 expert_netlogon = expert_register_protocol(proto_dcerpc_netlogon);
10657 expert_register_field_array(expert_netlogon, ei, array_length(ei));
10659 netlogon_auths = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), netlogon_auth_hash, netlogon_auth_equal);
10660 schannel_auths = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), dcerpc_auth_schannel_key_hash, dcerpc_auth_schannel_key_equal);
/*
 * Callback table for the Netlogon secure channel authentication trailer.
 * proto_reg_handoff_dcerpc_netlogon() registers this one table for both the
 * packet-integrity and the packet-privacy authentication levels.
 *
 * The initializer is positional: each entry must stay in the member order of
 * dcerpc_auth_subdissector_fns, which is declared outside this file.
 */
static dcerpc_auth_subdissector_fns secchan_auth_fns = {
    dissect_secchan_nl_auth_message,    /* Bind */
    dissect_secchan_nl_auth_message,    /* Bind ACK (same handler as Bind) */
    NULL,                               /* AUTH3 (no handler) */
    dissect_request_secchan_verf,       /* Request verifier */
    dissect_response_secchan_verf,      /* Response verifier */
    /* NOTE(review): the two data callbacks presumably unseal protected
     * payloads when key material is available; confirm in their bodies. */
    dissect_request_data,               /* Request data */
    dissect_response_data               /* Response data */
};
/*
 * Handoff routine: resets the file-level "seen" state, binds the netlogon
 * interface UUID and version to the DCE/RPC dissector, and registers the
 * secure channel authentication callbacks.
 */
void
proto_reg_handoff_dcerpc_netlogon(void)
{
    /* The same callback table serves both protected authentication levels. */
    const uint8_t secchan_auth_levels[] = {
        DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
        DCE_C_AUTHN_LEVEL_PKT_PRIVACY
    };
    unsigned level_idx;

    /* Start from a clean "seen" state. */
    seen.num = 0;
    seen.isseen = false;

    /* Register protocol as dcerpc */
    dcerpc_init_uuid(proto_dcerpc_netlogon,
                     ett_dcerpc_netlogon,
                     &uuid_dcerpc_netlogon,
                     ver_dcerpc_netlogon,
                     dcerpc_netlogon_dissectors,
                     hf_netlogon_opnum);

    /* Registration order is kept: integrity first, then privacy. */
    for (level_idx = 0; level_idx < array_length(secchan_auth_levels); level_idx++) {
        register_dcerpc_auth_subdissector(secchan_auth_levels[level_idx],
                                          DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
                                          &secchan_auth_fns);
    }
}
10693 * Editor modelines - https://www.wireshark.org/tools/modelines.html
10695 * Local variables:
10696 * c-basic-offset: 4
10697 * tab-width: 8
10698 * indent-tabs-mode: nil
10699 * End:
10701 * vi: set shiftwidth=4 tabstop=8 expandtab:
10702 * :indentSize=4:tabSize=8:noTabs=true: