1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * SPDX-License-Identifier: GPL-2.0-or-later
15 #define WS_LOG_DOMAIN "packet-dcerpc-netlogon"
17 #include <epan/packet.h>
18 #include <epan/expert.h>
21 #include <wsutil/wsgcrypt.h>
22 #include <wsutil/wslog.h>
23 #include <wsutil/str_util.h>
25 /* for dissect_mscldap_string */
26 #include "packet-ldap.h"
27 #include "packet-dcerpc.h"
28 #include "packet-dcerpc-nt.h"
29 #include "packet-dcerpc-netlogon.h"
30 #include "packet-windows-common.h"
31 #include "packet-dcerpc-lsa.h"
32 #include "packet-ntlmssp.h"
33 #include "packet-dcerpc-misc.h"
34 /* for keytab format */
35 #include <epan/asn1.h>
36 #include "packet-kerberos.h"
37 /* for routines to read the keytab file */
38 #include "read_keytab_file.h"
41 void proto_register_dcerpc_netlogon(void);
42 void proto_reg_handoff_dcerpc_netlogon(void);
45 netlogon_dissect_neg_options(tvbuff_t
*tvb
,proto_tree
*tree
,uint32_t flags
,int offset
);
47 /* Debug function, log a hexdump of interesting memory */
48 static void printnbyte(wmem_allocator_t
*scratch
, const uint8_t* tab
,int nb
,const char* txt
)
50 if (!ws_log_msg_is_active(WS_LOG_DOMAIN
, LOG_LEVEL_DEBUG
))
55 char *hexdump
= wmem_alloc0(scratch
, nb
*3 + 1);
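/*
 * "%02X " expands to three characters (two hex digits and a space), so
 * the size handed to snprintf() has to be 4.  With a size of 3 only the
 * two digits fit and the terminating NUL lands where the space should be,
 * which ends the string after the first byte and hides the rest of the
 * dump.  Writing 3 characters plus the NUL at offset i*3 stays inside the
 * nb*3 + 1 bytes allocated for hexdump as long as i < nb.
 * NOTE(review): the loop header is not visible in this listing; confirm
 * that i runs from 0 to nb-1 and that nb is never negative.
 */
snprintf(hexdump + (i * 3), 4, "%02X ", *(tab + i));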
64 ws_debug("%s %s", txt
, hexdump
);
/*
 * One mask per bit of a 32-bit flags word, highest bit first.  The names
 * line up with the hf_netlogon_neg_flags_* fields declared in this file
 * and with the uint32_t flags argument of netlogon_dissect_neg_options(),
 * so these are presumably the NETLOGON negotiate flags.
 *
 * Only two bits have a symbolic name here: NETLOGON_FLAG_AES and
 * NETLOGON_FLAG_STRONGKEY.  By name they mark the AES and strong-key
 * capabilities of the secure channel; the code that reads them is not
 * part of this excerpt, so confirm there which key derivation each bit
 * selects before relying on it when reviewing a capture.
 */
#define NETLOGON_FLAG_80000000  0x80000000
#define NETLOGON_FLAG_40000000  0x40000000
#define NETLOGON_FLAG_20000000  0x20000000
#define NETLOGON_FLAG_10000000  0x10000000
#define NETLOGON_FLAG_8000000   0x08000000
#define NETLOGON_FLAG_4000000   0x04000000
#define NETLOGON_FLAG_2000000   0x02000000
#define NETLOGON_FLAG_AES       0x01000000
#define NETLOGON_FLAG_800000    0x00800000
#define NETLOGON_FLAG_400000    0x00400000
#define NETLOGON_FLAG_200000    0x00200000
#define NETLOGON_FLAG_100000    0x00100000
#define NETLOGON_FLAG_80000     0x00080000
#define NETLOGON_FLAG_40000     0x00040000
#define NETLOGON_FLAG_20000     0x00020000
#define NETLOGON_FLAG_10000     0x00010000
#define NETLOGON_FLAG_8000      0x00008000
#define NETLOGON_FLAG_STRONGKEY 0x00004000
#define NETLOGON_FLAG_2000      0x00002000
#define NETLOGON_FLAG_1000      0x00001000
#define NETLOGON_FLAG_800       0x00000800
#define NETLOGON_FLAG_400       0x00000400
#define NETLOGON_FLAG_200       0x00000200
#define NETLOGON_FLAG_100       0x00000100
#define NETLOGON_FLAG_80        0x00000080
#define NETLOGON_FLAG_40        0x00000040
#define NETLOGON_FLAG_20        0x00000020
#define NETLOGON_FLAG_10        0x00000010
#define NETLOGON_FLAG_8         0x00000008
#define NETLOGON_FLAG_4         0x00000004
#define NETLOGON_FLAG_2         0x00000002
#define NETLOGON_FLAG_1         0x00000001
/*
 * File-scope lookup tables.  Where they are created and what they are
 * keyed on is not shown in this excerpt; presumably netlogon_auths uses
 * netlogon_auth_key and schannel_auths uses dcerpc_auth_schannel_key,
 * since hash/equal helpers for both key types appear later in the file.
 * Confirm at the map creation site.
 */
static wmem_map_t *netlogon_auths;
static wmem_map_t *schannel_auths;

/* Protocol handle for the NETLOGON dissector. */
static int proto_dcerpc_netlogon;
/*
 * Header-field handles (hf_*), one per item the dissector can add to the
 * protocol tree.  They are zero-initialised here; the registration code
 * that assigns them is not part of this excerpt.
 *
 * Several handles, judging by their names, display credential material
 * (OWF password hashes, session keys, challenge responses, "sensitive
 * data").  Dissection output that includes them should be handled like
 * the secrets themselves.
 */

/* Domain information, challenges and credentials */
static int hf_netlogon_TrustedDomainName_string;
static int hf_netlogon_UserName_string;
static int hf_domain_info_sid;
static int hf_dns_domain_info_sid;
static int hf_dns_domain_info_domain_guid;
static int hf_dns_domain_info_dns_domain;
static int hf_dns_domain_info_dns_forest;
static int hf_dns_domain_info_name;
static int hf_client_challenge;
static int hf_server_rid;
static int hf_server_challenge;
static int hf_client_credential;
static int hf_server_credential;
static int hf_netlogon_logon_dnslogondomainname;
static int hf_netlogon_logon_upn;
static int hf_netlogon_opnum;
static int hf_netlogon_data_length;

/* Extra flags, return codes, password version, sensitive data */
static int hf_netlogon_extraflags;
static int hf_netlogon_extra_flags_root_forest;
static int hf_netlogon_trust_flags_dc_firsthop;
static int hf_netlogon_trust_flags_rodc_to_dc;
static int hf_netlogon_trust_flags_rodc_ntlm;
static int hf_netlogon_package_name;
static int hf_netlogon_rc;
static int hf_netlogon_dos_rc;
static int hf_netlogon_werr_rc;
static int hf_netlogon_len;
static int hf_netlogon_password_version_reserved;
static int hf_netlogon_password_version_number;
static int hf_netlogon_password_version_present;
static int hf_netlogon_sensitive_data_flag;
static int hf_netlogon_sensitive_data_len;
static int hf_netlogon_sensitive_data;
static int hf_netlogon_security_information;
static int hf_netlogon_dummy;

/* Negotiate flags; the commented-out bits are kept as in the original */
static int hf_netlogon_neg_flags;
static int hf_netlogon_neg_flags_80000000;
static int hf_netlogon_neg_flags_40000000;
static int hf_netlogon_neg_flags_20000000;
/* static int hf_netlogon_neg_flags_10000000; */
/* static int hf_netlogon_neg_flags_8000000; */
/* static int hf_netlogon_neg_flags_4000000; */
/* static int hf_netlogon_neg_flags_2000000; */
static int hf_netlogon_neg_flags_1000000;
/* static int hf_netlogon_neg_flags_800000; */
/* static int hf_netlogon_neg_flags_400000; */
static int hf_netlogon_neg_flags_200000;
static int hf_netlogon_neg_flags_100000;
static int hf_netlogon_neg_flags_80000;
static int hf_netlogon_neg_flags_40000;
static int hf_netlogon_neg_flags_20000;
static int hf_netlogon_neg_flags_10000;
static int hf_netlogon_neg_flags_8000;
static int hf_netlogon_neg_flags_4000;
static int hf_netlogon_neg_flags_2000;
static int hf_netlogon_neg_flags_1000;
static int hf_netlogon_neg_flags_800;
static int hf_netlogon_neg_flags_400;
static int hf_netlogon_neg_flags_200;
static int hf_netlogon_neg_flags_100;
static int hf_netlogon_neg_flags_80;
static int hf_netlogon_neg_flags_40;
static int hf_netlogon_neg_flags_20;
static int hf_netlogon_neg_flags_10;
static int hf_netlogon_neg_flags_8;
static int hf_netlogon_neg_flags_4;
static int hf_netlogon_neg_flags_2;
static int hf_netlogon_neg_flags_1;

/* Quota limits */
static int hf_netlogon_minworkingsetsize;
static int hf_netlogon_maxworkingsetsize;
static int hf_netlogon_pagedpoollimit;
static int hf_netlogon_pagefilelimit;
static int hf_netlogon_timelimit;
static int hf_netlogon_nonpagedpoollimit;
/* static int hf_netlogon_pac_size; */
/* static int hf_netlogon_pac_data; */
/* static int hf_netlogon_auth_size; */
/* static int hf_netlogon_auth_data; */

/* Cipher values, privileges, policy and counters */
static int hf_netlogon_cipher_len;
static int hf_netlogon_cipher_maxlen;
static int hf_netlogon_cipher_current_data;
static int hf_netlogon_cipher_current_set_time;
static int hf_netlogon_cipher_old_data;
static int hf_netlogon_cipher_old_set_time;
static int hf_netlogon_priv;
static int hf_netlogon_privilege_entries;
static int hf_netlogon_privilege_control;
static int hf_netlogon_privilege_name;
static int hf_netlogon_systemflags;
static int hf_netlogon_pdc_connection_status;
static int hf_netlogon_tc_connection_status;
static int hf_netlogon_restart_state;
static int hf_netlogon_attrs;
static int hf_netlogon_lsapolicy_len;
/* static int hf_netlogon_lsapolicy_referentid; */
/* static int hf_netlogon_lsapolicy_pointer; */
static int hf_netlogon_count;
static int hf_netlogon_entries;
static int hf_netlogon_minpasswdlen;
static int hf_netlogon_passwdhistorylen;
static int hf_netlogon_level16;
static int hf_netlogon_validation_level;
static int hf_netlogon_reference;
static int hf_netlogon_next_reference;
static int hf_netlogon_timestamp;
static int hf_netlogon_level;
static int hf_netlogon_challenge;
static int hf_netlogon_reserved;
static int hf_netlogon_audit_retention_period;
static int hf_netlogon_auditing_mode;
static int hf_netlogon_max_audit_event_count;
static int hf_netlogon_event_audit_option;
static int hf_netlogon_unknown_string;
static int hf_netlogon_new_password;
static int hf_netlogon_trust_extension;
static int hf_netlogon_trust_max;
static int hf_netlogon_trust_offset;
static int hf_netlogon_trust_len;
static int hf_netlogon_opaque_buffer_enc;
static int hf_netlogon_opaque_buffer_dec;
static int hf_netlogon_opaque_buffer_size;

/* Placeholder and unknown fields */
static int hf_netlogon_dummy_string;
static int hf_netlogon_dummy_string2;
static int hf_netlogon_dummy_string3;
static int hf_netlogon_dummy_string4;
static int hf_netlogon_dummy_string5;
static int hf_netlogon_dummy_string6;
static int hf_netlogon_dummy_string7;
static int hf_netlogon_dummy_string8;
static int hf_netlogon_dummy_string9;
static int hf_netlogon_dummy_string10;
static int hf_netlogon_unknown_short;
static int hf_netlogon_unknown_long;
static int hf_netlogon_dummy1_long;
static int hf_netlogon_dummy2_long;
static int hf_netlogon_dummy3_long;
static int hf_netlogon_dummy4_long;
static int hf_netlogon_dummy5_long;
static int hf_netlogon_dummy6_long;
static int hf_netlogon_dummy7_long;
static int hf_netlogon_dummy8_long;
static int hf_netlogon_dummy9_long;
static int hf_netlogon_dummy10_long;
static int hf_netlogon_unknown_char;

/* Logon times, password ages, challenge responses */
static int hf_netlogon_logon_time;
static int hf_netlogon_logoff_time;
static int hf_netlogon_last_logoff_time;
static int hf_netlogon_kickoff_time;
static int hf_netlogon_pwd_age;
static int hf_netlogon_pwd_last_set_time;
static int hf_netlogon_pwd_can_change_time;
static int hf_netlogon_pwd_must_change_time;
static int hf_netlogon_nt_chal_resp;
static int hf_netlogon_lm_chal_resp;
static int hf_netlogon_credential;

/* Account, group and domain attributes */
static int hf_netlogon_acct_name;
static int hf_netlogon_acct_desc;
static int hf_netlogon_group_desc;
static int hf_netlogon_full_name;
static int hf_netlogon_comment;
static int hf_netlogon_parameters;
static int hf_netlogon_logon_script;
static int hf_netlogon_profile_path;
static int hf_netlogon_home_dir;
static int hf_netlogon_dir_drive;
static int hf_netlogon_logon_count;
static int hf_netlogon_logon_count16;
static int hf_netlogon_bad_pw_count;
static int hf_netlogon_bad_pw_count16;
static int hf_netlogon_user_rid;
static int hf_netlogon_alias_rid;
static int hf_netlogon_group_rid;
static int hf_netlogon_logon_srv;
/* static int hf_netlogon_principal; */
static int hf_netlogon_logon_dom;
static int hf_netlogon_resourcegroupcount;
static int hf_netlogon_accountdomaingroupcount;
static int hf_netlogon_domaingroupcount;
static int hf_netlogon_membership_domains_count;
static int hf_netlogon_downlevel_domain_name;
static int hf_netlogon_dns_domain_name;
static int hf_netlogon_ad_client_dns_name;
static int hf_netlogon_domain_name;
static int hf_netlogon_domain_create_time;
static int hf_netlogon_domain_modify_time;
static int hf_netlogon_modify_count;
static int hf_netlogon_db_modify_time;
static int hf_netlogon_db_create_time;
static int hf_netlogon_oem_info;
static int hf_netlogon_serial_number;
static int hf_netlogon_num_rids;
static int hf_netlogon_num_trusts;
static int hf_netlogon_num_controllers;
static int hf_netlogon_num_sid;

/* Computer, site, domain controller and workstation names */
static int hf_netlogon_computer_name;
static int hf_netlogon_site_name;
static int hf_netlogon_trusted_dc_name;
static int hf_netlogon_dc_name;
static int hf_netlogon_dc_site_name;
static int hf_netlogon_dns_forest_name;
static int hf_netlogon_dc_address;
static int hf_netlogon_dc_address_type;
static int hf_netlogon_client_site_name;
static int hf_netlogon_workstation;
static int hf_netlogon_workstation_site_name;
static int hf_netlogon_os_version;
static int hf_netlogon_workstation_os;
static int hf_netlogon_workstation_flags;
static int hf_netlogon_supportedenctypes;

static int hf_netlogon_workstations;
static int hf_netlogon_workstation_fqdn;
static int hf_netlogon_group_name;
static int hf_netlogon_alias_name;
static int hf_netlogon_country;
static int hf_netlogon_codepage;
static int hf_netlogon_flags;

/* Trust attributes and trust flags */
static int hf_netlogon_trust_attribs;
static int hf_netlogon_trust_attribs_non_transitive;
static int hf_netlogon_trust_attribs_uplevel_only;
static int hf_netlogon_trust_attribs_quarantined_domain;
static int hf_netlogon_trust_attribs_forest_transitive;
static int hf_netlogon_trust_attribs_cross_organization;
static int hf_netlogon_trust_attribs_within_forest;
static int hf_netlogon_trust_attribs_treat_as_external;
static int hf_netlogon_trust_type;
static int hf_netlogon_trust_flags;
static int hf_netlogon_trust_flags_inbound;
static int hf_netlogon_trust_flags_outbound;
static int hf_netlogon_trust_flags_in_forest;
static int hf_netlogon_trust_flags_native_mode;
static int hf_netlogon_trust_flags_primary;
static int hf_netlogon_trust_flags_tree_root;
static int hf_netlogon_trust_parent_index;

/* User account control bits and user flags */
static int hf_netlogon_user_account_control;
static int hf_netlogon_user_account_control_dont_require_preauth;
static int hf_netlogon_user_account_control_use_des_key_only;
static int hf_netlogon_user_account_control_not_delegated;
static int hf_netlogon_user_account_control_trusted_for_delegation;
static int hf_netlogon_user_account_control_smartcard_required;
static int hf_netlogon_user_account_control_encrypted_text_password_allowed;
static int hf_netlogon_user_account_control_account_auto_locked;
static int hf_netlogon_user_account_control_dont_expire_password;
static int hf_netlogon_user_account_control_server_trust_account;
static int hf_netlogon_user_account_control_workstation_trust_account;
static int hf_netlogon_user_account_control_interdomain_trust_account;
static int hf_netlogon_user_account_control_mns_logon_account;
static int hf_netlogon_user_account_control_normal_account;
static int hf_netlogon_user_account_control_temp_duplicate_account;
static int hf_netlogon_user_account_control_password_not_required;
static int hf_netlogon_user_account_control_home_directory_required;
static int hf_netlogon_user_account_control_account_disabled;
static int hf_netlogon_user_flags;
static int hf_netlogon_user_flags_extra_sids;
static int hf_netlogon_user_flags_resource_groups;
static int hf_netlogon_auth_flags;
static int hf_netlogon_pwd_expired;
static int hf_netlogon_nt_pwd_present;
static int hf_netlogon_lm_pwd_present;

/* Database sync, password hashes, session key, blobs */
static int hf_netlogon_code;
static int hf_netlogon_database_id;
static int hf_netlogon_sync_context;
static int hf_netlogon_max_size;
static int hf_netlogon_max_log_size;
static int hf_netlogon_dns_host;
static int hf_netlogon_acct_expiry_time;
static int hf_netlogon_encrypted_lm_owf_password;
static int hf_netlogon_lm_owf_password;
static int hf_netlogon_nt_owf_password;
static int hf_netlogon_param_ctrl;
static int hf_netlogon_logon_id;
static int hf_netlogon_num_deltas;
static int hf_netlogon_user_session_key;
static int hf_netlogon_blob_size;
static int hf_netlogon_blob;
static int hf_netlogon_logon_attempts;
static int hf_netlogon_authoritative;
static int hf_netlogon_secure_channel_type;
static int hf_netlogon_logonsrv_handle;
static int hf_netlogon_delta_type;

/* GetDcName request flags */
static int hf_netlogon_get_dcname_request_flags;
static int hf_netlogon_get_dcname_request_flags_force_rediscovery;
static int hf_netlogon_get_dcname_request_flags_directory_service_required;
static int hf_netlogon_get_dcname_request_flags_directory_service_preferred;
static int hf_netlogon_get_dcname_request_flags_gc_server_required;
static int hf_netlogon_get_dcname_request_flags_pdc_required;
static int hf_netlogon_get_dcname_request_flags_background_only;
static int hf_netlogon_get_dcname_request_flags_ip_required;
static int hf_netlogon_get_dcname_request_flags_kdc_required;
static int hf_netlogon_get_dcname_request_flags_timeserv_required;
static int hf_netlogon_get_dcname_request_flags_writable_required;
static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred;
static int hf_netlogon_get_dcname_request_flags_avoid_self;
static int hf_netlogon_get_dcname_request_flags_only_ldap_needed;
static int hf_netlogon_get_dcname_request_flags_is_flat_name;
static int hf_netlogon_get_dcname_request_flags_is_dns_name;
static int hf_netlogon_get_dcname_request_flags_return_dns_name;
static int hf_netlogon_get_dcname_request_flags_return_flat_name;

/* Domain controller flags */
static int hf_netlogon_dc_flags;
static int hf_netlogon_dc_flags_pdc_flag;
static int hf_netlogon_dc_flags_gc_flag;
static int hf_netlogon_dc_flags_ldap_flag;
static int hf_netlogon_dc_flags_ds_flag;
static int hf_netlogon_dc_flags_kdc_flag;
static int hf_netlogon_dc_flags_timeserv_flag;
static int hf_netlogon_dc_flags_closest_flag;
static int hf_netlogon_dc_flags_writable_flag;
static int hf_netlogon_dc_flags_good_timeserv_flag;
static int hf_netlogon_dc_flags_ndnc_flag;
static int hf_netlogon_dc_flags_dns_controller_flag;
static int hf_netlogon_dc_flags_dns_domain_flag;
static int hf_netlogon_dc_flags_dns_forest_flag;
/* static int hf_netlogon_dnsdomaininfo; */

/* S4U2Proxy, transited services, logon duration */
static int hf_netlogon_s4u2proxytarget;
static int hf_netlogon_transitedlistsize;
static int hf_netlogon_transited_service;
static int hf_netlogon_logon_duration;
static int hf_netlogon_time_created;
/*
 * Subtree handles (ett_*).  Later code in this file passes them as the
 * subtree index, e.g. ett_trust_flags to
 * proto_tree_add_bitmask_value_with_flags() and ett_LM_OWF_PASSWORD to
 * proto_tree_add_subtree().
 */
static int ett_nt_counted_longs_as_string;
static int ett_dcerpc_netlogon;
static int ett_group_attrs;
static int ett_user_flags;
static int ett_user_account_control;
static int ett_QUOTA_LIMITS;
static int ett_IDENTITY_INFO;
static int ett_DELTA_ENUM;
static int ett_authenticate_flags;
static int ett_CYPHER_VALUE;
static int ett_UNICODE_MULTI;
static int ett_DOMAIN_CONTROLLER_INFO;
static int ett_netr_CryptPassword;
static int ett_NL_PASSWORD_VERSION;
static int ett_NL_GENERIC_RPC_DATA;
static int ett_TYPE_50;
static int ett_TYPE_52;
static int ett_DELTA_ID_UNION;
static int ett_CAPABILITIES;
static int ett_DELTA_UNION;
static int ett_LM_OWF_PASSWORD;
static int ett_NT_OWF_PASSWORD;
static int ett_GROUP_MEMBERSHIP;

static int ett_DS_DOMAIN_TRUSTS;
static int ett_LSA_POLICY_INFO;
static int ett_DOMAIN_TRUST_INFO;
static int ett_trust_flags;
static int ett_trust_attribs;
static int ett_get_dcname_request_flags;
static int ett_dc_flags;
static int ett_wstr_LOGON_IDENTITY_INFO_string;
static int ett_domain_group_memberships;
static int ett_domains_group_memberships;
/*
 * Expert-info handles.  By name they report the NT hash used for
 * authentication and the session key; their use is not shown in this
 * excerpt.
 */
static expert_field ei_netlogon_auth_nthash;
static expert_field ei_netlogon_session_key;
461 typedef struct _netlogon_auth_vars
{
462 uint64_t client_challenge
;
463 uint64_t server_challenge
;
466 uint8_t session_key
[16];
467 uint8_t encryption_key
[16];
468 uint8_t sequence
[16];
472 uint8_t private_type
;
477 struct _netlogon_auth_vars
*next
;
478 } netlogon_auth_vars
;
/*
 * Forward declaration; the definition is not part of this excerpt.
 * Takes the per-session authentication state and a pointer to a libgcrypt
 * cipher handle (presumably filled in on success -- confirm at the
 * definition) and returns a libgcrypt error code.
 */
static gcry_error_t
prepare_session_key_cipher(netlogon_auth_vars *vars, gcry_cipher_hd_t *_cipher_hd);
483 typedef struct _seen_packet
{
488 static seen_packet seen
;
490 static e_guid_t uuid_dcerpc_netlogon
= {
491 0x12345678, 0x1234, 0xabcd,
492 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
495 static uint16_t ver_dcerpc_netlogon
= 1;
497 static int dissect_dcerpc_8bytes (tvbuff_t
*tvb
, int offset
, packet_info
*pinfo _U_
,
498 proto_tree
*tree
, uint8_t *drep
,
499 int hfindex
, uint64_t *pdata
)
503 data
= ((drep
[0] & DREP_LITTLE_ENDIAN
)
504 ? tvb_get_letoh64 (tvb
, offset
)
505 : tvb_get_ntoh64 (tvb
, offset
));
507 /* These fields are FT_BYTES, hence the byte order doesn't matter */
509 proto_tree_add_item(tree
, hfindex
, tvb
, offset
, 8, ENC_NA
);
516 static const true_false_string user_account_control_dont_require_preauth
= {
517 "This account DOESN'T_REQUIRE_PREAUTHENTICATION",
518 "This account REQUIRES preauthentication",
520 static const true_false_string user_account_control_use_des_key_only
= {
521 "This account must USE_DES_KEY_ONLY for passwords",
522 "This account does NOT have to use_des_key_only",
524 static const true_false_string user_account_control_not_delegated
= {
525 "This account is NOT_DELEGATED",
526 "This might have been delegated",
528 static const true_false_string user_account_control_trusted_for_delegation
= {
529 "This account is TRUSTED_FOR_DELEGATION",
530 "This account is NOT trusted_for_delegation",
532 static const true_false_string user_account_control_smartcard_required
= {
533 "This account REQUIRES_SMARTCARD to authenticate",
534 "This account does NOT require_smartcard to authenticate",
536 static const true_false_string user_account_control_encrypted_text_password_allowed
= {
537 "This account allows ENCRYPTED_TEXT_PASSWORD",
538 "This account does NOT allow encrypted_text_password",
540 static const true_false_string user_account_control_account_auto_locked
= {
541 "This account is AUTO_LOCKED",
542 "This account is NOT auto_locked",
544 static const true_false_string user_account_control_dont_expire_password
= {
545 "This account DOESN'T_EXPIRE_PASSWORDs",
546 "This account might expire_passwords",
548 static const true_false_string user_account_control_server_trust_account
= {
549 "This account is a SERVER_TRUST_ACCOUNT",
550 "This account is NOT a server_trust_account",
552 static const true_false_string user_account_control_workstation_trust_account
= {
553 "This account is a WORKSTATION_TRUST_ACCOUNT",
554 "This account is NOT a workstation_trust_account",
556 static const true_false_string user_account_control_interdomain_trust_account
= {
557 "This account is an INTERDOMAIN_TRUST_ACCOUNT",
558 "This account is NOT an interdomain_trust_account",
560 static const true_false_string user_account_control_mns_logon_account
= {
561 "This account is a MNS_LOGON_ACCOUNT",
562 "This account is NOT a mns_logon_account",
564 static const true_false_string user_account_control_normal_account
= {
565 "This account is a NORMAL_ACCOUNT",
566 "This account is NOT a normal_account",
568 static const true_false_string user_account_control_temp_duplicate_account
= {
569 "This account is a TEMP_DUPLICATE_ACCOUNT",
570 "This account is NOT a temp_duplicate_account",
572 static const true_false_string user_account_control_password_not_required
= {
573 "This account REQUIRES_NO_PASSWORD",
574 "This account REQUIRES a password",
576 static const true_false_string user_account_control_home_directory_required
= {
577 "This account REQUIRES_HOME_DIRECTORY",
578 "This account does NOT require_home_directory",
580 static const true_false_string user_account_control_account_disabled
= {
581 "This account is DISABLED",
582 "This account is NOT disabled",
585 typedef struct _netlogon_auth_key
{
587 * For now we only match the client and server ip
588 * addresses, as keys can be used across tcp connections.
590 * Also note that ServerChallenge and ServerAuthenticate
591 * can be on different tcp connections!
594 * * We could have a challenge table indexed by client, server
596 * * A good ServerAuthenticate could fill a session key table
597 * indexed by computer name.
598 * * A DCERPC bind/alter context could lookup the session key table
599 * and copy the session key to the DCERPC connection/auth_context.
606 netlogon_auth_equal (const void *k1
, const void *k2
)
608 const netlogon_auth_key
*key1
= (const netlogon_auth_key
*)k1
;
609 const netlogon_auth_key
*key2
= (const netlogon_auth_key
*)k2
;
611 return (addresses_equal(&key1
->client
,&key2
->client
) && addresses_equal(&key1
->server
,&key2
->server
));
615 netlogon_auth_hash (const void *k
)
617 const netlogon_auth_key
*key1
= (const netlogon_auth_key
*)k
;
618 unsigned hash_val1
= 0;
620 hash_val1
= add_address_to_hash(hash_val1
, &key1
->client
);
621 hash_val1
= add_address_to_hash(hash_val1
, &key1
->server
);
/*
 * Key type consumed by dcerpc_auth_schannel_key_hash() and
 * dcerpc_auth_schannel_key_equal() below.  All three members take part in
 * both the hash and the equality test.
 */
struct _dcerpc_auth_schannel_key {
    conversation_t *conv;            /* compared by pointer identity */
    uint64_t        transport_salt;
    uint32_t        auth_context_id;
};
typedef struct _dcerpc_auth_schannel_key dcerpc_auth_schannel_key;
632 dcerpc_auth_schannel_key_hash(const void *k
)
634 const dcerpc_auth_schannel_key
*key
= (const dcerpc_auth_schannel_key
*)k
;
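hash = GPOINTER_TO_UINT(key->conv);
/*
 * transport_salt is 64 bits wide and may not fit in an unsigned, so fold
 * both 32-bit halves into the hash.  The earlier form shifted left by
 * sizeof(unsigned), which is a byte count (4 bits on common targets), so
 * the upper half of the salt never reached the hash and keys that
 * differed only there always landed in the same bucket.  Equality is
 * still decided by dcerpc_auth_schannel_key_equal(), so this changes
 * bucket distribution only.
 */
hash += (unsigned)key->transport_salt;
hash += (unsigned)(key->transport_salt >> 32);
hash += key->auth_context_id;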
647 dcerpc_auth_schannel_key_equal(const void *k1
, const void *k2
)
649 const dcerpc_auth_schannel_key
*key1
= (const dcerpc_auth_schannel_key
*)k1
;
650 const dcerpc_auth_schannel_key
*key2
= (const dcerpc_auth_schannel_key
*)k2
;
652 return ((key1
->conv
== key2
->conv
)
653 && (key1
->transport_salt
== key2
->transport_salt
)
654 && (key1
->auth_context_id
== key2
->auth_context_id
));
658 netlogon_dissect_EXTRA_FLAGS(tvbuff_t
*tvb
, int offset
,
659 packet_info
*pinfo
, proto_tree
*parent_tree
, dcerpc_info
*di
, uint8_t *drep
)
662 static int * const extraflags
[] = {
663 &hf_netlogon_extra_flags_root_forest
,
664 &hf_netlogon_trust_flags_dc_firsthop
,
665 &hf_netlogon_trust_flags_rodc_to_dc
,
666 &hf_netlogon_trust_flags_rodc_ntlm
,
670 if(di
->conformant_run
){
671 /*just a run to handle conformant arrays, nothing to dissect */
675 offset
=dissect_ndr_uint32(tvb
, offset
, pinfo
, NULL
, di
, drep
,
678 proto_tree_add_bitmask_value_with_flags(parent_tree
, tvb
, offset
-4, hf_netlogon_extraflags
, ett_trust_flags
, extraflags
, mask
, BMT_NO_APPEND
);
682 struct LOGON_INFO_STATE
;
684 struct LOGON_INFO_STATE_CB
{
685 struct LOGON_INFO_STATE
*state
;
686 ntlmssp_blob
*response
;
687 const uint8_t **name_ptr
;
691 struct LOGON_INFO_STATE
{
694 uint8_t server_challenge
[8];
695 ntlmssp_blob nt_response
;
696 ntlmssp_blob lm_response
;
697 ntlmssp_header_t ntlmssph
;
698 struct LOGON_INFO_STATE_CB domain_cb
, acct_cb
, host_cb
, nt_cb
, lm_cb
;
701 static void dissect_LOGON_INFO_STATE_finish(struct LOGON_INFO_STATE
*state
)
703 if (state
->ntlmssph
.acct_name
!= NULL
&&
704 state
->nt_response
.length
>= 24 &&
705 state
->lm_response
.length
>= 24)
707 if (state
->ntlmssph
.domain_name
== NULL
) {
708 state
->ntlmssph
.domain_name
= (const uint8_t *)"";
710 if (state
->ntlmssph
.host_name
== NULL
) {
711 state
->ntlmssph
.host_name
= (const uint8_t *)"";
714 ntlmssp_create_session_key(state
->pinfo
,
717 0, /* NTLMSSP_ flags */
718 state
->server_challenge
,
719 NULL
, /* encryptedsessionkey */
721 &state
->lm_response
);
725 static void dissect_ndr_lm_nt_byte_array(packet_info
*pinfo
,
727 proto_item
*item _U_
,
734 struct LOGON_INFO_STATE_CB
*cb_ref
= (struct LOGON_INFO_STATE_CB
*)callback_args
;
735 struct LOGON_INFO_STATE
*state
= NULL
;
736 int offset
= start_offset
;
740 if (cb_ref
== NULL
) {
743 state
= cb_ref
->state
;
745 if (di
->conformant_run
) {
746 /* just a run to handle conformant arrays, no scalars to dissect */
750 /* NDR array header */
752 if (di
->call_data
->flags
& DCERPC_IS_NDR64
) {
758 tmp
= end_offset
- offset
;
759 if (tmp
> NTLMSSP_BLOB_MAX_SIZE
) {
760 tmp
= NTLMSSP_BLOB_MAX_SIZE
;
763 cb_ref
->response
->length
= len
;
764 cb_ref
->response
->contents
= (uint8_t *)tvb_memdup(pinfo
->pool
, tvb
, offset
, len
);
766 dissect_ntlmv2_response(tvb
, pinfo
, tree
, offset
, len
);
769 dissect_LOGON_INFO_STATE_finish(state
);
773 dissect_ndr_lm_nt_hash_cb(tvbuff_t
*tvb
, int offset
,
774 packet_info
*pinfo
, proto_tree
*tree
,
775 dcerpc_info
*di
, uint8_t *drep
, int hf_index
,
776 dcerpc_callback_fnct_t
*callback
,
781 /* Structure starts with short, but is aligned for longs */
785 if (di
->conformant_run
)
792 [size_is(size
/2), length_is(len
/2), ptr
] unsigned short *string
;
797 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
800 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
801 hf_nt_cs_size
, &size
);
803 offset
= dissect_ndr_pointer_cb(tvb
, offset
, pinfo
, tree
, di
, drep
,
804 dissect_ndr_byte_array
, NDR_POINTER_UNIQUE
,
805 "Bytes Array", hf_index
, callback
, callback_args
);
811 dissect_ndr_lm_nt_hash_helper(tvbuff_t
*tvb
, int offset
,
812 packet_info
*pinfo
, proto_tree
*tree
,
813 dcerpc_info
*di
, uint8_t *drep
, int hf_index
,
814 struct LOGON_INFO_STATE_CB
*cb_ref
)
818 subtree
= proto_tree_add_subtree(
819 tree
, tvb
, offset
, 0, ett_LM_OWF_PASSWORD
, NULL
,
820 proto_registrar_get_name(hf_index
));
822 return dissect_ndr_lm_nt_hash_cb(
823 tvb
, offset
, pinfo
, subtree
, di
, drep
, hf_index
,
824 dissect_ndr_lm_nt_byte_array
, cb_ref
);
828 netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t
*tvb
, int offset
,
829 packet_info
*pinfo
, proto_tree
*parent_tree
, dcerpc_info
*di
, uint8_t *drep
)
832 static int * const uac
[] = {
833 &hf_netlogon_user_account_control_dont_require_preauth
,
834 &hf_netlogon_user_account_control_use_des_key_only
,
835 &hf_netlogon_user_account_control_not_delegated
,
836 &hf_netlogon_user_account_control_trusted_for_delegation
,
837 &hf_netlogon_user_account_control_smartcard_required
,
838 &hf_netlogon_user_account_control_encrypted_text_password_allowed
,
839 &hf_netlogon_user_account_control_account_auto_locked
,
840 &hf_netlogon_user_account_control_dont_expire_password
,
841 &hf_netlogon_user_account_control_server_trust_account
,
842 &hf_netlogon_user_account_control_workstation_trust_account
,
843 &hf_netlogon_user_account_control_interdomain_trust_account
,
844 &hf_netlogon_user_account_control_mns_logon_account
,
845 &hf_netlogon_user_account_control_normal_account
,
846 &hf_netlogon_user_account_control_temp_duplicate_account
,
847 &hf_netlogon_user_account_control_password_not_required
,
848 &hf_netlogon_user_account_control_home_directory_required
,
849 &hf_netlogon_user_account_control_account_disabled
,
853 if(di
->conformant_run
){
854 /*just a run to handle conformant arrays, nothing to dissect */
858 offset
=dissect_ndr_uint32(tvb
, offset
, pinfo
, NULL
, di
, drep
,
861 proto_tree_add_bitmask_value_with_flags(parent_tree
, tvb
, offset
-4, hf_netlogon_user_account_control
, ett_user_account_control
, uac
, mask
, BMT_NO_APPEND
);
868 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t
*tvb
, int offset
,
869 packet_info
*pinfo
, proto_tree
*tree
,
870 dcerpc_info
*di
, uint8_t *drep
)
872 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
873 NDR_POINTER_UNIQUE
, "Server Handle",
874 hf_netlogon_logonsrv_handle
, 0);
880 * IDL typedef struct {
881 * IDL [unique][string] wchar_t *effective_name;
883 * IDL long auth_flags;
884 * IDL long logon_count;
885 * IDL long bad_pw_count;
886 * IDL long last_logon;
887 * IDL long last_logoff;
888 * IDL long logoff_time;
889 * IDL long kickoff_time;
890 * IDL long password_age;
891 * IDL long pw_can_change;
892 * IDL long pw_must_change;
893 * IDL [unique][string] wchar_t *computer;
894 * IDL [unique][string] wchar_t *domain;
895 * IDL [unique][string] wchar_t *script_path;
/*
 * Dissect a VALIDATION_UAS_INFO structure.
 *
 * Field order on the wire, as consumed here: the "Effective Account" string
 * pointer, four 32-bit counters/flags, seven time_t values, three string
 * pointers ("Computer", "Domain", "Script") and one reserved 32-bit value.
 *
 * Returns the offset after the last field, or the unchanged offset during
 * the conformant run.
 */
static int
netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    /* 32-bit fields that directly follow the account name. */
    const int long_fields[] = {
        hf_netlogon_priv,
        hf_netlogon_auth_flags,
        hf_netlogon_logon_count,
        hf_netlogon_bad_pw_count,
    };
    /* time_t fields, in wire order. */
    const int time_fields[] = {
        hf_netlogon_logon_time,
        hf_netlogon_last_logoff_time,
        hf_netlogon_logoff_time,
        hf_netlogon_kickoff_time,
        hf_netlogon_pwd_age,
        hf_netlogon_pwd_can_change_time,
        hf_netlogon_pwd_must_change_time,
    };
    unsigned idx;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Effective Account",
                                          hf_netlogon_acct_name, 0);

    for (idx = 0; idx < sizeof long_fields / sizeof long_fields[0]; idx++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    long_fields[idx], NULL);
    }

    for (idx = 0; idx < sizeof time_fields / sizeof time_fields[0]; idx++) {
        offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep,
                                    time_fields[idx], NULL);
    }

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_domain_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Script",
                                          hf_netlogon_logon_script, 0);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_reserved, NULL);
}
955 * IDL long NetrLogonUasLogon(
956 * IDL [in][unique][string] wchar_t *ServerName,
957 * IDL [in][ref][string] wchar_t *UserName,
958 * IDL [in][ref][string] wchar_t *Workstation,
959 * IDL [out][unique] VALIDATION_UAS_INFO *info
/*
 * Dissect the NetrLogonUasLogon request: the server handle followed by the
 * "Account" and "Workstation" strings, both carried as NDR ref pointers.
 *
 * The account name is dissected with CB_STR_COL_INFO; the workstation name
 * is dissected with no callback flags.
 */
static int
netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    int next;

    next = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    next = dissect_ndr_str_pointer_item(tvb, next, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "Account",
                                        hf_netlogon_acct_name, CB_STR_COL_INFO);

    return dissect_ndr_str_pointer_item(tvb, next, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "Workstation",
                                        hf_netlogon_workstation, 0);
}
/*
 * Dissect the NetrLogonUasLogon reply: a unique pointer to a
 * VALIDATION_UAS_INFO structure followed by the status code, which is
 * registered under hf_netlogon_dos_rc.
 */
static int
netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    int after_info;

    after_info = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_VALIDATION_UAS_INFO,
                                     NDR_POINTER_UNIQUE,
                                     "VALIDATION_UAS_INFO", -1);

    return dissect_ntstatus(tvb, after_info, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
994 * IDL typedef struct {
996 * IDL short logon_count;
997 * IDL } LOGOFF_UAS_INFO;
/*
 * Dissect a LOGOFF_UAS_INFO structure: a 32-bit duration followed by a
 * 16-bit logon count.
 *
 * The duration is read directly from the buffer with the integer encoding
 * taken from drep, and is displayed with the fixed text
 * "unknown time format" instead of a decoded value.
 *
 * Returns the offset after the logon count, or the unchanged offset during
 * the conformant run.
 */
static int
netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    enum { DURATION_LEN = 4 };
    uint32_t raw_duration;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    raw_duration = tvb_get_uint32(tvb, offset, DREP_ENC_INTEGER(drep));
    proto_tree_add_uint_format_value(tree, hf_netlogon_logon_duration, tvb,
                                     offset, DURATION_LEN, raw_duration,
                                     "unknown time format");
    offset += DURATION_LEN;

    return dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_logon_count16, NULL);
}
1022 * IDL long NetrLogonUasLogoff(
1023 * IDL [in][unique][string] wchar_t *ServerName,
1024 * IDL [in][ref][string] wchar_t *UserName,
1025 * IDL [in][ref][string] wchar_t *Workstation,
1026 * IDL [out][ref] LOGOFF_UAS_INFO *info
/*
 * Dissect the NetrLogonUasLogoff request: the server handle followed by the
 * "Account" and "Workstation" strings, both carried as NDR ref pointers.
 *
 * The account name is dissected with CB_STR_COL_INFO; the workstation name
 * is dissected with no callback flags.
 */
static int
netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    int next;

    next = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    next = dissect_ndr_str_pointer_item(tvb, next, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "Account",
                                        hf_netlogon_acct_name, CB_STR_COL_INFO);

    return dissect_ndr_str_pointer_item(tvb, next, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "Workstation",
                                        hf_netlogon_workstation, 0);
}
/*
 * Dissect the NetrLogonUasLogoff reply: a ref pointer to a LOGOFF_UAS_INFO
 * structure followed by the status code, which is registered under
 * hf_netlogon_dos_rc.
 */
static int
netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *tree,
                                          dcerpc_info *di, uint8_t *drep)
{
    int after_info;

    after_info = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_LOGOFF_UAS_INFO,
                                     NDR_POINTER_REF,
                                     "LOGOFF_UAS_INFO", -1);

    return dissect_ntstatus(tvb, after_info, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * Dissect one byte of an opaque byte array, registered under
 * hf_netlogon_unknown_char. Used as the per-element callback of
 * netlogon_dissect_BYTE_array().
 */
static int
netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect an NDR array of bytes by handing netlogon_dissect_BYTE_byte() to
 * dissect_ndr_ucarray() as the element dissector. The element count is
 * handled inside dissect_ndr_ucarray(), not here.
 */
static int
netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_byte);
}
/*
 * String callback for the LOGON_IDENTITY_INFO name fields.
 *
 * callback_args is a struct LOGON_INFO_STATE_CB. The generic
 * cb_wstr_postprocess() runs first with the levels stored in name_levels.
 * If the slot that name_ptr points to is still NULL, it is then filled from
 * the call's private_data. Finally dissect_LOGON_INFO_STATE_finish() is
 * called on the owning state.
 *
 * NOTE(review): private_data presumably holds the string saved by
 * cb_wstr_postprocess() because the caller sets CB_STR_SAVE - confirm in
 * packet-dcerpc-nt.c.
 * NOTE(review): callback_args and di->call_data are dereferenced without a
 * NULL check; the registering helper in this file only installs this
 * callback when its cb_ref argument is non-NULL.
 */
static void cb_wstr_LOGON_IDENTITY_INFO(packet_info *pinfo, proto_tree *tree,
                                        proto_item *item, dcerpc_info *di,
                                        tvbuff_t *tvb,
                                        int start_offset, int end_offset,
                                        void *callback_args)
{
    dcerpc_call_value *call = (dcerpc_call_value *)di->call_data;
    struct LOGON_INFO_STATE_CB *cb = (struct LOGON_INFO_STATE_CB *)callback_args;
    struct LOGON_INFO_STATE *owner = cb->state;

    cb_wstr_postprocess(pinfo, tree, item, di, tvb, start_offset, end_offset,
                        GINT_TO_POINTER(cb->name_levels));

    /* Only the first value seen for this slot is kept. */
    if (*cb->name_ptr == NULL) {
        *cb->name_ptr = (const uint8_t *)call->private_data;
    }

    dissect_LOGON_INFO_STATE_finish(owner);
}
/*
 * Dissect one counted string of a LOGON_IDENTITY_INFO.
 *
 * With cb_ref == NULL this is a plain dissect_ndr_counted_string() call.
 * Otherwise the string is placed in its own subtree, named after hf_index,
 * and dissected with cb_wstr_LOGON_IDENTITY_INFO() as the callback.
 * cb_ref->name_levels is set to levels + 2 with CB_STR_SAVE or-ed in.
 */
static int
dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep,
                                     int hf_index, int levels,
                                     struct LOGON_INFO_STATE_CB *cb_ref)
{
    proto_item *string_item = NULL;
    proto_tree *string_tree = NULL;

    if (cb_ref != NULL) {
        string_tree = proto_tree_add_subtree(tree, tvb, offset, 0,
                                             ett_wstr_LOGON_IDENTITY_INFO_string,
                                             &string_item,
                                             proto_registrar_get_name(hf_index));

        /*
         * Two extra levels, so that the string text is attached both to the
         * "Character Array" item and to the subtree item created just above.
         */
        cb_ref->name_levels = (2 + levels) | CB_STR_SAVE;

        return dissect_ndr_counted_string_cb(tvb, offset, pinfo, string_tree,
                                             di, drep, hf_index,
                                             cb_wstr_LOGON_IDENTITY_INFO,
                                             cb_ref);
    }

    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_index, levels);
}
1135 * IDL typedef struct {
1136 * IDL UNICODESTRING LogonDomainName;
1137 * IDL long ParameterControl;
1138 * IDL uint64 LogonID;
1139 * IDL UNICODESTRING UserName;
1140 * IDL UNICODESTRING Workstation;
1141 * IDL } LOGON_IDENTITY_INFO;
1144 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t
*tvb
, int offset
,
1145 packet_info
*pinfo
, proto_tree
*parent_tree
,
1146 dcerpc_info
*di
, uint8_t *drep
,
1147 struct LOGON_INFO_STATE
*state
)
1149 struct LOGON_INFO_STATE_CB
*domain_cb
= NULL
;
1150 struct LOGON_INFO_STATE_CB
*acct_cb
= NULL
;
1151 struct LOGON_INFO_STATE_CB
*host_cb
= NULL
;
1152 proto_item
*item
=NULL
;
1153 proto_tree
*tree
=NULL
;
1154 int old_offset
=offset
;
1156 if (state
!= NULL
) {
1157 domain_cb
= &state
->domain_cb
;
1158 acct_cb
= &state
->acct_cb
;
1159 host_cb
= &state
->host_cb
;
1163 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 0,
1164 ett_IDENTITY_INFO
, &item
, "IDENTITY_INFO:");
1167 /* XXX: It would be nice to get the domain and account name
1168 displayed in COL_INFO. */
1170 offset
= dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb
, offset
, pinfo
, tree
, di
, drep
,
1171 hf_netlogon_logon_dom
, 0, domain_cb
);
1173 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1174 hf_netlogon_param_ctrl
, NULL
);
1176 offset
= dissect_ndr_duint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1177 hf_netlogon_logon_id
, NULL
);
1179 offset
= dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb
, offset
, pinfo
, tree
, di
, drep
,
1180 hf_netlogon_acct_name
, 1, acct_cb
);
1182 offset
= dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb
, offset
, pinfo
, tree
, di
, drep
,
1183 hf_netlogon_workstation
, 0, host_cb
);
1186 /* NetMon does not recognize these bytes. I'll comment them out until someone complains */
1187 /* XXX 8 extra bytes here */
1188 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
1189 the idl file. Could be a bug in either the NETLOGON implementation or in the
1192 offset
= netlogon_dissect_8_unknown_bytes(tvb
, offset
, pinfo
, tree
, di
, drep
);
1195 proto_item_set_len(item
, offset
-old_offset
);
1201 * IDL typedef struct {
1202 * IDL char password[16];
1203 * IDL } LM_OWF_PASSWORD;
/*
 * Dissect an LM_OWF_PASSWORD: a fixed 16-byte value (IDL: char password[16])
 * shown in its own "LM_OWF_PASSWORD:" subtree.
 *
 * The bytes are added to the tree exactly as they appear in the packet; this
 * function does no decryption or interpretation. Whether the value is
 * further protected in transit cannot be told from here. Captures that
 * carry this field contain password-derived material.
 *
 * Returns offset + 16, or the unchanged offset during the conformant run.
 */
static int
netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo _U_, proto_tree *parent_tree,
                                 dcerpc_info *di, uint8_t *drep _U_)
{
    enum { LM_OWF_LEN = 16 };
    proto_item *owf_item = NULL;
    proto_tree *owf_tree;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    owf_tree = proto_tree_add_subtree(parent_tree, tvb, offset, LM_OWF_LEN,
                                      ett_LM_OWF_PASSWORD, &owf_item,
                                      "LM_OWF_PASSWORD:");

    proto_tree_add_item(owf_tree, hf_netlogon_lm_owf_password, tvb, offset,
                        LM_OWF_LEN, ENC_NA);

    return offset + LM_OWF_LEN;
}
1231 * IDL typedef struct {
1232 * IDL char password[16];
1233 * IDL } NT_OWF_PASSWORD;
/*
 * Dissect an NT_OWF_PASSWORD: a fixed 16-byte value (IDL: char password[16])
 * shown in its own "NT_OWF_PASSWORD:" subtree.
 *
 * The bytes are added to the tree exactly as they appear in the packet; this
 * function does no decryption or interpretation. Whether the value is
 * further protected in transit cannot be told from here. Captures that
 * carry this field contain password-derived material.
 *
 * Returns offset + 16, or the unchanged offset during the conformant run.
 */
static int
netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo _U_, proto_tree *parent_tree,
                                 dcerpc_info *di, uint8_t *drep _U_)
{
    enum { NT_OWF_LEN = 16 };
    proto_item *owf_item = NULL;
    proto_tree *owf_tree;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    owf_tree = proto_tree_add_subtree(parent_tree, tvb, offset, NT_OWF_LEN,
                                      ett_NT_OWF_PASSWORD, &owf_item,
                                      "NT_OWF_PASSWORD:");

    proto_tree_add_item(owf_tree, hf_netlogon_nt_owf_password, tvb, offset,
                        NT_OWF_LEN, ENC_NA);

    return offset + NT_OWF_LEN;
}
1262 * IDL typedef struct {
1263 * IDL LOGON_IDENTITY_INFO identity_info;
1264 * IDL LM_OWF_PASSWORD lmpassword;
1265 * IDL NT_OWF_PASSWORD ntpassword;
1266 * IDL } INTERACTIVE_INFO;
1269 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t
*tvb
, int offset
,
1270 packet_info
*pinfo
, proto_tree
*tree
,
1271 dcerpc_info
*di
, uint8_t *drep
)
1273 offset
= netlogon_dissect_LOGON_IDENTITY_INFO(tvb
, offset
,
1274 pinfo
, tree
, di
, drep
,
1277 offset
= netlogon_dissect_LM_OWF_PASSWORD(tvb
, offset
,
1278 pinfo
, tree
, di
, drep
);
1280 offset
= netlogon_dissect_NT_OWF_PASSWORD(tvb
, offset
,
1281 pinfo
, tree
, di
, drep
);
1287 * IDL typedef struct {
/*
 * Dissect a CHALLENGE: a fixed 8-byte value added to the tree under
 * hf_netlogon_challenge, unmodified.
 *
 * Returns offset + 8, or the unchanged offset during the conformant run.
 * netlogon_dissect_NETWORK_INFO() relies on that difference: it copies the
 * challenge bytes only when the returned offset has advanced by exactly 8.
 */
static int
netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
                           packet_info *pinfo _U_, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep _U_)
{
    enum { CHALLENGE_LEN = 8 };

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset,
                        CHALLENGE_LEN, ENC_NA);

    return offset + CHALLENGE_LEN;
}
1309 netlogon_dissect_NETWORK_INFO(tvbuff_t
*tvb
, int offset
,
1310 packet_info
*pinfo
, proto_tree
*tree
,
1311 dcerpc_info
*di
, uint8_t *drep
)
1313 struct LOGON_INFO_STATE
*state
=
1314 (struct LOGON_INFO_STATE
*)di
->private_data
;
1316 struct LOGON_INFO_STATE_CB
*nt_cb
= NULL
;
1317 struct LOGON_INFO_STATE_CB
*lm_cb
= NULL
;
1319 if (state
== NULL
) {
1320 state
= wmem_new0(pinfo
->pool
, struct LOGON_INFO_STATE
);
1321 state
->ntlmssph
= (ntlmssp_header_t
) { .type
= NTLMSSP_AUTH
, };
1322 state
->domain_cb
.state
= state
;
1323 state
->domain_cb
.name_ptr
= &state
->ntlmssph
.domain_name
;
1324 state
->acct_cb
.state
= state
;
1325 state
->acct_cb
.name_ptr
= &state
->ntlmssph
.acct_name
;
1326 state
->host_cb
.state
= state
;
1327 state
->host_cb
.name_ptr
= &state
->ntlmssph
.host_name
;
1328 state
->nt_cb
.state
= state
;
1329 state
->nt_cb
.response
= &state
->nt_response
;
1330 state
->lm_cb
.state
= state
;
1331 state
->lm_cb
.response
= &state
->lm_response
;
1332 di
->private_data
= state
;
1334 state
->pinfo
= pinfo
;
1337 offset
= netlogon_dissect_LOGON_IDENTITY_INFO(tvb
, offset
,
1338 pinfo
, tree
, di
, drep
,
1340 last_offset
= offset
;
1341 offset
= netlogon_dissect_CHALLENGE(tvb
, offset
,
1342 pinfo
, tree
, di
, drep
);
1343 if (offset
== (last_offset
+ 8)) {
1344 tvb_memcpy(tvb
, state
->server_challenge
, last_offset
, 8);
1345 nt_cb
= &state
->nt_cb
;
1346 lm_cb
= &state
->lm_cb
;
1348 offset
= dissect_ndr_lm_nt_hash_helper(tvb
,offset
,pinfo
, tree
, di
, drep
,
1349 hf_netlogon_nt_chal_resp
,
1351 offset
= dissect_ndr_lm_nt_hash_helper(tvb
,offset
,pinfo
, tree
, di
, drep
,
1352 hf_netlogon_lm_chal_resp
,
1359 * IDL typedef struct {
1360 * IDL LOGON_IDENTITY_INFO logon_info;
1361 * IDL LM_OWF_PASSWORD lmpassword;
1362 * IDL NT_OWF_PASSWORD ntpassword;
1363 * IDL } SERVICE_INFO;
1366 netlogon_dissect_SERVICE_INFO(tvbuff_t
*tvb
, int offset
,
1367 packet_info
*pinfo
, proto_tree
*tree
,
1368 dcerpc_info
*di
, uint8_t *drep
)
1370 offset
= netlogon_dissect_LOGON_IDENTITY_INFO(tvb
, offset
,
1371 pinfo
, tree
, di
, drep
,
1374 offset
= netlogon_dissect_LM_OWF_PASSWORD(tvb
, offset
,
1375 pinfo
, tree
, di
, drep
);
1377 offset
= netlogon_dissect_NT_OWF_PASSWORD(tvb
, offset
,
1378 pinfo
, tree
, di
, drep
);
1384 netlogon_dissect_GENERIC_INFO(tvbuff_t
*tvb
, int offset
,
1385 packet_info
*pinfo
, proto_tree
*tree
,
1386 dcerpc_info
*di
, uint8_t *drep
)
1388 offset
= netlogon_dissect_LOGON_IDENTITY_INFO(tvb
, offset
,
1389 pinfo
, tree
, di
, drep
,
1392 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1393 hf_netlogon_package_name
, 0|CB_STR_SAVE
);
1395 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1396 hf_netlogon_data_length
, NULL
);
1398 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1399 netlogon_dissect_BYTE_array
, NDR_POINTER_REF
,
1404 * IDL typedef [switch_type(short)] union {
1405 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
1406 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
1407 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
1411 netlogon_dissect_LEVEL(tvbuff_t
*tvb
, int offset
,
1412 packet_info
*pinfo
, proto_tree
*tree
,
1413 dcerpc_info
*di
, uint8_t *drep
)
1417 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
1418 hf_netlogon_level16
, &level
);
1422 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1423 netlogon_dissect_INTERACTIVE_INFO
, NDR_POINTER_UNIQUE
,
1424 "INTERACTIVE_INFO:", -1);
1427 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1428 netlogon_dissect_NETWORK_INFO
, NDR_POINTER_UNIQUE
,
1429 "NETWORK_INFO:", -1);
1432 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1433 netlogon_dissect_SERVICE_INFO
, NDR_POINTER_UNIQUE
,
1434 "SERVICE_INFO:", -1);
1437 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1438 netlogon_dissect_GENERIC_INFO
, NDR_POINTER_UNIQUE
,
1439 "GENERIC_INFO:", -1);
1442 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1443 netlogon_dissect_INTERACTIVE_INFO
, NDR_POINTER_UNIQUE
,
1444 "INTERACTIVE_TRANSITIVE_INFO:", -1);
1447 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1448 netlogon_dissect_NETWORK_INFO
, NDR_POINTER_UNIQUE
,
1449 "NETWORK_TRANSITIVE_INFO", -1);
1452 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1453 netlogon_dissect_SERVICE_INFO
, NDR_POINTER_UNIQUE
,
1454 "SERVICE_TRANSITIVE_INFO", -1);
1461 * IDL typedef struct {
/*
 * Dissect a CREDENTIAL: a fixed 8-byte value added to the tree under
 * hf_netlogon_credential, unmodified. No verification of the credential
 * is attempted here.
 *
 * Returns offset + 8, or the unchanged offset during the conformant run.
 */
static int
netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
                            packet_info *pinfo _U_, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep _U_)
{
    enum { CREDENTIAL_LEN = 8 };

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset,
                        CREDENTIAL_LEN, ENC_NA);

    return offset + CREDENTIAL_LEN;
}
1484 * IDL typedef struct {
1485 * IDL CREDENTIAL cred;
1486 * IDL long timestamp;
1487 * IDL } AUTHENTICATOR;
1490 netlogon_dissect_AUTHENTICATOR(tvbuff_t
*tvb
, int offset
,
1491 packet_info
*pinfo
, proto_tree
*tree
,
1492 dcerpc_info
*di
, uint8_t *drep
)
1494 if(di
->conformant_run
){
1495 /*just a run to handle conformant arrays, nothing to dissect */
1501 offset
= netlogon_dissect_CREDENTIAL(tvb
, offset
,
1502 pinfo
, tree
, di
, drep
);
1505 * XXX - this appears to be a UNIX time_t in some credentials, but
1506 * appears to be random junk in other credentials.
1507 * For example, it looks like a UNIX time_t in "credential"
1508 * AUTHENTICATORs, but like random junk in "return_authenticator"
1511 proto_tree_add_item(tree
, hf_netlogon_timestamp
, tvb
, offset
, 4, ENC_TIME_SECS
|ENC_LITTLE_ENDIAN
);
1519 * IDL typedef struct {
1521 * IDL long attributes;
1522 * IDL } GROUP_MEMBERSHIP;
/*
 * Dissect one GROUP_MEMBERSHIP entry in its own "GROUP_MEMBERSHIP:" subtree:
 * a 32-bit group RID followed by the SE_GROUP attribute flags.
 *
 * The subtree is created with length 0 and is not resized afterwards.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *parent_tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    proto_item *entry_item = NULL;
    proto_tree *entry_tree;

    entry_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                        ett_GROUP_MEMBERSHIP, &entry_item,
                                        "GROUP_MEMBERSHIP:");

    offset = dissect_ndr_uint32(tvb, offset, pinfo, entry_tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    return dissect_ndr_nt_SE_GROUP_ATTRIBUTES(tvb, offset, pinfo, entry_tree,
                                              di, drep);
}
/*
 * Dissect an NDR array of GROUP_MEMBERSHIP entries by handing
 * netlogon_dissect_GROUP_MEMBERSHIP() to dissect_ndr_ucarray() as the
 * element dissector. The element count is handled inside
 * dissect_ndr_ucarray(), not here.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_GROUP_MEMBERSHIP);
}
1557 * IDL typedef struct {
1558 * IDL char user_session_key[16];
1559 * IDL } USER_SESSION_KEY;
/*
 * Dissect a USER_SESSION_KEY: a fixed 16-byte value
 * (IDL: char user_session_key[16]) added to the tree under
 * hf_netlogon_user_session_key, unmodified.
 *
 * The bytes are shown exactly as they appear in the packet; this function
 * does no decryption. Captures that carry this field contain key material.
 *
 * Returns offset + 16, or the unchanged offset during the conformant run.
 */
static int
netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo _U_, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep _U_)
{
    enum { SESSION_KEY_LEN = 16 };

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset,
                        SESSION_KEY_LEN, ENC_NA);

    return offset + SESSION_KEY_LEN;
}
1580 static const true_false_string user_flags_extra_sids
= {
1581 "The EXTRA_SIDS bit is SET",
1582 "The extra_sids is NOT set",
1584 static const true_false_string user_flags_resource_groups
= {
1585 "The RESOURCE_GROUPS bit is SET",
1586 "The resource_groups is NOT set",
1589 netlogon_dissect_USER_FLAGS(tvbuff_t
*tvb
, int offset
,
1590 packet_info
*pinfo
, proto_tree
*parent_tree
, dcerpc_info
*di
, uint8_t *drep
)
1593 static int * const flags
[] = {
1594 &hf_netlogon_user_flags_resource_groups
,
1595 &hf_netlogon_user_flags_extra_sids
,
1599 if(di
->conformant_run
){
1600 /*just a run to handle conformant arrays, nothing to dissect */
1604 offset
=dissect_ndr_uint32(tvb
, offset
, pinfo
, NULL
, di
, drep
,
1607 proto_tree_add_bitmask_value_with_flags(parent_tree
, tvb
, offset
-4, hf_netlogon_user_flags
, ett_user_flags
, flags
, mask
, BMT_NO_APPEND
);
1612 netlogon_dissect_GROUP_MEMBERSHIPS(tvbuff_t
*tvb
, int offset
,
1613 packet_info
*pinfo
, proto_tree
*tree
,
1614 dcerpc_info
*di
, uint8_t *drep
,
1615 int hf_count
, const char *array_name
)
1619 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1622 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1623 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY
, NDR_POINTER_UNIQUE
,
1630 netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvbuff_t
*tvb
, int offset
,
1631 packet_info
*pinfo
, proto_tree
*parent_tree
,
1632 dcerpc_info
*di
, uint8_t *drep
,
1633 int hf_count
, const char *name
)
1635 proto_item
*item
=NULL
;
1636 proto_tree
*tree
=NULL
;
1637 int old_offset
=offset
;
1640 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 0,
1641 ett_domain_group_memberships
,
1645 offset
= dissect_ndr_nt_PSID(tvb
, offset
, pinfo
, tree
, di
, drep
);
1647 offset
= netlogon_dissect_GROUP_MEMBERSHIPS(tvb
, offset
,
1653 proto_item_set_len(item
, offset
-old_offset
);
1658 netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER(tvbuff_t
*tvb
, int offset
,
1659 packet_info
*pinfo
, proto_tree
*tree
,
1660 dcerpc_info
*di
, uint8_t *drep
)
1662 return netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb
, offset
,
1665 hf_netlogon_domaingroupcount
,
/*
 * Dissect an NDR array of per-domain group membership records by handing
 * netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER() to
 * dissect_ndr_ucarray() as the element dissector.
 */
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER);
}
1681 netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvbuff_t
*tvb
, int offset
,
1682 packet_info
*pinfo
, proto_tree
*parent_tree
,
1683 dcerpc_info
*di
, uint8_t *drep
,
1684 int hf_count
, const char *name
)
1686 proto_item
*item
=NULL
;
1687 proto_tree
*tree
=NULL
;
1688 int old_offset
=offset
;
1692 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 0,
1693 ett_domains_group_memberships
,
1697 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1700 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1701 netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY
,
1705 proto_item_set_len(item
, offset
-old_offset
);
1710 * IDL typedef struct {
1711 * IDL uint64 LogonTime;
1712 * IDL uint64 LogoffTime;
1713 * IDL uint64 KickOffTime;
1714 * IDL uint64 PasswdLastSet;
1715 * IDL uint64 PasswdCanChange;
1716 * IDL uint64 PasswdMustChange;
1717 * IDL unicodestring effectivename;
1718 * IDL unicodestring fullname;
1719 * IDL unicodestring logonscript;
1720 * IDL unicodestring profilepath;
1721 * IDL unicodestring homedirectory;
1722 * IDL unicodestring homedirectorydrive;
1723 * IDL short LogonCount;
1724 * IDL short BadPasswdCount;
1726 * IDL long primarygroup;
1727 * IDL long groupcount;
1728 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1729 * IDL long userflags;
1730 * IDL USER_SESSION_KEY key;
1731 * IDL unicodestring logonserver;
1732 * IDL unicodestring domainname;
1733 * IDL [unique] SID logondomainid;
1734 * IDL long expansionroom[2];
1735 * IDL long useraccountcontrol;
1736 * IDL long expansionroom[7];
1737 * IDL } VALIDATION_SAM_INFO;
1740 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t
*tvb
, int offset
,
1741 packet_info
*pinfo
, proto_tree
*tree
,
1742 dcerpc_info
*di
, uint8_t *drep
)
1745 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1746 hf_netlogon_logon_time
);
1748 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1749 hf_netlogon_logoff_time
);
1751 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1752 hf_netlogon_kickoff_time
);
1754 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1755 hf_netlogon_pwd_last_set_time
);
1757 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1758 hf_netlogon_pwd_can_change_time
);
1760 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1761 hf_netlogon_pwd_must_change_time
);
1763 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1764 hf_netlogon_acct_name
, 0);
1766 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1767 hf_netlogon_full_name
, 0);
1769 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1770 hf_netlogon_logon_script
, 0);
1772 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1773 hf_netlogon_profile_path
, 0);
1775 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1776 hf_netlogon_home_dir
, 0);
1778 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1779 hf_netlogon_dir_drive
, 0);
1781 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
1782 hf_netlogon_logon_count16
, NULL
);
1784 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
1785 hf_netlogon_bad_pw_count16
, NULL
);
1787 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1788 hf_netlogon_user_rid
, NULL
);
1790 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1791 hf_netlogon_group_rid
, NULL
);
1793 offset
= netlogon_dissect_GROUP_MEMBERSHIPS(tvb
, offset
,
1794 pinfo
, tree
, di
, drep
,
1795 hf_netlogon_num_rids
,
1798 offset
= netlogon_dissect_USER_FLAGS(tvb
, offset
,
1799 pinfo
, tree
, di
, drep
);
1801 offset
= netlogon_dissect_USER_SESSION_KEY(tvb
, offset
,
1802 pinfo
, tree
, di
, drep
);
1804 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1805 hf_netlogon_logon_srv
, 0);
1807 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1808 hf_netlogon_logon_dom
, 0);
1810 offset
= dissect_ndr_nt_PSID(tvb
, offset
, pinfo
, tree
, di
, drep
);
1812 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1813 hf_netlogon_dummy1_long
, NULL
);
1815 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1816 hf_netlogon_dummy2_long
, NULL
);
1818 offset
= netlogon_dissect_USER_ACCOUNT_CONTROL(tvb
, offset
,
1819 pinfo
, tree
, di
, drep
);
1821 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1822 hf_netlogon_dummy4_long
, NULL
);
1824 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1825 hf_netlogon_dummy5_long
, NULL
);
1827 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1828 hf_netlogon_dummy6_long
, NULL
);
1830 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1831 hf_netlogon_dummy7_long
, NULL
);
1833 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1834 hf_netlogon_dummy8_long
, NULL
);
1836 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1837 hf_netlogon_dummy9_long
, NULL
);
1839 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1840 hf_netlogon_dummy10_long
, NULL
);
1848 * IDL typedef struct {
1849 * IDL uint64 LogonTime;
1850 * IDL uint64 LogoffTime;
1851 * IDL uint64 KickOffTime;
1852 * IDL uint64 PasswdLastSet;
1853 * IDL uint64 PasswdCanChange;
1854 * IDL uint64 PasswdMustChange;
1855 * IDL unicodestring effectivename;
1856 * IDL unicodestring fullname;
1857 * IDL unicodestring logonscript;
1858 * IDL unicodestring profilepath;
1859 * IDL unicodestring homedirectory;
1860 * IDL unicodestring homedirectorydrive;
1861 * IDL short LogonCount;
1862 * IDL short BadPasswdCount;
1864 * IDL long primarygroup;
1865 * IDL long groupcount;
1866 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1867 * IDL long userflags;
1868 * IDL USER_SESSION_KEY key;
1869 * IDL unicodestring logonserver;
1870 * IDL unicodestring domainname;
1871 * IDL [unique] SID logondomainid;
1872 * IDL long expansionroom[2];
1873 * IDL long useraccountcontrol;
1874 * IDL long expansionroom[7];
1875 * IDL long sidcount;
1876 * IDL [unique] SID_AND_ATTRIBS;
1877 * IDL } VALIDATION_SAM_INFO2;
1880 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t
*tvb
, int offset
,
1881 packet_info
*pinfo
, proto_tree
*tree
,
1882 dcerpc_info
*di
, uint8_t *drep
)
1884 offset
= netlogon_dissect_VALIDATION_SAM_INFO(tvb
,offset
,pinfo
,tree
,di
,drep
);
1888 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1889 hf_netlogon_logon_time
);
1891 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1892 hf_netlogon_logoff_time
);
1894 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1895 hf_netlogon_kickoff_time
);
1897 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1898 hf_netlogon_pwd_last_set_time
);
1900 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1901 hf_netlogon_pwd_can_change_time
);
1903 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
1904 hf_netlogon_pwd_must_change_time
);
1906 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1907 hf_netlogon_acct_name
, 0);
1909 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1910 hf_netlogon_full_name
, 0);
1912 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1913 hf_netlogon_logon_script
, 0);
1915 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1916 hf_netlogon_profile_path
, 0);
1918 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1919 hf_netlogon_home_dir
, 0);
1921 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1922 hf_netlogon_dir_drive
, 0);
1924 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
1925 hf_netlogon_logon_count16
, NULL
);
1927 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
1928 hf_netlogon_bad_pw_count16
, NULL
);
1930 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1931 hf_netlogon_user_rid
, NULL
);
1933 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1934 hf_netlogon_group_rid
, NULL
);
1936 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1937 hf_netlogon_num_rids
, NULL
);
1939 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1940 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY
, NDR_POINTER_UNIQUE
,
1941 "GROUP_MEMBERSHIP_ARRAY", -1);
1943 offset
= netlogon_dissect_USER_FLAGS(tvb
, offset
,
1944 pinfo
, tree
, di
, drep
);
1946 offset
= netlogon_dissect_USER_SESSION_KEY(tvb
, offset
,
1947 pinfo
, tree
, di
, drep
);
1949 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1950 hf_netlogon_logon_srv
, 0);
1952 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
1953 hf_netlogon_logon_dom
, 0);
1955 offset
= dissect_ndr_nt_PSID(tvb
, offset
, pinfo
, tree
, di
, drep
);
1958 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1959 hf_netlogon_unknown_long
, NULL
);
1961 offset
= netlogon_dissect_USER_ACCOUNT_CONTROL(tvb
, offset
,
1962 pinfo
, tree
, di
, drep
);
1965 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1966 hf_netlogon_unknown_long
, NULL
);
1969 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
1970 hf_netlogon_num_sid
, NULL
);
1972 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
1973 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY
, NDR_POINTER_UNIQUE
,
1974 "SID_AND_ATTRIBUTES_ARRAY:", -1);
/*
 * Dissect a VALIDATION_SAM_INFO4 structure: everything
 * netlogon_dissect_VALIDATION_SAM_INFO2() consumes, followed by twelve
 * counted strings. The first two are the DNS logon domain name and the UPN;
 * the remaining ten are registered under the dummy_string fields.
 */
static int
netlogon_dissect_VALIDATION_SAM_INFO4(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    /* Counted strings that follow the SAM_INFO2 part, in wire order. */
    const int trailing_strings[] = {
        hf_netlogon_logon_dnslogondomainname,
        hf_netlogon_logon_upn,
        hf_netlogon_dummy_string,
        hf_netlogon_dummy_string2,
        hf_netlogon_dummy_string3,
        hf_netlogon_dummy_string4,
        hf_netlogon_dummy_string5,
        hf_netlogon_dummy_string6,
        hf_netlogon_dummy_string7,
        hf_netlogon_dummy_string8,
        hf_netlogon_dummy_string9,
        hf_netlogon_dummy_string10,
    };
    unsigned idx;

    offset = netlogon_dissect_VALIDATION_SAM_INFO2(tvb, offset, pinfo, tree,
                                                   di, drep);

    for (idx = 0; idx < sizeof trailing_strings / sizeof trailing_strings[0]; idx++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            trailing_strings[idx], 0);
    }

    return offset;
}
2026 * IDL typedef struct {
2027 * IDL uint64 LogonTime;
2028 * IDL uint64 LogoffTime;
2029 * IDL uint64 KickOffTime;
2030 * IDL uint64 PasswdLastSet;
2031 * IDL uint64 PasswdCanChange;
2032 * IDL uint64 PasswdMustChange;
2033 * IDL unicodestring effectivename;
2034 * IDL unicodestring fullname;
2035 * IDL unicodestring logonscript;
2036 * IDL unicodestring profilepath;
2037 * IDL unicodestring homedirectory;
2038 * IDL unicodestring homedirectorydrive;
2039 * IDL short LogonCount;
2040 * IDL short BadPasswdCount;
2042 * IDL long primarygroup;
2043 * IDL long groupcount;
2044 * IDL [unique] GROUP_MEMBERSHIP *groupids;
2045 * IDL long userflags;
2046 * IDL USER_SESSION_KEY key;
2047 * IDL unicodestring logonserver;
2048 * IDL unicodestring domainname;
2049 * IDL [unique] SID logondomainid;
2050 * IDL long expansionroom[2];
2051 * IDL long useraccountcontrol;
2052 * IDL long expansionroom[7];
2053 * IDL long sidcount;
2054 * IDL [unique] SID_AND_ATTRIBS;
2055 * IDL [unique] SID resourcegroupdomainsid;
2056 * IDL long resourcegroupcount;
2058 * IDL } PAC_LOGON_INFO;
/*
 * Dissects a PAC_LOGON_INFO structure (see the IDL above).
 *
 * As listed, the body first calls netlogon_dissect_VALIDATION_SAM_INFO and
 * then walks the logon times, name strings, counters, RIDs, group
 * memberships, user flags, session key, server and domain names, domain SID,
 * account-control flags and extra SIDs, and ends with the resource-group
 * memberships via netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS.
 *
 * NOTE(review): the embedded source line numbers skip in several places
 * (after 2065, around 2137-2150 and at 2157), so lines are missing from this
 * listing.  Presumably they hold the expansionroom loop headers and possibly
 * preprocessor guards around fields that VALIDATION_SAM_INFO already
 * covers -- confirm against the upstream file before relying on the field
 * order shown here.
 */
2061 netlogon_dissect_PAC_LOGON_INFO(tvbuff_t
*tvb
, int offset
,
2062 packet_info
*pinfo
, proto_tree
*tree
,
2063 dcerpc_info
*di
, uint8_t *drep
)
2065 offset
= netlogon_dissect_VALIDATION_SAM_INFO(tvb
,offset
,pinfo
,tree
,di
, drep
);
2069 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
2070 hf_netlogon_logon_time
);
2072 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
2073 hf_netlogon_logoff_time
);
2075 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
2076 hf_netlogon_kickoff_time
);
2078 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
2079 hf_netlogon_pwd_last_set_time
);
2081 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
2082 hf_netlogon_pwd_can_change_time
);
2084 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
2085 hf_netlogon_pwd_must_change_time
);
2087 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
2088 hf_netlogon_acct_name
, 0);
2090 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
2091 hf_netlogon_full_name
, 0);
2093 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
2094 hf_netlogon_logon_script
, 0);
2096 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
2097 hf_netlogon_profile_path
, 0);
2099 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
2100 hf_netlogon_home_dir
, 0);
2102 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
2103 hf_netlogon_dir_drive
, 0);
2105 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
2106 hf_netlogon_logon_count16
, NULL
);
2108 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
2109 hf_netlogon_bad_pw_count16
, NULL
);
2111 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
2112 hf_netlogon_user_rid
, NULL
);
2114 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
2115 hf_netlogon_group_rid
, NULL
);
2117 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
2118 hf_netlogon_num_rids
, NULL
);
2120 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2121 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY
, NDR_POINTER_UNIQUE
,
2122 "GROUP_MEMBERSHIP_ARRAY", -1);
2124 offset
= netlogon_dissect_USER_FLAGS(tvb
, offset
,
2125 pinfo
, tree
, di
, drep
);
2127 offset
= netlogon_dissect_USER_SESSION_KEY(tvb
, offset
,
2128 pinfo
, tree
, di
, drep
);
2130 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
2131 hf_netlogon_logon_srv
, 0);
2133 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
2134 hf_netlogon_logon_dom
, 0);
2136 offset
= dissect_ndr_nt_PSID(tvb
, offset
, pinfo
, tree
, di
, drep
);
/* NOTE(review): presumably the expansionroom[2] words from the IDL; the loop header is not shown -- confirm. */
2139 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
2140 hf_netlogon_unknown_long
, NULL
);
2142 offset
= netlogon_dissect_USER_ACCOUNT_CONTROL(tvb
, offset
,
2143 pinfo
, tree
, di
, drep
);
/* NOTE(review): presumably the expansionroom[7] words from the IDL; the loop header is not shown -- confirm. */
2146 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
2147 hf_netlogon_unknown_long
, NULL
);
2151 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
2152 hf_netlogon_num_sid
, NULL
);
2154 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2155 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY
, NDR_POINTER_UNIQUE
,
2156 "SID_AND_ATTRIBUTES_ARRAY:", -1);
2158 offset
= netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb
, offset
,
2159 pinfo
, tree
, di
, drep
,
2160 hf_netlogon_resourcegroupcount
,
2161 "ResourceGroupIDs");
/*
 * Dissect one transited-service name as a counted string.
 *
 * Returns the offset just past the string.
 */
static int
netlogon_dissect_S4U_Transited_Service_name(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree,
                                            dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_netlogon_transited_service, 1);
}
/*
 * Dissect the transited-services array; dissect_ndr_ucarray invokes
 * netlogon_dissect_S4U_Transited_Service_name for the elements.
 *
 * Returns the offset just past the array.
 */
static int
netlogon_dissect_S4U_Transited_Services_array(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_S4U_Transited_Service_name);
}
/*
 * Dissect a PAC_S4U_DELEGATION_INFO structure: the S4U2proxy target string,
 * the transited-list size, and a unique pointer to the transited-services
 * array.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_PAC_S4U_DELEGATION_INFO(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = dissect_ndr_counted_string(tvb, pos, pinfo, tree, di, drep,
                                     hf_netlogon_s4u2proxytarget, 0);
    pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_transitedlistsize, NULL);

    return dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                               netlogon_dissect_S4U_Transited_Services_array,
                               NDR_POINTER_UNIQUE,
                               "S4UTransitedServices", -1);
}
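/*
 * State shared between netlogon_dissect_PAC_DEVICE_INFO and
 * device_sid_callback_fnct while a device SID string is assembled.
 *
 * The listing shows only three members, yet netlogon_dissect_PAC_DEVICE_INFO
 * takes the address of args->user_rid as a uint32_t *, so that member is
 * restored here.
 */
struct device_sid_callback_args {
    /* Where the finished device SID string is published for the caller. */
    const char **device_sid_ptr;
    /* RID filled in by the hf_netlogon_user_rid dissection. */
    uint32_t user_rid;
    /* Domain SID string as read from the call's private_data. */
    const char *domain_sid;
    /* Device SID string built by the callback. */
    const char *device_sid;
};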
/*
 * Callback that netlogon_dissect_PAC_DEVICE_INFO hands to
 * dissect_ndr_nt_PSID_cb.
 *
 * From the visible lines: it takes the SID string found in
 * dcv->private_data as args->domain_sid, measures at most 64 bytes of it
 * with strnlen, searches that span for ' ' and '(' (the "debug info" the
 * inline comment mentions), builds args->device_sid with wmem_strdup_printf
 * on wmem_epan_scope(), and publishes the result through
 * *args->device_sid_ptr.
 *
 * NOTE(review): the embedded line numbers skip repeatedly (2216-2219,
 * 2226-2239, 2243-2245, 2252-2255, 2259-2264, 2269-2272), so the di/tvb
 * parameters, the early returns, the length clamps and the format arguments
 * are not shown in this listing -- confirm them against the upstream file.
 * NOTE(review): the string is allocated on wmem_epan_scope(), which
 * presumably outlives the packet and the capture file; confirm that this
 * lifetime is intended for every dissected PAC_DEVICE_INFO.
 */
2213 static void device_sid_callback_fnct(packet_info
*pinfo _U_
,
2214 proto_tree
*tree _U_
,
2215 proto_item
*item _U_
,
2218 int start_offset _U_
,
2220 void *callback_args
)
2222 struct device_sid_callback_args
*args
=
2223 (struct device_sid_callback_args
*)callback_args
;
2224 dcerpc_call_value
*dcv
= (dcerpc_call_value
*)di
->call_data
;
2225 const char *p
= NULL
;
2228 if (di
->ptype
!= UINT8_MAX
) {
2240 args
->domain_sid
= (const char *)dcv
->private_data
;
2241 if (args
->domain_sid
== NULL
) {
2242 /* this should not happen... */
/* The scan below is bounded to 64 bytes, so an unterminated string is not read past that point. */
2246 len
= strnlen(args
->domain_sid
, 64);
2248 /* remove any debug info after the sid */
2249 p
= memchr(args
->domain_sid
, ' ', len
);
2251 ptrdiff_t mlen
= p
- args
->domain_sid
;
2256 p
= memchr(args
->domain_sid
, '(', len
);
2258 ptrdiff_t mlen
= p
- args
->domain_sid
;
2265 * we know we're called dissect_krb5_PAC_DEVICE_INFO
2266 * so we should allocate the device_sid on wmem_epan_scope()
2268 args
->device_sid
= wmem_strdup_printf(wmem_epan_scope(),
2273 *args
->device_sid_ptr
= args
->device_sid
;
2277 * IDL typedef struct {
2279 * IDL long PrimaryGroupId;
2280 * IDL SID AccountDomainId;
2281 * IDL long AccountGroupCount;
2282 * IDL [size_is(AccountGroupCount)] PGROUP_MEMBERSHIP AccountGroupIds;
2283 * IDL ULONG SidCount;
2284 * IDL [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
2285 * IDL ULONG DomainGroupCount;
2286 * IDL [size_is(DomainGroupCount)] PDOMAIN_GROUP_MEMBERSHIP DomainGroup;
2287 * IDL } PAC_DEVICE_INFO;
/*
 * Dissect a PAC_DEVICE_INFO structure: user RID, primary group RID, account
 * domain SID, account-domain group memberships, extra SIDs and the
 * per-domain group memberships.
 *
 * When call data is present, di->ptype is UINT8_MAX and private_data is set,
 * private_data is taken as the place where the device SID string should be
 * stored (dissect_krb5_PAC_DEVICE_INFO passes a pointer to
 * const char *device_sid).  In that case the user RID is captured and
 * device_sid_callback_fnct receives the callback arguments; otherwise the
 * callback gets NULL.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_PAC_DEVICE_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    dcerpc_call_value *call = (dcerpc_call_value *)di->call_data;
    struct device_sid_callback_args *cb_args = NULL;
    uint32_t *rid_out = NULL;

    if (call != NULL && di->ptype == UINT8_MAX && call->private_data != NULL) {
        /* Packet-scoped: the arguments are only needed while this PDU is dissected. */
        cb_args = wmem_new0(pinfo->pool, struct device_sid_callback_args);
        cb_args->device_sid_ptr = call->private_data;
        rid_out = &cb_args->user_rid;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_user_rid, rid_out);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    offset = dissect_ndr_nt_PSID_cb(tvb, offset, pinfo, tree, di, drep,
                                    device_sid_callback_fnct, cb_args);

    offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset,
                                                pinfo, tree, di, drep,
                                                hf_netlogon_accountdomaingroupcount,
                                                "AccountDomainGroupIds");

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_sid, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "ExtraSids:SID_AND_ATTRIBUTES_ARRAY:", -1);

    return netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvb, offset,
                                                      pinfo, tree, di, drep,
                                                      hf_netlogon_membership_domains_count,
                                                      "ExtraDomain Membership Array");
}
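/*
 * Dissect a PAC blob: a 32-bit size followed by that many opaque bytes.
 *
 * During the conformant run nothing is dissected and offset is returned
 * unchanged.  Otherwise returns the offset just past the PAC bytes, the same
 * way netlogon_dissect_AUTH advances past its payload.
 *
 * pac_size is read straight from the packet.  It is checked against the
 * remaining buffer before use, so a value above INT_MAX can neither turn
 * into a negative int length nor move offset backwards.
 */
static int
netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
                     packet_info *pinfo, proto_tree *tree,
                     dcerpc_info *di, uint8_t *drep _U_)
{
    uint32_t pac_size = 0;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pac_size, &pac_size);

    /* Raises a bounds exception unless pac_size bytes really follow. */
    tvb_ensure_bytes_exist64(tvb, offset, pac_size);

    proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, (int)pac_size,
                        ENC_NA);
    offset += (int)pac_size;

    return offset;
}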
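/*
 * Dissect an AUTH blob: a 32-bit size followed by that many opaque bytes.
 *
 * During the conformant run nothing is dissected and offset is returned
 * unchanged.  Otherwise returns the offset just past the AUTH bytes.
 *
 * auth_size is read straight from the packet.  It is checked against the
 * remaining buffer before use, so a value above INT_MAX can neither turn
 * into a negative int length nor move offset backwards.
 */
static int
netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
                      packet_info *pinfo, proto_tree *tree,
                      dcerpc_info *di, uint8_t *drep _U_)
{
    uint32_t auth_size = 0;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_auth_size, &auth_size);

    /* Raises a bounds exception unless auth_size bytes really follow. */
    tvb_ensure_bytes_exist64(tvb, offset, auth_size);

    proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, (int)auth_size,
                        ENC_NA);
    offset += (int)auth_size;

    return offset;
}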
/*
 * Dissect a VALIDATION_GENERIC_INFO2 structure: a 32-bit data length and a
 * ref pointer to the validation bytes (netlogon_dissect_BYTE_array).
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_VALIDATION_GENERIC_INFO2 (tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    const int after_length = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                                hf_netlogon_data_length, NULL);

    return dissect_ndr_pointer(tvb, after_length, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                               "Validation Data", -1);
}
2396 * IDL typedef struct {
2398 * IDL [unique][size_is(pac_size)] char *pac;
2399 * IDL UNICODESTRING logondomain;
2400 * IDL UNICODESTRING logonserver;
2401 * IDL UNICODESTRING principalname;
2402 * IDL long auth_size;
2403 * IDL [unique][size_is(auth_size)] char *auth;
2404 * IDL USER_SESSION_KEY user_session_key;
2405 * IDL long expansionroom[2];
2406 * IDL long useraccountcontrol;
2407 * IDL long expansionroom[7];
2408 * IDL UNICODESTRING dummy1;
2409 * IDL UNICODESTRING dummy2;
2410 * IDL UNICODESTRING dummy3;
2411 * IDL UNICODESTRING dummy4;
2412 * IDL } VALIDATION_PAC_INFO;
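#if 0 /* Not used (anymore ?) */
/*
 * Dissect a VALIDATION_PAC_INFO structure (see the IDL above): PAC size and
 * PAC pointer, logon domain, logon server and principal strings, AUTH size
 * and AUTH pointer, the user session key, two reserved words, the
 * account-control flags, seven reserved words and four dummy strings.
 *
 * The listing had lost the two reserved-word loop headers and the closing
 * #endif; the loop counts come from expansionroom[2] and expansionroom[7]
 * in the IDL.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    int i;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pac_size, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_logon_srv, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_principal, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_auth_size, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);

    offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
                                               pinfo, tree, di, drep);

    /* expansionroom[2] */
    for (i = 0; i < 2; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_unknown_long, NULL);
    }

    offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
                                                   pinfo, tree, di, drep);

    /* expansionroom[7] */
    for (i = 0; i < 7; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_unknown_long, NULL);
    }

    /* dummy1 .. dummy4 */
    for (i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    return offset;
}
#endif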
2475 * IDL typedef [switch_type(short)] union {
2476 * IDL [case(1)][unique] VALIDATION_UAS *uas;
2477 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
2478 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
2479 * IDL [case(4)][unique] VALIDATION_GENERIC_INFO *generic;
2480 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2481 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2482 * IDL [case(6)][unique] VALIDATION_SAM_INFO4 *sam4;
/*
 * Dissects the VALIDATION union (see the IDL above).
 *
 * From the visible lines: a 16-bit validation level is read into `level`,
 * and one of the per-level structure dissectors is handed to
 * dissect_ndr_pointer as a unique pointer.  The arms appear in the same
 * order as IDL cases 1 to 6; both generic arms use
 * netlogon_dissect_VALIDATION_GENERIC_INFO2 and differ only in their label.
 *
 * NOTE(review): the declaration of `level`, the switch/case/break lines and
 * any alignment statements fall on source lines this listing skips
 * (2489-2491, 2494-2497, ...) -- confirm them against the upstream file.
 */
2486 netlogon_dissect_VALIDATION(tvbuff_t
*tvb
, int offset
,
2487 packet_info
*pinfo
, proto_tree
*tree
,
2488 dcerpc_info
*di
, uint8_t *drep
)
2492 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
2493 hf_netlogon_validation_level
, &level
);
2498 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2499 netlogon_dissect_VALIDATION_UAS_INFO
, NDR_POINTER_UNIQUE
,
2500 "VALIDATION_UAS_INFO:", -1);
2503 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2504 netlogon_dissect_VALIDATION_SAM_INFO
, NDR_POINTER_UNIQUE
,
2505 "VALIDATION_SAM_INFO:", -1);
2508 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2509 netlogon_dissect_VALIDATION_SAM_INFO2
, NDR_POINTER_UNIQUE
,
2510 "VALIDATION_SAM_INFO2:", -1);
2513 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2514 netlogon_dissect_VALIDATION_GENERIC_INFO2
, NDR_POINTER_UNIQUE
,
2515 "VALIDATION_INFO:", -1);
2518 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2519 netlogon_dissect_VALIDATION_GENERIC_INFO2
, NDR_POINTER_UNIQUE
,
2520 "VALIDATION_INFO2:", -1);
2523 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2524 netlogon_dissect_VALIDATION_SAM_INFO4
, NDR_POINTER_UNIQUE
,
2525 "VALIDATION_SAM_INFO4:", -1);
2531 * IDL long NetrLogonSamLogonWithFlags(
2532 * IDL [in][unique][string] wchar_t *ServerName,
2533 * IDL [in][unique][string] wchar_t *Workstation,
2534 * IDL [in][unique] AUTHENTICATOR *credential,
2535 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2536 * IDL [in] short LogonLevel,
2537 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2538 * IDL [in] short ValidationLevel,
2539 * IDL [out][ref] VALIDATION *validation,
2540 * IDL [out][ref] boolean Authoritative
2541 * IDL [in][out] unsigned long ExtraFlags
/*
 * Dissect a NetrLogonSamLogonWithFlags request: server handle, computer
 * name, the credential and return authenticators, the logon level with its
 * LEVEL union, the validation level and the extra flags.
 *
 * Returns the offset just past the request stub.
 */
static int
netlogon_dissect_netrlogonsamlogonflags_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = netlogon_dissect_LOGONSRV_HANDLE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_UNIQUE, "Computer Name",
                                       hf_netlogon_computer_name, 0);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                              "AUTHENTICATOR: credential", -1);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                              "AUTHENTICATOR: return_authenticator", -1);

    pos = dissect_ndr_uint16(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_level16, NULL);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_LEVEL, NDR_POINTER_REF,
                              "LEVEL: LogonLevel", -1);

    pos = dissect_ndr_uint16(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_validation_level, NULL);

    return netlogon_dissect_EXTRA_FLAGS(tvb, pos, pinfo, tree, di, drep);
}
/*
 * Dissects a NetrLogonSamLogonWithFlags reply.
 *
 * From the visible lines: the return authenticator (unique pointer), the
 * VALIDATION union (ref pointer), the 8-bit Authoritative flag, the extra
 * flags and the NT status return code, in that order.
 *
 * NOTE(review): source lines 2588-2589 are skipped by this listing, so the
 * label and closing arguments of the VALIDATION pointer call are not
 * shown -- confirm them against the upstream file.
 */
2579 netlogon_dissect_netrlogonsamlogonflags_reply(tvbuff_t
*tvb
, int offset
,
2580 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
2582 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2583 netlogon_dissect_AUTHENTICATOR
, NDR_POINTER_UNIQUE
,
2584 "AUTHENTICATOR: return_authenticator", -1);
2586 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2587 netlogon_dissect_VALIDATION
, NDR_POINTER_REF
,
2590 offset
= dissect_ndr_uint8(tvb
, offset
, pinfo
, tree
, di
, drep
,
2591 hf_netlogon_authoritative
, NULL
);
2593 offset
= netlogon_dissect_EXTRA_FLAGS(tvb
, offset
, pinfo
, tree
, di
, drep
);
2595 offset
= dissect_ntstatus(tvb
, offset
, pinfo
, tree
, di
, drep
,
2596 hf_netlogon_rc
, NULL
);
2604 * IDL long NetrLogonSamLogon(
2605 * IDL [in][unique][string] wchar_t *ServerName,
2606 * IDL [in][unique][string] wchar_t *Workstation,
2607 * IDL [in][unique] AUTHENTICATOR *credential,
2608 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2609 * IDL [in] short LogonLevel,
2610 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2611 * IDL [in] short ValidationLevel,
2612 * IDL [out][ref] VALIDATION *validation,
2613 * IDL [out][ref] boolean Authoritative
/*
 * Dissect a NetrLogonSamLogon request: server handle, computer name, the
 * credential and return authenticators, the logon level with its LEVEL
 * union, and the validation level.
 *
 * Returns the offset just past the request stub.
 */
static int
netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = netlogon_dissect_LOGONSRV_HANDLE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_UNIQUE, "Computer Name",
                                       hf_netlogon_computer_name, 0);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                              "AUTHENTICATOR: credential", -1);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                              "AUTHENTICATOR: return_authenticator", -1);

    pos = dissect_ndr_uint16(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_level16, NULL);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_LEVEL, NDR_POINTER_REF,
                              "LEVEL: LogonLevel", -1);

    return dissect_ndr_uint16(tvb, pos, pinfo, tree, di, drep,
                              hf_netlogon_validation_level, NULL);
}
/*
 * Dissects a NetrLogonSamLogon reply.
 *
 * From the visible lines: the return authenticator (unique pointer), the
 * VALIDATION union (ref pointer), the 8-bit Authoritative flag and the NT
 * status return code, in that order.
 *
 * NOTE(review): source lines 2658-2659 are skipped by this listing, so the
 * label and closing arguments of the VALIDATION pointer call are not
 * shown -- confirm them against the upstream file.
 */
2649 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t
*tvb
, int offset
,
2650 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
2652 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2653 netlogon_dissect_AUTHENTICATOR
, NDR_POINTER_UNIQUE
,
2654 "AUTHENTICATOR: return_authenticator", -1);
2656 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
2657 netlogon_dissect_VALIDATION
, NDR_POINTER_REF
,
2660 offset
= dissect_ndr_uint8(tvb
, offset
, pinfo
, tree
, di
, drep
,
2661 hf_netlogon_authoritative
, NULL
);
2663 offset
= dissect_ntstatus(tvb
, offset
, pinfo
, tree
, di
, drep
,
2664 hf_netlogon_rc
, NULL
);
2671 * IDL long NetrLogonSamLogoff(
2672 * IDL [in][unique][string] wchar_t *ServerName,
2673 * IDL [in][unique][string] wchar_t *ComputerName,
2674 * IDL [in][unique] AUTHENTICATOR credential,
2675 * IDL [in][unique] AUTHENTICATOR return_authenticator,
2676 * IDL [in] short logon_level,
2677 * IDL [in][ref] LEVEL logoninformation
/*
 * Dissect a NetrLogonSamLogoff request: server handle, computer name, the
 * credential and return authenticators, and the logon level with its LEVEL
 * union.
 *
 * Returns the offset just past the request stub.
 */
static int
netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = netlogon_dissect_LOGONSRV_HANDLE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_UNIQUE, "Computer Name",
                                       hf_netlogon_computer_name, 0);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                              "AUTHENTICATOR: credential", -1);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                              "AUTHENTICATOR: return_authenticator", -1);

    pos = dissect_ndr_uint16(tvb, pos, pinfo, tree, di, drep,
                             hf_netlogon_level16, NULL);

    return dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                               netlogon_dissect_LEVEL, NDR_POINTER_REF,
                               "LEVEL: logoninformation", -1);
}
/*
 * Dissect a NetrLogonSamLogoff reply: the return authenticator followed by
 * the NT status return code.
 *
 * Returns the offset just past the reply stub.
 */
static int
netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    const int after_auth = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                               netlogon_dissect_AUTHENTICATOR,
                                               NDR_POINTER_UNIQUE,
                                               "AUTHENTICATOR: return_authenticator", -1);

    return dissect_ntstatus(tvb, after_auth, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Fill key with the server and client addresses of the current packet.
 *
 * is_server selects which end sent the packet: the callers in this file pass
 * 1 when dissecting a reply (source address is the server) and 0 when
 * dissecting a request (source address is the client).
 *
 * The addresses are copied with copy_address_shallow; the request dissector
 * re-copies them with copy_address_wmem before it stores a key in the map.
 */
static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key)
{
    const address *server_side = is_server ? &pinfo->src : &pinfo->dst;
    const address *client_side = is_server ? &pinfo->dst : &pinfo->src;

    copy_address_shallow(&key->server, server_side);
    copy_address_shallow(&key->client, client_side);
}
/*
 * Looks up the authentication state recorded for this packet's
 * client/server address pair.
 *
 * From the visible lines: the key is built with generate_hash_key, the
 * chain stored in netlogon_auths under that key is walked through ->next,
 * and each entry's `start` and `auth_fd_num` frame numbers are compared with
 * the current frame number (pinfo->num).  The inline comments describe the
 * intent: entries that start at or after this frame, or whose
 * ServerAuthenticate frame has not been seen or is not before this frame,
 * cannot supply a session key, and the latest usable entry is remembered in
 * avars.
 *
 * NOTE(review): the break/continue statements, the assignment to avars and
 * the return are on source lines this listing skips -- confirm the exact
 * control flow against the upstream file.
 * NOTE(review): the match is keyed on addresses and frame order only, as far
 * as these lines show; presumably two exchanges between the same hosts are
 * told apart by frame number alone -- confirm.
 */
2736 static netlogon_auth_vars
*find_global_netlogon_auth_vars(packet_info
*pinfo
, unsigned char is_server
)
2738 netlogon_auth_vars
*lvars
= NULL
;
2739 netlogon_auth_vars
*avars
= NULL
;
2740 netlogon_auth_key akey
;
2742 generate_hash_key(pinfo
, is_server
, &akey
);
2743 lvars
= (netlogon_auth_vars
*)wmem_map_lookup(netlogon_auths
, &akey
);
2745 for (; lvars
!= NULL
; lvars
= lvars
->next
) {
2746 int fd_num
= (int) pinfo
->num
;
2748 if (fd_num
<= lvars
->start
) {
2750 * Before it even started,
2751 * can't be used..., keep
2752 * avars if we already found
2757 if (lvars
->auth_fd_num
== -1) {
2759 * No ServerAuthenticate{,1,3},
2760 * no session key available,
2765 if (fd_num
<= lvars
->auth_fd_num
) {
2767 * Before ServerAuthenticate{,1,3}
2768 * can't be used..., keep
2769 * avars if we already found
2775 * remember the current match,
2776 * but try to find a better one...
/*
 * Returns the authentication state bound to one secure-channel context,
 * creating it on first use.
 *
 * From the visible lines: the lookup key combines the conversation, the
 * DCE/RPC transport salt and auth_info->auth_context_id.  If schannel_auths
 * has no entry for that key, the state found by
 * find_global_netlogon_auth_vars is duplicated into wmem_file_scope()
 * (struct copy plus a fresh copy of client_name), its next_start is reset to
 * -1, and the copy is inserted into schannel_auths under a file-scoped copy
 * of the key.
 *
 * NOTE(review): the return statements and source lines 2821-2822 are not
 * shown in this listing -- confirm what each early exit returns and whether
 * the copied entry's `next` link is cleared as well.
 * NOTE(review): the duplicated state is a byte copy of avars, so any session
 * key material it holds is presumably copied too and lives until the file
 * scope is released -- confirm.
 */
2784 static netlogon_auth_vars
*find_or_create_schannel_netlogon_auth_vars(packet_info
*pinfo
,
2785 dcerpc_auth_info
*auth_info
,
2786 unsigned char is_server
)
2788 dcerpc_auth_schannel_key skey
= {
2789 .conv
= find_or_create_conversation(pinfo
),
2790 .transport_salt
= dcerpc_get_transport_salt(pinfo
),
2791 .auth_context_id
= auth_info
->auth_context_id
,
2793 dcerpc_auth_schannel_key
*sk
= NULL
;
2794 netlogon_auth_vars
*svars
= NULL
;
2795 netlogon_auth_vars
*avars
= NULL
;
2797 svars
= (netlogon_auth_vars
*)wmem_map_lookup(schannel_auths
, &skey
);
2798 if (svars
!= NULL
) {
2802 avars
= find_global_netlogon_auth_vars(pinfo
, is_server
);
2803 if (avars
== NULL
) {
2807 sk
= wmem_memdup(wmem_file_scope(), &skey
, sizeof(dcerpc_auth_schannel_key
));
2812 svars
= wmem_memdup(wmem_file_scope(), avars
, sizeof(netlogon_auth_vars
));
2813 if (svars
== NULL
) {
2816 svars
->client_name
= wmem_strdup(wmem_file_scope(), avars
->client_name
);
2817 if (svars
->client_name
== NULL
) {
2820 svars
->next_start
= -1;
2823 wmem_map_insert(schannel_auths
, sk
, svars
);
2829 * IDL long NetrServerReqChallenge(
2830 * IDL [in][unique][string] wchar_t *ServerName,
2831 * IDL [in][ref][string] wchar_t *ComputerName,
2832 * IDL [in][ref] CREDENTIAL client_credential,
2833 * IDL [out][ref] CREDENTIAL server_credential
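/*
 * Dissect a NetrServerReqChallenge request and record the start of a new
 * authentication exchange.
 *
 * Besides adding the server handle, computer name and client challenge to
 * the tree, this allocates a file-scoped netlogon_auth_vars holding the
 * client name, the client challenge and the frame number, and links it into
 * netlogon_auths under the client/server address pair: as the first entry
 * for that pair, or appended to the existing chain unless an entry for this
 * frame is already there.
 *
 * The saved computer name is read defensively: nothing visible here
 * guarantees that call data exists or that the string callback stored a
 * name, so the debug logging never hands a NULL pointer to strlen().
 * wmem_strdup() still receives the saved pointer unchanged, so the recorded
 * client name is what it was before.
 *
 * Returns the offset just past the client challenge.
 */
static int
netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /*int oldoffset = offset;*/
    netlogon_auth_vars *vars;
    netlogon_auth_vars *existing_vars;
    netlogon_auth_key key;
    uint8_t tab[8] = { 0,0,0,0,0,0,0,0};
    dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
    const char *saved_name;
    const char *log_name;

    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_pointer_cb(
        tvb, offset, pinfo, tree, di, drep,
        dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
        "Computer Name", hf_netlogon_computer_name,
        cb_wstr_postprocess,
        GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1));

    /* CB_STR_SAVE asks the callback to leave the name in private_data. */
    saved_name = (dcv != NULL) ? (const char *)dcv->private_data : NULL;
    log_name = (saved_name != NULL) ? saved_name : "";

    ws_debug("1)Len %d offset %d txt %s",(int) strlen(log_name),offset,log_name);
    vars = wmem_new0(wmem_file_scope(), netlogon_auth_vars);
    vars->client_name = wmem_strdup(wmem_file_scope(), saved_name);
    ws_debug("2)Len %d offset %d txt %s",(int) strlen(log_name),offset,vars->client_name);

    offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
                                   hf_client_challenge,&vars->client_challenge);
    /* tab is not read on any line visible in this listing. */
    memcpy(tab,&vars->client_challenge,8);

    vars->start = pinfo->num;
    vars->auth_fd_num = -1;
    vars->next_start = -1;

    generate_hash_key(pinfo,0,&key);
    existing_vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key);
    if (!existing_vars) {
        /* The map keeps the key, so both addresses need file-scoped copies. */
        netlogon_auth_key *k = (netlogon_auth_key *)wmem_memdup(wmem_file_scope(), &key, sizeof(netlogon_auth_key));
        copy_address_wmem(wmem_file_scope(), &k->client, &key.client);
        copy_address_wmem(wmem_file_scope(), &k->server, &key.server);
        ws_debug("Adding initial vars with this start packet = %d",vars->start);
        wmem_map_insert(netlogon_auths, k, vars);
    }
    else {
        while(existing_vars->next != NULL && existing_vars->start < vars->start) {
            ws_debug("Looping to find existing vars ...");
            existing_vars = existing_vars->next;
        }
        if(existing_vars->next != NULL || existing_vars->start == vars->start) {
            ws_debug("It seems that I already record this vars start packet = %d",vars->start);
            /*
             * NOTE(review): only the struct is released here; the copied
             * client_name stays allocated until the file scope is freed.
             */
            wmem_free(wmem_file_scope(), vars);
        }
        else {
            ws_debug("Adding a new entry with this start packet = %d",vars->start);
            existing_vars->next_start = pinfo->num;
            existing_vars->next = vars;
        }
    }

    return offset;
}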
/*
 * Dissects a NetrServerReqChallenge reply and stores the server challenge
 * in the matching authentication state.
 *
 * From the visible lines: the state chain is looked up in netlogon_auths
 * with a key built for the server side (generate_hash_key with 1), the
 * 8-byte server challenge and the NT status are dissected, and the chain is
 * advanced while an entry's next_start is set and lies before the current
 * frame; the challenge is then written to vars->server_challenge.
 *
 * NOTE(review): the statement that advances `vars` inside the loop, the
 * surrounding if/else lines and the return are on source lines this listing
 * skips -- confirm them against the upstream file, in particular that `vars`
 * is checked for NULL before the debug line inside the loop dereferences it.
 * NOTE(review): this lookup passes `(const void **) &key` while the request
 * path passes `&key`; presumably both end up as the same pointer -- confirm.
 */
2897 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t
*tvb
, int offset
,
2898 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
2900 netlogon_auth_vars
*vars
;
2901 netlogon_auth_key key
;
2902 uint64_t server_challenge
;
2904 generate_hash_key(pinfo
,1,&key
);
2905 vars
= (netlogon_auth_vars
*)wmem_map_lookup(netlogon_auths
,(const void **) &key
);
2907 offset
= dissect_dcerpc_8bytes(tvb
, offset
, pinfo
, tree
, drep
,
2908 hf_server_challenge
, &server_challenge
);
2909 /*offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2910 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2911 "CREDENTIAL: server credential", -1);*/
2913 offset
= dissect_ntstatus(tvb
, offset
, pinfo
, tree
, di
, drep
,
2914 hf_netlogon_rc
, NULL
);
2916 while(vars
!=NULL
&& vars
->next_start
!= -1 && vars
->next_start
< (int)pinfo
->num
)
2919 ws_debug("looping challenge reply... %d %d ", vars
->next_start
, pinfo
->num
);
2923 ws_debug("Something strange happened while searching for challenge_reply");
2927 vars
->server_challenge
= server_challenge
;
2933 ws_debug("Vars not found in challenge reply");
/*
 * Dissect the secure channel type with dissect_ndr_uint1632.
 *
 * Returns the offset just past the value.
 */
static int
netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint1632(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_secure_channel_type, NULL);
}
2953 * IDL long NetrServerAuthenticate(
2954 * IDL [in][unique][string] wchar_t *ServerName,
2955 * IDL [in][ref][string] wchar_t *UserName,
2956 * IDL [in] short secure_challenge_type,
2957 * IDL [in][ref][string] wchar_t *ComputerName,
2958 * IDL [in][ref] CREDENTIAL client_challenge,
2959 * IDL [out][ref] CREDENTIAL server_challenge
/*
 * Dissect a NetrServerAuthenticate request: server handle, user name,
 * secure channel type, computer name and the client challenge credential.
 * Both names are also shown in the Info column (CB_STR_COL_INFO).
 *
 * Returns the offset just past the request stub.
 */
static int
netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = netlogon_dissect_LOGONSRV_HANDLE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_REF, "User Name",
                                       hf_netlogon_acct_name, CB_STR_COL_INFO);

    pos = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_REF, "Computer Name",
                                       hf_netlogon_computer_name, CB_STR_COL_INFO);

    return dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                               netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                               "CREDENTIAL: client challenge", -1);
}
2985 netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t
*tvb
, int offset
,
/*
 * Dissect a NetrServerAuthenticate reply by delegating to the shared
 * ServerAuthenticate{,2,3} reply dissector with 0 as its last argument.
 *
 * Returns the offset reported by that dissector.
 */
static int
netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    const int end_offset =
        netlogon_dissect_netrserverauthenticate023_reply(tvb, offset, pinfo, tree, di, drep, 0);

    return end_offset;
}
3001 * IDL typedef struct {
3002 * IDL char encrypted_password[16];
3003 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/*
 * Dissect an ENCRYPTED_LM_OWF_PASSWORD: 16 opaque bytes, added to the tree
 * as they appear on the wire.
 *
 * A conformant run only handles conformant arrays, so nothing is dissected
 * then and offset is returned unchanged.  Otherwise returns offset + 16.
 */
static int
netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo _U_, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep _U_)
{
    enum { ENCRYPTED_PASSWORD_LEN = 16 };

    if (!di->conformant_run) {
        proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset,
                            ENCRYPTED_PASSWORD_LEN, ENC_NA);
        offset += ENCRYPTED_PASSWORD_LEN;
    }

    return offset;
}
3023 * IDL long NetrServerPasswordSet(
3024 * IDL [in][unique][string] wchar_t *ServerName,
3025 * IDL [in][ref][string] wchar_t *UserName,
3026 * IDL [in] short secure_challenge_type,
3027 * IDL [in][ref][string] wchar_t *ComputerName,
3028 * IDL [in][ref] AUTHENTICATOR credential,
3029 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
3030 * IDL [out][ref] AUTHENTICATOR return_authenticator
/*
 * Dissect a NetrServerPasswordSet request: server handle, user name, secure
 * channel type, computer name, the credential authenticator and the
 * encrypted LM OWF password.
 *
 * Returns the offset just past the request stub.
 */
static int
netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    int pos = offset;

    pos = netlogon_dissect_LOGONSRV_HANDLE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_REF, "User Name",
                                       hf_netlogon_acct_name, 0);

    pos = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, pos, pinfo, tree, di, drep);

    pos = dissect_ndr_str_pointer_item(tvb, pos, pinfo, tree, di, drep,
                                       NDR_POINTER_REF, "Computer Name",
                                       hf_netlogon_computer_name, 0);

    pos = dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                              netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                              "AUTHENTICATOR: credential", -1);

    return dissect_ndr_pointer(tvb, pos, pinfo, tree, di, drep,
                               netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
                               "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
}
/*
 * Dissect a NetrServerPasswordSet reply: the return authenticator followed
 * by the NT status return code.
 *
 * Returns the offset just past the reply stub.
 */
static int
netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    const int after_auth = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                               netlogon_dissect_AUTHENTICATOR,
                                               NDR_POINTER_REF,
                                               "AUTHENTICATOR: return_authenticator", -1);

    return dissect_ntstatus(tvb, after_auth, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
3075 * IDL typedef struct {
3076 * IDL [unique][string] wchar_t *UserName;
3077 * IDL UNICODESTRING dummy1;
3078 * IDL UNICODESTRING dummy2;
3079 * IDL UNICODESTRING dummy3;
3080 * IDL UNICODESTRING dummy4;
3085 * IDL } DELTA_DELETE_USER;
/*
 * Dissect a DELTA_DELETE_USER structure.
 *
 * Wire order: the unique account-name pointer, four counted strings
 * registered under hf_netlogon_dummy, then four 32-bit values registered
 * under hf_netlogon_reserved.
 *
 * Returns the offset left by the last helper.
 */
static int
netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Account Name",
                                          hf_netlogon_acct_name, 0);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* four reserved 32-bit values */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3124 * IDL typedef struct {
3125 * IDL bool SensitiveDataFlag;
3126 * IDL long DataLength;
3127 * IDL [unique][size_is(DataLength)] char *SensitiveData;
3128 * IDL } USER_PRIVATE_INFO;
3131 netlogon_dissect_SENSITIVE_DATA(tvbuff_t
*tvb
, int offset
,
3132 packet_info
*pinfo
, proto_tree
*tree
,
3133 dcerpc_info
*di
, uint8_t *drep
)
3137 if(di
->conformant_run
){
3138 /*just a run to handle conformant arrays, nothing to dissect */
3142 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3143 hf_netlogon_sensitive_data_len
, &data_len
);
3145 proto_tree_add_item(tree
, hf_netlogon_sensitive_data
, tvb
, offset
,
/*
 * Dissect a USER_PRIVATE_INFO structure: the sensitive-data flag (8 bit),
 * the data length (32 bit) and the unique pointer whose referent is handled
 * by netlogon_dissect_SENSITIVE_DATA.
 *
 * Returns the offset left by dissect_ndr_pointer().
 */
static int
netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    /* SensitiveDataFlag */
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_sensitive_data_flag, NULL);

    /* DataLength */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sensitive_data_len, NULL);

    /* [unique][size_is(DataLength)] SensitiveData */
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_SENSITIVE_DATA,
                               NDR_POINTER_UNIQUE,
                               "SENSITIVE_DATA", -1);
}
3170 * IDL typedef struct {
3171 * IDL UNICODESTRING UserName;
3172 * IDL UNICODESTRING FullName;
3174 * IDL long PrimaryGroupID;
3175 * IDL UNICODESTRING HomeDir;
3176 * IDL UNICODESTRING HomeDirDrive;
3177 * IDL UNICODESTRING LogonScript;
3178 * IDL UNICODESTRING Comment;
3179 * IDL UNICODESTRING Workstations;
3180 * IDL NTTIME LastLogon;
3181 * IDL NTTIME LastLogoff;
3182 * IDL LOGON_HOURS logonhours;
3183 * IDL short BadPwCount;
3184 * IDL short LogonCount;
3185 * IDL NTTIME PwLastSet;
3186 * IDL NTTIME AccountExpires;
3187 * IDL long AccountControl;
3188 * IDL LM_OWF_PASSWORD lmpw;
3189 * IDL NT_OWF_PASSWORD ntpw;
3190 * IDL bool NTPwPresent;
3191 * IDL bool LMPwPresent;
3192 * IDL bool PwExpired;
3193 * IDL UNICODESTRING UserComment;
3194 * IDL UNICODESTRING Parameters;
3195 * IDL short CountryCode;
3196 * IDL short CodePage;
3197 * IDL USER_PRIVATE_INFO user_private_info;
3198 * IDL long SecurityInformation;
3199 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3200 * IDL UNICODESTRING dummy1;
3201 * IDL UNICODESTRING dummy2;
3202 * IDL UNICODESTRING dummy3;
3203 * IDL UNICODESTRING dummy4;
/*
 * Dissect a DELTA_USER structure.
 *
 * Every field is consumed in wire order; the order of the calls below is the
 * layout of the structure and must not be changed.  tvb, pinfo, tree, di and
 * drep are handed unchanged to every helper, offset is threaded through the
 * calls and the value left by the last helper is returned.
 *
 * The LM and NT OWF password fields are dissected here
 * (netlogon_dissect_LM_OWF_PASSWORD / netlogon_dissect_NT_OWF_PASSWORD), as
 * is the USER_PRIVATE_INFO blob; treat captures carrying this delta, and any
 * exported dissection of it, as credential material.
 */
static int
netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    /* account identity */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_acct_name, 3);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_full_name, 0);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_user_rid, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    /* profile strings */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_home_dir, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dir_drive, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_logon_script, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_acct_desc, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_workstations, 0);

    /* logon bookkeeping */
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_logon_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_logoff_time);
    offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_bad_pw_count16, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_logon_count16, NULL);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_pwd_last_set_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_acct_expiry_time);
    offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, di, drep);

    /* password hashes and their presence/expiry flags */
    offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);
    offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_nt_pwd_present, NULL);
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_lm_pwd_present, NULL);
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_pwd_expired, NULL);

    /* comment, parameters and locale */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_comment, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_parameters, 0);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_country, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_codepage, NULL);

    /* NOTE(review): argument list completed with di, drep to match the
     * callee's six-parameter signature - confirm against the tree. */
    offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
                                                di, drep);

    /* security descriptor */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* four reserved 32-bit values */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3328 * IDL typedef struct {
3329 * IDL UNICODESTRING DomainName;
3330 * IDL UNICODESTRING OEMInfo;
3331 * IDL NTTIME forcedlogoff;
3332 * IDL short minpasswdlen;
3333 * IDL short passwdhistorylen;
3334 * IDL NTTIME pwd_must_change_time;
3335 * IDL NTTIME pwd_can_change_time;
3336 * IDL NTTIME domain_modify_time;
3337 * IDL NTTIME domain_create_time;
3338 * IDL long SecurityInformation;
3339 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3340 * IDL UNICODESTRING dummy1;
3341 * IDL UNICODESTRING dummy2;
3342 * IDL UNICODESTRING dummy3;
3343 * IDL UNICODESTRING dummy4;
3348 * IDL } DELTA_DOMAIN;
/*
 * Dissect a DELTA_DOMAIN structure.
 *
 * Wire order: domain name, OEM info, forced-logoff time, minimum password
 * length, password history length, four NTTIME values (password must/can
 * change, domain modify/create), the security information word and security
 * descriptor buffer, then four dummy strings and four reserved 32-bit values.
 *
 * Returns the offset left by the last helper.
 */
static int
netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_domain_name, 3);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_oem_info, 0);

    /* password policy */
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_kickoff_time);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_minpasswdlen, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_passwdhistorylen, NULL);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_pwd_must_change_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_pwd_can_change_time);

    /* domain timestamps */
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_domain_modify_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_domain_create_time);

    /* security descriptor */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* four reserved 32-bit values */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3416 * IDL typedef struct {
3417 * IDL UNICODESTRING groupname;
3418 * IDL GROUP_MEMBERSHIP group_membership;
3419 * IDL UNICODESTRING comment;
3420 * IDL long SecurityInformation;
3421 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3422 * IDL UNICODESTRING dummy1;
3423 * IDL UNICODESTRING dummy2;
3424 * IDL UNICODESTRING dummy3;
3425 * IDL UNICODESTRING dummy4;
3430 * IDL } DELTA_GROUP;
/*
 * Dissect a DELTA_GROUP structure.
 *
 * Wire order: group name, GROUP_MEMBERSHIP, group description, the security
 * information word and security descriptor buffer, then four dummy strings
 * and four reserved 32-bit values.
 *
 * Returns the offset left by the last helper.
 */
static int
netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_group_name, 3);
    offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_group_desc, 0);

    /* security descriptor */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* four reserved 32-bit values */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3480 * IDL typedef struct {
3481 * IDL UNICODESTRING OldName;
3482 * IDL UNICODESTRING NewName;
3483 * IDL UNICODESTRING dummy1;
3484 * IDL UNICODESTRING dummy2;
3485 * IDL UNICODESTRING dummy3;
3486 * IDL UNICODESTRING dummy4;
3491 * IDL } DELTA_RENAME;
3494 netlogon_dissect_DELTA_RENAME(tvbuff_t
*tvb
, int offset
,
3495 packet_info
*pinfo
, proto_tree
*tree
,
3496 dcerpc_info
*di
, uint8_t *drep
)
3498 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
3501 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
3504 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
3505 hf_netlogon_dummy
, 0);
3507 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
3508 hf_netlogon_dummy
, 0);
3510 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
3511 hf_netlogon_dummy
, 0);
3513 offset
= dissect_ndr_counted_string(tvb
, offset
, pinfo
, tree
, di
, drep
,
3514 hf_netlogon_dummy
, 0);
3516 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3517 hf_netlogon_reserved
, NULL
);
3519 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3520 hf_netlogon_reserved
, NULL
);
3522 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3523 hf_netlogon_reserved
, NULL
);
3525 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3526 hf_netlogon_reserved
, NULL
);
/*
 * Dissect one 32-bit RID, registered under hf_netlogon_user_rid.
 * Used as the per-element callback of netlogon_dissect_RID_array.
 *
 * Returns the offset left by dissect_ndr_uint32().
 */
static int
netlogon_dissect_RID(tvbuff_t *tvb, int offset,
                     packet_info *pinfo, proto_tree *tree,
                     dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_user_rid, NULL);
}
/*
 * Dissect an array of RIDs by handing netlogon_dissect_RID to
 * dissect_ndr_ucarray() as the element dissector.
 *
 * Returns the offset left by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_RID);
}
/*
 * Dissect one 32-bit attribute word, registered under hf_netlogon_attrs.
 * Used as the per-element callback of netlogon_dissect_ATTRIB_array.
 *
 * Returns the offset left by dissect_ndr_uint32().
 */
static int
netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_attrs, NULL);
}
/*
 * Dissect an array of attribute words by handing netlogon_dissect_ATTRIB to
 * dissect_ndr_ucarray() as the element dissector.
 *
 * Returns the offset left by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_ATTRIB);
}
3577 * IDL typedef struct {
3578 * IDL [unique][size_is(num_rids)] long *rids;
3579 * IDL [unique][size_is(num_rids)] long *attribs;
3580 * IDL long num_rids;
3585 * IDL } DELTA_GROUP_MEMBER;
3588 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t
*tvb
, int offset
,
3589 packet_info
*pinfo
, proto_tree
*tree
,
3590 dcerpc_info
*di
, uint8_t *drep
)
3592 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
3593 netlogon_dissect_RID_array
, NDR_POINTER_UNIQUE
,
3596 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
3597 netlogon_dissect_ATTRIB_array
, NDR_POINTER_UNIQUE
,
3600 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3601 hf_netlogon_num_rids
, NULL
);
3603 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3604 hf_netlogon_reserved
, NULL
);
3606 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3607 hf_netlogon_reserved
, NULL
);
3609 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3610 hf_netlogon_reserved
, NULL
);
3612 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3613 hf_netlogon_reserved
, NULL
);
3620 * IDL typedef struct {
3621 * IDL UNICODESTRING alias_name;
3623 * IDL long SecurityInformation;
3624 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3625 * IDL UNICODESTRING dummy1;
3626 * IDL UNICODESTRING dummy2;
3627 * IDL UNICODESTRING dummy3;
3628 * IDL UNICODESTRING dummy4;
3633 * IDL } DELTA_ALIAS;
/*
 * Dissect a DELTA_ALIAS structure.
 *
 * Wire order: alias name, alias RID, the security information word and
 * security descriptor buffer, then four dummy strings and four reserved
 * 32-bit values.
 *
 * Returns the offset left by the last helper.
 */
static int
netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_alias_name, 0);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_alias_rid, NULL);

    /* security descriptor */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* four reserved 32-bit values */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3680 * IDL typedef struct {
3681 * IDL [unique] SID_ARRAY sids;
3686 * IDL } DELTA_ALIAS_MEMBER;
/*
 * Dissect a DELTA_ALIAS_MEMBER structure: the SID array (via
 * dissect_ndr_nt_PSID_ARRAY) followed by four reserved 32-bit values.
 *
 * Returns the offset left by the last helper.
 */
static int
netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, di, drep);

    /* four reserved 32-bit values */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/*
 * Dissect one 32-bit event audit option, registered under
 * hf_netlogon_event_audit_option.  Used as the per-element callback of
 * netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY.
 *
 * Returns the offset left by dissect_ndr_uint32().
 */
static int
netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_event_audit_option, NULL);
}
/*
 * Dissect an array of event audit options by handing
 * netlogon_dissect_EVENT_AUDIT_OPTION to dissect_ndr_ucarray() as the
 * element dissector.
 *
 * Returns the offset left by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_EVENT_AUDIT_OPTION);
}
3735 * IDL typedef struct {
3736 * IDL long pagedpoollimit;
3737 * IDL long nonpagedpoollimit;
3738 * IDL long minimumworkingsetsize;
3739 * IDL long maximumworkingsetsize;
3740 * IDL long pagefilelimit;
3741 * IDL NTTIME timelimit;
3742 * IDL } QUOTA_LIMITS;
3745 netlogon_dissect_QUOTA_LIMITS(tvbuff_t
*tvb
, int offset
,
3746 packet_info
*pinfo
, proto_tree
*parent_tree
,
3747 dcerpc_info
*di
, uint8_t *drep
)
3749 proto_item
*item
=NULL
;
3750 proto_tree
*tree
=NULL
;
3751 int old_offset
=offset
;
3754 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 0,
3755 ett_QUOTA_LIMITS
, &item
, "QUOTA_LIMTS:");
3758 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3759 hf_netlogon_pagedpoollimit
, NULL
);
3761 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3762 hf_netlogon_nonpagedpoollimit
, NULL
);
3764 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3765 hf_netlogon_minworkingsetsize
, NULL
);
3767 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3768 hf_netlogon_maxworkingsetsize
, NULL
);
3770 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
3771 hf_netlogon_pagefilelimit
, NULL
);
3773 offset
= dissect_ndr_nt_NTTIME(tvb
, offset
, pinfo
, tree
, di
, drep
,
3774 hf_netlogon_timelimit
);
3776 proto_item_set_len(item
, offset
-old_offset
);
3782 * IDL typedef struct {
3783 * IDL long maxlogsize;
3784 * IDL NTTIME auditretentionperiod;
3785 * IDL bool auditingmode;
3786 * IDL long maxauditeventcount;
3787 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
3788 * IDL UNICODESTRING primarydomainname;
3789 * IDL [unique] SID *sid;
3790 * IDL QUOTA_LIMITS quota_limits;
3791 * IDL NTTIME db_modify_time;
3792 * IDL NTTIME db_create_time;
3793 * IDL long SecurityInformation;
3794 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3795 * IDL UNICODESTRING dummy1;
3796 * IDL UNICODESTRING dummy2;
3797 * IDL UNICODESTRING dummy3;
3798 * IDL UNICODESTRING dummy4;
3803 * IDL } DELTA_POLICY;
/*
 * Dissect a DELTA_POLICY structure.
 *
 * Wire order: maximum log size, audit retention period, auditing mode,
 * maximum audit event count, the unique pointer to the event audit options
 * array, primary domain name, SID pointer, QUOTA_LIMITS, database
 * modify/create times, the security information word and security
 * descriptor buffer, then four dummy strings and four reserved 32-bit
 * values.
 *
 * Returns the offset left by the last helper.
 */
static int
netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    /* audit settings */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_log_size, NULL);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_audit_retention_period);
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_auditing_mode, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_audit_event_count, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "Event Audit Options:", -1);

    /* primary domain and quota */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_domain_name, 0);
    offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
    offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset, pinfo, tree, di, drep);

    /* database timestamps */
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_db_modify_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_db_create_time);

    /* security descriptor */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* four reserved 32-bit values */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/*
 * Dissect one domain controller name as a counted string registered under
 * hf_netlogon_dc_name.  Used as the per-element callback of
 * netlogon_dissect_CONTROLLER_ARRAY.
 *
 * Returns the offset left by dissect_ndr_counted_string().
 */
static int
netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_netlogon_dc_name, 0);
}
/*
 * Dissect an array of domain controller names by handing
 * netlogon_dissect_CONTROLLER to dissect_ndr_ucarray() as the element
 * dissector.
 *
 * Returns the offset left by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_CONTROLLER);
}
3897 * IDL typedef struct {
3898 * IDL UNICODESTRING DomainName;
3899 * IDL long num_controllers;
3900 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
3901 * IDL long SecurityInformation;
3902 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3903 * IDL UNICODESTRING dummy1;
3904 * IDL UNICODESTRING dummy2;
3905 * IDL UNICODESTRING dummy3;
3906 * IDL UNICODESTRING dummy4;
3911 * IDL } DELTA_TRUSTED_DOMAINS;
/*
 * Dissect a DELTA_TRUSTED_DOMAINS structure.
 *
 * Wire order: domain name, controller count, the unique pointer to the
 * controller name array, the security information word and security
 * descriptor buffer, then four dummy strings and four reserved 32-bit
 * values.
 *
 * Returns the offset left by the last helper.
 */
static int
netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
                                       packet_info *pinfo, proto_tree *tree,
                                       dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_domain_name, 0);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_controllers, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CONTROLLER_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "Domain Controllers:", -1);

    /* security descriptor */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* four reserved 32-bit values */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/*
 * Dissect one 32-bit privilege attribute word, registered under
 * hf_netlogon_attrs.  Used as the per-element callback of
 * netlogon_dissect_PRIV_ATTR_ARRAY.
 *
 * Returns the offset left by dissect_ndr_uint32().
 */
static int
netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_attrs, NULL);
}
/*
 * Dissect an array of privilege attribute words by handing
 * netlogon_dissect_PRIV_ATTR to dissect_ndr_ucarray() as the element
 * dissector.
 *
 * Returns the offset left by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_PRIV_ATTR);
}
/*
 * Dissect one privilege name as a counted string registered under
 * hf_netlogon_privilege_name.  Used as the per-element callback of
 * netlogon_dissect_PRIV_NAME_ARRAY.
 *
 * Returns the offset left by dissect_ndr_counted_string().
 */
static int
netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_netlogon_privilege_name, 1);
}
/*
 * Dissect an array of privilege names by handing netlogon_dissect_PRIV_NAME
 * to dissect_ndr_ucarray() as the element dissector.
 *
 * Returns the offset left by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_PRIV_NAME);
}
4008 * IDL typedef struct {
4009 * IDL long privilegeentries;
4010 * IDL long privilegecontrol;
4011 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
4012 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
4013 * IDL QUOTALIMITS quotalimits;
4014 * IDL long SecurityInformation;
4015 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
4016 * IDL UNICODESTRING dummy1;
4017 * IDL UNICODESTRING dummy2;
4018 * IDL UNICODESTRING dummy3;
4019 * IDL UNICODESTRING dummy4;
4024 * IDL } DELTA_ACCOUNTS;
/*
 * Dissect a DELTA_ACCOUNTS structure.
 *
 * Wire order: privilege entry count, privilege control word, the unique
 * pointers to the privilege attribute and privilege name arrays,
 * QUOTA_LIMITS, system flags, the security information word and security
 * descriptor buffer, then four dummy strings and four reserved 32-bit
 * values.
 *
 * Returns the offset left by the last helper.
 */
static int
netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    /* privileges */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_privilege_entries, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_privilege_control, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_PRIV_ATTR_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "PRIV_ATTR_ARRAY:", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_PRIV_NAME_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "PRIV_NAME_ARRAY:", -1);

    /* quota and flags */
    offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_systemflags, NULL);

    /* security descriptor */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* four reserved 32-bit values */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
4084 * IDL typedef struct {
4087 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
4088 * IDL } CIPHER_VALUE;
4091 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t
*tvb
, int offset
,
4092 packet_info
*pinfo
, proto_tree
*tree
,
4093 dcerpc_info
*di
, uint8_t *drep
)
4097 if(di
->conformant_run
){
4098 /*just a run to handle conformant arrays, nothing to dissect */
4102 offset
= dissect_ndr_uint32 (tvb
, offset
, pinfo
, tree
, di
, drep
,
4103 hf_netlogon_cipher_maxlen
, NULL
);
4108 offset
= dissect_ndr_uint32 (tvb
, offset
, pinfo
, tree
, di
, drep
,
4109 hf_netlogon_cipher_len
, &data_len
);
4111 proto_tree_add_item(tree
, di
->hf_index
, tvb
, offset
,
4118 netlogon_dissect_CIPHER_VALUE(tvbuff_t
*tvb
, int offset
,
4119 packet_info
*pinfo
, proto_tree
*parent_tree
,
4120 dcerpc_info
*di
, uint8_t *drep
, const char *name
, int hf_index
)
4122 proto_item
*item
=NULL
;
4123 proto_tree
*tree
=NULL
;
4124 int old_offset
=offset
;
4127 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 0,
4128 ett_CYPHER_VALUE
, &item
, name
);
4131 offset
= dissect_ndr_uint32 (tvb
, offset
, pinfo
, tree
, di
, drep
,
4132 hf_netlogon_cipher_len
, NULL
);
4134 offset
= dissect_ndr_uint32 (tvb
, offset
, pinfo
, tree
, di
, drep
,
4135 hf_netlogon_cipher_maxlen
, NULL
);
4137 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
4138 netlogon_dissect_CIPHER_VALUE_DATA
, NDR_POINTER_UNIQUE
,
4141 proto_item_set_len(item
, offset
-old_offset
);
4146 * IDL typedef struct {
4147 * IDL CIPHER_VALUE current_cipher;
4148 * IDL NTTIME current_cipher_set_time;
4149 * IDL CIPHER_VALUE old_cipher;
4150 * IDL NTTIME old_cipher_set_time;
4151 * IDL long SecurityInformation;
4152 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
4153 * IDL UNICODESTRING dummy1;
4154 * IDL UNICODESTRING dummy2;
4155 * IDL UNICODESTRING dummy3;
4156 * IDL UNICODESTRING dummy4;
4161 * IDL } DELTA_SECRET;
/*
 * Dissect a DELTA_SECRET replication record in wire order: the current and
 * old cipher values with their set times, the SecurityInformation word, the
 * security descriptor buffer, four placeholder strings and four reserved
 * 32-bit words.
 *
 * Both cipher values are displayed as opaque bytes via
 * netlogon_dissect_CIPHER_VALUE; this function does not decrypt them.
 */
static int
netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    int i;

    offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
                                           pinfo, tree, di, drep,
                                           "CIPHER_VALUE: current cipher value",
                                           hf_netlogon_cipher_current_data);

    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_cipher_current_set_time);

    offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
                                           pinfo, tree, di, drep,
                                           "CIPHER_VALUE: old cipher value",
                                           hf_netlogon_cipher_old_data);

    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_cipher_old_set_time);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);

    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1..dummy4 in the IDL: four counted strings, same field. */
    for (i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* Four trailing reserved 32-bit words. */
    for (i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
4217 * IDL typedef struct {
4218 * IDL long low_value;
4219 * IDL long high_value;
/*
 * Dissect a MODIFIED_COUNT (low_value/high_value pair in the IDL) as one
 * double-width integer shown under hf_netlogon_modify_count.
 */
static int
netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_modify_count, NULL);
}
/*
 * Delta type discriminants carried in DELTA_ENUM.delta_type and used as the
 * switch value of DELTA_UNION / DELTA_ID_UNION.
 */
#define DT_DELTA_DOMAIN           1
#define DT_DELTA_GROUP            2
#define DT_DELTA_DELETE_GROUP     3
#define DT_DELTA_RENAME_GROUP     4
#define DT_DELTA_USER             5
#define DT_DELTA_DELETE_USER      6
#define DT_DELTA_RENAME_USER      7
#define DT_DELTA_GROUP_MEMBER     8
#define DT_DELTA_ALIAS            9
#define DT_DELTA_DELETE_ALIAS     10
#define DT_DELTA_RENAME_ALIAS     11
#define DT_DELTA_ALIAS_MEMBER     12
#define DT_DELTA_POLICY           13
#define DT_DELTA_TRUSTED_DOMAINS  14
#define DT_DELTA_DELETE_TRUST     15
#define DT_DELTA_ACCOUNTS         16
#define DT_DELTA_DELETE_ACCOUNT   17
#define DT_DELTA_SECRET           18
#define DT_DELTA_DELETE_SECRET    19
#define DT_DELTA_DELETE_GROUP2    20
#define DT_DELTA_DELETE_USER2     21
#define DT_MODIFIED_COUNT         22
/*
 * Display names for the DT_* delta types, looked up with val_to_str().
 *
 * NOTE(review): the closing { 0, NULL } sentinel is not visible in the
 * listing; it is restored here because value_string tables need one.
 */
static const value_string delta_type_vals[] = {
    { DT_DELTA_DOMAIN,          "Domain" },
    { DT_DELTA_GROUP,           "Group" },
    { DT_DELTA_DELETE_GROUP,    "Delete Group" },
    { DT_DELTA_RENAME_GROUP,    "Rename Group" },
    { DT_DELTA_USER,            "User" },
    { DT_DELTA_DELETE_USER,     "Delete User" },
    { DT_DELTA_RENAME_USER,     "Rename User" },
    { DT_DELTA_GROUP_MEMBER,    "Group Member" },
    { DT_DELTA_ALIAS,           "Alias" },
    { DT_DELTA_DELETE_ALIAS,    "Delete Alias" },
    { DT_DELTA_RENAME_ALIAS,    "Rename Alias" },
    { DT_DELTA_ALIAS_MEMBER,    "Alias Member" },
    { DT_DELTA_POLICY,          "Policy" },
    { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
    { DT_DELTA_DELETE_TRUST,    "Delete Trust" },
    { DT_DELTA_ACCOUNTS,        "Accounts" },
    { DT_DELTA_DELETE_ACCOUNT,  "Delete Account" },
    { DT_DELTA_SECRET,          "Secret" },
    { DT_DELTA_DELETE_SECRET,   "Delete Secret" },
    { DT_DELTA_DELETE_GROUP2,   "Delete Group2" },
    { DT_DELTA_DELETE_USER2,    "Delete User2" },
    { DT_MODIFIED_COUNT,        "Modified Count" },
    { 0, NULL }
};
4283 * IDL typedef [switch_type(short)] union {
4284 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
4285 * IDL [case(2)][unique] DELTA_GROUP *group;
4286 * IDL [case(3)][unique] rid only ;
4287 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
4288 * IDL [case(5)][unique] DELTA_USER *user;
4289 * IDL [case(6)][unique] rid only ;
4290 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
4291 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
4292 * IDL [case(9)][unique] DELTA_ALIAS *alias;
4293 * IDL [case(10)][unique] rid only ;
4294 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *alias;
4295 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
4296 * IDL [case(13)][unique] DELTA_POLICY *policy;
4297 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
4298 * IDL [case(15)][unique] PSID ;
4299 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
4300 * IDL [case(17)][unique] PSID ;
4301 * IDL [case(18)][unique] DELTA_SECRET *secret;
4302 * IDL [case(19)][unique] string;
4303 * IDL [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
4304 * IDL [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
4305 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
4306 * IDL } DELTA_UNION;
/*
 * Dissect a DELTA_UNION: a 16-bit delta type followed by a unique pointer to
 * the structure that type selects, inside a "DELTA_UNION:" subtree.
 *
 * Delta types with no arm below (the delete-by-RID, PSID and string arms of
 * the IDL) add nothing after the discriminant.
 *
 * NOTE(review): the listing omits the switch/case lines, the alignment step
 * before the switch and the tail of the DELTA_USER call. Case values are
 * restored from the IDL numbering and the DT_* constants, the alignment and
 * the "DELTA_USER:" label from the neighbouring pattern -- confirm upstream.
 */
static int
netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *parent_tree,
                             dcerpc_info *di, uint8_t *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    const int start_offset = offset;
    uint16_t level = 0;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DELTA_UNION, &item, "DELTA_UNION:");
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_delta_type, &level);

    ALIGN_TO_4_BYTES;
    switch (level) {
    case DT_DELTA_DOMAIN:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
                                     "DELTA_DOMAIN:", -1);
        break;
    case DT_DELTA_GROUP:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
                                     "DELTA_GROUP:", -1);
        break;
    case DT_DELTA_RENAME_GROUP:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
                                     "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
        break;
    case DT_DELTA_USER:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
                                     "DELTA_USER:", -1);
        break;
    case DT_DELTA_RENAME_USER:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
                                     "DELTA_RENAME_USER:", hf_netlogon_acct_name);
        break;
    case DT_DELTA_GROUP_MEMBER:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
                                     "DELTA_GROUP_MEMBER:", -1);
        break;
    case DT_DELTA_ALIAS:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
                                     "DELTA_ALIAS:", -1);
        break;
    case DT_DELTA_RENAME_ALIAS:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
                                     "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
        break;
    case DT_DELTA_ALIAS_MEMBER:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
                                     "DELTA_ALIAS_MEMBER:", -1);
        break;
    case DT_DELTA_POLICY:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
                                     "DELTA_POLICY:", -1);
        break;
    case DT_DELTA_TRUSTED_DOMAINS:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
                                     "DELTA_TRUSTED_DOMAINS:", -1);
        break;
    case DT_DELTA_ACCOUNTS:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
                                     "DELTA_ACCOUNTS:", -1);
        break;
    case DT_DELTA_SECRET:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
                                     "DELTA_SECRET:", -1);
        break;
    case DT_DELTA_DELETE_GROUP2:
        /* Uses the DELETE_USER dissector under a DELETE_GROUP label. */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
                                     "DELTA_DELETE_GROUP:", -1);
        break;
    case DT_DELTA_DELETE_USER2:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
                                     "DELTA_DELETE_USER:", -1);
        break;
    case DT_MODIFIED_COUNT:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
                                     "MODIFIED_COUNT:", -1);
        break;
    }

    proto_item_set_len(item, offset - start_offset);
    return offset;
}
4416 /* IDL XXX must verify this one, especially 13-19
4417 * IDL typedef [switch_type(short)] union {
4418 * IDL [case(1)] long rid;
4419 * IDL [case(2)] long rid;
4420 * IDL [case(3)] long rid;
4421 * IDL [case(4)] long rid;
4422 * IDL [case(5)] long rid;
4423 * IDL [case(6)] long rid;
4424 * IDL [case(7)] long rid;
4425 * IDL [case(8)] long rid;
4426 * IDL [case(9)] long rid;
4427 * IDL [case(10)] long rid;
4428 * IDL [case(11)] long rid;
4429 * IDL [case(12)] long rid;
4430 * IDL [case(13)] [unique] SID *sid;
4431 * IDL [case(14)] [unique] SID *sid;
4432 * IDL [case(15)] [unique] SID *sid;
4433 * IDL [case(16)] [unique] SID *sid;
4434 * IDL [case(17)] [unique] SID *sid;
4435 * IDL [case(18)] [unique][string] wchar_t *Name ;
4436 * IDL [case(19)] [unique][string] wchar_t *Name ;
4437 * IDL [case(20)] long rid;
4438 * IDL [case(21)] long rid;
4439 * IDL } DELTA_ID_UNION;
/*
 * Dissect a DELTA_ID_UNION: a 16-bit delta type followed by the identifier
 * of the changed object (a RID, a SID pointer or a string pointer), inside a
 * "DELTA_ID_UNION:" subtree.
 *
 * Arms that make the same call are grouped under one set of labels. The IDL
 * comment above this function marks arms 13-19 as unverified.
 *
 * NOTE(review): the listing omits the switch/case lines and the alignment
 * step before the switch; both are restored from the IDL numbering and the
 * order of the visible calls -- confirm upstream.
 */
static int
netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *parent_tree,
                                dcerpc_info *di, uint8_t *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    const int start_offset = offset;
    uint16_t level = 0;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DELTA_ID_UNION, &item, "DELTA_ID_UNION:");
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_delta_type, &level);

    ALIGN_TO_4_BYTES;
    switch (level) {
    case 1:
        /* Only arm shown as a group RID. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_group_rid, NULL);
        break;

    case 2:  case 3:  case 4:  case 5:
    case 6:  case 7:  case 8:  case 9:
    case 10: case 11: case 12:
    case 20: case 21:
        /* Every other RID arm is shown under the user RID field. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_user_rid, NULL);
        break;

    case 13: case 14: case 15: case 16: case 17:
        offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
        break;

    case 18: case 19:
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
                                              tree, di, drep, NDR_POINTER_UNIQUE, "unknown",
                                              hf_netlogon_unknown_string, 0);
        break;
    }

    proto_item_set_len(item, offset - start_offset);
    return offset;
}
4549 * IDL typedef struct {
4550 * IDL short delta_type;
4551 * IDL DELTA_ID_UNION delta_id_union;
4552 * IDL DELTA_UNION delta_union;
/*
 * Dissect one DELTA_ENUM entry: the 16-bit delta type, then the
 * DELTA_ID_UNION and the DELTA_UNION it governs, inside a "DELTA_ENUM:"
 * subtree whose label gets the delta type name appended.
 */
static int
netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *parent_tree,
                            dcerpc_info *di, uint8_t *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    const int start_offset = offset;
    uint16_t type;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DELTA_ENUM, &item, "DELTA_ENUM:");
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_delta_type, &type);

    /* Types missing from delta_type_vals are labelled "Unknown". */
    proto_item_append_text(item, "%s",
                           val_to_str(type, delta_type_vals, "Unknown"));

    offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
                                             pinfo, tree, di, drep);

    offset = netlogon_dissect_DELTA_UNION(tvb, offset,
                                          pinfo, tree, di, drep);

    proto_item_set_len(item, offset - start_offset);
    return offset;
}
/*
 * Dissect the conformant array of DELTA_ENUM entries referenced by
 * DELTA_ENUM_ARRAY, one netlogon_dissect_DELTA_ENUM call per element.
 */
static int
netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DELTA_ENUM);
}
4598 * IDL typedef struct {
4599 * IDL long num_deltas;
4600 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
4601 * IDL } DELTA_ENUM_ARRAY;
/*
 * Dissect a DELTA_ENUM_ARRAY: the num_deltas count followed by a unique
 * pointer to the array of DELTA_ENUM entries.
 */
static int
netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    /* Displayed only; the array dissector reads its own element count. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_deltas, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM: deltas", -1);

    return offset;
}
4620 * IDL long NetrDatabaseDeltas(
4621 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4622 * IDL [in][string][ref] wchar_t *computername,
4623 * IDL [in][ref] AUTHENTICATOR credential,
4624 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4625 * IDL [in] long database_id,
4626 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
4627 * IDL [in] long preferredmaximumlength,
4628 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect a NetrDatabaseDeltas request: server handle, computer name, the
 * credential and return authenticators, database id, the domain modified
 * count and the preferred maximum length.
 */
static int
netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_database_id, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
                                 "MODIFIED_COUNT: domain modified count", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_size, NULL);

    return offset;
}
/*
 * Dissect a NetrDatabaseDeltas reply: return authenticator, updated domain
 * modified count, the optional DELTA_ENUM_ARRAY and the NTSTATUS result.
 */
static int
netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *tree,
                                          dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
                                 "MODIFIED_COUNT: domain modified count", -1);

    /* Unique pointer: the delta array may be absent. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
4685 * IDL long NetrDatabaseSync(
4686 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4687 * IDL [in][string][ref] wchar_t *computername,
4688 * IDL [in][ref] AUTHENTICATOR credential,
4689 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4690 * IDL [in] long database_id,
4691 * IDL [in][out][ref] long sync_context,
4692 * IDL [in] long preferredmaximumlength,
4693 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect a NetrDatabaseSync request: server handle, computer name, the
 * credential and return authenticators, database id, sync context and the
 * preferred maximum length.
 */
static int
netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
                                       packet_info *pinfo, proto_tree *tree,
                                       dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_database_id, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_size, NULL);

    return offset;
}
/*
 * Dissect a NetrDatabaseSync reply: return authenticator, updated sync
 * context, the optional DELTA_ENUM_ARRAY and the NTSTATUS result.
 */
static int
netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    /* Unique pointer: the delta array may be absent. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
4749 * IDL typedef struct {
4750 * IDL char computer_name[16];
4751 * IDL long timecreated;
4752 * IDL long serial_number;
/*
 * Dissect a UAS_INFO_0 record: a fixed 16-byte ASCII computer name, a 32-bit
 * creation time whose format is not decoded, and a 32-bit serial number.
 *
 * NOTE(review): the listing omits the two offset advances after the fixed
 * size fields; `offset += 16` and `offset += 4` are restored from the item
 * lengths -- confirm upstream.
 */
static int
netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    uint32_t time_created;

    if (di->conformant_run) {
        /* Pre-pass for conformant arrays only: nothing to dissect. */
        return offset;
    }

    /* computer_name[16] in the IDL: fixed width, not a counted string. */
    proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, ENC_ASCII);
    offset += 16;

    /* Shown with a fixed "unknown time format" label, not the raw number. */
    time_created = tvb_get_uint32(tvb, offset, DREP_ENC_INTEGER(drep));
    proto_tree_add_uint_format_value(tree, hf_netlogon_time_created, tvb, offset, 4,
                                     time_created, "unknown time format");
    offset += 4;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_serial_number, NULL);

    return offset;
}
4781 * IDL long NetrAccountDeltas(
4782 * IDL [in][string][unique] wchar_t *logonserver,
4783 * IDL [in][string][ref] wchar_t *computername,
4784 * IDL [in][ref] AUTHENTICATOR credential,
4785 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4786 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4787 * IDL [out][ref] long count_returned,
4788 * IDL [out][ref] long total_entries,
4789 * IDL [in][out][ref] UAS_INFO_0 recordid,
4790 * IDL [in][long] count,
4791 * IDL [in][long] level,
4792 * IDL [in][long] buffersize,
/*
 * Dissect a NetrAccountDeltas request: logon server handle, computer name,
 * the credential and return authenticators, the UAS_INFO_0 record id, and the
 * count, level and buffer size words.
 */
static int
netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                                 "UAS_INFO_0: RecordID", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_size, NULL);

    return offset;
}
/*
 * Dissect a NetrAccountDeltas reply: return authenticator, the returned byte
 * buffer, the returned count and total entries, the updated UAS_INFO_0 record
 * id and the NTSTATUS result.
 */
static int
netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                                 "BYTE_array: Buffer", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                                 "UAS_INFO_0: RecordID", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
4858 * IDL long NetrAccountSync(
4859 * IDL [in][string][unique] wchar_t *logonserver,
4860 * IDL [in][string][ref] wchar_t *computername,
4861 * IDL [in][ref] AUTHENTICATOR credential,
4862 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4863 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4864 * IDL [out][ref] long count_returned,
4865 * IDL [out][ref] long total_entries,
4866 * IDL [out][ref] long next_reference,
4867 * IDL [in][long] reference,
4868 * IDL [in][long] level,
4869 * IDL [in][long] buffersize,
4870 * IDL [in][out][ref] UAS_INFO_0 recordid,
/*
 * Dissect a NetrAccountSync request: logon server handle, computer name, the
 * credential and return authenticators, and the reference, level and buffer
 * size words.
 */
static int
netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_reference, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_size, NULL);

    return offset;
}
/*
 * Dissect a NetrAccountSync reply: return authenticator, the returned byte
 * buffer, the returned count, total entries and next reference, the
 * UAS_INFO_0 record id and the NTSTATUS result.
 */
static int
netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
                                       packet_info *pinfo, proto_tree *tree,
                                       dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                                 "BYTE_array: Buffer", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_next_reference, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                                 "UAS_INFO_0: RecordID", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
4935 * IDL long NetrGetDcName(
4936 * IDL [in][ref][string] wchar_t *logon_server,
4937 * IDL [in][unique][string] wchar_t *domainname,
4938 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Dissect a NetrGetDcName request: the logon server name (ref pointer)
 * followed by the optional domain name (unique pointer).
 */
static int
netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_domain_name, 0);

    return offset;
}
/*
 * Dissect a NetrGetDcName reply: the optional DC name string followed by the
 * NTSTATUS result.
 */
static int
netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    /* NOTE(review): pointer label reads "Domain" although the field is the DC name. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_dc_name, 0);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
4969 * IDL typedef struct {
4971 * IDL long pdc_connection_status;
4972 * IDL } NETLOGON_INFO_1;
/*
 * Dissect a NETLOGON_INFO_1: the flags word followed by the PDC connection
 * status.
 */
static int
netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pdc_connection_status, NULL);

    return offset;
}
4990 * IDL typedef struct {
4992 * IDL long pdc_connection_status;
4993 * IDL [unique][string] wchar_t trusted_dc_name;
4994 * IDL long tc_connection_status;
4995 * IDL } NETLOGON_INFO_2;
/*
 * Dissect a NETLOGON_INFO_2: flags, PDC connection status, the optional
 * trusted DC name and the trusted-channel connection status.
 */
static int
netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pdc_connection_status, NULL);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Trusted DC Name",
                                          hf_netlogon_trusted_dc_name, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_tc_connection_status, NULL);

    return offset;
}
5020 * IDL typedef struct {
5022 * IDL long logon_attempts;
5023 * IDL long reserved;
5024 * IDL long reserved;
5025 * IDL long reserved;
5026 * IDL long reserved;
5027 * IDL long reserved;
5028 * IDL } NETLOGON_INFO_3;
/*
 * Dissect a NETLOGON_INFO_3: flags, the logon attempts counter and five
 * reserved 32-bit words.
 */
static int
netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    int i;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_logon_attempts, NULL);

    /* Five reserved words, all shown under the same field. */
    for (i = 0; i < 5; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
5061 * IDL typedef [switch_type(long)] union {
5062 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
5063 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
5064 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
5065 * IDL } CONTROL_QUERY_INFORMATION;
/*
 * Dissect a CONTROL_QUERY_INFORMATION union: a 32-bit level followed by a
 * unique pointer to the NETLOGON_INFO_1/2/3 structure that level selects.
 * Other levels add nothing after the discriminant.
 *
 * NOTE(review): the listing omits the switch/case lines and the alignment
 * step before the switch; both are restored from the IDL numbering (cases
 * 1-3) and the order of the visible calls -- confirm upstream.
 */
static int
netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    uint32_t level;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, &level);

    ALIGN_TO_4_BYTES;
    switch (level) {
    case 1:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
                                     "NETLOGON_INFO_1:", -1);
        break;
    case 2:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
                                     "NETLOGON_INFO_2:", -1);
        break;
    case 3:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
                                     "NETLOGON_INFO_3:", -1);
        break;
    }

    return offset;
}
5101 * IDL long NetrLogonControl(
5102 * IDL [in][string][unique] wchar_t *logonserver,
5103 * IDL [in] long function_code,
5104 * IDL [in] long level,
5105 * IDL [out][ref] CONTROL_QUERY_INFORMATION
/*
 * Dissect a NetrLogonControl request: logon server handle, function code and
 * the requested information level.
 */
static int
netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
                                       packet_info *pinfo, proto_tree *tree,
                                       dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    return offset;
}
/*
 * Dissect a NetrLogonControl reply: the CONTROL_QUERY_INFORMATION union and
 * the 32-bit WERR result, whose name is appended to the Info column.
 *
 * NOTE(review): the listing omits the line guarding col_append_fstr();
 * `if (status != 0)` is restored so that only failures are reported in the
 * column -- confirm upstream.
 */
static int
netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    uint32_t status;

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
                                 "CONTROL_QUERY_INFORMATION:", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_werr_rc, &status);

    if (status != 0) {
        /* Codes missing from WERR_errors_ext are printed as hex. */
        col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s",
                        val_to_str_ext(status, &WERR_errors_ext,
                                       "Unknown WERR error 0x%08x"));
    }

    return offset;
}
5143 * IDL long NetrGetAnyDCName(
5144 * IDL [in][unique][string] wchar_t *logon_server,
5145 * IDL [in][unique][string] wchar_t *domainname,
5146 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Dissect a NetrGetAnyDCName request: the optional logon server name and the
 * optional domain name, both unique string pointers.
 */
static int
netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
                                       packet_info *pinfo, proto_tree *tree,
                                       dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_domain_name, 0);

    return offset;
}
/*
 * Dissect a NetrGetAnyDCName reply: the optional DC name string followed by
 * the result code, decoded with dissect_ntstatus under hf_netlogon_dos_rc.
 */
static int
netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    /* NOTE(review): pointer label reads "Domain" although the field is the DC name. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_dc_name, 0);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_dos_rc, NULL);

    return offset;
}
5177 * IDL typedef [switch_type(long)] union {
5178 * IDL [case(5)] [unique][string] wchar_t *unknown;
5179 * IDL [case(6)] [unique][string] wchar_t *unknown;
5180 * IDL [case(0xfffe)] long unknown;
5181 * IDL [case(7)] [unique][string] wchar_t *unknown;
5182 * IDL } CONTROL_DATA_INFORMATION;
5185 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
5186 * to look like. However NetMon does not recognize any such informationlevels.
5188 * I'll leave it as CONTROL_DATA_INFORMATION with no informationlevels
5189 * until someone has any source of better authority to call upon.
/*
 * Dissect a CONTROL_DATA_INFORMATION union. The 32-bit level is read into
 * `level`; the statements after it dissect either a [unique] string
 * ("Trusted Domain Name" twice, "UserName") or one 32-bit value.
 *
 * NOTE(review): the lines that select an arm from `level` (presumably a
 * switch with case labels) are not shown in this listing, so which level
 * maps to which arm cannot be confirmed from here. `level` is read straight
 * from the packet; verify that an unlisted level dissects no arm at all.
 */
5192 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t
*tvb
, int offset
,
5193 packet_info
*pinfo
, proto_tree
*tree
,
5194 dcerpc_info
*di
, uint8_t *drep
)
5198 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
5199 hf_netlogon_level
, &level
);
5204 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
,
5205 tree
, di
, drep
, NDR_POINTER_UNIQUE
, "Trusted Domain Name",
5206 hf_netlogon_TrustedDomainName_string
, 0);
5209 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
,
5210 tree
, di
, drep
, NDR_POINTER_UNIQUE
, "Trusted Domain Name",
5211 hf_netlogon_TrustedDomainName_string
, 0);
5214 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
5215 hf_netlogon_unknown_long
, NULL
);
5218 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
,
5219 tree
, di
, drep
, NDR_POINTER_UNIQUE
, "UserName",
5220 hf_netlogon_UserName_string
, 0);
5229 * IDL long NetrLogonControl2(
5230 * IDL [in][string][unique] wchar_t *logonserver,
5231 * IDL [in] long function_code,
5232 * IDL [in] long level,
5233 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
5234 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
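/*
 * Request dissector for NetrLogonControl2: logon server handle, function
 * code, level, then the [ref] CONTROL_DATA_INFORMATION pointer.
 *
 * Returns the offset just past the dissected data.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CONTROL_DATA_INFORMATION,
                                 NDR_POINTER_REF,
                                 "CONTROL_DATA_INFORMATION: ", -1);

    return offset;
}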
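/*
 * Reply dissector for NetrLogonControl2. The reply is handed unchanged to
 * netlogon_dissect_netrlogoncontrol_reply().
 *
 * NOTE(review): return type and braces are not shown in this listing;
 * restored per the file's dissector convention.
 */
static int
netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_netrlogoncontrol_reply(tvb, offset, pinfo, tree,
                                                   di, drep);
}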
5268 * IDL long NetrDatabaseSync2(
5269 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
5270 * IDL [in][string][ref] wchar_t *computername,
5271 * IDL [in][ref] AUTHENTICATOR credential,
5272 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
5273 * IDL [in] long database_id,
5274 * IDL [in] short restart_state,
5275 * IDL [in][out][ref] long *sync_context,
5276 * IDL [in] long preferredmaximumlength,
5277 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
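/*
 * Request dissector for NetrDatabaseSync2, in wire order: server handle and
 * computer name ([ref] strings), the credential and return authenticators,
 * database id, restart state (16 bit), sync context and the preferred
 * maximum length.
 *
 * Returns the offset just past the dissected data.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_database_id, NULL);

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_restart_state, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_size, NULL);

    return offset;
}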
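/*
 * Reply dissector for NetrDatabaseSync2: return authenticator, sync
 * context, the [unique] DELTA_ENUM_ARRAY pointer and the NTSTATUS code.
 *
 * Returns the offset just past the dissected data.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}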
5336 * IDL long NetrDatabaseRedo(
5337 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
5338 * IDL [in][string][ref] wchar_t *computername,
5339 * IDL [in][ref] AUTHENTICATOR credential,
5340 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
5341 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
5342 * IDL [in] long change_log_entry_size,
5343 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
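/*
 * Request dissector for NetrDatabaseRedo, in wire order: server handle and
 * computer name ([ref] strings), the credential and return authenticators,
 * the change log entry (a byte array behind a [ref] pointer) and its size.
 *
 * Returns the offset just past the dissected data.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
                                       packet_info *pinfo, proto_tree *tree,
                                       dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array,
                                 NDR_POINTER_REF,
                                 "Change log entry: ", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_log_size, NULL);

    return offset;
}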
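/*
 * Reply dissector for NetrDatabaseRedo: return authenticator, the [unique]
 * DELTA_ENUM_ARRAY pointer and the NTSTATUS code.
 *
 * Returns the offset just past the dissected data.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}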
5394 * IDL long NetrLogonControl2Ex(
5395 * IDL [in][string][unique] wchar_t *logonserver,
5396 * IDL [in] long function_code,
5397 * IDL [in] long level,
5398 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
5399 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
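/*
 * Request dissector for NetrLogonControl2Ex: logon server handle, function
 * code, level, then the [ref] CONTROL_DATA_INFORMATION pointer. The visible
 * statements are the same as in the NetrLogonControl2 request.
 *
 * Returns the offset just past the dissected data.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *tree,
                                          dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CONTROL_DATA_INFORMATION,
                                 NDR_POINTER_REF,
                                 "CONTROL_DATA_INFORMATION: ", -1);

    return offset;
}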
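/*
 * Reply dissector for NetrLogonControl2Ex. The reply is handed unchanged to
 * netlogon_dissect_netrlogoncontrol_reply().
 *
 * NOTE(review): return type and braces are not shown in this listing;
 * restored per the file's dissector convention.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_netrlogoncontrol_reply(tvb, offset, pinfo, tree,
                                                   di, drep);
}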
5431 static const value_string trust_type_vals
[] = {
5432 { 1, "NT4 Domain" },
5434 { 3, "MIT Kerberos realm" },
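/* Address kinds a domain controller address can be reported as. */
#define DS_INET_ADDRESS     1
#define DS_NETBIOS_ADDRESS  2

/*
 * Display names for the address kinds above.
 *
 * NOTE(review): the terminating entry and the closing brace are not shown
 * in this listing; a value_string table has to end with { 0, NULL }, so
 * both are restored here.
 */
static const value_string dc_address_types[] = {
    { DS_INET_ADDRESS,    "IP/DNS name" },
    { DS_NETBIOS_ADDRESS, "NetBIOS name" },
    { 0, NULL }
};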
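#define RQ_ROOT_FOREST              0x0001
#define RQ_DC_XFOREST               0x0002
#define RQ_RODC_DIF_DOMAIN          0x0004
#define RQ_NTLM_FROM_RODC           0x0008

/* Bits of the domain trust flags word. */
#define DS_DOMAIN_IN_FOREST         0x0001
#define DS_DOMAIN_DIRECT_OUTBOUND   0x0002
#define DS_DOMAIN_TREE_ROOT         0x0004
#define DS_DOMAIN_PRIMARY           0x0008
#define DS_DOMAIN_NATIVE_MODE       0x0010
#define DS_DOMAIN_DIRECT_INBOUND    0x0020

/*
 * Display strings for the trust flag bits: the first string is shown when
 * the bit is set, the second when it is clear.
 *
 * NOTE(review): the closing "};" of each table is not shown in this listing
 * and is restored here.
 */
static const true_false_string trust_inbound = {
    "There is a DIRECT INBOUND trust for the servers domain",
    "There is NO direct inbound trust for the servers domain"
};
static const true_false_string trust_outbound = {
    "There is a DIRECT OUTBOUND trust for this domain",
    "There is NO direct outbound trust for this domain"
};
static const true_false_string trust_in_forest = {
    "The domain is a member IN the same FOREST as the queried server",
    "The domain is NOT a member of the queried servers domain"
};
static const true_false_string trust_native_mode = {
    "The primary domain is a NATIVE MODE w2k domain",
    "The primary is NOT a native mode w2k domain"
};
static const true_false_string trust_primary = {
    "The domain is the PRIMARY domain of the queried server",
    "The domain is NOT the primary domain of the queried server"
};
static const true_false_string trust_tree_root = {
    "The domain is the ROOT of a domain TREE",
    "The domain is NOT a root of a domain tree"
};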
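/*
 * Dissect the 32-bit domain trust flags word and show it as a bitmask
 * under hf_netlogon_trust_flags.
 *
 * The word is first read without a tree so that only the bitmask item is
 * added; the item is anchored at offset - 4, the position the value was
 * read from. Nothing is dissected during a conformant run.
 *
 * Returns the offset just past the flags word.
 *
 * NOTE(review): the return type, the declaration of `mask`, the array
 * terminator, the early return, the tail of the dissect_ndr_uint32() call
 * and the final return fall on lines this listing omits. They are restored
 * here to match netlogon_dissect_GET_DCNAME_REQUEST_FLAGS, whose read call
 * is fully visible.
 */
static int
netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *parent_tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    uint32_t mask;
    static int * const flags[] = {
        &hf_netlogon_trust_flags_inbound,
        &hf_netlogon_trust_flags_native_mode,
        &hf_netlogon_trust_flags_primary,
        &hf_netlogon_trust_flags_tree_root,
        &hf_netlogon_trust_flags_outbound,
        &hf_netlogon_trust_flags_in_forest,
        NULL
    };

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                -1, &mask);

    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                            hf_netlogon_trust_flags,
                                            ett_trust_flags, flags, mask,
                                            BMT_NO_APPEND);

    return offset;
}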
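/*
 * Display strings for the trust attribute bits: the first string is shown
 * when the bit is set, the second when it is clear.
 *
 * NOTE(review): the closing "};" of each table is not shown in this listing
 * and is restored here.
 */
static const true_false_string trust_attribs_non_transitive = {
    "This is a NON TRANSITIVE trust relation",
    "This is a normal trust"
};
static const true_false_string trust_attribs_uplevel_only = {
    "This is an UPLEVEL ONLY trust relation",
    "This is a normal trust"
};
static const true_false_string trust_attribs_quarantined_domain = {
    "This is a QUARANTINED DOMAIN (so don't expect lookupsids to work)",
    "This is a normal trust"
};
static const true_false_string trust_attribs_forest_transitive = {
    "This is a FOREST TRANSITIVE trust",
    "This is a normal trust"
};
static const true_false_string trust_attribs_cross_organization = {
    "This is a CROSS ORGANIZATION trust",
    "This is a normal trust"
};
static const true_false_string trust_attribs_within_forest = {
    "This is a WITHIN FOREST trust",
    "This is a normal trust"
};
static const true_false_string trust_attribs_treat_as_external = {
    "TREAT this trust AS an EXTERNAL trust",
    "This is a normal trust"
};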
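/*
 * Dissect the 32-bit domain trust attributes word and show it as a bitmask
 * under hf_netlogon_trust_attribs.
 *
 * The word is first read without a tree so that only the bitmask item is
 * added; the item is anchored at offset - 4, the position the value was
 * read from. Nothing is dissected during a conformant run.
 *
 * Returns the offset just past the attributes word.
 *
 * NOTE(review): the return type, the declaration of `mask`, the array
 * terminator, the early return, the tail of the dissect_ndr_uint32() call
 * and the final return fall on lines this listing omits. They are restored
 * here to match netlogon_dissect_GET_DCNAME_REQUEST_FLAGS, whose read call
 * is fully visible.
 */
static int
netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *parent_tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    uint32_t mask;
    static int * const attr[] = {
        &hf_netlogon_trust_attribs_treat_as_external,
        &hf_netlogon_trust_attribs_within_forest,
        &hf_netlogon_trust_attribs_cross_organization,
        &hf_netlogon_trust_attribs_forest_transitive,
        &hf_netlogon_trust_attribs_quarantined_domain,
        &hf_netlogon_trust_attribs_uplevel_only,
        &hf_netlogon_trust_attribs_non_transitive,
        NULL
    };

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                -1, &mask);

    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                            hf_netlogon_trust_attribs,
                                            ett_trust_attribs, attr, mask,
                                            BMT_NO_APPEND);

    return offset;
}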
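/* Bits of the flags word a client passes when asking for a DC name. */
#define DS_FORCE_REDISCOVERY            0x00000001
#define DS_DIRECTORY_SERVICE_REQUIRED   0x00000010
#define DS_DIRECTORY_SERVICE_PREFERRED  0x00000020
#define DS_GC_SERVER_REQUIRED           0x00000040
#define DS_PDC_REQUIRED                 0x00000080
#define DS_BACKGROUND_ONLY              0x00000100
#define DS_IP_REQUIRED                  0x00000200
#define DS_KDC_REQUIRED                 0x00000400
#define DS_TIMESERV_REQUIRED            0x00000800
#define DS_WRITABLE_REQUIRED            0x00001000
#define DS_GOOD_TIMESERV_PREFERRED      0x00002000
#define DS_AVOID_SELF                   0x00004000
#define DS_ONLY_LDAP_NEEDED             0x00008000
#define DS_IS_FLAT_NAME                 0x00010000
#define DS_IS_DNS_NAME                  0x00020000
#define DS_RETURN_DNS_NAME              0x40000000
#define DS_RETURN_FLAT_NAME             0x80000000

/*
 * Display strings for the request flag bits: the first string is shown
 * when the bit is set, the second when it is clear.
 *
 * NOTE(review): the closing "};" of each table is not shown in this listing
 * and is restored here.
 */
static const true_false_string get_dcname_request_flags_force_rediscovery = {
    "FORCE REDISCOVERY of any cached data",
    "You may return cached data"
};
static const true_false_string get_dcname_request_flags_directory_service_required = {
    "DIRECTORY SERVICE is REQUIRED on the server",
    "We do NOT require directory service servers"
};
static const true_false_string get_dcname_request_flags_directory_service_preferred = {
    "DIRECTORY SERVICE servers are PREFERRED",
    "We do NOT have a preference for directory service servers"
};
static const true_false_string get_dcname_request_flags_gc_server_required = {
    "GC SERVER is REQUIRED",
    "gc server is NOT required"
};
static const true_false_string get_dcname_request_flags_pdc_required = {
    "PDC SERVER is REQUIRED",
    "pdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_background_only = {
    "Only return cached data, even if it has expired",
    "Return cached data unless it has expired"
};
static const true_false_string get_dcname_request_flags_ip_required = {
    "IP address is REQUIRED",
    "ip address is NOT required"
};
static const true_false_string get_dcname_request_flags_kdc_required = {
    "KDC server is REQUIRED",
    "kdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_timeserv_required = {
    "TIMESERV service is REQUIRED",
    "timeserv service is NOT required"
};
static const true_false_string get_dcname_request_flags_writable_required = {
    "the returned dc MUST be WRITEABLE",
    "a read-only dc may be returned"
};
static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
    "GOOD TIMESERV servers are PREFERRED",
    "we do NOT have a preference for good timeserv servers"
};
static const true_false_string get_dcname_request_flags_avoid_self = {
    "do NOT return self as dc; return someone else",
    "you may return yourSELF as the dc"
};
static const true_false_string get_dcname_request_flags_only_ldap_needed = {
    "we ONLY NEED LDAP; you don't have to return a dc",
    "we need a normal dc; an ldap only server will not do"
};
static const true_false_string get_dcname_request_flags_is_flat_name = {
    "the name we specify is a NetBIOS name",
    "the name we specify is NOT a NetBIOS name"
};
static const true_false_string get_dcname_request_flags_is_dns_name = {
    "the name we specify is a DNS name",
    "the name we specify is NOT a dns name"
};
static const true_false_string get_dcname_request_flags_return_dns_name = {
    "return a DNS name",
    "you may return a NON-dns name"
};
static const true_false_string get_dcname_request_flags_return_flat_name = {
    "return a NetBIOS name",
    "you may return a NON-NetBIOS name"
};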
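/*
 * Dissect the 32-bit flags word of a DC name request and show it as a
 * bitmask under hf_netlogon_get_dcname_request_flags.
 *
 * The word is first read without a tree so that only the bitmask item is
 * added; the item is anchored at offset - 4, the position the value was
 * read from. Nothing is dissected during a conformant run.
 *
 * Returns the offset just past the flags word.
 *
 * NOTE(review): the return type, the declaration of `mask`, the array
 * terminator, the early return and the final return fall on lines this
 * listing omits; restored per the file's dissector convention.
 */
static int
netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *parent_tree,
                                          dcerpc_info *di, uint8_t *drep)
{
    uint32_t mask;
    static int * const flags[] = {
        &hf_netlogon_get_dcname_request_flags_return_flat_name,
        &hf_netlogon_get_dcname_request_flags_return_dns_name,
        &hf_netlogon_get_dcname_request_flags_is_flat_name,
        &hf_netlogon_get_dcname_request_flags_is_dns_name,
        &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
        &hf_netlogon_get_dcname_request_flags_avoid_self,
        &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
        &hf_netlogon_get_dcname_request_flags_writable_required,
        &hf_netlogon_get_dcname_request_flags_timeserv_required,
        &hf_netlogon_get_dcname_request_flags_kdc_required,
        &hf_netlogon_get_dcname_request_flags_ip_required,
        &hf_netlogon_get_dcname_request_flags_background_only,
        &hf_netlogon_get_dcname_request_flags_pdc_required,
        &hf_netlogon_get_dcname_request_flags_gc_server_required,
        &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
        &hf_netlogon_get_dcname_request_flags_directory_service_required,
        &hf_netlogon_get_dcname_request_flags_force_rediscovery,
        NULL
    };

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                -1, &mask);

    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                            hf_netlogon_get_dcname_request_flags,
                                            ett_get_dcname_request_flags,
                                            flags, mask, BMT_NO_APPEND);

    return offset;
}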
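/* Bits of the flags word that describes a domain controller. */
#define DS_PDC_FLAG             0x00000001
#define DS_GC_FLAG              0x00000004
#define DS_LDAP_FLAG            0x00000008
#define DS_DS_FLAG              0x00000010
#define DS_KDC_FLAG             0x00000020
#define DS_TIMESERV_FLAG        0x00000040
#define DS_CLOSEST_FLAG         0x00000080
#define DS_WRITABLE_FLAG        0x00000100
#define DS_GOOD_TIMESERV_FLAG   0x00000200
#define DS_NDNC_FLAG            0x00000400
#define DS_DNS_CONTROLLER_FLAG  0x20000000
#define DS_DNS_DOMAIN_FLAG      0x40000000
#define DS_DNS_FOREST_FLAG      0x80000000

/*
 * Display strings for the DC flag bits: the first string is shown when the
 * bit is set, the second when it is clear.
 *
 * NOTE(review): the closing "};" of each table is not shown in this listing
 * and is restored here.
 */
static const true_false_string dc_flags_pdc_flag = {
    "this is the PDC of the domain",
    "this is NOT the pdc of the domain"
};
static const true_false_string dc_flags_gc_flag = {
    "this is the GC of the forest",
    "this is NOT the gc of the forest"
};
static const true_false_string dc_flags_ldap_flag = {
    "this is an LDAP server",
    "this is NOT an ldap server"
};
static const true_false_string dc_flags_ds_flag = {
    "this is a DS server",
    "this is NOT a ds server"
};
static const true_false_string dc_flags_kdc_flag = {
    "this is a KDC server",
    "this is NOT a kdc server"
};
static const true_false_string dc_flags_timeserv_flag = {
    "this is a TIMESERV server",
    "this is NOT a timeserv server"
};
static const true_false_string dc_flags_closest_flag = {
    "this is the CLOSEST server",
    "this is NOT the closest server"
};
static const true_false_string dc_flags_writable_flag = {
    "this server has a WRITABLE ds database",
    "this server has a READ-ONLY ds database"
};
static const true_false_string dc_flags_good_timeserv_flag = {
    "this server is a GOOD TIMESERV server",
    "this is NOT a good timeserv server"
};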
5749 static const true_false_string dc_flags_ndnc_flag
= {
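/*
 * Display strings for the three name-format bits of the DC flags word: the
 * first string is shown when the bit is set, the second when it is clear.
 *
 * NOTE(review): the closing "};" of each table is not shown in this listing
 * and is restored here.
 */
static const true_false_string dc_flags_dns_controller_flag = {
    "DomainControllerName is a DNS name",
    "DomainControllerName is NOT a dns name"
};
static const true_false_string dc_flags_dns_domain_flag = {
    "DomainName is a DNS name",
    "DomainName is NOT a dns name"
};
static const true_false_string dc_flags_dns_forest_flag = {
    "DnsForestName is a DNS name",
    "DnsForestName is NOT a dns name"
};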
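/*
 * Dissect the 32-bit DC flags word and show it as a bitmask under
 * hf_netlogon_dc_flags.
 *
 * The word is first read without a tree so that only the bitmask item is
 * added; the item is anchored at offset - 4, the position the value was
 * read from. A value of exactly 0x0000ffff is additionally tagged as
 * " PING" on the item. Nothing is dissected during a conformant run.
 *
 * Returns the offset just past the flags word.
 *
 * NOTE(review): the return type, the declarations of `item` and `mask`,
 * the array terminator, the early return and the final return fall on
 * lines this listing omits; restored per the file's dissector convention.
 */
static int
netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
                          packet_info *pinfo, proto_tree *parent_tree,
                          dcerpc_info *di, uint8_t *drep)
{
    uint32_t mask;
    proto_item *item;
    static int * const flags[] = {
        &hf_netlogon_dc_flags_dns_forest_flag,
        &hf_netlogon_dc_flags_dns_domain_flag,
        &hf_netlogon_dc_flags_dns_controller_flag,
        &hf_netlogon_dc_flags_ndnc_flag,
        &hf_netlogon_dc_flags_good_timeserv_flag,
        &hf_netlogon_dc_flags_writable_flag,
        &hf_netlogon_dc_flags_closest_flag,
        &hf_netlogon_dc_flags_timeserv_flag,
        &hf_netlogon_dc_flags_kdc_flag,
        &hf_netlogon_dc_flags_ds_flag,
        &hf_netlogon_dc_flags_ldap_flag,
        &hf_netlogon_dc_flags_gc_flag,
        &hf_netlogon_dc_flags_pdc_flag,
        NULL
    };

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                -1, &mask);

    item = proto_tree_add_bitmask_value_with_flags(parent_tree, tvb,
                                                   offset - 4,
                                                   hf_netlogon_dc_flags,
                                                   ett_dc_flags, flags, mask,
                                                   BMT_NO_APPEND);
    if (mask == 0x0000ffff) {
        proto_item_append_text(item, " PING (mask==0x0000ffff)");
    }

    return offset;
}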
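/*
 * Pointer callback that dissects one 32-bit value under the field index
 * carried in di->hf_index.
 *
 * Returns the offset just past the value.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                di->hf_index, NULL);

    return offset;
}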
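/*
 * Pointer callback that dissects one 8-bit value under the field index
 * carried in di->hf_index.
 *
 * Returns the offset just past the value.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               di->hf_index, NULL);

    return offset;
}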
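/*
 * Element callback for the UNICODE_MULTI array: dissects one byte under
 * hf_netlogon_unknown_char.
 *
 * Returns the offset just past the byte.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_unknown_char, NULL);

    return offset;
}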
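/*
 * Pointer callback for UNICODE_MULTI: hands the array to
 * dissect_ndr_ucarray() with netlogon_dissect_UNICODE_MULTI_byte as the
 * per-element dissector.
 *
 * Returns the offset just past the array.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UNICODE_MULTI_byte);

    return offset;
}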
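/*
 * Dissect a UNICODE_MULTI structure into its own subtree: a 32-bit length
 * followed by a [unique] pointer to the byte array.
 *
 * The subtree item is created with length 0 and sized once the end offset
 * is known.
 *
 * Returns the offset just past the structure.
 *
 * NOTE(review): the return type, the guard around the subtree creation and
 * the final return fall on lines this listing omits; restored per the
 * file's dissector convention (`item` and `tree` start out NULL, which
 * suggests the subtree is only built when a parent tree exists).
 */
static int
netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
                               packet_info *pinfo, proto_tree *parent_tree,
                               dcerpc_info *di, uint8_t *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    int old_offset = offset;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_UNICODE_MULTI, &item,
                                      "UNICODE_MULTI:");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_len, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UNICODE_MULTI_array,
                                 NDR_POINTER_UNIQUE,
                                 "unknown", hf_netlogon_unknown_string);

    proto_item_set_len(item, offset - old_offset);

    return offset;
}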
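/*
 * Dissect a DOMAIN_CONTROLLER_INFO structure into its own subtree, in wire
 * order: DC name, DC address, address type, GUID, logon domain, DNS forest,
 * the DC flags word, DC site and client site.
 *
 * The subtree item is created with length 0 and sized once the end offset
 * is known.
 *
 * Returns the offset just past the structure.
 *
 * NOTE(review): the return type, the guard around the subtree creation and
 * the final return fall on lines this listing omits; restored per the
 * file's dissector convention (`item` and `tree` start out NULL, which
 * suggests the subtree is only built when a parent tree exists).
 */
static int
netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *parent_tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    int old_offset = offset;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DOMAIN_CONTROLLER_INFO, &item,
                                      "DOMAIN_CONTROLLER_INFO:");
    }

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DC Name",
                                          hf_netlogon_dc_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DC Address",
                                          hf_netlogon_dc_address, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dc_address_type, NULL);

    offset = dissect_nt_GUID(tvb, offset,
                             pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Logon Domain",
                                          hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DNS Forest",
                                          hf_netlogon_dns_forest_name, 0);

    offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DC Site",
                                          hf_netlogon_dc_site_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Client Site",
                                          hf_netlogon_client_site_name, 0);

    proto_item_set_len(item, offset - old_offset);

    return offset;
}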
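/*
 * Pointer callback for the trust extension buffer.
 *
 * Reads the array header (maximum count, offset, actual count) and, only
 * when the maximum count corresponds to 16 bytes (max * 2 == 16), dissects
 * the fixed layout: trust flags, parent index, trust type and trust
 * attributes. Nothing is dissected during a conformant run.
 *
 * Returns the offset just past whatever was dissected.
 *
 * NOTE(review): the return type, the declarations of `len` and `max`, the
 * early return and the final return fall on lines this listing omits.
 * uint64_t is used for the two counters on the assumption that
 * dissect_ndr_uint3264() writes a 64-bit value - confirm against
 * packet-dcerpc.h.
 * NOTE(review): `max` is capture data. Any other size leaves the buffer
 * undissected and gives the analyst no hint that it was skipped; an expert
 * info item in the else branch would make a malformed or unexpected
 * extension visible.
 */
static int
dissect_ndr_trust_extension(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    uint64_t len, max;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
                                  hf_netlogon_trust_max, &max);

    offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
                                  hf_netlogon_trust_offset, NULL);

    offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
                                  hf_netlogon_trust_len, &len);

    if (max * 2 == 16) {
        offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo,
                                                     tree, di, drep);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_trust_parent_index, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_trust_type, NULL);

        offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo,
                                                       tree, di, drep);
    }
    /* else do something scream shout .... */

    return offset;
}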
/*
 * Dissect a length-prefixed blob: a 32-bit size is read into `len`
 * (hf_netlogon_blob_size) and then used as the length of the
 * hf_netlogon_blob item added at the current offset. The function checks
 * di->conformant_run before reading anything.
 *
 * NOTE(review): `len` is untrusted capture data and the rest of this
 * function is not shown in the listing. Confirm that the length is checked
 * against the remaining tvb data before `offset` is advanced by it, and
 * that a 32-bit value above INT_MAX cannot become a negative item length or
 * move `offset` backwards; a dissector that stops making forward progress
 * can spin on a crafted packet.
 */
5956 netlogon_dissect_BLOB_array(tvbuff_t
*tvb
, int offset
,
5957 packet_info
*pinfo
, proto_tree
*tree
,
5958 dcerpc_info
*di
, uint8_t *drep
)
5962 if(di
->conformant_run
){
5966 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
5967 hf_netlogon_blob_size
, &len
);
5969 proto_tree_add_item(tree
, hf_netlogon_blob
, tvb
, offset
, len
,
/*
 * Dissect a structure that is laid out like a counted string (16-bit
 * length, 16-bit size, [unique] buffer pointer) but whose buffer is handed
 * to dissect_ndr_trust_extension() instead of being shown as text.
 *
 * A subtree named after hf_index is created for the structure; the length
 * and size are read into `len` and `size` under hf_nt_cs_len and
 * hf_nt_cs_size.
 *
 * NOTE(review): the local declarations, the condition around the subtree
 * creation, the alignment step announced by the comment below and the
 * returns fall on lines this listing omits. `len` and `size` come from the
 * packet; nothing visible here compares them with each other or with the
 * buffer the callback walks - verify in the tree.
 */
5977 dissect_ndr_ulongs_as_counted_string(tvbuff_t
*tvb
, int offset
,
5978 packet_info
*pinfo
, proto_tree
*tree
,
5979 dcerpc_info
*di
, uint8_t *drep
, int hf_index
)
5982 bool add_subtree
= true; /* Manage room for evolution*/
5984 proto_tree
*subtree
= tree
;
5988 subtree
= proto_tree_add_subtree(
5989 tree
, tvb
, offset
, 0, ett_nt_counted_longs_as_string
, &item
,
5990 proto_registrar_get_name(hf_index
));
5992 /* Structure starts with short, but is aligned for longs */
5995 if (di
->conformant_run
)
6002 [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
6007 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, subtree
, di
, drep
,
6008 hf_nt_cs_len
, &len
);
6009 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, subtree
, di
, drep
,
6010 hf_nt_cs_size
, &size
);
6011 offset
= dissect_ndr_pointer_cb(tvb
, offset
, pinfo
, subtree
, di
, drep
,
6012 dissect_ndr_trust_extension
, NDR_POINTER_UNIQUE
,
6013 "Buffer", hf_index
,NULL
,NULL
);
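/*
 * Pointer callback that dissects the domain SID as a dom_sid2 structure
 * under hf_domain_info_sid.
 *
 * Returns the offset just past the SID.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
DomainInfo_sid_(tvbuff_t *tvb, int offset, packet_info *pinfo,
                proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = lsarpc_dissect_struct_dom_sid2(tvb, offset, pinfo, tree, di,
                                            drep, hf_domain_info_sid, 0);

    return offset;
}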
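/*
 * Dissect the embedded [unique] pointer to the domain SID; the referent is
 * handled by DomainInfo_sid_().
 *
 * Returns the offset just past the pointer.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
dissect_element_lsa_DnsDomainInfo_sid(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep,
                                          DomainInfo_sid_,
                                          NDR_POINTER_UNIQUE,
                                          "Pointer to Sid (dom_sid2)",
                                          hf_dns_domain_info_sid);

    return offset;
}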
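/*
 * Dissect the domain GUID under hf_dns_domain_info_domain_guid.
 *
 * Returns the offset just past the GUID.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
dissect_element_lsa_DnsDomainInfo_domain_guid(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo,
                                              proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uuid_t(tvb, offset, pinfo, tree, di, drep,
                                hf_dns_domain_info_domain_guid, NULL);

    return offset;
}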
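/*
 * Dissect the leading members of a DnsDomainInfo structure, in wire order:
 * name, DNS domain and DNS forest (each an lsa_StringLarge), the domain
 * GUID and the pointer to the domain SID.
 *
 * hf_index and param are accepted but not used.
 *
 * Returns the offset just past the dissected members.
 *
 * NOTE(review): braces and the final return are not shown in this listing;
 * restored per the file's dissector convention.
 */
static int dissect_part_DnsDomainInfo(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep,
                                      int hf_index _U_, uint32_t param _U_)
{
    offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree,
                                                   di, drep,
                                                   hf_dns_domain_info_name, 0);

    offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree,
                                                   di, drep,
                                                   hf_dns_domain_info_dns_domain, 0);

    offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree,
                                                   di, drep,
                                                   hf_dns_domain_info_dns_forest, 0);

    offset = dissect_element_lsa_DnsDomainInfo_domain_guid(tvb, offset, pinfo,
                                                           tree, di, drep);

    offset = dissect_element_lsa_DnsDomainInfo_sid(tvb, offset, pinfo, tree,
                                                   di, drep);

    return offset;
}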
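/*
 * Dissect a ONE_DOMAIN_INFO structure into its own subtree: the
 * DnsDomainInfo members, the trust extension, three dummy counted strings
 * and four dummy 32-bit values.
 *
 * The subtree item is created with length 0 and sized once the end offset
 * is known.
 *
 * Returns the offset just past the structure.
 *
 * NOTE(review): the return type, the guard around the subtree creation and
 * the final return fall on lines this listing omits; restored per the
 * file's dissector convention (`item` and `tree` start out NULL, which
 * suggests the subtree is only built when a parent tree exists).
 */
static int
netlogon_dissect_ONE_DOMAIN_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *parent_tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    int old_offset = offset;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DOMAIN_TRUST_INFO, &item,
                                      "ONE_DOMAIN_INFO");
    }

    /*hf_netlogon_dnsdomaininfo*/
    offset = dissect_part_DnsDomainInfo(tvb, offset, pinfo, tree, di, drep,
                                        0, 0);

    /* It is structured as a string but it's not ... it's 4 ulong */
    offset = dissect_ndr_ulongs_as_counted_string(tvb, offset, pinfo, tree,
                                                  di, drep,
                                                  hf_netlogon_trust_extension);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string2, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string3, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string4, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy1_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy2_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy3_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy4_long, NULL);

    proto_item_set_len(item, offset - old_offset);

    return offset;
}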
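/*
 * Pointer callback for the trusted-domain list: hands the array to
 * dissect_ndr_ucarray() with netlogon_dissect_ONE_DOMAIN_INFO as the
 * per-element dissector.
 *
 * Returns the offset just past the array.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_ONE_DOMAIN_INFO);

    return offset;
}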
/*
 * Dissect the LSA policy blob into an "LSA Policy" subtree: a 32-bit length
 * read into `len` (hf_netlogon_lsapolicy_len) followed by a [unique]
 * pointer whose referent is handled by netlogon_dissect_BLOB_array().
 * The function checks di->conformant_run before building the subtree.
 *
 * NOTE(review): the declaration of `len`, the body of the conformant-run
 * branch, the tail of the dissect_ndr_pointer() call and everything after
 * it are not shown in this listing. `len` is capture data; nothing visible
 * here uses it to bound the blob, so the bounds handling has to be checked
 * in netlogon_dissect_BLOB_array().
 */
6117 netlogon_dissect_LSA_POLICY_INFO(tvbuff_t
*tvb
, int offset
,
6118 packet_info
*pinfo
, proto_tree
*tree
,
6119 dcerpc_info
*di
, uint8_t *drep
)
6121 proto_item
*item
=NULL
;
6122 proto_tree
*subtree
=NULL
;
6125 if(di
->conformant_run
){
6130 subtree
= proto_tree_add_subtree(tree
, tvb
, offset
, 0,
6131 ett_LSA_POLICY_INFO
, &item
, "LSA Policy");
6133 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, subtree
, di
, drep
,
6134 hf_netlogon_lsapolicy_len
, &len
);
6136 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, subtree
, di
, drep
,
6137 netlogon_dissect_BLOB_array
, NDR_POINTER_UNIQUE
,
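/*
 * Dissect a WORKSTATION_INFO structure, in wire order: the LSA policy
 * blob, workstation FQDN and site, four dummy string pointers, OS version
 * and workstation OS (counted strings), two dummy counted strings, then
 * workstation flags, supported encryption types and two dummy 32-bit
 * values.
 *
 * Returns the offset just past the structure.
 *
 * NOTE(review): return type, braces and the final return are not shown in
 * this listing; restored per the file's dissector convention.
 */
static int
netlogon_dissect_WORKSTATION_INFO(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    /* This is not the good way to do it ... it stinks ...
     * but after half of a day fighting against wireshark and ndr ...
     * I decided to keep this hack ...
     * At least data are correctly displayed without invented ints ...
     */
    offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Workstation FQDN",
                                          hf_netlogon_workstation_fqdn, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Workstation Site",
                                          hf_netlogon_workstation_site_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 1",
                                          hf_netlogon_dummy_string, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 2",
                                          hf_netlogon_dummy_string2, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 3",
                                          hf_netlogon_dummy_string3, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 4",
                                          hf_netlogon_dummy_string4, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_os_version, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_workstation_os, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string3, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string4, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_workstation_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_supportedenctypes, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy3_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy4_long, NULL);

    return offset;
}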
/*
 * Dissect a unique pointer to a workstation information structure; the
 * referent is handled by netlogon_dissect_WORKSTATION_INFO.
 * Returns the offset reported by dissect_ndr_pointer().
 */
static int
netlogon_dissect_WORKSTATION_INFORMATION(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_WORKSTATION_INFO, NDR_POINTER_UNIQUE,
                               "WORKSTATION INFO", -1);
}
/*
 * Dissect a domain information structure.  Wire order: the primary
 * domain entry, the trust count and trust array pointer, the LSA policy
 * blob, four counted strings and four 32-bit values.
 * Returns the offset after the last 32-bit value.
 */
static int
netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    /* Primary domain entry. */
    offset = netlogon_dissect_ONE_DOMAIN_INFO(tvb, offset, pinfo, tree, di, drep);

    /* Number of trusts, then the unique pointer to the trust array. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_trusts, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
                                 "DOMAIN_TRUST_ARRAY: Trusted domains", -1);

    offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset, pinfo, tree, di, drep);

    /* A second hf_netlogon_num_trusts / netlogon_dissect_DOMAIN_TRUST_INFO
     * pointer pair exists at this point only as commented-out code. */

    /* Counted strings: the client DNS name followed by three placeholders. */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_ad_client_dns_name, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string2, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string3, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string4, 0);

    /* Trailing 32-bit values. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_workstation_flags, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_supportedenctypes, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy3_long, NULL);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_dummy4_long, NULL);
}
6268 netlogon_dissect_DOMAIN_INFORMATION(tvbuff_t
*tvb
, int offset
,
6269 packet_info
*pinfo
, proto_tree
*tree
,
6270 dcerpc_info
*di
, uint8_t *drep
)
6274 UNION_ALIGN_TO_5_BYTES
;
6275 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
, hf_netlogon_level
, &level
);
6276 UNION_ALIGN_TO_5_BYTES
;
6280 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
6281 netlogon_dissect_DOMAIN_INFO
, NDR_POINTER_UNIQUE
,
6285 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
6286 netlogon_dissect_LSA_POLICY_INFO
, NDR_POINTER_UNIQUE
,
6287 "LSA_POLICY_INFO", -1);
6295 netlogon_dissect_netr_CryptPassword(tvbuff_t
*tvb
, int offset
,
6296 packet_info
*pinfo
, proto_tree
*parent_tree
,
6297 dcerpc_info
*di
, uint8_t *drep
)
6299 int ret_offset
= offset
+ 516;
6300 proto_item
*item
=NULL
;
6301 proto_tree
*tree
=NULL
;
6302 netlogon_auth_vars
*vars
= NULL
;
6305 uint32_t confounder_len
;
6306 bool version_present
= false;
6310 * uint16 array[256];
6313 * All these 516 bytes are potentially encrypted.
6315 * The unencrypted length is in bytes
6316 * instead of uint16 units, so it's a multiple
6317 * of 2 and it should be smaller than 512 -
6318 * SIZEOF(NL_PASSWORD_VERSION), so it's 500
6319 * as SIZEOF(NL_PASSWORD_VERSION) is 12.
6320 * The confounder should also be there with
6323 * Real clients typically use 28 or 240,
6324 * which means 14 or 120 uint16 characters.
6326 * So if the value is larger than 500 or
6327 * the lowest bit (0x1) is set it's very likely an
6330 tvb_ensure_bytes_exist(tvb
, offset
, 516);
6333 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 516,
6334 ett_netr_CryptPassword
, &item
,
6335 "netr_CryptPassword:");
6338 vars
= find_global_netlogon_auth_vars(pinfo
, 0);
6339 pw_len
= tvb_get_uint32(tvb
, offset
+512, DREP_ENC_INTEGER(drep
));
6340 if (pw_len
> 500 || pw_len
& 0x1) {
6342 gcry_cipher_hd_t cipher_hd
= NULL
;
6343 uint8_t *buffer
= NULL
;
6344 tvbuff_t
*dectvb
= NULL
;
6346 proto_tree_add_bytes_format(tree
, hf_netlogon_blob
,
6347 tvb
, offset
, 516, NULL
,
6348 "Encrypted netr_CryptPassword");
6351 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
6352 &ei_netlogon_session_key
,
6353 "No session key found");
6357 err
= prepare_session_key_cipher(vars
, &cipher_hd
);
6359 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
6360 &ei_netlogon_session_key
,
6361 "Decryption not possible (%s/%s) with "
6362 "session key learned in frame %d ("
6365 gcry_strsource(err
),
6368 vars
->session_key
[0] & 0xFF,
6369 vars
->session_key
[1] & 0xFF,
6370 vars
->session_key
[2] & 0xFF,
6371 vars
->session_key
[3] & 0xFF,
6372 vars
->nthash
.key_origin
);
6373 ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",
6374 gcry_strsource(err
), gcry_strerror(err
));
6378 buffer
= (uint8_t*)tvb_memdup(pinfo
->pool
, tvb
, offset
, 516);
6379 if (buffer
== NULL
) {
6380 gcry_cipher_close(cipher_hd
);
6384 err
= gcry_cipher_decrypt(cipher_hd
, buffer
, 516, NULL
, 0);
6385 gcry_cipher_close(cipher_hd
);
6387 ws_warning("GCRY: gcry_cipher_decrypt %s/%s\n",
6388 gcry_strsource(err
), gcry_strerror(err
));
6392 dectvb
= tvb_new_child_real_data(tvb
, buffer
, 516, 516);
6393 if (dectvb
== NULL
) {
6397 pw_len
= tvb_get_uint32(dectvb
, 512, DREP_ENC_INTEGER(drep
));
6398 if (pw_len
> 500 || pw_len
& 0x1) {
6399 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
6400 &ei_netlogon_session_key
,
6401 "Unusable session key learned in frame %d ("
6405 vars
->session_key
[0] & 0xFF,
6406 vars
->session_key
[1] & 0xFF,
6407 vars
->session_key
[2] & 0xFF,
6408 vars
->session_key
[3] & 0xFF,
6409 vars
->nthash
.key_origin
);
6413 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
6414 &ei_netlogon_session_key
,
6415 "Used session key learned in frame %d ("
6419 vars
->session_key
[0] & 0xFF,
6420 vars
->session_key
[1] & 0xFF,
6421 vars
->session_key
[2] & 0xFF,
6422 vars
->session_key
[3] & 0xFF,
6423 vars
->nthash
.key_origin
);
6424 add_new_data_source(pinfo
, dectvb
, "netr_CryptPassword (Decrypted)");
6427 proto_tree_add_bytes_format(tree
, hf_netlogon_blob
,
6428 tvb
, offset
, 516, NULL
,
6429 "Decrypted netr_CryptPassword");
6431 proto_tree_add_bytes_format(tree
, hf_netlogon_blob
,
6432 tvb
, offset
, 516, NULL
,
6433 "Unencryption netr_CryptPassword");
6435 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
6436 &ei_netlogon_session_key
,
6437 "Not encrypted with session key learned in frame %d ("
6441 vars
->session_key
[0] & 0xFF,
6442 vars
->session_key
[1] & 0xFF,
6443 vars
->session_key
[2] & 0xFF,
6444 vars
->session_key
[3] & 0xFF,
6445 vars
->nthash
.key_origin
);
6447 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
6448 &ei_netlogon_session_key
,
6449 "Not encrypted and no session key found nor needed");
6453 confounder_len
= 512 - pw_len
;
6454 if (confounder_len
>= 12) {
6455 uint32_t voffset
= confounder_len
- 12;
6459 rf
= tvb_get_uint32(tvb
, voffset
+0, DREP_ENC_INTEGER(drep
));
6460 vp
= tvb_get_uint32(tvb
, voffset
+8, DREP_ENC_INTEGER(drep
));
6461 if (rf
== 0 && vp
== 0x02231968) {
6462 confounder_len
-= 12;
6463 version_present
= true;
6467 if (confounder_len
> 0) {
6468 proto_tree_add_bytes_format(tree
, hf_netlogon_blob
,
6469 tvb
, offset
, confounder_len
,
6470 NULL
, "Confounder: %"PRIu32
" byte%s",
6472 plurality(confounder_len
, "", "s"));
6473 offset
+= confounder_len
;
6476 if (version_present
) {
6477 proto_item
*vitem
=NULL
;
6478 proto_tree
*vtree
=NULL
;
6481 vtree
= proto_tree_add_subtree(tree
, tvb
, offset
, 12,
6482 ett_NL_PASSWORD_VERSION
, &vitem
,
6483 "NL_PASSWORD_VERSION:");
6486 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, vtree
, di
, drep
,
6487 hf_netlogon_password_version_reserved
, NULL
);
6488 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, vtree
, di
, drep
,
6489 hf_netlogon_password_version_number
, NULL
);
6490 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, vtree
, di
, drep
,
6491 hf_netlogon_password_version_present
, NULL
);
6494 proto_tree_add_bytes_format(tree
, hf_netlogon_blob
,
6495 tvb
, offset
, pw_len
, NULL
,
6496 "Raw Password Bytes: %"PRIu32
" byte%s",
6498 plurality(pw_len
, "", "s"));
6499 pw
= (char *)tvb_get_string_enc(pinfo
->pool
, tvb
, offset
, pw_len
,
6500 ENC_UTF_16
|DREP_ENC_INTEGER(drep
));
6501 proto_tree_add_string(tree
, hf_netlogon_new_password
, tvb
, offset
,
6505 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
6506 hf_netlogon_len
, NULL
);
/*
 * Per-element callback for netlogon_dissect_element_844_array: dissect
 * one byte and show it as hf_netlogon_unknown_char.
 * Returns the offset reported by dissect_ndr_uint8().
 */
static int
netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect an array of bytes whose meaning the dissector does not know;
 * each element goes through netlogon_dissect_element_844_byte.
 * Returns the offset reported by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_element_844_byte);
}
6534 netlogon_dissect_TYPE_50(tvbuff_t
*tvb
, int offset
,
6535 packet_info
*pinfo
, proto_tree
*parent_tree
,
6536 dcerpc_info
*di
, uint8_t *drep
)
6538 proto_item
*item
=NULL
;
6539 proto_tree
*tree
=NULL
;
6540 int old_offset
=offset
;
6543 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 0,
6544 ett_TYPE_50
, &item
, "TYPE_50:");
6547 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
6548 hf_netlogon_unknown_long
, NULL
);
6550 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
6551 netlogon_dissect_element_844_array
, NDR_POINTER_UNIQUE
,
6552 "unknown", hf_netlogon_unknown_string
);
6554 proto_item_set_len(item
, offset
-old_offset
);
/*
 * Dissect a unique pointer to a TYPE_50 structure; the referent is
 * handled by netlogon_dissect_TYPE_50.
 * Returns the offset reported by dissect_ndr_pointer().
 */
static int
netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
                               "TYPE_50 pointer: unknown_TYPE_50", -1);
}
6571 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t
*tvb
, int offset
,
6572 packet_info
*pinfo
, proto_tree
*parent_tree
, dcerpc_info
*di
, uint8_t *drep
)
6575 proto_item
*item
=NULL
;
6576 proto_tree
*tree
=NULL
;
6577 int old_offset
=offset
;
6580 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 0,
6581 ett_DS_DOMAIN_TRUSTS
, NULL
, "DS_DOMAIN_TRUSTS");
6585 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
6586 NDR_POINTER_UNIQUE
, "NetBIOS Name",
6587 hf_netlogon_downlevel_domain_name
, 0);
6590 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
6591 NDR_POINTER_UNIQUE
, "DNS Domain Name",
6592 hf_netlogon_dns_domain_name
, 0);
6594 offset
= netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb
, offset
, pinfo
, tree
, di
, drep
);
6596 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
6597 hf_netlogon_trust_parent_index
, &tmp
);
6599 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
6600 hf_netlogon_trust_type
, &tmp
);
6602 offset
= netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb
, offset
, pinfo
, tree
, di
, drep
);
6605 offset
= dissect_ndr_nt_PSID(tvb
, offset
, pinfo
, tree
, di
, drep
);
6608 offset
= dissect_nt_GUID(tvb
, offset
, pinfo
, tree
, di
, drep
);
6610 proto_item_set_len(item
, offset
-old_offset
);
/*
 * Dissect an array of DS_DOMAIN_TRUSTS entries; each element goes
 * through netlogon_dissect_DS_DOMAIN_TRUSTS.
 * Returns the offset reported by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DS_DOMAIN_TRUSTS);
}
/*
 * Per-element callback for netlogon_dissect_element_865_array: dissect
 * one byte and show it as hf_netlogon_unknown_char.
 * Returns the offset reported by dissect_ndr_uint8().
 */
static int
netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect the first unknown byte array referenced from TYPE_52; each
 * element goes through netlogon_dissect_element_865_byte.
 * Returns the offset reported by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_element_865_byte);
}
/*
 * Per-element callback for netlogon_dissect_element_866_array: dissect
 * one byte and show it as hf_netlogon_unknown_char.
 * Returns the offset reported by dissect_ndr_uint8().
 */
static int
netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect the second unknown byte array referenced from TYPE_52; each
 * element goes through netlogon_dissect_element_866_byte.
 * Returns the offset reported by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_element_866_byte);
}
6670 netlogon_dissect_TYPE_52(tvbuff_t
*tvb
, int offset
,
6671 packet_info
*pinfo
, proto_tree
*parent_tree
,
6672 dcerpc_info
*di
, uint8_t *drep
)
6674 proto_item
*item
=NULL
;
6675 proto_tree
*tree
=NULL
;
6676 int old_offset
=offset
;
6679 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 0,
6680 ett_TYPE_52
, &item
, "TYPE_52:");
6683 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
6684 hf_netlogon_unknown_long
, NULL
);
6686 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
6687 netlogon_dissect_element_865_array
, NDR_POINTER_UNIQUE
,
6688 "unknown", hf_netlogon_unknown_string
);
6690 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
6691 netlogon_dissect_element_866_array
, NDR_POINTER_UNIQUE
,
6692 "unknown", hf_netlogon_unknown_string
);
6694 proto_item_set_len(item
, offset
-old_offset
);
/*
 * Dissect a unique pointer to a TYPE_52 structure; the referent is
 * handled by netlogon_dissect_TYPE_52.
 * Returns the offset reported by dissect_ndr_pointer().
 */
static int
netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
                               "TYPE_52 pointer: unknown_TYPE_52", -1);
}
6711 netlogon_dissect_Capabilities(tvbuff_t
*tvb
, int offset
,
6712 packet_info
*pinfo
, proto_tree
*parent_tree
,
6713 dcerpc_info
*di
, uint8_t *drep
)
6715 proto_item
*item
=NULL
;
6716 proto_tree
*tree
=NULL
;
6717 proto_item
*pitem
=NULL
;
6718 proto_item
*nitem
=NULL
;
6719 int old_offset
=offset
;
6723 pitem
= proto_tree_get_parent(parent_tree
);
6724 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, 0,
6725 ett_CAPABILITIES
, &item
,
6729 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
6730 hf_netlogon_level
, &level
);
6736 dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
, -1, &flags
);
6737 nitem
= netlogon_dissect_neg_options(tvb
,tree
,flags
,offset
);
6738 proto_item_set_text(nitem
, "NegotiatedFlags: 0x%08x", flags
);
6739 proto_item_set_text(item
, "ServerCapabilities");
6740 proto_item_append_text(pitem
, ": ServerCapabilities");
6746 dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
, -1, &flags
);
6747 nitem
= netlogon_dissect_neg_options(tvb
,tree
,flags
,offset
);
6748 proto_item_set_text(nitem
, "RequestedFlags: 0x%08x", flags
);
6749 proto_item_set_text(item
, "RequestedFlags");
6750 proto_item_append_text(pitem
, ": RequestedFlags");
6756 proto_item_set_len(item
, offset
-old_offset
);
6761 netlogon_dissect_WORKSTATION_BUFFER(tvbuff_t
*tvb
, int offset
,
6762 packet_info
*pinfo
, proto_tree
*tree
,
6763 dcerpc_info
*di
, uint8_t *drep
)
6767 UNION_ALIGN_TO_5_BYTES
;
6768 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
, hf_netlogon_level
, &level
);
6769 UNION_ALIGN_TO_5_BYTES
;
6774 offset
= netlogon_dissect_WORKSTATION_INFORMATION(tvb
, offset
, pinfo
, tree
, di
, drep
);
/*
 * Request dissector for the enumerate-trusted-domains call: the only
 * argument is the logon server handle.
 * Returns the offset after the handle.
 */
static int
netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
                                                  packet_info *pinfo, proto_tree *tree,
                                                  dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                            pinfo, tree, di, drep);
}
/*
 * Reply dissector for the enumerate-trusted-domains call: a reference
 * pointer to the UNICODE_MULTI list of trusted domain names, followed by
 * the status code (shown as hf_netlogon_dos_rc).
 * Returns the offset after the status code.
 */
static int
netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    const int after_list =
        dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                            netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
                            "UNICODE_MULTI pointer: trust_dom_name_list", -1);

    return dissect_ntstatus(tvb, after_list, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * Request dissector for the DsrGetDcName-style call handled here.  Wire
 * order: logon server handle, optional domain name, optional domain
 * GUID, optional site GUID, 32-bit flags.
 * Returns the offset after the flags.
 */
static int
netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);

    /* Both GUIDs are unique pointers, so either may be absent on the wire. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: domain_guid", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: site_guid", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_flags, NULL);
}
/*
 * Reply dissector matching netlogon_dissect_dsrgetdcname_rqst: a unique
 * pointer to the DOMAIN_CONTROLLER_INFO structure, followed by the
 * status code (shown as hf_netlogon_dos_rc).
 * Returns the offset after the status code.
 */
static int
netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    const int after_info =
        dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                            netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
                            "DOMAIN_CONTROLLER_INFO:", -1);

    return dissect_ntstatus(tvb, after_info, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
6846 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t
*tvb
, int offset
,
6847 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
6850 proto_item
*litem
= NULL
;
6852 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
6853 NDR_POINTER_REF
, "Server Handle",
6854 hf_netlogon_logonsrv_handle
, 0);
6856 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
6857 NDR_POINTER_UNIQUE
, "Computer Name",
6858 hf_netlogon_computer_name
, 0);
6860 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
6861 netlogon_dissect_AUTHENTICATOR
, NDR_POINTER_REF
,
6862 "AUTHENTICATOR: credential", -1);
6864 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
6865 netlogon_dissect_AUTHENTICATOR
, NDR_POINTER_REF
,
6866 "AUTHENTICATOR: return_authenticator", -1);
6868 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
6870 litem
= proto_tree_add_item(tree
, hf_netlogon_level
, tvb
, offset
-4, 4,
6871 DREP_ENC_INTEGER(drep
));
6874 proto_item_append_text(litem
, " (ServerCapabilities)");
6877 proto_item_append_text(litem
, " (RequestedFlags)");
/*
 * Reply dissector for the "dummy routine 1" call.  Wire order: the
 * return authenticator, the capabilities union (dissected by
 * netlogon_dissect_Capabilities) and the NTSTATUS result.
 * Returns the offset after the NTSTATUS.
 */
static int
netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_Capabilities, NDR_POINTER_REF,
                                 "Capabilities", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector for the set-service-bits call: the logon server
 * handle followed by two 32-bit values that the dissector labels only
 * as hf_netlogon_unknown_long.
 * Returns the offset after the second 32-bit value.
 */
static int
netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_unknown_long, NULL);
}
/*
 * Reply dissector for the set-service-bits call: the reply carries only
 * the NTSTATUS result.
 * Returns the offset after the NTSTATUS.
 */
static int
netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector for the get-trust-RID call: the logon server handle
 * followed by one optional string whose meaning the dissector does not
 * name ("unknown string").
 * Returns the offset after the string pointer.
 */
static int
netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    const int after_handle =
        netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                         pinfo, tree, di, drep);

    return dissect_ndr_str_pointer_item(tvb, after_handle, pinfo, tree, di, drep,
                                        NDR_POINTER_UNIQUE, "unknown string",
                                        hf_netlogon_unknown_string, 0);
}
/*
 * Reply dissector for the get-trust-RID call: a unique pointer to a
 * 32-bit value (shown as hf_netlogon_unknown_long) followed by the
 * NTSTATUS result.
 * Returns the offset after the NTSTATUS.
 */
static int
netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree,
                                            dcerpc_info *di, uint8_t *drep)
{
    const int after_value =
        dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                            netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                            "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);

    return dissect_ntstatus(tvb, after_value, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector for the compute-server-digest call.  Wire order:
 * logon server handle, a 32-bit value, a unique pointer to a byte array
 * and another 32-bit value.  The dissector has no names for the last
 * three and labels them as unknown.
 * Returns the offset after the final 32-bit value.
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_unknown_long, NULL);
}
6982 netlogon_dissect_BYTE_16_array(tvbuff_t
*tvb
, int offset
,
6983 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
6988 offset
= dissect_ndr_uint8(tvb
, offset
, pinfo
, tree
, di
, drep
,
6989 hf_netlogon_unknown_char
, NULL
);
/*
 * Reply dissector for the compute-server-digest call: a unique pointer
 * dissected by netlogon_dissect_BYTE_16_array, followed by the NTSTATUS
 * result.
 * Returns the offset after the NTSTATUS.
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo, proto_tree *tree,
                                                    dcerpc_info *di, uint8_t *drep)
{
    const int after_digest =
        dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                            netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
                            "BYTE pointer: unknown_BYTE", -1);

    return dissect_ntstatus(tvb, after_digest, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector for the compute-client-digest call.  Wire order:
 * logon server handle, an optional string, a unique pointer to a byte
 * array and a 32-bit value.  The dissector has no names for the last
 * three and labels them as unknown.
 * Returns the offset after the 32-bit value.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "unknown string",
                                          hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_unknown_long, NULL);
}
/*
 * Reply dissector for the compute-client-digest call: a unique pointer
 * dissected by netlogon_dissect_BYTE_16_array, followed by the NTSTATUS
 * result.
 * Returns the offset after the NTSTATUS.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo, proto_tree *tree,
                                                    dcerpc_info *di, uint8_t *drep)
{
    const int after_digest =
        dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                            netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
                            "BYTE pointer: unknown_BYTE", -1);

    return dissect_ntstatus(tvb, after_digest, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
7046 netlogon_dissect_neg_options(tvbuff_t
*tvb
,proto_tree
*tree
,uint32_t flags
,int offset
)
7048 static int * const hf_flags
[] = {
7049 &hf_netlogon_neg_flags_80000000
,
7050 &hf_netlogon_neg_flags_40000000
,
7051 &hf_netlogon_neg_flags_20000000
,
7053 &hf_netlogon_neg_flags_10000000
,
7054 &hf_netlogon_neg_flags_8000000
,
7055 &hf_netlogon_neg_flags_4000000
,
7056 &hf_netlogon_neg_flags_2000000
,
7057 &hf_netlogon_neg_flags_800000
,
7058 &hf_netlogon_neg_flags_400000
,
7060 &hf_netlogon_neg_flags_1000000
,
7061 &hf_netlogon_neg_flags_200000
,
7062 &hf_netlogon_neg_flags_100000
,
7063 &hf_netlogon_neg_flags_80000
,
7064 &hf_netlogon_neg_flags_40000
,
7065 &hf_netlogon_neg_flags_20000
,
7066 &hf_netlogon_neg_flags_10000
,
7067 &hf_netlogon_neg_flags_8000
,
7068 &hf_netlogon_neg_flags_4000
,
7069 &hf_netlogon_neg_flags_2000
,
7070 &hf_netlogon_neg_flags_1000
,
7071 &hf_netlogon_neg_flags_800
,
7072 &hf_netlogon_neg_flags_400
,
7073 &hf_netlogon_neg_flags_200
,
7074 &hf_netlogon_neg_flags_100
,
7075 &hf_netlogon_neg_flags_80
,
7076 &hf_netlogon_neg_flags_40
,
7077 &hf_netlogon_neg_flags_20
,
7078 &hf_netlogon_neg_flags_10
,
7079 &hf_netlogon_neg_flags_8
,
7080 &hf_netlogon_neg_flags_4
,
7081 &hf_netlogon_neg_flags_2
,
7082 &hf_netlogon_neg_flags_1
,
7086 return proto_tree_add_bitmask_value_with_flags(tree
, tvb
, offset
, hf_netlogon_neg_flags
, ett_authenticate_flags
, hf_flags
, flags
, BMT_NO_APPEND
);
7090 netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t
*tvb
, int offset
,
7091 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
7094 offset
= netlogon_dissect_LOGONSRV_HANDLE(tvb
, offset
,
7095 pinfo
, tree
, di
, drep
);
7098 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
7099 NDR_POINTER_REF
, "Acct Name", hf_netlogon_acct_name
, 0);
7101 if (di
->call_data
->flags
& DCERPC_IS_NDR64
) {
7107 offset
= netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb
, offset
,
7108 pinfo
, tree
, di
, drep
);
7112 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
7113 NDR_POINTER_REF
, "Computer Name", hf_netlogon_computer_name
, 0);
7115 offset
= dissect_dcerpc_8bytes(tvb
, offset
, pinfo
, tree
, drep
,
7116 hf_client_credential
, NULL
);
7118 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
7119 netlogon_dissect_CREDENTIAL
, NDR_POINTER_REF
,
7120 "Client Challenge", -1);
7124 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
7125 hf_netlogon_neg_flags
, NULL
);
7129 flags
= tvb_get_letohl (tvb
, offset
);
7130 netlogon_dissect_neg_options(tvb
,tree
,flags
,offset
);
7131 seen
.isseen
= false;
7138 netlogon_dissect_netrserverauthenticatekerberos_rqst(tvbuff_t
*tvb
, int offset
,
7139 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
7142 offset
= netlogon_dissect_LOGONSRV_HANDLE(tvb
, offset
,
7143 pinfo
, tree
, di
, drep
);
7146 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
7147 NDR_POINTER_REF
, "Acct Name", hf_netlogon_acct_name
, 0);
7149 if (di
->call_data
->flags
& DCERPC_IS_NDR64
) {
7155 offset
= netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb
, offset
,
7156 pinfo
, tree
, di
, drep
);
7160 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
7161 NDR_POINTER_REF
, "Computer Name", hf_netlogon_computer_name
, 0);
7165 flags
= tvb_get_letohl (tvb
, offset
);
7166 netlogon_dissect_neg_options(tvb
,tree
,flags
,offset
);
7167 seen
.isseen
= false;
7174 * IDL long NetrServerAuthenticate2(
7175 * IDL [in][string][unique] wchar_t *logonserver,
7176 * IDL [in][ref][string] wchar_t *username,
7177 * IDL [in] short secure_channel_type,
7178 * IDL [in][ref][string] wchar_t *computername,
7179 * IDL [in][ref] CREDENTIAL *client_chal,
7180 * IDL [out][ref] CREDENTIAL *server_chal,
7181 * IDL [in][out][ref] long *negotiate_flags,
/*
 * Request dissector for NetrServerAuthenticate2.  The request is passed
 * unchanged to the NetrServerAuthenticate3 request dissector, so both
 * calls are decoded with the same field sequence, including the
 * negotiate flags.
 * Returns whatever the NetrServerAuthenticate3 request dissector returns.
 */
static int
netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    const int next_offset =
        netlogon_dissect_netrserverauthenticate3_rqst(tvb, offset, pinfo, tree, di, drep);

    return next_offset;
}
7192 netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t
*tvb
, int offset
,
7200 netlogon_auth_vars
*vars
;
7201 netlogon_auth_key key
;
7202 uint64_t server_cred
;
7204 offset
= dissect_dcerpc_8bytes(tvb
, offset
, pinfo
, tree
, drep
,
7205 hf_server_credential
, &server_cred
);
7208 flags
= tvb_get_letohl (tvb
, offset
);
7209 netlogon_dissect_neg_options(tvb
,tree
,flags
,offset
);
7214 offset
= dissect_dcerpc_uint32(tvb
, offset
, pinfo
, tree
, drep
,
7215 hf_server_rid
, NULL
);
7217 offset
= dissect_ntstatus(tvb
, offset
, pinfo
, tree
, di
, drep
,
7218 hf_netlogon_rc
, NULL
);
7220 generate_hash_key(pinfo
, 1 , &key
);
7222 vars
= (netlogon_auth_vars
*)wmem_map_lookup(netlogon_auths
, &key
);
7224 ws_debug("Found some vars (ie. server/client challenges), let's see if I can get a session key");
7225 while(vars
!= NULL
&& vars
->next_start
!= -1 && vars
->next_start
< (int) pinfo
->num
) {
7226 ws_debug("looping auth reply...");
7230 ws_debug("Something strange happened while searching for authenticate_reply");
7233 md4_pass
*pass_list
=NULL
;
7234 const md4_pass
*used_md4
= NULL
;
7235 const char *used_method
= NULL
;
7236 uint32_t list_size
= 0;
7239 uint8_t session_key
[16];
7242 vars
->flags
= flags
;
7243 vars
->can_decrypt
= false;
7244 list_size
= get_md4pass_list(pinfo
->pool
, &pass_list
);
7245 ws_debug("Found %d passwords ",list_size
);
7246 if( flags
& NETLOGON_FLAG_AES
)
7248 uint8_t salt_buf
[16] = { 0 };
7249 uint8_t sha256
[HASH_SHA2_256_LENGTH
];
7250 uint64_t calculated_cred
;
7252 memcpy(&salt_buf
[0], (uint8_t*)&vars
->client_challenge
, 8);
7253 memcpy(&salt_buf
[8], (uint8_t*)&vars
->server_challenge
, 8);
7255 used_method
= "AES";
7256 printnbyte(pinfo
->pool
, (uint8_t*)&vars
->client_challenge
, 8, "Client challenge:");
7257 printnbyte(pinfo
->pool
, (uint8_t*)&vars
->server_challenge
, 8, "Server challenge:");
7258 printnbyte(pinfo
->pool
, (uint8_t*)&server_cred
, 8, "Server creds:");
7259 for(i
=0;i
<list_size
;i
++)
7261 used_md4
= &pass_list
[i
];
7262 password
= pass_list
[i
];
7263 printnbyte(pinfo
->pool
, (uint8_t*)&password
, 16, "NTHASH:");
7264 if (!ws_hmac_buffer(GCRY_MD_SHA256
, sha256
, salt_buf
, sizeof(salt_buf
), (uint8_t*) &password
, 16)) {
7266 gcry_cipher_hd_t cipher_hd
= NULL
;
7267 uint8_t iv
[16] = { 0 };
7269 /* truncate the session key to 16 bytes */
7270 memcpy(session_key
, sha256
, 16);
7271 printnbyte(pinfo
->pool
, (uint8_t*)session_key
, 16, "Session Key:");
7273 /* Open the cipher */
7274 err
= gcry_cipher_open(&cipher_hd
, GCRY_CIPHER_AES128
, GCRY_CIPHER_MODE_CFB8
, 0);
7276 ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err
), gcry_strerror(err
));
7280 /* Set the initial value */
7281 err
= gcry_cipher_setiv(cipher_hd
, iv
, sizeof(iv
));
7283 ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err
), gcry_strerror(err
));
7284 gcry_cipher_close(cipher_hd
);
7289 err
= gcry_cipher_setkey(cipher_hd
, session_key
, 16);
7291 ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err
), gcry_strerror(err
));
7292 gcry_cipher_close(cipher_hd
);
7296 calculated_cred
= 0x1234567812345678;
7297 err
= gcry_cipher_encrypt(cipher_hd
,
7298 (uint8_t *)&calculated_cred
, 8,
7299 (const uint8_t *)&vars
->server_challenge
, 8);
7301 ws_warning("GCRY: encrypt %s/%s\n", gcry_strsource(err
), gcry_strerror(err
));
7302 gcry_cipher_close(cipher_hd
);
7306 /* Done with the cipher */
7307 gcry_cipher_close(cipher_hd
);
7309 printnbyte(pinfo
->pool
, (uint8_t*)&calculated_cred
, 8, "Calculated creds:");
7311 if(calculated_cred
==server_cred
) {
7317 } else if ( flags
& NETLOGON_FLAG_STRONGKEY
) {
7318 uint8_t zeros
[4] = { 0 };
7319 uint8_t md5
[HASH_MD5_LENGTH
];
7320 gcry_md_hd_t md5_handle
;
7321 uint8_t buf
[8] = { 0 };
7322 uint64_t calculated_cred
;
7324 used_method
= "MD5";
7325 if (!gcry_md_open(&md5_handle
, GCRY_MD_MD5
, 0)) {
7326 gcry_md_write(md5_handle
, zeros
, 4);
7327 gcry_md_write(md5_handle
, (uint8_t*)&vars
->client_challenge
, 8);
7328 gcry_md_write(md5_handle
, (uint8_t*)&vars
->server_challenge
, 8);
7329 memcpy(md5
, gcry_md_read(md5_handle
, 0), 16);
7330 gcry_md_close(md5_handle
);
7332 printnbyte(pinfo
->pool
, md5
, 8, "MD5:");
7333 printnbyte(pinfo
->pool
, (uint8_t*)&vars
->client_challenge
, 8, "Client challenge:");
7334 printnbyte(pinfo
->pool
, (uint8_t*)&vars
->server_challenge
, 8, "Server challenge:");
7335 printnbyte(pinfo
->pool
, (uint8_t*)&server_cred
, 8, "Server creds:");
7336 for(i
=0;i
<list_size
;i
++)
7338 used_md4
= &pass_list
[i
];
7339 password
= pass_list
[i
];
7340 if (!ws_hmac_buffer(GCRY_MD_MD5
, session_key
, md5
, HASH_MD5_LENGTH
, (uint8_t*) &password
, 16)) {
7341 crypt_des_ecb(buf
,(unsigned char*)&vars
->server_challenge
,session_key
);
7342 crypt_des_ecb((unsigned char*)&calculated_cred
,buf
,session_key
+7);
7343 printnbyte(pinfo
->pool
, (uint8_t*)&calculated_cred
, 8, "Calculated creds:");
7344 if(calculated_cred
==server_cred
) {
7354 ws_debug("Else case not implemented");
7355 memset(session_key
,0,16);
7358 vars
->nthash
= *used_md4
;
7359 vars
->auth_fd_num
= pinfo
->num
;
7360 memcpy(&vars
->session_key
,session_key
,16);
7361 ws_debug("Found the good session key !");
7362 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
7363 &ei_netlogon_auth_nthash
,
7364 "%s authenticated using %s (%02x%02x%02x%02x...)",
7365 used_method
, used_md4
->key_origin
,
7366 used_md4
->md4
[0] & 0xFF, used_md4
->md4
[1] & 0xFF,
7367 used_md4
->md4
[2] & 0xFF, used_md4
->md4
[3] & 0xFF);
7368 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
7369 &ei_netlogon_session_key
,
7376 session_key
[0] & 0xFF, session_key
[1] & 0xFF,
7377 session_key
[2] & 0xFF, session_key
[3] & 0xFF,
7378 session_key
[4] & 0xFF, session_key
[5] & 0xFF,
7379 session_key
[6] & 0xFF, session_key
[7] & 0xFF,
7380 session_key
[8] & 0xFF, session_key
[9] & 0xFF,
7381 session_key
[10] & 0xFF, session_key
[11] & 0xFF,
7382 session_key
[12] & 0xFF, session_key
[13] & 0xFF,
7383 session_key
[14] & 0xFF, session_key
[15] & 0xFF);
7386 ws_debug("Session key not found !");
7387 memset(&vars
->session_key
,0,16);
/*
 * NetrServerAuthenticate3 reply.
 *
 * Thin wrapper: forwards every argument to the shared
 * netlogon_dissect_netrserverauthenticate023_reply() routine and passes 3
 * as its last argument (presumably the call variant; confirm against that
 * routine). Returns whatever the shared routine returns.
 */
static int
netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_netrserverauthenticate023_reply(
            tvb, offset, pinfo, tree, di, drep, 3);
}
/*
 * NetrServerAuthenticate2 reply.
 *
 * Thin wrapper: forwards every argument to the shared
 * netlogon_dissect_netrserverauthenticate023_reply() routine and passes 2
 * as its last argument (presumably the call variant; confirm against that
 * routine). Returns whatever the shared routine returns.
 */
static int
netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_netrserverauthenticate023_reply(
            tvb, offset, pinfo, tree, di, drep, 2);
}
7410 netlogon_dissect_netrserverauthenticatekerberos_reply(tvbuff_t
*tvb
, int offset
,
7418 flags
= tvb_get_letohl (tvb
, offset
);
7419 netlogon_dissect_neg_options(tvb
,tree
,flags
,offset
);
7422 offset
= dissect_dcerpc_uint32(tvb
, offset
, pinfo
, tree
, drep
,
7423 hf_server_rid
, NULL
);
7424 offset
= dissect_ntstatus(tvb
, offset
, pinfo
, tree
, di
, drep
,
7425 hf_netlogon_rc
, NULL
);
/*
 * DsrGetDcNameEx request.
 *
 * Fields are consumed in wire order: server handle, unique "Domain" string,
 * unique domain GUID pointer, unique "Site Name" string, request flags.
 * Each helper returns the offset after the field it consumed; the final
 * offset is returned to the caller.
 */
static int
netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            dissect_nt_GUID, NDR_POINTER_UNIQUE,
            "GUID pointer: domain_guid", -1);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);

    offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
/*
 * DsrGetDcNameEx reply.
 *
 * Consumes a unique pointer to DOMAIN_CONTROLLER_INFO followed by the
 * NTSTATUS return code (hf_netlogon_rc) and returns the resulting offset.
 */
static int
netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
            "DOMAIN_CONTROLLER_INFO:", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_rc, NULL);

    return offset;
}
/*
 * DsrGetSiteName request.
 *
 * The only field dissected here is the server handle; the offset after it
 * is returned.
 */
static int
netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
/*
 * DsrGetSiteName reply.
 *
 * Dissects the "Site Name" string through a pointer callback, then the
 * status code (hf_netlogon_dos_rc), and returns the resulting offset.
 */
static int
netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /*
     * XXX: treated as a UNIQUE pointer for now, although it does not really
     * look like one. The original author suspects a 32-bit integer followed
     * by a REF pointer to a Unicode string.
     */
    offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
            dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name",
            hf_netlogon_site_name, cb_wstr_postprocess,
            GINT_TO_POINTER(CB_STR_COL_INFO | 1));

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_dos_rc, NULL);

    return offset;
}
/*
 * NetrLogonGetDomainInfo request.
 *
 * Wire order as dissected: "Server Handle" string (REF), "Computer Name"
 * string (UNIQUE), the client AUTHENTICATOR, the return AUTHENTICATOR, a
 * 32-bit level and a REF pointer to the WORKSTATION_BUFFER. Returns the
 * offset after the last field.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* Unlike the other NETLOGON RPCs, the server handle is not a unique pointer here. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_UNIQUE, "Computer Name",
            hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
            "AUTHENTICATOR: client", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
            "AUTHENTICATOR: return_authenticator", -1);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_level, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_WORKSTATION_BUFFER, NDR_POINTER_REF,
            "WORKSTATION_BUFFER", -1);

    return offset;
}
/*
 * NetrLogonGetDomainInfo reply.
 *
 * Consumes the return AUTHENTICATOR, a REF pointer to DOMAIN_INFORMATION
 * and the NTSTATUS return code, then returns the resulting offset.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
            "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_DOMAIN_INFORMATION, NDR_POINTER_REF,
            "DOMAIN_INFORMATION", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_rc, NULL);

    return offset;
}
/*
 * NetrServerPasswordSet2 request.
 *
 * Wire order as dissected: server handle, "Acct Name" string (REF), secure
 * channel type, "Computer Name" string (REF), the credential AUTHENTICATOR
 * and finally the netr_CryptPassword blob carrying the new password.
 * Returns the offset after the last field.
 */
static int
netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_REF, "Acct Name",
            hf_netlogon_acct_name, 0);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_REF, "Computer Name",
            hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
            "AUTHENTICATOR: credential", -1);

    offset = netlogon_dissect_netr_CryptPassword(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
/*
 * NetrServerPasswordSet2 reply.
 *
 * Consumes the return AUTHENTICATOR and the NTSTATUS return code, then
 * returns the resulting offset.
 */
static int
netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
            "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_rc, NULL);

    return offset;
}
/*
 * NetrServerPasswordGet request.
 *
 * Wire order as dissected: server handle, "Acct Name" string (UNIQUE),
 * secure channel type, "Computer Name" string (UNIQUE) and the credential
 * AUTHENTICATOR. Returns the offset after the last field.
 */
static int
netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_UNIQUE, "Computer Name",
            hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
            "AUTHENTICATOR: credential", -1);

    return offset;
}
/*
 * NetrServerPasswordGet reply.
 *
 * Consumes the return AUTHENTICATOR, a REF pointer to the LM_OWF_PASSWORD
 * labelled "server_pwd" and the NTSTATUS return code, then returns the
 * resulting offset.
 */
static int
netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
            "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
            "LM_OWF_PASSWORD pointer: server_pwd", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_rc, NULL);

    return offset;
}
#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
/*
 * Prepare an AES-128 cipher handle in CFB8 mode for a recovered session key.
 *
 * The handle is opened, given a 16-byte all-zero IV and keyed with the
 * first 16 bytes of vars->session_key. On success the handle is stored in
 * *_cipher_hd and ownership passes to the caller, who must release it with
 * gcry_cipher_close(). On failure a warning is logged, any opened handle
 * is closed, *_cipher_hd is left untouched and the libgcrypt error is
 * returned.
 *
 * NOTE(review): the fixed zero IV and the CFB8 mode are hard-coded here;
 * presumably they mirror what the Netlogon protocol itself uses, since this
 * code only has to reproduce the peers' computation. Confirm against the
 * protocol specification before reusing this helper elsewhere.
 */
static gcry_error_t
prepare_session_key_cipher_aes(netlogon_auth_vars *vars,
                               gcry_cipher_hd_t *_cipher_hd)
{
    gcry_cipher_hd_t handle = NULL;
    uint8_t zero_iv[16] = { 0 };
    gcry_error_t err;

    /* Nothing to release yet if the open itself fails. */
    err = gcry_cipher_open(&handle, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
    if (err != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        return err;
    }

    err = gcry_cipher_setiv(handle, zero_iv, sizeof(zero_iv));
    if (err != 0) {
        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto release;
    }

    err = gcry_cipher_setkey(handle, vars->session_key, 16);
    if (err != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto release;
    }

    *_cipher_hd = handle;
    return 0;

release:
    gcry_cipher_close(handle);
    return err;
}
#endif
/*
 * Prepare an ARCFOUR (RC4) stream cipher handle for a recovered session key.
 *
 * The handle is opened in stream mode and keyed with the first 16 bytes of
 * vars->session_key. On success the handle is stored in *_cipher_hd and
 * ownership passes to the caller, who must release it with
 * gcry_cipher_close(). On failure a warning is logged, any opened handle
 * is closed, *_cipher_hd is left untouched and the libgcrypt error is
 * returned.
 */
static gcry_error_t
prepare_session_key_cipher_strong(netlogon_auth_vars *vars,
                                  gcry_cipher_hd_t *_cipher_hd)
{
    gcry_cipher_hd_t handle = NULL;
    gcry_error_t err;

    /* Nothing to release yet if the open itself fails. */
    err = gcry_cipher_open(&handle, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0);
    if (err != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        return err;
    }

    err = gcry_cipher_setkey(handle, vars->session_key, 16);
    if (err != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        gcry_cipher_close(handle);
        return err;
    }

    *_cipher_hd = handle;
    return 0;
}
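/*
 * Pick the cipher that matches the negotiated Netlogon flags and return a
 * keyed handle for it in *_cipher_hd.
 *
 * NETLOGON_FLAG_AES is tested first, so it wins when both flags are set;
 * that branch exists only when libgcrypt is 1.8.0 or newer. Otherwise
 * NETLOGON_FLAG_STRONGKEY selects the ARCFOUR helper. With neither flag
 * set, GPG_ERR_UNSUPPORTED_ALGORITHM is returned.
 *
 * NOTE(review): on a build with an older libgcrypt, a session that has both
 * flags set falls through to the ARCFOUR helper even though AES was
 * negotiated; the resulting decryption would presumably be garbage rather
 * than an explicit "unsupported" error. Confirm whether that is intended.
 *
 * Returns 0 on success (the caller then owns the handle) or a libgcrypt
 * error code.
 */
static gcry_error_t
prepare_session_key_cipher(netlogon_auth_vars *vars,
                           gcry_cipher_hd_t *_cipher_hd)
{
    /*
     * Give the caller a defined handle on every path, including the
     * unsupported-algorithm one, so a later gcry_cipher_close() can never
     * see an indeterminate value.
     */
    *_cipher_hd = NULL;

#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
    if (vars->flags & NETLOGON_FLAG_AES) {
        return prepare_session_key_cipher_aes(vars, _cipher_hd);
    }
#endif

    if (vars->flags & NETLOGON_FLAG_STRONGKEY) {
        return prepare_session_key_cipher_strong(vars, _cipher_hd);
    }

    return GPG_ERR_UNSUPPORTED_ALGORITHM;
}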
/*
 * Block callback for the OpaqueBuffer byte array.
 *
 * Visible steps: add the raw bytes to the tree under di->hf_index, look up
 * the netlogon_auth_vars for this packet, build a cipher from the stored
 * session key, decrypt a pool-allocated copy of the buffer in place, wrap
 * the copy in a child tvb, compare the little-endian 32-bit value at offset
 * 4 of the decrypted data with length - 8, report the outcome as expert
 * info, and add the decrypted bytes as the data source
 * "OpaqueBuffer (Decrypted)".
 *
 * This listing omits several lines of the function (the gutter numbers
 * skip), so the declaration of err, the return statements after each
 * failed step and any early length check are not visible here.
 *
 * NOTE(review): the expert-info messages print the first four bytes of the
 * session key together with the key origin. Captures annotated this way
 * carry partial key material; treat exported dissections accordingly.
 */
7709 netlogon_dissect_opaque_buffer_block(tvbuff_t
*tvb
, int offset
, int length
,
7710 packet_info
*pinfo
, proto_tree
*tree
,
7711 dcerpc_info
*di
, uint8_t *drep _U_
)
7713 int orig_offset
= offset
;
/* NOTE(review): is_server starts at 0; lines omitted from this listing may update it before the lookup below. */
7714 unsigned char is_server
= 0;
7715 netlogon_auth_vars
*vars
;
7717 gcry_cipher_hd_t cipher_hd
= NULL
;
7718 uint8_t *buffer
= NULL
;
7719 tvbuff_t
*dectvb
= NULL
;
7720 uint32_t expected_len
;
7721 uint32_t decrypted_len
;
/* Show the buffer exactly as it appeared on the wire. */
7723 proto_tree_add_item(tree
, di
->hf_index
, tvb
, offset
, length
, ENC_NA
);
7730 vars
= find_global_netlogon_auth_vars(pinfo
, is_server
);
/* Without stored auth vars there is no key to try; report that in the tree. */
7731 if (vars
== NULL
) {
7732 ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths
));
7733 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
7734 &ei_netlogon_session_key
,
7735 "No session key found");
7739 err
= prepare_session_key_cipher(vars
, &cipher_hd
);
7741 ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",
7742 gcry_strsource(err
), gcry_strerror(err
));
/* Work on a private copy so the captured bytes stay untouched. */
7746 buffer
= (uint8_t*)tvb_memdup(pinfo
->pool
, tvb
, orig_offset
, length
);
7747 if (buffer
== NULL
) {
7748 gcry_cipher_close(cipher_hd
);
/* A NULL input with length 0 asks libgcrypt to decrypt buffer in place. */
7752 err
= gcry_cipher_decrypt(cipher_hd
, buffer
, length
, NULL
, 0);
/* The handle is released right after the single decrypt call, before err is examined. */
7753 gcry_cipher_close(cipher_hd
);
/*
 * NOTE(review): this warning follows gcry_cipher_decrypt() but still names
 * prepare_session_key_cipher, so the log does not tell the two failures
 * apart. The label looks copy-pasted from the earlier check.
 */
7755 ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",
7756 gcry_strsource(err
), gcry_strerror(err
));
7760 dectvb
= tvb_new_child_real_data(tvb
, buffer
, length
, length
);
7761 if (dectvb
== NULL
) {
/*
 * Plausibility check on the decrypted data: the 32-bit little-endian value
 * at offset 4 must equal length - 8.
 * NOTE(review): length is an int taken from the packet and expected_len is
 * a uint32_t, so a length below 8 wraps to a very large value here. The
 * tvb accessor below is expected to raise a bounds exception for such a
 * short buffer rather than read out of range, but confirm that one of the
 * omitted lines rejects length < 8 earlier.
 */
7765 expected_len
= length
- 8;
7766 decrypted_len
= tvb_get_letohl(dectvb
, 4);
7767 if (decrypted_len
!= expected_len
) {
7768 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
7769 &ei_netlogon_session_key
,
7770 "Unusable session key learned in frame %d ("
7774 vars
->session_key
[0] & 0xFF, vars
->session_key
[1] & 0xFF,
7775 vars
->session_key
[2] & 0xFF, vars
->session_key
[3] & 0xFF,
7776 vars
->nthash
.key_origin
);
7780 expert_add_info_format(pinfo
, proto_tree_get_parent(tree
),
7781 &ei_netlogon_session_key
,
7782 "Using session key learned in frame %d ("
7786 vars
->session_key
[0] & 0xFF, vars
->session_key
[1] & 0xFF,
7787 vars
->session_key
[2] & 0xFF, vars
->session_key
[3] & 0xFF,
7788 vars
->nthash
.key_origin
);
/* Expose the plaintext as its own data source and as a tree item. */
7790 add_new_data_source(pinfo
, dectvb
, "OpaqueBuffer (Decrypted)");
7792 proto_tree_add_item(tree
, hf_netlogon_opaque_buffer_dec
, dectvb
, 0, length
, ENC_NA
);
/*
 * Dissect the OpaqueBuffer array as a single block.
 *
 * The array is handed to dissect_ndr_ucarray_block() with
 * netlogon_dissect_opaque_buffer_block as the per-block callback, which is
 * where decryption with a recovered session key is attempted. Returns the
 * offset reported by dissect_ndr_ucarray_block().
 */
static int
netlogon_dissect_opaque_buffer(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree,
        dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_ucarray_block(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_opaque_buffer_block);

    return offset;
}
7808 * IDL long NetrLogonSendToSam(
7809 * IDL [in][unique][string] wchar_t *ServerName,
7810 * IDL [in][ref][string] wchar_t *Workstation,
7811 * IDL [in][ref] AUTHENTICATOR *credential,
7812 * IDL [in][out][ref] AUTHENTICATOR *returnauthenticator,
7813 * IDL [in, size_is(OpaqueBufferSize)][ref] UCHAR * OpaqueBuffer,
7814 * IDL [in] ULONG OpaqueBufferSize
/*
 * NetrLogonSendToSam request.
 *
 * Wire order as dissected: server handle, "Computer Name" string (REF),
 * the credential AUTHENTICATOR, the OpaqueBuffer (REF pointer, shown under
 * hf_netlogon_opaque_buffer_enc and passed to the opaque-buffer dissector)
 * and the 32-bit buffer size. Returns the offset after the last field.
 */
static int
netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_REF, "Computer Name",
            hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
            "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_opaque_buffer, NDR_POINTER_REF,
            "OpaqueBuffer", hf_netlogon_opaque_buffer_enc);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_opaque_buffer_size, NULL);

    return offset;
}
/*
 * NetrLogonSendToSam reply.
 *
 * Consumes the return AUTHENTICATOR and the NTSTATUS return code, then
 * returns the resulting offset.
 */
static int
netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
            "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_rc, NULL);

    return offset;
}
/*
 * DsrAddressToSiteNamesW request.
 *
 * Wire order as dissected: server handle, a 32-bit value shown as
 * hf_netlogon_unknown_long and a unique pointer to a BYTE array. Returns
 * the offset after the last field.
 */
static int
netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
            "BYTE pointer: unknown_BYTE", -1);

    return offset;
}
/*
 * DsrAddressToSiteNamesW reply.
 *
 * Consumes a unique pointer handled by netlogon_dissect_TYPE_50_ptr and the
 * NTSTATUS return code, then returns the resulting offset.
 */
static int
netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
            "TYPE_50** pointer: unknown_TYPE_50", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_rc, NULL);

    return offset;
}
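/*
 * DsrGetDcNameEx2 request.
 *
 * Wire order as dissected: server handle, "Client Account" string, a
 * 32-bit value shown as hf_netlogon_unknown_long, the domain string, the
 * domain GUID pointer, "Client Site" string and a trailing 32-bit value
 * shown as hf_netlogon_unknown_long. All pointers are UNIQUE. Returns the
 * offset after the last field.
 */
static int
netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_UNIQUE, "Client Account",
            hf_netlogon_acct_name, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_unknown_long, NULL);

    /*
     * This pointer was labelled "Client Account" a second time although it
     * is registered under hf_netlogon_logon_dom. Use "Domain", the label
     * the other request dissectors in this file give to the same field, so
     * the two strings can be told apart in the tree.
     */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_UNIQUE, "Domain",
            hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            dissect_nt_GUID, NDR_POINTER_UNIQUE,
            "Domain GUID:", -1);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_UNIQUE, "Client Site",
            hf_netlogon_site_name, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_unknown_long, NULL);

    return offset;
}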
/*
 * DsrGetDcNameEx2 reply.
 *
 * Consumes a unique pointer to DOMAIN_CONTROLLER_INFO and the status code
 * (hf_netlogon_dos_rc), then returns the resulting offset.
 */
static int
netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
            "DOMAIN_CONTROLLER_INFO:", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_dos_rc, NULL);

    return offset;
}
/*
 * NetrLogonGetTimeServiceParentDomain request.
 *
 * The only field dissected here is the server handle; the offset after it
 * is returned.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
/*
 * NetrLogonGetTimeServiceParentDomain reply.
 *
 * Consumes a unique string shown as "unknown string", a unique pointer to
 * a 32-bit value shown as hf_netlogon_unknown_long and the NTSTATUS return
 * code, then returns the resulting offset.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
            NDR_POINTER_UNIQUE, "unknown string",
            hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
            "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_rc, NULL);

    return offset;
}
/*
 * NetrEnumerateTrustedDomainsEx request.
 *
 * The only field dissected here is the server handle; the offset after it
 * is returned.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
/*
 * NetrEnumerateTrustedDomainsEx reply.
 *
 * Consumes the 32-bit entry count, a unique pointer to the
 * DS_DOMAIN_TRUSTS array and the NTSTATUS return code, then returns the
 * resulting offset.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_entries, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
            "DS_DOMAIN_TRUSTS_ARRAY:", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_rc, NULL);

    return offset;
}
/*
 * DsrAddressToSiteNamesExW request.
 *
 * Wire order as dissected: server handle, a 32-bit value shown as
 * hf_netlogon_unknown_long and a unique pointer to a BYTE array. Returns
 * the offset after the last field.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
            "BYTE pointer: unknown_BYTE", -1);

    return offset;
}
/*
 * DsrAddressToSiteNamesExW reply.
 *
 * Consumes a unique pointer handled by netlogon_dissect_TYPE_52_ptr and the
 * NTSTATUS return code, then returns the resulting offset.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
            "TYPE_52 pointer: unknown_TYPE_52", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_rc, NULL);

    return offset;
}
/*
 * Dissect one site name as a counted string under hf_netlogon_site_name.
 *
 * cb_wstr_postprocess is installed as the callback with the argument
 * CB_STR_COL_INFO | 1. Returns the offset after the string.
 */
static int
netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string_cb(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_site_name, cb_wstr_postprocess,
            GINT_TO_POINTER(CB_STR_COL_INFO | 1));

    return offset;
}
/*
 * Dissect an array of site names.
 *
 * Each element is handled by netlogon_dissect_site_name_item through
 * dissect_ndr_ucarray(). Returns the offset after the array.
 */
static int
netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_site_name_item);

    return offset;
}
/*
 * Dissect a site-names structure: a 32-bit count followed by a unique
 * pointer to the site name array. Returns the offset after both fields.
 */
static int
netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_count, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
            "Site name array", -1);

    return offset;
}
/*
 * DsrGetDcSiteCoverageW request.
 *
 * The only field dissected here is the server handle; the offset after it
 * is returned.
 */
static int
netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
8072 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t
*tvb
, int offset
,
8073 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
8075 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8076 netlogon_dissect_site_names
, NDR_POINTER_UNIQUE
,
8079 offset
= dissect_ntstatus(tvb
, offset
, pinfo
, tree
, di
, drep
,
8080 hf_netlogon_rc
, NULL
);
8086 netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t
*tvb
, int offset
,
8087 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
8090 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
8091 NDR_POINTER_UNIQUE
, "LogonServer",
8092 hf_netlogon_computer_name
, 0);
8093 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
8094 NDR_POINTER_UNIQUE
, "Computer Name",
8095 hf_netlogon_computer_name
, 0);
8096 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
8097 hf_netlogon_level16
, NULL
);
8098 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8099 netlogon_dissect_LEVEL
, NDR_POINTER_REF
,
8100 "LEVEL: LogonLevel", -1);
8102 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
8103 hf_netlogon_validation_level
, NULL
);
8105 offset
= netlogon_dissect_EXTRA_FLAGS(tvb
, offset
, pinfo
, tree
, di
, drep
);
8108 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
8109 NDR_POINTER_UNIQUE
, "unknown string",
8110 hf_netlogon_unknown_string
, 0);
8112 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
8113 NDR_POINTER_UNIQUE
, "unknown string",
8114 hf_netlogon_unknown_string
, 0);
8116 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
8117 hf_netlogon_unknown_short
, NULL
);
8119 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8120 netlogon_dissect_LEVEL
, NDR_POINTER_UNIQUE
,
8121 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
8123 offset
= dissect_ndr_uint16(tvb
, offset
, pinfo
, tree
, di
, drep
,
8124 hf_netlogon_unknown_short
, NULL
);
8126 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8127 netlogon_dissect_pointer_long
, NDR_POINTER_UNIQUE
,
8128 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long
);
8135 netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t
*tvb
, int offset
,
8136 packet_info
*pinfo
, proto_tree
*tree
, dcerpc_info
*di
, uint8_t *drep
)
8138 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8139 netlogon_dissect_VALIDATION
, NDR_POINTER_REF
,
8142 offset
= dissect_ndr_uint8(tvb
, offset
, pinfo
, tree
, di
, drep
,
8143 hf_netlogon_authoritative
, NULL
);
8145 offset
= netlogon_dissect_EXTRA_FLAGS(tvb
, offset
, pinfo
, tree
, di
, drep
);
8147 offset
= dissect_ntstatus(tvb
, offset
, pinfo
, tree
, di
, drep
,
8148 hf_netlogon_rc
, NULL
);
8150 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8151 netlogon_dissect_VALIDATION
, NDR_POINTER_UNIQUE
,
8152 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
8154 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8155 netlogon_dissect_pointer_char
, NDR_POINTER_UNIQUE
,
8156 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char
);
8158 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8159 netlogon_dissect_pointer_long
, NDR_POINTER_UNIQUE
,
8160 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long
);
8162 offset
= dissect_ntstatus(tvb
, offset
, pinfo
, tree
, di
, drep
,
8163 hf_netlogon_rc
, NULL
);
8170 netlogon_dissect_netrservergettrustinfo_rqst(tvbuff_t
*tvb
,
8177 offset
= netlogon_dissect_LOGONSRV_HANDLE(tvb
, offset
,
8178 pinfo
, tree
, di
, drep
);
8180 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
8181 NDR_POINTER_REF
, "Acct Name",
8182 hf_netlogon_acct_name
, 0);
8184 offset
= netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb
, offset
,
8185 pinfo
, tree
, di
, drep
);
8187 offset
= dissect_ndr_str_pointer_item(tvb
, offset
, pinfo
, tree
, di
, drep
,
8188 NDR_POINTER_REF
, "Computer Name",
8189 hf_netlogon_computer_name
, 0);
8191 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8192 netlogon_dissect_AUTHENTICATOR
, NDR_POINTER_REF
,
8193 "AUTHENTICATOR: credential", -1);
/*
 * Dissect the UINT32 array of an NL_GENERIC_RPC_DATA structure.
 *
 * During a conformant run nothing is dissected and the offset is returned
 * unchanged. Otherwise each element is handled by
 * netlogon_dissect_DOMAIN_TRUST_ATTRIBS through dissect_ndr_ucarray().
 *
 * pinfo and drep are tagged _U_ in the signature although both are passed
 * on below.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA_UINT32_ARRAY(tvbuff_t *tvb, int offset,
        packet_info *pinfo _U_, proto_tree *tree,
        dcerpc_info *di, uint8_t *drep _U_)
{
    /* A conformant run only sizes conformant arrays; there is nothing to dissect. */
    if (!di->conformant_run) {
        offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                netlogon_dissect_DOMAIN_TRUST_ATTRIBS);
    }

    return offset;
}
/*
 * Dissect one string of an NL_GENERIC_RPC_DATA structure.
 *
 * During a conformant run nothing is dissected and the offset is returned
 * unchanged. Otherwise the counted string is added under
 * hf_netlogon_package_name with the CB_STR_SAVE flag.
 *
 * pinfo and drep are tagged _U_ in the signature although both are passed
 * on below.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA_STRING(tvbuff_t *tvb, int offset,
        packet_info *pinfo _U_, proto_tree *tree,
        dcerpc_info *di, uint8_t *drep _U_)
{
    /* A conformant run only sizes conformant arrays; there is nothing to dissect. */
    if (!di->conformant_run) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                hf_netlogon_package_name, 0|CB_STR_SAVE);
    }

    return offset;
}
/*
 * Dissect the string array of an NL_GENERIC_RPC_DATA structure.
 *
 * During a conformant run nothing is dissected and the offset is returned
 * unchanged. Otherwise each element is handled by
 * netlogon_dissect_NL_GENERIC_RPC_DATA_STRING through dissect_ndr_ucarray().
 *
 * pinfo and drep are tagged _U_ in the signature although both are passed
 * on below.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA_STRING_ARRAY(tvbuff_t *tvb, int offset,
        packet_info *pinfo _U_, proto_tree *tree,
        dcerpc_info *di, uint8_t *drep _U_)
{
    /* A conformant run only sizes conformant arrays; there is nothing to dissect. */
    if (!di->conformant_run) {
        offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                netlogon_dissect_NL_GENERIC_RPC_DATA_STRING);
    }

    return offset;
}
8247 netlogon_dissect_NL_GENERIC_RPC_DATA(tvbuff_t
*tvb
, int offset
,
8248 packet_info
*pinfo _U_
, proto_tree
*parent_tree
,
8249 dcerpc_info
*di
, uint8_t *drep _U_
)
8251 proto_item
*item
=NULL
;
8252 proto_tree
*tree
=NULL
;
8254 if(di
->conformant_run
){
8255 /*just a run to handle conformant arrays, nothing to dissect.*/
8260 tree
= proto_tree_add_subtree(parent_tree
, tvb
, offset
, -1,
8261 ett_NL_GENERIC_RPC_DATA
, &item
,
8262 "NL_GENERIC_RPC_DATA:");
8265 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
8266 hf_netlogon_trust_len
, NULL
);
8268 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8269 netlogon_dissect_NL_GENERIC_RPC_DATA_UINT32_ARRAY
,
8271 "UINT32 ARRAY pointer: ", -1);
8273 offset
= dissect_ndr_uint32(tvb
, offset
, pinfo
, tree
, di
, drep
,
8274 hf_netlogon_trust_len
, NULL
);
8276 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8277 netlogon_dissect_NL_GENERIC_RPC_DATA_STRING_ARRAY
,
8279 "STRING ARRAY pointer: ", -1);
8285 netlogon_dissect_netrservergettrustinfo_reply(tvbuff_t
*tvb
,
8292 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8293 netlogon_dissect_AUTHENTICATOR
, NDR_POINTER_REF
,
8294 "AUTHENTICATOR: return_authenticator", -1);
8296 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8297 netlogon_dissect_NT_OWF_PASSWORD
, NDR_POINTER_REF
,
8298 "NT_OWF_PASSWORD pointer: new_password", -1);
8300 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8301 netlogon_dissect_NT_OWF_PASSWORD
, NDR_POINTER_REF
,
8302 "NT_OWF_PASSWORD pointer: old_password", -1);
8304 offset
= dissect_ndr_pointer(tvb
, offset
, pinfo
, tree
, di
, drep
,
8305 netlogon_dissect_NL_GENERIC_RPC_DATA
, NDR_POINTER_UNIQUE
,
8306 "NL_GENERIC_RPC_DATA pointer: trust_info", -1);
8308 offset
= dissect_ntstatus(tvb
, offset
, pinfo
, tree
, di
, drep
,
8309 hf_netlogon_rc
, NULL
);
/*
 * DsrEnumerateDomainTrusts request.
 *
 * Consumes the server handle followed by the domain trust flags and
 * returns the resulting offset.
 */
static int
netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
/*
 * DsrEnumerateDomainTrusts reply.
 *
 * Consumes the 32-bit entry count, a unique pointer to the
 * DS_DOMAIN_TRUSTS array and the status code (hf_netlogon_dos_rc), then
 * returns the resulting offset.
 */
static int
netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_entries, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
            netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
            "DS_DOMAIN_TRUSTS_ARRAY:", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
            hf_netlogon_dos_rc, NULL);

    return offset;
}
/*
 * Request dissector for DsrDeregisterDnsHostRecords.
 *
 * Wire order: server handle, optional domain name, optional domain GUID,
 * optional DSA GUID, then the DNS host name (a reference pointer).
 *
 * Returns the offset just past the DNS host name.
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
                                                  packet_info *pinfo, proto_tree *tree,
                                                  dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);

    /* Both GUIDs are unique pointers and share the generic NT GUID dissector. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: domain_guid", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: dsa_guid", -1);

    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
}
/*
 * Reply dissector for DsrDeregisterDnsHostRecords.
 *
 * The reply consists only of the return code, shown via hf_netlogon_rc.
 * Returns the offset just past it.
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
8381 * IDL long NetrChainSetClientAttributes(
8384 NetrChainSetClientAttributes(
8385 [in,string,ref] LOGONSRV_HANDLE PrimaryName,
8386 [in,string,ref] wchar_t * ChainedFromServerName,
8387 [in,string,ref] wchar_t * ChainedForClientName,
8388 [in,ref] PNETLOGON_AUTHENTICATOR Authenticator,
8389 [in,out,ref] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
8390 [in] DWORD dwInVersion,
8391 [in,ref] [switch_is(dwInVersion)]
8392 NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES *pmsgIn,
8393 [in,out,ref] DWORD * pdwOutVersion,
8394 [in,out,ref] [switch_is(*pdwOutVersion)]
8395 NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES *pmsgOut
8398 typedef struct _NL_OSVERSIONINFO_V1{
8399 DWORD dwOSVersionInfoSize;
8400 DWORD dwMajorVersion;
8401 DWORD dwMinorVersion;
8402 DWORD dwBuildNumber;
8404 wchar_t szCSDVersion[128];
8405 USHORT wServicePackMajor;
8406 USHORT wServicePackMinor;
8410 } NL_OSVERSIONINFO_V1;
8411 typedef struct _NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1{
8412 [unique,string] wchar_t * ClientDnsHostName;
8413 [unique] NL_OSVERSIONINFO_V1 *OsVersionInfo_V1;
8414 [unique,string] wchar_t * OsName;
8415 } NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1;
8416 typedef [switch_type(DWORD)] union{
8417 [case(1)] NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1 V1;
8418 } NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES;
8419 typedef struct _NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1{
8420 [unique,string] wchar_t *HubName;
8421 [unique,string] wchar_t **OldDnsHostName;
8422 [unique] ULONG * SupportedEncTypes;
8423 } NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1;
8424 typedef [switch_type(DWORD)] union{
8425 [case(1)] NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 V1;
8426 } NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES;
8429 netlogon_dissect_NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES(tvbuff_t *tvb, int offset,
8430 packet_info *pinfo, proto_tree *tree,
8431 dcerpc_info *di, uint8_t *drep)
8435 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8436 hf_netlogon_level, &level);
8439 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8440 netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
8441 "LSA POLICY INFO", -1);
/*
 * Request dissector for NetrChainSetClientAttributes.
 *
 * Wire order: server handle, ChainedFromServerName, ChainedForClientName,
 * the credential and return authenticators, the input version and message
 * pointer, then the output version and message pointer.
 *
 * NOTE(review): both message pointers are handed to dissect_ndr_pointer()
 * with a NULL callback, so presumably the union bodies are not decoded
 * here even though netlogon_dissect_NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES
 * exists in this file -- confirm that is intended.
 *
 * Returns the offset just past the last dissected field.
 */
static int
netlogon_dissect_netrchainsetclientattributes_rqst(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo,
                                                   proto_tree *tree,
                                                   dcerpc_info *di,
                                                   uint8_t *drep)
{
    /* Three reference string pointers: handle and the two chained names. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "ChainedFromServerName",
                                          hf_netlogon_computer_name, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "ChainedForClientName",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* in_version, followed by the input message pointer */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 NULL, NDR_POINTER_REF,
                                 "IN_CHAIN_SET_CLIENT_ATTRIBUTES", -1);

    /* out_version, followed by the output message pointer */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               NULL, NDR_POINTER_REF,
                               "OUT_CHAIN_SET_CLIENT_ATTRIBUTES", -1);
}
/*
 * Reply dissector for NetrChainSetClientAttributes.
 *
 * Wire order: return authenticator, output version, output message pointer
 * and the return code.
 *
 * NOTE(review): the output message pointer is dissected with a NULL
 * callback, so presumably its body is not decoded here -- confirm.
 *
 * Returns the offset just past the return code.
 */
static int
netlogon_dissect_netrchainsetclientattributes_reply(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo,
                                                    proto_tree *tree,
                                                    dcerpc_info *di,
                                                    uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* out_version, followed by the output message pointer */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 NULL, NDR_POINTER_REF,
                                 "OUT_CHAIN_SET_CLIENT_ATTRIBUTES", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
8515 /* Dissect secure channel stuff */
8517 static int hf_netlogon_secchan_nl_message_type
;
8518 static int hf_netlogon_secchan_nl_message_flags
;
8519 static int hf_netlogon_secchan_nl_message_flags_nb_domain
;
8520 static int hf_netlogon_secchan_nl_message_flags_nb_host
;
8521 static int hf_netlogon_secchan_nl_message_flags_dns_domain
;
8522 static int hf_netlogon_secchan_nl_message_flags_dns_host
;
8523 static int hf_netlogon_secchan_nl_message_flags_nb_host_utf8
;
8524 static int hf_netlogon_secchan_nl_nb_domain
;
8525 static int hf_netlogon_secchan_nl_nb_host
;
8526 static int hf_netlogon_secchan_nl_dns_domain
;
8527 static int hf_netlogon_secchan_nl_dns_host
;
8528 static int hf_netlogon_secchan_nl_nb_host_utf8
;
8530 static int ett_secchan_verf
;
8531 static int ett_secchan_nl_auth_message
;
8532 static int ett_secchan_nl_auth_message_flags
;
8534 static const value_string nl_auth_types
[] = {
8535 { 0x00000000, "Request"},
8536 { 0x00000001, "Response"},
8541 /* MS-NRPC : 2.2.1.3.1 NL_AUTH_MESSAGE */
8542 static int dissect_secchan_nl_auth_message(tvbuff_t
*tvb
, int offset
,
8544 proto_tree
*tree
, dcerpc_info
*di _U_
, uint8_t *drep
)
8546 dcerpc_auth_info
*auth_info
= di
->auth_info
;
8547 proto_item
*item
= NULL
;
8548 proto_tree
*subtree
= NULL
;
8549 uint32_t messagetype
;
8550 uint64_t messageflags
;
8551 static int * const flag_fields
[] = {
8552 &hf_netlogon_secchan_nl_message_flags_nb_domain
,
8553 &hf_netlogon_secchan_nl_message_flags_nb_host
,
8554 &hf_netlogon_secchan_nl_message_flags_dns_domain
,
8555 &hf_netlogon_secchan_nl_message_flags_dns_host
,
8556 &hf_netlogon_secchan_nl_message_flags_nb_host_utf8
,
8560 netlogon_auth_vars
*vars
= NULL
;
8561 unsigned char is_server
;
8564 subtree
= proto_tree_add_subtree(
8565 tree
, tvb
, offset
, -1, ett_secchan_nl_auth_message
, &item
,
8566 "Secure Channel NL_AUTH_MESSAGE");
8569 /* We can't use the NDR routines as the DCERPC call data hasn't
8570 been initialised since we haven't made a DCERPC call yet, just
8574 offset
= dissect_dcerpc_uint32(
8575 tvb
, offset
, pinfo
, subtree
, drep
,
8576 hf_netlogon_secchan_nl_message_type
, &messagetype
);
8579 proto_tree_add_bitmask_ret_uint64(subtree
, tvb
, offset
,
8580 hf_netlogon_secchan_nl_message_flags
,
8581 ett_secchan_nl_auth_message_flags
,
8583 (drep
[0] & DREP_LITTLE_ENDIAN
) ?
8591 /* netbios domain name */
8592 if (messageflags
&0x00000001) {
8593 len
= tvb_strsize(tvb
, offset
);
8594 proto_tree_add_item(subtree
, hf_netlogon_secchan_nl_nb_domain
, tvb
, offset
, len
, ENC_ASCII
);
8598 /* netbios host name */
8599 if (messageflags
&0x00000002) {
8600 len
= tvb_strsize(tvb
, offset
);
8601 proto_tree_add_item(subtree
, hf_netlogon_secchan_nl_nb_host
, tvb
, offset
, len
, ENC_ASCII
);
8605 /* DNS domain name */
8606 if (messageflags
&0x00000004) {
8607 int old_offset
=offset
;
8610 offset
=dissect_mscldap_string(pinfo
->pool
, tvb
, offset
, 255, &str
);
8611 proto_tree_add_string(subtree
, hf_netlogon_secchan_nl_dns_domain
, tvb
, old_offset
, offset
-old_offset
, str
);
8615 if (messageflags
&0x00000008) {
8616 int old_offset
=offset
;
8619 offset
=dissect_mscldap_string(pinfo
->pool
, tvb
, offset
, 255, &str
);
8620 proto_tree_add_string(subtree
, hf_netlogon_secchan_nl_dns_host
, tvb
, old_offset
, offset
-old_offset
, str
);
8623 /* NetBios host name (UTF8) */
8624 if (messageflags
&0x00000010) {
8625 int old_offset
=offset
;
8628 offset
=dissect_mscldap_string(pinfo
->pool
, tvb
, offset
, 255, &str
);
8629 proto_tree_add_string(subtree
, hf_netlogon_secchan_nl_nb_host_utf8
, tvb
, old_offset
, offset
-old_offset
, str
);
8632 switch (di
->ptype
) {
8648 vars
= find_or_create_schannel_netlogon_auth_vars(pinfo
, auth_info
, is_server
);
8650 expert_add_info_format(pinfo
, proto_tree_get_parent(subtree
),
8651 &ei_netlogon_session_key
,
8652 "Using session key learned in frame %d ("
8656 vars
->session_key
[0] & 0xFF,
8657 vars
->session_key
[1] & 0xFF,
8658 vars
->session_key
[2] & 0xFF,
8659 vars
->session_key
[3] & 0xFF,
8660 vars
->nthash
.key_origin
);
8664 ws_debug("Vars not found (is null %d) %d (dissect_verf)",vars
==NULL
,wmem_map_size(netlogon_auths
));
8672 static const dcerpc_sub_dissector dcerpc_netlogon_dissectors
[] = {
8673 { NETLOGON_NETRLOGONUASLOGON
, "NetrLogonUasLogon",
8674 netlogon_dissect_netrlogonuaslogon_rqst
,
8675 netlogon_dissect_netrlogonuaslogon_reply
},
8676 { NETLOGON_NETRLOGONUASLOGOFF
, "NetrLogonUasLogoff",
8677 netlogon_dissect_netrlogonuaslogoff_rqst
,
8678 netlogon_dissect_netrlogonuaslogoff_reply
},
8679 { NETLOGON_NETRLOGONSAMLOGON
, "NetrLogonSamLogon",
8680 netlogon_dissect_netrlogonsamlogon_rqst
,
8681 netlogon_dissect_netrlogonsamlogon_reply
},
8682 { NETLOGON_NETRLOGONSAMLOGOFF
, "NetrLogonSamLogoff",
8683 netlogon_dissect_netrlogonsamlogoff_rqst
,
8684 netlogon_dissect_netrlogonsamlogoff_reply
},
8685 { NETLOGON_NETRSERVERREQCHALLENGE
, "NetrServerReqChallenge",
8686 netlogon_dissect_netrserverreqchallenge_rqst
,
8687 netlogon_dissect_netrserverreqchallenge_reply
},
8688 { NETLOGON_NETRSERVERAUTHENTICATE
, "NetrServerAuthenticate",
8689 netlogon_dissect_netrserverauthenticate_rqst
,
8690 netlogon_dissect_netrserverauthenticate_reply
},
8691 { NETLOGON_NETRSERVERPASSWORDSET
, "NetrServerPasswordSet",
8692 netlogon_dissect_netrserverpasswordset_rqst
,
8693 netlogon_dissect_netrserverpasswordset_reply
},
8694 { NETLOGON_NETRDATABASEDELTAS
, "NetrDatabaseDeltas",
8695 netlogon_dissect_netrdatabasedeltas_rqst
,
8696 netlogon_dissect_netrdatabasedeltas_reply
},
8697 { NETLOGON_NETRDATABASESYNC
, "NetrDatabaseSync",
8698 netlogon_dissect_netrdatabasesync_rqst
,
8699 netlogon_dissect_netrdatabasesync_reply
},
8700 { NETLOGON_NETRACCOUNTDELTAS
, "NetrAccountDeltas",
8701 netlogon_dissect_netraccountdeltas_rqst
,
8702 netlogon_dissect_netraccountdeltas_reply
},
8703 { NETLOGON_NETRACCOUNTSYNC
, "NetrAccountSync",
8704 netlogon_dissect_netraccountsync_rqst
,
8705 netlogon_dissect_netraccountsync_reply
},
8706 { NETLOGON_NETRGETDCNAME
, "NetrGetDCName",
8707 netlogon_dissect_netrgetdcname_rqst
,
8708 netlogon_dissect_netrgetdcname_reply
},
8709 { NETLOGON_NETRLOGONCONTROL
, "NetrLogonControl",
8710 netlogon_dissect_netrlogoncontrol_rqst
,
8711 netlogon_dissect_netrlogoncontrol_reply
},
8712 { NETLOGON_NETRGETANYDCNAME
, "NetrGetAnyDCName",
8713 netlogon_dissect_netrgetanydcname_rqst
,
8714 netlogon_dissect_netrgetanydcname_reply
},
8715 { NETLOGON_NETRLOGONCONTROL2
, "NetrLogonControl2",
8716 netlogon_dissect_netrlogoncontrol2_rqst
,
8717 netlogon_dissect_netrlogoncontrol2_reply
},
8718 { NETLOGON_NETRSERVERAUTHENTICATE2
, "NetrServerAuthenticate2",
8719 netlogon_dissect_netrserverauthenticate2_rqst
,
8720 netlogon_dissect_netrserverauthenticate2_reply
},
8721 { NETLOGON_NETRDATABASESYNC2
, "NetrDatabaseSync2",
8722 netlogon_dissect_netrdatabasesync2_rqst
,
8723 netlogon_dissect_netrdatabasesync2_reply
},
8724 { NETLOGON_NETRDATABASEREDO
, "NetrDatabaseRedo",
8725 netlogon_dissect_netrdatabaseredo_rqst
,
8726 netlogon_dissect_netrdatabaseredo_reply
},
8727 { NETLOGON_NETRLOGONCONTROL2EX
, "NetrLogonControl2Ex",
8728 netlogon_dissect_netrlogoncontrol2ex_rqst
,
8729 netlogon_dissect_netrlogoncontrol2ex_reply
},
8730 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS
, "NetrEnumerateTrustedDomains",
8731 netlogon_dissect_netrenumeratetrusteddomains_rqst
,
8732 netlogon_dissect_netrenumeratetrusteddomains_reply
},
8733 { NETLOGON_DSRGETDCNAME
, "DsrGetDcName",
8734 netlogon_dissect_dsrgetdcname_rqst
,
8735 netlogon_dissect_dsrgetdcname_reply
},
8736 { NETLOGON_NETRLOGONDUMMYROUTINE1
, "NetrLogonGetCapabilities",
8737 netlogon_dissect_netrlogondummyroutine1_rqst
,
8738 netlogon_dissect_netrlogondummyroutine1_reply
},
8739 { NETLOGON_NETRLOGONSETSERVICEBITS
, "NetrLogonSetServiceBits",
8740 netlogon_dissect_netrlogonsetservicebits_rqst
,
8741 netlogon_dissect_netrlogonsetservicebits_reply
},
8742 { NETLOGON_NETRLOGONGETTRUSTRID
, "NetrLogonGetTrustRid",
8743 netlogon_dissect_netrlogongettrustrid_rqst
,
8744 netlogon_dissect_netrlogongettrustrid_reply
},
8745 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST
, "NetrLogonComputeServerDigest",
8746 netlogon_dissect_netrlogoncomputeserverdigest_rqst
,
8747 netlogon_dissect_netrlogoncomputeserverdigest_reply
},
8748 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST
, "NetrLogonComputeClientDigest",
8749 netlogon_dissect_netrlogoncomputeclientdigest_rqst
,
8750 netlogon_dissect_netrlogoncomputeclientdigest_reply
},
8751 { NETLOGON_NETRSERVERAUTHENTICATE3
, "NetrServerAuthenticate3",
8752 netlogon_dissect_netrserverauthenticate3_rqst
,
8753 netlogon_dissect_netrserverauthenticate3_reply
},
8754 { NETLOGON_DSRGETDCNAMEX
, "DsrGetDcNameEx",
8755 netlogon_dissect_dsrgetdcnameex_rqst
,
8756 netlogon_dissect_dsrgetdcnameex_reply
},
8757 { NETLOGON_DSRGETSITENAME
, "DsrGetSiteName",
8758 netlogon_dissect_dsrgetsitename_rqst
,
8759 netlogon_dissect_dsrgetsitename_reply
},
8760 { NETLOGON_NETRLOGONGETDOMAININFO
, "NetrLogonGetDomainInfo",
8761 netlogon_dissect_netrlogongetdomaininfo_rqst
,
8762 netlogon_dissect_netrlogongetdomaininfo_reply
},
8763 { NETLOGON_NETRSERVERPASSWORDSET2
, "NetrServerPasswordSet2",
8764 netlogon_dissect_netrserverpasswordset2_rqst
,
8765 netlogon_dissect_netrserverpasswordset2_reply
},
8766 { NETLOGON_NETRSERVERPASSWORDGET
, "NetrServerPasswordGet",
8767 netlogon_dissect_netrserverpasswordget_rqst
,
8768 netlogon_dissect_netrserverpasswordget_reply
},
8769 { NETLOGON_NETRLOGONSENDTOSAM
, "NetrLogonSendToSam",
8770 netlogon_dissect_netrlogonsendtosam_rqst
,
8771 netlogon_dissect_netrlogonsendtosam_reply
},
8772 { NETLOGON_DSRADDRESSTOSITENAMESW
, "DsrAddressToSiteNamesW",
8773 netlogon_dissect_dsraddresstositenamesw_rqst
,
8774 netlogon_dissect_dsraddresstositenamesw_reply
},
8775 { NETLOGON_DSRGETDCNAMEEX2
, "DsrGetDcNameEx2",
8776 netlogon_dissect_dsrgetdcnameex2_rqst
,
8777 netlogon_dissect_dsrgetdcnameex2_reply
},
8778 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN
,
8779 "NetrLogonGetTimeServiceParentDomain",
8780 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst
,
8781 netlogon_dissect_netrlogongettimeserviceparentdomain_reply
},
8782 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX
, "NetrEnumerateTrustedDomainsEx",
8783 netlogon_dissect_netrenumeratetrusteddomainsex_rqst
,
8784 netlogon_dissect_netrenumeratetrusteddomainsex_reply
},
8785 { NETLOGON_DSRADDRESSTOSITENAMESEXW
, "DsrAddressToSiteNamesExW",
8786 netlogon_dissect_dsraddresstositenamesexw_rqst
,
8787 netlogon_dissect_dsraddresstositenamesexw_reply
},
8788 { NETLOGON_DSRGETDCSITECOVERAGEW
, "DsrGetDcSiteCoverageW",
8789 netlogon_dissect_dsrgetdcsitecoveragew_rqst
,
8790 netlogon_dissect_dsrgetdcsitecoveragew_reply
},
8791 { NETLOGON_NETRLOGONSAMLOGONEX
, "NetrLogonSamLogonEx",
8792 netlogon_dissect_netrlogonsamlogonex_rqst
,
8793 netlogon_dissect_netrlogonsamlogonex_reply
},
8794 { NETLOGON_DSRENUMERATEDOMAINTRUSTS
, "DsrEnumerateDomainTrusts",
8795 netlogon_dissect_dsrenumeratedomaintrusts_rqst
,
8796 netlogon_dissect_dsrenumeratedomaintrusts_reply
},
8797 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS
, "DsrDeregisterDnsHostRecords",
8798 netlogon_dissect_dsrderegisterdnshostrecords_rqst
,
8799 netlogon_dissect_dsrderegisterdnshostrecords_reply
},
8800 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET
, "NetrServerTrustPasswordsGet",
8802 { NETLOGON_DSRGETFORESTTRUSTINFORMATION
, "DsrGetForestTrustInformation",
8804 { NETLOGON_NETRGETFORESTTRUSTINFORMATION
, "NetrGetForestTrustInformation",
8806 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS
, "NetrLogonSamLogonWithFlags",
8807 netlogon_dissect_netrlogonsamlogonflags_rqst
,
8808 netlogon_dissect_netrlogonsamlogonflags_reply
},
8809 { NETLOGON_NETRSERVERGETTRUSTINFO
, "NetrServerGetTrustInfo",
8810 netlogon_dissect_netrservergettrustinfo_rqst
,
8811 netlogon_dissect_netrservergettrustinfo_reply
},
8812 { NETLOGON_DSRUPDATEREADONLYSERVERDNSRECORDS
, "DsrUpdateReadOnlyServerDnsRecords",
8814 { NETLOGON_NETRCHAINSETCLIENTATTRIBUTES
, "NetrChainSetClientAttributes",
8815 netlogon_dissect_netrchainsetclientattributes_rqst
,
8816 netlogon_dissect_netrchainsetclientattributes_reply
},
8817 { NETLOGON_NETRSERVERAUTHENTICATEKERBEROS
, "NetrServerAuthenticateKerberos",
8818 netlogon_dissect_netrserverauthenticatekerberos_rqst
,
8819 netlogon_dissect_netrserverauthenticatekerberos_reply
},
8820 {0, NULL
, NULL
, NULL
}
8823 static int hf_netlogon_secchan_verf
;
8824 static int hf_netlogon_secchan_verf_signalg
;
8825 static int hf_netlogon_secchan_verf_sealalg
;
8826 static int hf_netlogon_secchan_verf_flag
;
8827 static int hf_netlogon_secchan_verf_digest
;
8828 static int hf_netlogon_secchan_verf_seq
;
8829 static int hf_netlogon_secchan_verf_nonce
;
8831 static const value_string sign_algs
[] = {
8832 { 0x0077, "HMAC-MD5"},
8833 { 0x0013, "HMAC-SHA256"},
8837 static const value_string seal_algs
[] = {
8838 { 0xFFFF, "Not Encrypted"},
8840 { 0x001A, "AES-128"},
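/*
 * Derive the 16-byte sealing key from a Netlogon session key.
 *
 * Each of the first key_len bytes of session_key is XORed with 0xF0 and
 * written to seal_key. seal_key must have room for 16 bytes; it is always
 * zeroed first, so any bytes past key_len stay zero.
 *
 * session_key must point to at least 16 readable bytes, because the
 * all-zero test always compares 16 bytes.
 *
 * key_len is clamped to 16 so that a larger value from a caller cannot
 * write past the end of seal_key or read past the 16 session-key bytes.
 *
 * Returns 1 when a key was derived, 0 when the session key is all zeroes
 * (treated as "no session key known").
 */
static int get_seal_key(const uint8_t *session_key,int key_len,uint8_t* seal_key)
{
    enum { SEAL_KEY_LEN = 16 };
    static const uint8_t zero_sk[SEAL_KEY_LEN] = { 0 };
    int i;

    memset(seal_key, 0, SEAL_KEY_LEN);

    if (memcmp(session_key, zero_sk, SEAL_KEY_LEN) == 0) {
        return 0;
    }

    if (key_len > SEAL_KEY_LEN) {
        key_len = SEAL_KEY_LEN;
    }

    for (i = 0; i < key_len; i++) {
        seal_key[i] = session_key[i] ^ 0xF0;
    }

    return 1;
}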
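/*
 * Decrypt the 8-byte sequence number of a secure channel verifier (AES).
 *
 * Uses AES-128 in CFB8 mode, keyed with the first 16 bytes of session_key.
 * The 16-byte IV is the 8-byte checksum repeated twice. enc_seq is
 * decrypted in place and returned.
 *
 * session_key must hold at least 16 bytes; the key length is fixed here.
 *
 * Returns the decrypted sequence, or 0 if any libgcrypt step fails. A
 * genuine sequence of 0 cannot be told apart from a failure by the caller.
 */
static uint64_t uncrypt_sequence_aes(uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U_)
{
    gcry_error_t err;
    gcry_cipher_hd_t cipher_hd = NULL;
    uint8_t iv[16] = { 0 };

    /* IV = checksum || checksum */
    memcpy(&iv[0], &checksum, 8);
    memcpy(&iv[8], &checksum, 8);

    /* Open the cipher; nothing to release if this fails */
    err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
    if (err != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        return 0;
    }

    /* Set the initial value */
    err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
    if (err != 0) {
        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto fail;
    }

    /* Set the key */
    err = gcry_cipher_setkey(cipher_hd, session_key, 16);
    if (err != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto fail;
    }

    /* Decrypt in place; the message used to say "encrypt" for this step */
    err = gcry_cipher_decrypt(cipher_hd, (uint8_t*) &enc_seq, 8, NULL, 0);
    if (err != 0) {
        ws_warning("GCRY: decrypt %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto fail;
    }

    /* Done with the cipher */
    gcry_cipher_close(cipher_hd);
    return enc_seq;

fail:
    gcry_cipher_close(cipher_hd);
    return 0;
}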
8904 static uint64_t uncrypt_sequence_strong(uint8_t* session_key
,uint64_t checksum
,uint64_t enc_seq
,unsigned char is_server _U_
)
8906 uint8_t zeros
[4] = { 0 };
8907 uint8_t buf
[HASH_MD5_LENGTH
];
8908 uint8_t key
[HASH_MD5_LENGTH
];
8909 gcry_cipher_hd_t rc4_handle
;
8910 uint8_t *p_seq
= (uint8_t*) &enc_seq
;
8913 if (ws_hmac_buffer(GCRY_MD_MD5
, buf
, zeros
, 4, session_key
, 16)) {
8917 if (ws_hmac_buffer(GCRY_MD_MD5
, key
, (uint8_t*)&checksum
, 8, buf
, HASH_MD5_LENGTH
)) {
8921 if (!gcry_cipher_open (&rc4_handle
, GCRY_CIPHER_ARCFOUR
, GCRY_CIPHER_MODE_STREAM
, 0)) {
8922 if (!gcry_cipher_setkey(rc4_handle
, key
, HASH_MD5_LENGTH
)) {
8923 gcry_cipher_decrypt(rc4_handle
, p_seq
, 8, NULL
, 0);
8925 gcry_cipher_close(rc4_handle
);
8927 /*temp = *((uint32_t*)p_seq);
8928 *((uint32_t*)p_seq) = *((uint32_t*)p_seq+1);
8929 *((uint32_t*)p_seq+1) = temp;
8932 *p_seq = *p_seq & 0x7F;
/*
 * Decrypt a verifier sequence number with the algorithm selected by the
 * negotiated flags.
 *
 * NETLOGON_FLAG_AES takes precedence over NETLOGON_FLAG_STRONGKEY. When
 * neither flag is set no decryption is attempted and 0 is returned.
 */
static uint64_t uncrypt_sequence(uint32_t flags, uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U_)
{
    uint64_t seq = 0;

    if (flags & NETLOGON_FLAG_AES) {
        seq = uncrypt_sequence_aes(session_key, checksum, enc_seq, is_server);
    } else if (flags & NETLOGON_FLAG_STRONGKEY) {
        seq = uncrypt_sequence_strong(session_key, checksum, enc_seq, is_server);
    }

    return seq;
}
/*
 * Build an AES-128/CFB8 cipher handle for decrypting sealed payload data.
 *
 * The key is the first 16 bytes of vars->encryption_key and the 16-byte IV
 * is vars->seq repeated twice.
 *
 * On success the handle is stored in *_cipher_hd and 0 is returned; the
 * caller must gcry_cipher_close() it. On failure the libgcrypt error is
 * returned, *_cipher_hd is left untouched and any handle opened here has
 * already been closed.
 */
static gcry_error_t
prepare_decryption_cipher_aes(netlogon_auth_vars *vars,
                              gcry_cipher_hd_t *_cipher_hd)
{
    gcry_cipher_hd_t handle = NULL;
    gcry_error_t status;
    uint64_t seq = vars->seq;
    uint8_t iv[16] = { 0 };

    /* IV = sequence || sequence */
    memcpy(&iv[0], (uint8_t*)&seq, 8);
    memcpy(&iv[8], (uint8_t*)&seq, 8);

    /* Open the cipher */
    status = gcry_cipher_open(&handle, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
    if (status != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(status), gcry_strerror(status));
        return status;
    }

    /* Set the initial value, then the key; stop at the first failure */
    status = gcry_cipher_setiv(handle, iv, sizeof(iv));
    if (status != 0) {
        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(status), gcry_strerror(status));
    } else {
        status = gcry_cipher_setkey(handle, vars->encryption_key, 16);
        if (status != 0) {
            ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(status), gcry_strerror(status));
        }
    }

    if (status != 0) {
        gcry_cipher_close(handle);
        return status;
    }

    *_cipher_hd = handle;
    return 0;
}
/*
 * Build an RC4 (ARCFOUR stream) cipher handle for decrypting sealed
 * payload data on a "strong key" channel.
 *
 * The RC4 key comes from two chained HMAC-MD5 computations: the first
 * combines four zero bytes with the first 16 bytes of vars->encryption_key,
 * the second combines the 8-byte vars->seq with the first digest. The first
 * 16 bytes of the second digest are used as the key.
 *
 * On success the handle is stored in *_cipher_hd and 0 is returned; the
 * caller must gcry_cipher_close() it. On failure the libgcrypt error is
 * returned and *_cipher_hd is left untouched.
 */
static gcry_error_t
prepare_decryption_cipher_strong(netlogon_auth_vars *vars,
                                 gcry_cipher_hd_t *_cipher_hd)
{
    gcry_cipher_hd_t handle = NULL;
    gcry_error_t status;
    uint64_t seq = vars->seq;
    uint8_t zero4[4] = { 0 };
    uint8_t digest[HASH_MD5_LENGTH] = { 0 };
    uint8_t rc4_key[16] = { 0 };

    status = ws_hmac_buffer(GCRY_MD_MD5, digest, zero4, 4, vars->encryption_key, 16);
    if (status != 0) {
        ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(status), gcry_strerror(status));
        return status;
    }

    status = ws_hmac_buffer(GCRY_MD_MD5, rc4_key, (uint8_t*)&seq, 8, digest, HASH_MD5_LENGTH);
    if (status != 0) {
        ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(status), gcry_strerror(status));
        return status;
    }

    /* Open the cipher */
    status = gcry_cipher_open(&handle, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0);
    if (status != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(status), gcry_strerror(status));
        return status;
    }

    /* Key the cipher; the handle is released here if that fails */
    status = gcry_cipher_setkey(handle, rc4_key, 16);
    if (status != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(status), gcry_strerror(status));
        gcry_cipher_close(handle);
        return status;
    }

    *_cipher_hd = handle;
    return 0;
}
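/*
 * Select and prepare the payload decryption cipher for a secure channel.
 *
 * NETLOGON_FLAG_AES takes precedence over NETLOGON_FLAG_STRONGKEY. If
 * neither flag is set, GPG_ERR_UNSUPPORTED_ALGORITHM is returned.
 *
 * *_cipher_hd is cleared first, so on every failure path the caller sees
 * NULL rather than a stale handle. On success (return value 0) it holds an
 * open handle that the caller must gcry_cipher_close().
 */
static gcry_error_t
prepare_decryption_cipher(netlogon_auth_vars *vars,
                          gcry_cipher_hd_t *_cipher_hd)
{
    *_cipher_hd = NULL;

    if (vars->flags & NETLOGON_FLAG_AES) {
        return prepare_decryption_cipher_aes(vars, _cipher_hd);
    }

    if (vars->flags & NETLOGON_FLAG_STRONGKEY) {
        return prepare_decryption_cipher_strong(vars, _cipher_hd);
    }

    return GPG_ERR_UNSUPPORTED_ALGORITHM;
}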
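/*
 * Decrypt the sealed payload of a secure channel PDU.
 *
 * Looks up the per-session state for this packet. If a usable key is known
 * (vars->can_decrypt), everything from offset to the end of the captured
 * data is copied and decrypted in place.
 *
 * The cipher is first run over a copy of the confounder. On non-AES
 * channels it is then reset before the payload is decrypted; on AES
 * channels decryption continues without a reset.
 *
 * The payload is copied before the cipher handle is opened, so a failure
 * in the tvb copy cannot leave an open handle behind. The libgcrypt
 * decrypt calls are checked, and no buffer is returned if one fails.
 *
 * Returns a child tvb holding the decrypted bytes, or NULL when the
 * session state is missing, no key is known, or a crypto step fails.
 * Note: caller does add_new_data_source(...).
 */
static tvbuff_t *
dissect_packet_data(tvbuff_t *tvb ,tvbuff_t *auth_tvb _U_,
                    int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info _U_,unsigned char is_server)
{
    netlogon_auth_vars *vars;
    gcry_cipher_hd_t cipher_hd = NULL;
    gcry_error_t err;
    uint64_t copyconfounder;
    uint8_t *decrypted;
    int data_len;

    vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
    if (vars == NULL) {
        ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths));
        return NULL;
    }

    if (!vars->can_decrypt) {
        ws_debug("Session key not found can't decrypt ...");
        return NULL;
    }

    data_len = tvb_captured_length_remaining(tvb, offset);
    if (data_len < 0) {
        return NULL;
    }

    /* Packet-scoped copy; decrypted in place below. */
    decrypted = (uint8_t*)tvb_memdup(pinfo->pool, tvb, offset, data_len);

    err = prepare_decryption_cipher(vars, &cipher_hd);
    if (err != 0) {
        ws_warning("GCRY: prepare_decryption_cipher %s/%s",
                   gcry_strsource(err), gcry_strerror(err));
        return NULL;
    }

    /* Run the cipher over the confounder first; the output is not used. */
    copyconfounder = vars->confounder;
    err = gcry_cipher_decrypt(cipher_hd, (uint8_t*)&copyconfounder, 8, NULL, 0);
    if (err == 0) {
        if (!(vars->flags & NETLOGON_FLAG_AES)) {
            gcry_cipher_reset(cipher_hd);
        }
        err = gcry_cipher_decrypt(cipher_hd, decrypted, data_len, NULL, 0);
    }
    gcry_cipher_close(cipher_hd);

    if (err != 0) {
        ws_warning("GCRY: decrypt %s/%s",
                   gcry_strsource(err), gcry_strerror(err));
        return NULL;
    }

    return tvb_new_child_real_data(tvb, decrypted, data_len, data_len);
}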
/*
 * Payload decryption hook for request PDUs.
 *
 * Only the payload tvb is decrypted, starting at offset 0; the header and
 * trailer tvbs are unused. is_server is passed as 0.
 *
 * Returns whatever dissect_packet_data() returns.
 */
static tvbuff_t *
dissect_request_data(tvbuff_t *header_tvb _U_,
                     tvbuff_t *payload_tvb,
                     tvbuff_t *trailer_tvb _U_,
                     tvbuff_t *auth_tvb,
                     packet_info *pinfo,
                     dcerpc_auth_info *auth_info)
{
    return dissect_packet_data(payload_tvb, auth_tvb, 0, pinfo, auth_info, 0);
}
/*
 * Payload decryption hook for response PDUs.
 *
 * Only the payload tvb is decrypted, starting at offset 0; the header and
 * trailer tvbs are unused. is_server is passed as 1.
 *
 * Returns whatever dissect_packet_data() returns.
 */
static tvbuff_t *
dissect_response_data(tvbuff_t *header_tvb _U_,
                      tvbuff_t *payload_tvb,
                      tvbuff_t *trailer_tvb _U_,
                      tvbuff_t *auth_tvb,
                      packet_info *pinfo,
                      dcerpc_auth_info *auth_info)
{
    return dissect_packet_data(payload_tvb, auth_tvb, 0, pinfo, auth_info, 1);
}
9114 /* MS-NRPC 2.2.1.3.2 */
9116 dissect_secchan_verf(tvbuff_t
*tvb
, int offset
, packet_info
*pinfo
,
9117 proto_tree
*tree
, uint8_t *drep
,
9118 dcerpc_auth_info
*auth_info
,
9119 unsigned char is_server
)
9121 netlogon_auth_vars
*vars
;
9122 proto_item
*vf
= NULL
;
9123 proto_tree
*subtree
= NULL
;
9124 uint64_t encrypted_seq
;
9125 uint64_t digest
= 0;
9126 uint64_t confounder
= 0;
9127 int update_vars
= 0;
9129 if( ! (seen
.isseen
&& seen
.num
== pinfo
->num
) ) {
9131 * Create a new tree, and split into x components ...
9133 vf
= proto_tree_add_item(tree
, hf_netlogon_secchan_verf
, tvb
,
9134 offset
, -1, ENC_NA
);
9135 subtree
= proto_item_add_subtree(vf
, ett_secchan_verf
);
9137 proto_tree_add_item(subtree
, hf_netlogon_secchan_verf_signalg
, tvb
,
9138 offset
, 2, ENC_LITTLE_ENDIAN
);
9139 proto_tree_add_item(subtree
, hf_netlogon_secchan_verf_sealalg
, tvb
,
9140 offset
+2, 2, ENC_LITTLE_ENDIAN
);
9142 proto_tree_add_item(subtree
, hf_netlogon_secchan_verf_flag
, tvb
,
9143 offset
+6, 2, ENC_NA
);
9146 offset
= dissect_dcerpc_8bytes(tvb
, offset
, pinfo
, subtree
, drep
,
9147 hf_netlogon_secchan_verf_seq
, &encrypted_seq
);
9149 offset
= dissect_dcerpc_8bytes(tvb
, offset
, pinfo
, subtree
, drep
,
9150 hf_netlogon_secchan_verf_digest
, &digest
);
9152 /* In some cases the nonce if the data/signature are encrypted ("integrity/seal in MS language")*/
9154 if (tvb_bytes_exist(tvb
, offset
, 8)) {
9155 offset
= dissect_dcerpc_8bytes(tvb
, offset
, pinfo
, subtree
, drep
,
9156 hf_netlogon_secchan_verf_nonce
, &confounder
);
9161 /*ws_debug("Setting isseen to true, old packet %d new %d",seen.num,pinfo->num);*/
9163 seen
.num
= pinfo
->num
;
9165 vars
= find_or_create_schannel_netlogon_auth_vars(pinfo
, auth_info
, is_server
);
9167 ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths
));
9171 vars
->confounder
= confounder
;
9172 vars
->seq
= uncrypt_sequence(vars
->flags
,vars
->session_key
,digest
,encrypted_seq
,is_server
);
9175 if(get_seal_key(vars
->session_key
,16,vars
->encryption_key
))
9177 vars
->can_decrypt
= true;
9181 ws_debug("get seal key returned 0");
9184 if (vars
->can_decrypt
) {
9185 expert_add_info_format(pinfo
, proto_tree_get_parent(subtree
),
9186 &ei_netlogon_session_key
,
9187 "Using session key learned in frame %d ("
9191 vars
->session_key
[0] & 0xFF, vars
->session_key
[1] & 0xFF,
9192 vars
->session_key
[2] & 0xFF, vars
->session_key
[3] & 0xFF,
9193 vars
->nthash
.key_origin
);
/*
 * Verifier dissector for request PDUs.
 *
 * Forwards to dissect_secchan_verf() with the auth info taken from di and
 * is_server set to 0. di is read here even though the parameter carries
 * the _U_ marker.
 */
static int
dissect_request_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo,
                             proto_tree *tree, dcerpc_info *di _U_, uint8_t *drep)
{
    dcerpc_auth_info *auth_info = di->auth_info;

    return dissect_secchan_verf(tvb, offset, pinfo, tree, drep, auth_info, 0);
}
/*
 * Verifier dissector for response PDUs.
 *
 * Forwards to dissect_secchan_verf() with the auth info taken from di and
 * is_server set to 1. di is read here even though the parameter carries
 * the _U_ marker.
 */
static int
dissect_response_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo,
                              proto_tree *tree, dcerpc_info *di _U_, uint8_t *drep)
{
    dcerpc_auth_info *auth_info = di->auth_info;

    return dissect_secchan_verf(tvb, offset, pinfo, tree, drep, auth_info, 1);
}
9212 proto_register_dcerpc_netlogon(void)
9215 static hf_register_info hf
[] = {
9216 { &hf_netlogon_opnum
,
9217 { "Operation", "netlogon.opnum", FT_UINT16
, BASE_DEC
,
9218 NULL
, 0x0, NULL
, HFILL
}},
9220 { &hf_netlogon_rc
, {
9221 "Return code", "netlogon.rc", FT_UINT32
, BASE_HEX
| BASE_EXT_STRING
,
9222 &NT_errors_ext
, 0x0, "Netlogon return code", HFILL
}},
9224 { &hf_netlogon_dos_rc
,
9225 { "DOS error code", "netlogon.dos.rc", FT_UINT32
,
9226 BASE_HEX
| BASE_EXT_STRING
, &DOS_errors_ext
, 0x0, NULL
, HFILL
}},
9228 { &hf_netlogon_werr_rc
,
9229 { "WERR error code", "netlogon.werr.rc", FT_UINT32
,
9230 BASE_HEX
| BASE_EXT_STRING
, &WERR_errors_ext
, 0x0, NULL
, HFILL
}},
9232 { &hf_netlogon_param_ctrl
, {
9233 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32
, BASE_HEX
,
9234 NULL
, 0x0, NULL
, HFILL
}},
9236 { &hf_netlogon_logon_id
, {
9237 "Logon ID", "netlogon.logon_id", FT_UINT64
, BASE_DEC
,
9238 NULL
, 0x0, NULL
, HFILL
}},
9240 { &hf_netlogon_modify_count
, {
9241 "Modify Count", "netlogon.modify_count", FT_UINT64
, BASE_DEC
,
9242 NULL
, 0x0, "How many times the object has been modified", HFILL
}},
9244 { &hf_netlogon_security_information
, {
9245 "Security Information", "netlogon.security_information", FT_UINT32
, BASE_DEC
,
9246 NULL
, 0x0, NULL
, HFILL
}},
9248 { &hf_netlogon_count
, {
9249 "Count", "netlogon.count", FT_UINT32
, BASE_DEC
,
9250 NULL
, 0x0, NULL
, HFILL
}},
9252 { &hf_netlogon_entries
, {
9253 "Entries", "netlogon.entries", FT_UINT32
, BASE_DEC
,
9254 NULL
, 0x0, NULL
, HFILL
}},
9256 { &hf_netlogon_credential
, {
9257 "Credential", "netlogon.credential", FT_BYTES
, BASE_NONE
,
9258 NULL
, 0x0, "Netlogon Credential", HFILL
}},
9260 { &hf_netlogon_challenge
, {
9261 "Challenge", "netlogon.challenge", FT_BYTES
, BASE_NONE
,
9262 NULL
, 0x0, "Netlogon challenge", HFILL
}},
9264 { &hf_netlogon_lm_owf_password
, {
9265 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES
, BASE_NONE
,
9266 NULL
, 0x0, "LanManager OWF Password", HFILL
}},
9268 { &hf_netlogon_user_session_key
, {
9269 "User Session Key", "netlogon.user_session_key", FT_BYTES
, BASE_NONE
,
9270 NULL
, 0x0, NULL
, HFILL
}},
9272 { &hf_netlogon_encrypted_lm_owf_password
, {
9273 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES
, BASE_NONE
,
9274 NULL
, 0x0, "Encrypted LanManager OWF Password", HFILL
}},
9276 { &hf_netlogon_nt_owf_password
, {
9277 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES
, BASE_NONE
,
9278 NULL
, 0x0, "NT OWF Password", HFILL
}},
9280 { &hf_netlogon_blob
, {
9281 "BLOB", "netlogon.blob", FT_BYTES
, BASE_NONE
,
9282 NULL
, 0x0, NULL
, HFILL
}},
9284 { &hf_netlogon_len
, {
9285 "Len", "netlogon.len", FT_UINT32
, BASE_DEC
,
9286 NULL
, 0, "Length", HFILL
}},
9288 { &hf_netlogon_password_version_reserved
, {
9289 "ReservedField", "netlogon.password_version.reservedfield", FT_UINT32
, BASE_HEX
,
9290 NULL
, 0, "ReservedField zero", HFILL
}},
9292 { &hf_netlogon_password_version_number
, {
9293 "PasswordVersionNumber", "netlogon.password_version.reservedfield", FT_UINT32
, BASE_HEX
,
9294 NULL
, 0, "PasswordVersionNumber trust", HFILL
}},
9296 { &hf_netlogon_password_version_present
, {
9297 "PasswordVersionPresent", "netlogon.password_version.reservedfield", FT_UINT32
, BASE_HEX
,
9298 NULL
, 0, "PasswordVersionPresent magic", HFILL
}},
9300 { &hf_netlogon_priv
, {
9301 "Priv", "netlogon.priv", FT_UINT32
, BASE_DEC
,
9302 NULL
, 0, NULL
, HFILL
}},
9304 { &hf_netlogon_privilege_entries
, {
9305 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32
, BASE_DEC
,
9306 NULL
, 0, NULL
, HFILL
}},
9308 { &hf_netlogon_privilege_control
, {
9309 "Privilege Control", "netlogon.privilege_control", FT_UINT32
, BASE_HEX
,
9310 NULL
, 0, NULL
, HFILL
}},
9312 { &hf_netlogon_privilege_name
, {
9313 "Privilege Name", "netlogon.privilege_name", FT_STRING
, BASE_NONE
,
9314 NULL
, 0, NULL
, HFILL
}},
9316 { &hf_netlogon_pdc_connection_status
, {
9317 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32
, BASE_DEC
,
9318 NULL
, 0, NULL
, HFILL
}},
9320 { &hf_netlogon_tc_connection_status
, {
9321 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32
, BASE_DEC
,
9322 NULL
, 0, NULL
, HFILL
}},
9324 { &hf_netlogon_attrs
, {
9325 "Attributes", "netlogon.attrs", FT_UINT32
, BASE_HEX
,
9326 NULL
, 0, NULL
, HFILL
}},
9329 { &hf_netlogon_lsapolicy_referentid
,
9330 { "Referent ID", "netlogon.lsapolicy.referentID", FT_UINT32
, BASE_HEX
,
9331 NULL
, 0x0, NULL
, HFILL
}},
9334 { &hf_netlogon_lsapolicy_len
,
9335 { "Length", "netlogon.lsapolicy.length", FT_UINT32
, BASE_DEC
,
9336 NULL
, 0x0, "Length of the policy buffer", HFILL
}},
9339 { &hf_netlogon_lsapolicy_pointer
,
9340 { "Pointer", "netlogon.lsapolicy.pointer", FT_BYTES
, BASE_NONE
,
9341 NULL
, 0x0, "Pointer to LSA POLICY", HFILL
}},
9344 { &hf_netlogon_unknown_string
,
9345 { "Unknown string", "netlogon.unknown_string", FT_STRING
, BASE_NONE
,
9346 NULL
, 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL
}},
9348 { &hf_netlogon_new_password
,
9349 { "New Password", "netlogon.new_password", FT_STRING
, BASE_NONE
,
9350 NULL
, 0, "New Password for Computer or Trust", HFILL
}},
9352 { &hf_netlogon_TrustedDomainName_string
,
9353 { "TrustedDomainName", "netlogon.TrustedDomainName", FT_STRING
, BASE_NONE
,
9354 NULL
, 0, "TrustedDomainName string.", HFILL
}},
9356 { &hf_netlogon_UserName_string
,
9357 { "UserName", "netlogon.UserName", FT_STRING
, BASE_NONE
,
9358 NULL
, 0, "UserName string.", HFILL
}},
9360 { &hf_netlogon_dummy_string
,
9361 { "Dummy String", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9362 NULL
, 0, "Dummy String. Used is reserved for next evolutions.", HFILL
}},
9364 { &hf_netlogon_trust_extension
,
9365 { "Trust extension", "netlogon.trust.extension", FT_STRING
, BASE_NONE
,
9366 NULL
, 0, "Trusts extension.", HFILL
}},
9368 { &hf_netlogon_trust_offset
,
9369 { "Offset", "netlogon.trust.extension_offset", FT_UINT32
, BASE_DEC
,
9370 NULL
, 0, "Trusts extension.", HFILL
}},
9372 { &hf_netlogon_trust_len
,
9373 { "Length", "netlogon.trust.extension_length", FT_UINT32
, BASE_DEC
,
9374 NULL
, 0, NULL
, HFILL
}},
9376 { &hf_netlogon_trust_max
,
9377 { "Max Count", "netlogon.trust.extension.maxcount", FT_UINT32
, BASE_DEC
,
9378 NULL
, 0, NULL
, HFILL
}},
9380 { &hf_netlogon_opaque_buffer_enc
,
9381 { "Encrypted", "netlogon.sendtosam.opaquebuffer.enc", FT_BYTES
, BASE_NONE
,
9382 NULL
, 0x0, "OpaqueBuffer (Encrypted)", HFILL
}},
9384 { &hf_netlogon_opaque_buffer_dec
,
9385 { "Decrypted", "netlogon.sendtosam.opaquebuffer.dec", FT_BYTES
, BASE_NONE
,
9386 NULL
, 0x0, "OpaqueBuffer (Decrypted)", HFILL
}},
9388 { &hf_netlogon_opaque_buffer_size
,
9389 { "OpaqueBufferSize", "netlogon.sendtosam.opaquebuffer.size", FT_UINT32
, BASE_HEX
,
9390 NULL
, 0x0, "Size of the OpaqueBuffer", HFILL
}},
9392 { &hf_netlogon_dummy_string2
,
9393 { "Dummy String2", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9394 NULL
, 0, "Dummy String 2. Used is reserved for next evolutions.", HFILL
}},
9396 { &hf_netlogon_dummy_string3
,
9397 { "Dummy String3", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9398 NULL
, 0, "Dummy String 3. Used is reserved for next evolutions.", HFILL
}},
9400 { &hf_netlogon_dummy_string4
,
9401 { "Dummy String4", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9402 NULL
, 0, "Dummy String 4. Used is reserved for next evolutions.", HFILL
}},
9404 { &hf_netlogon_dummy_string5
,
9405 { "Dummy String5", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9406 NULL
, 0, "Dummy String 5. Used is reserved for next evolutions.", HFILL
}},
9408 { &hf_netlogon_dummy_string6
,
9409 { "Dummy String6", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9410 NULL
, 0, "Dummy String 6. Used is reserved for next evolutions.", HFILL
}},
9412 { &hf_netlogon_dummy_string7
,
9413 { "Dummy String7", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9414 NULL
, 0, "Dummy String 7. Used is reserved for next evolutions.", HFILL
}},
9416 { &hf_netlogon_dummy_string8
,
9417 { "Dummy String8", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9418 NULL
, 0, "Dummy String 8. Used is reserved for next evolutions.", HFILL
}},
9420 { &hf_netlogon_dummy_string9
,
9421 { "Dummy String9", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9422 NULL
, 0, "Dummy String 9. Used is reserved for next evolutions.", HFILL
}},
9424 { &hf_netlogon_dummy_string10
,
9425 { "Dummy String10", "netlogon.dummy_string", FT_STRING
, BASE_NONE
,
9426 NULL
, 0, "Dummy String 10. Used is reserved for next evolutions.", HFILL
}},
9428 { &hf_netlogon_unknown_long
,
9429 { "Unknown long", "netlogon.unknown.long", FT_UINT32
, BASE_HEX
,
9430 NULL
, 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL
}},
9432 { &hf_netlogon_dummy1_long
,
9433 { "Dummy1 Long", "netlogon.dummy.long1", FT_UINT32
, BASE_HEX
,
9434 NULL
, 0x0, "Dummy long 1. Used is reserved for next evolutions.", HFILL
}},
9436 { &hf_netlogon_dummy2_long
,
9437 { "Dummy2 Long", "netlogon.dummy.long2", FT_UINT32
, BASE_HEX
,
9438 NULL
, 0x0, "Dummy long 2. Used is reserved for next evolutions.", HFILL
}},
9440 { &hf_netlogon_dummy3_long
,
9441 { "Dummy3 Long", "netlogon.dummy.long3", FT_UINT32
, BASE_HEX
,
9442 NULL
, 0x0, "Dummy long 3. Used is reserved for next evolutions.", HFILL
}},
9444 { &hf_netlogon_dummy4_long
,
9445 { "Dummy4 Long", "netlogon.dummy.long4", FT_UINT32
, BASE_HEX
,
9446 NULL
, 0x0, "Dummy long 4. Used is reserved for next evolutions.", HFILL
}},
9448 { &hf_netlogon_dummy5_long
,
9449 { "Dummy5 Long", "netlogon.dummy.long5", FT_UINT32
, BASE_HEX
,
9450 NULL
, 0x0, "Dummy long 5. Used is reserved for next evolutions.", HFILL
}},
9452 { &hf_netlogon_dummy6_long
,
9453 { "Dummy6 Long", "netlogon.dummy.long6", FT_UINT32
, BASE_HEX
,
9454 NULL
, 0x0, "Dummy long 6. Used is reserved for next evolutions.", HFILL
}},
9456 { &hf_netlogon_dummy7_long
,
9457 { "Dummy7 Long", "netlogon.dummy.long7", FT_UINT32
, BASE_HEX
,
9458 NULL
, 0x0, "Dummy long 7. Used is reserved for next evolutions.", HFILL
}},
9460 { &hf_netlogon_dummy8_long
,
9461 { "Dummy8 Long", "netlogon.dummy.long8", FT_UINT32
, BASE_HEX
,
9462 NULL
, 0x0, "Dummy long 8. Used is reserved for next evolutions.", HFILL
}},
9464 { &hf_netlogon_dummy9_long
,
9465 { "Dummy9 Long", "netlogon.dummy.long9", FT_UINT32
, BASE_HEX
,
9466 NULL
, 0x0, "Dummy long 9. Used is reserved for next evolutions.", HFILL
}},
9468 { &hf_netlogon_dummy10_long
,
9469 { "Dummy10 Long", "netlogon.dummy.long10", FT_UINT32
, BASE_HEX
,
9470 NULL
, 0x0, "Dummy long 10. Used is reserved for next evolutions.", HFILL
}},
9473 { &hf_netlogon_supportedenctypes
,
9474 { "Supported Encryption Types", "netlogon.encryption.types", FT_UINT32
, BASE_HEX
,
9475 NULL
, 0x0, NULL
, HFILL
}},
9477 { &hf_netlogon_workstation_flags
,
9478 { "Workstation Flags", "netlogon.workstation.flags", FT_UINT32
, BASE_HEX
,
9479 NULL
, 0x0, NULL
, HFILL
}},
9481 { &hf_netlogon_reserved
,
9482 { "Reserved", "netlogon.reserved", FT_UINT32
, BASE_HEX
,
9483 NULL
, 0x0, NULL
, HFILL
}},
9484 { &hf_netlogon_unknown_short
,
9485 { "Unknown short", "netlogon.unknown.short", FT_UINT16
, BASE_HEX
,
9486 NULL
, 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL
}},
9488 { &hf_netlogon_unknown_char
,
9489 { "Unknown char", "netlogon.unknown.char", FT_UINT8
, BASE_HEX
,
9490 NULL
, 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL
}},
9492 { &hf_netlogon_acct_expiry_time
,
9493 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
9494 NULL
, 0x0, "When this account will expire", HFILL
}},
9496 { &hf_netlogon_nt_pwd_present
,
9497 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8
, BASE_HEX
,
9498 NULL
, 0x0, "Is NT password present for this account?", HFILL
}},
9500 { &hf_netlogon_lm_pwd_present
,
9501 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8
, BASE_HEX
,
9502 NULL
, 0x0, "Is LanManager password present for this account?", HFILL
}},
9504 { &hf_netlogon_pwd_expired
,
9505 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8
, BASE_HEX
,
9506 NULL
, 0x0, "Whether this password has expired or not", HFILL
}},
9508 { &hf_netlogon_authoritative
,
9509 { "Authoritative", "netlogon.authoritative", FT_UINT8
, BASE_DEC
,
9510 NULL
, 0x0, NULL
, HFILL
}},
9512 { &hf_netlogon_sensitive_data_flag
,
9513 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8
, BASE_DEC
,
9514 NULL
, 0x0, "Sensitive data flag", HFILL
}},
9516 { &hf_netlogon_auditing_mode
,
9517 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8
, BASE_DEC
,
9518 NULL
, 0x0, NULL
, HFILL
}},
9520 { &hf_netlogon_max_audit_event_count
,
9521 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32
, BASE_DEC
,
9522 NULL
, 0x0, NULL
, HFILL
}},
9524 { &hf_netlogon_event_audit_option
,
9525 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32
, BASE_HEX
,
9526 NULL
, 0x0, NULL
, HFILL
}},
9528 { &hf_netlogon_sensitive_data_len
,
9529 { "Length", "netlogon.sensitive_data_len", FT_UINT32
, BASE_DEC
,
9530 NULL
, 0x0, "Length of sensitive data", HFILL
}},
9532 { &hf_netlogon_nt_chal_resp
,
9533 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES
, BASE_NONE
,
9534 NULL
, 0, "Challenge response for NT authentication", HFILL
}},
9536 { &hf_netlogon_lm_chal_resp
,
9537 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES
, BASE_NONE
,
9538 NULL
, 0, "Challenge response for LM authentication", HFILL
}},
9540 { &hf_netlogon_cipher_len
,
9541 { "Cipher Len", "netlogon.cipher_len", FT_UINT32
, BASE_DEC
,
9542 NULL
, 0, NULL
, HFILL
}},
9544 { &hf_netlogon_cipher_maxlen
,
9545 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32
, BASE_DEC
,
9546 NULL
, 0, NULL
, HFILL
}},
9549 { &hf_netlogon_pac_data
,
9550 { "Pac Data", "netlogon.pac.data", FT_BYTES
, BASE_NONE
,
9551 NULL
, 0, NULL
, HFILL
}},
9554 { &hf_netlogon_sensitive_data
,
9555 { "Data", "netlogon.sensitive_data", FT_BYTES
, BASE_NONE
,
9556 NULL
, 0, "Sensitive Data", HFILL
}},
9559 { &hf_netlogon_auth_data
,
9560 { "Auth Data", "netlogon.auth.data", FT_BYTES
, BASE_NONE
,
9561 NULL
, 0, NULL
, HFILL
}},
9564 { &hf_netlogon_cipher_current_data
,
9565 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES
, BASE_NONE
,
9566 NULL
, 0, NULL
, HFILL
}},
9568 { &hf_netlogon_cipher_old_data
,
9569 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES
, BASE_NONE
,
9570 NULL
, 0, NULL
, HFILL
}},
9572 { &hf_netlogon_acct_name
,
9573 { "Acct Name", "netlogon.acct_name", FT_STRING
, BASE_NONE
,
9574 NULL
, 0, "Account Name", HFILL
}},
9576 { &hf_netlogon_acct_desc
,
9577 { "Acct Desc", "netlogon.acct_desc", FT_STRING
, BASE_NONE
,
9578 NULL
, 0, "Account Description", HFILL
}},
9580 { &hf_netlogon_group_desc
,
9581 { "Group Desc", "netlogon.group_desc", FT_STRING
, BASE_NONE
,
9582 NULL
, 0, "Group Description", HFILL
}},
9584 { &hf_netlogon_full_name
,
9585 { "Full Name", "netlogon.full_name", FT_STRING
, BASE_NONE
,
9586 NULL
, 0, NULL
, HFILL
}},
9588 { &hf_netlogon_comment
,
9589 { "Comment", "netlogon.comment", FT_STRING
, BASE_NONE
,
9590 NULL
, 0, NULL
, HFILL
}},
9592 { &hf_netlogon_parameters
,
9593 { "Parameters", "netlogon.parameters", FT_STRING
, BASE_NONE
,
9594 NULL
, 0, NULL
, HFILL
}},
9596 { &hf_netlogon_logon_script
,
9597 { "Logon Script", "netlogon.logon_script", FT_STRING
, BASE_NONE
,
9598 NULL
, 0, NULL
, HFILL
}},
9600 { &hf_netlogon_profile_path
,
9601 { "Profile Path", "netlogon.profile_path", FT_STRING
, BASE_NONE
,
9602 NULL
, 0, NULL
, HFILL
}},
9604 { &hf_netlogon_home_dir
,
9605 { "Home Dir", "netlogon.home_dir", FT_STRING
, BASE_NONE
,
9606 NULL
, 0, "Home Directory", HFILL
}},
9608 { &hf_netlogon_dir_drive
,
9609 { "Dir Drive", "netlogon.dir_drive", FT_STRING
, BASE_NONE
,
9610 NULL
, 0, "Drive letter for home directory", HFILL
}},
9612 { &hf_netlogon_logon_srv
,
9613 { "Server", "netlogon.server", FT_STRING
, BASE_NONE
,
9614 NULL
, 0, NULL
, HFILL
}},
9617 { &hf_netlogon_principal
,
9618 { "Principal", "netlogon.principal", FT_STRING
, BASE_NONE
,
9619 NULL
, 0, NULL
, HFILL
}},
9622 { &hf_netlogon_logon_dom
,
9623 { "Domain", "netlogon.domain", FT_STRING
, BASE_NONE
,
9624 NULL
, 0, NULL
, HFILL
}},
9626 { &hf_netlogon_resourcegroupcount
,
9627 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32
, BASE_DEC
,
9628 NULL
, 0, "Number of Resource Groups", HFILL
}},
9630 { &hf_netlogon_accountdomaingroupcount
,
9631 { "AccountDomainGroup count", "netlogon.accountdomaingroupcount", FT_UINT32
, BASE_DEC
,
9632 NULL
, 0, "Number of Account Domain Groups", HFILL
}},
9634 { &hf_netlogon_domaingroupcount
,
9635 { "DomainGroup count", "netlogon.domaingroupcount", FT_UINT32
, BASE_DEC
,
9636 NULL
, 0, "Number of Domain Groups", HFILL
}},
9638 { &hf_netlogon_membership_domains_count
,
9639 { "Membership Domains count", "netlogon.membershipsdomainscount", FT_UINT32
, BASE_DEC
,
9640 NULL
, 0, "Number of ExtraDomain Membership Arrays", HFILL
}},
9642 { &hf_netlogon_computer_name
,
9643 { "Computer Name", "netlogon.computer_name", FT_STRING
, BASE_NONE
,
9644 NULL
, 0, NULL
, HFILL
}},
9646 { &hf_netlogon_site_name
,
9647 { "Site Name", "netlogon.site_name", FT_STRING
, BASE_NONE
,
9648 NULL
, 0, NULL
, HFILL
}},
9650 { &hf_netlogon_dc_name
,
9651 { "DC Name", "netlogon.dc.name", FT_STRING
, BASE_NONE
,
9652 NULL
, 0, NULL
, HFILL
}},
9654 { &hf_netlogon_dc_site_name
,
9655 { "DC Site Name", "netlogon.dc.site_name", FT_STRING
, BASE_NONE
,
9656 NULL
, 0, NULL
, HFILL
}},
9658 { &hf_netlogon_dns_forest_name
,
9659 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING
, BASE_NONE
,
9660 NULL
, 0, NULL
, HFILL
}},
9662 { &hf_netlogon_dc_address
,
9663 { "DC Address", "netlogon.dc.address", FT_STRING
, BASE_NONE
,
9664 NULL
, 0, NULL
, HFILL
}},
9666 { &hf_netlogon_dc_address_type
,
9667 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32
, BASE_DEC
,
9668 VALS(dc_address_types
), 0, NULL
, HFILL
}},
9670 { &hf_netlogon_client_site_name
,
9671 { "Client Site Name", "netlogon.client.site_name", FT_STRING
, BASE_NONE
,
9672 NULL
, 0, NULL
, HFILL
}},
9674 { &hf_netlogon_workstation_site_name
,
9675 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING
, BASE_NONE
,
9676 NULL
, 0, "Workstation Site Name", HFILL
}},
9678 { &hf_netlogon_workstation
,
9679 { "Wkst Name", "netlogon.wkst.name", FT_STRING
, BASE_NONE
,
9680 NULL
, 0, "Workstation Name", HFILL
}},
9682 { &hf_netlogon_os_version
,
9683 { "OS version", "netlogon.os.version", FT_STRING
, BASE_NONE
,
9684 NULL
, 0, NULL
, HFILL
}},
9686 { &hf_netlogon_workstation_os
,
9687 { "Wkst OS", "netlogon.wkst.os", FT_STRING
, BASE_NONE
,
9688 NULL
, 0, "Workstation OS", HFILL
}},
9690 { &hf_netlogon_workstations
,
9691 { "Workstations", "netlogon.wksts", FT_STRING
, BASE_NONE
,
9692 NULL
, 0, NULL
, HFILL
}},
9694 { &hf_netlogon_workstation_fqdn
,
9695 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING
, BASE_NONE
,
9696 NULL
, 0, "Workstation FQDN", HFILL
}},
9698 { &hf_netlogon_group_name
,
9699 { "Group Name", "netlogon.group_name", FT_STRING
, BASE_NONE
,
9700 NULL
, 0, NULL
, HFILL
}},
9702 { &hf_netlogon_alias_name
,
9703 { "Alias Name", "netlogon.alias_name", FT_STRING
, BASE_NONE
,
9704 NULL
, 0, NULL
, HFILL
}},
9706 { &hf_netlogon_dns_host
,
9707 { "DNS Host", "netlogon.dns_host", FT_STRING
, BASE_NONE
,
9708 NULL
, 0, NULL
, HFILL
}},
9710 { &hf_netlogon_downlevel_domain_name
,
9711 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING
, BASE_NONE
,
9712 NULL
, 0, "Downlevel Domain Name", HFILL
}},
9714 { &hf_netlogon_dns_domain_name
,
9715 { "DNS Domain", "netlogon.dns_domain", FT_STRING
, BASE_NONE
,
9716 NULL
, 0, "DNS Domain Name", HFILL
}},
9718 { &hf_netlogon_ad_client_dns_name
,
9719 { "Client DNS Name", "netlogon.client_dns_name", FT_STRING
, BASE_NONE
,
9720 NULL
, 0, NULL
, HFILL
}},
9722 { &hf_netlogon_domain_name
,
9723 { "Domain", "netlogon.domain", FT_STRING
, BASE_NONE
,
9724 NULL
, 0, "Domain Name", HFILL
}},
9726 { &hf_netlogon_oem_info
,
9727 { "OEM Info", "netlogon.oem_info", FT_STRING
, BASE_NONE
,
9728 NULL
, 0, NULL
, HFILL
}},
9730 { &hf_netlogon_trusted_dc_name
,
9731 { "Trusted DC", "netlogon.trusted_dc", FT_STRING
, BASE_NONE
,
9732 NULL
, 0, NULL
, HFILL
}},
9734 { &hf_netlogon_logon_dnslogondomainname
,
9735 { "DNS Logon Domain name", "netlogon.logon.dnslogondomainname", FT_STRING
, BASE_NONE
,
9736 NULL
, 0, "DNS Name of the logon domain", HFILL
}},
9738 { &hf_netlogon_logon_upn
,
9739 { "UPN", "netlogon.logon.upn", FT_STRING
, BASE_NONE
,
9740 NULL
, 0, "User Principal Name", HFILL
}},
9742 { &hf_netlogon_logonsrv_handle
,
9743 { "Handle", "netlogon.handle", FT_STRING
, BASE_NONE
,
9744 NULL
, 0, "Logon Srv Handle", HFILL
}},
9746 { &hf_netlogon_dummy
,
9747 { "Dummy", "netlogon.dummy", FT_STRING
, BASE_NONE
,
9748 NULL
, 0, "Dummy string", HFILL
}},
9750 { &hf_netlogon_logon_count16
,
9751 { "Logon Count", "netlogon.logon_count16", FT_UINT16
, BASE_DEC
,
9752 NULL
, 0x0, "Number of successful logins", HFILL
}},
9754 { &hf_netlogon_logon_count
,
9755 { "Logon Count", "netlogon.logon_count", FT_UINT32
, BASE_DEC
,
9756 NULL
, 0x0, "Number of successful logins", HFILL
}},
9758 { &hf_netlogon_bad_pw_count16
,
9759 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16
, BASE_DEC
,
9760 NULL
, 0x0, "Number of failed logins", HFILL
}},
9762 { &hf_netlogon_bad_pw_count
,
9763 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32
, BASE_DEC
,
9764 NULL
, 0x0, "Number of failed logins", HFILL
}},
9766 { &hf_netlogon_country
,
9767 { "Country", "netlogon.country", FT_UINT16
, BASE_DEC
| BASE_EXT_STRING
,
9768 &ms_country_codes_ext
, 0x0, "Country setting for this account", HFILL
}},
9770 { &hf_netlogon_codepage
,
9771 { "Codepage", "netlogon.codepage", FT_UINT16
, BASE_DEC
,
9772 NULL
, 0x0, "Codepage setting for this account", HFILL
}},
9774 { &hf_netlogon_level16
,
9775 { "Level", "netlogon.level16", FT_UINT16
, BASE_DEC
,
9776 NULL
, 0x0, "Which option of the union is represented here", HFILL
}},
9778 { &hf_netlogon_validation_level
,
9779 { "Validation Level", "netlogon.validation_level", FT_UINT16
, BASE_DEC
,
9780 NULL
, 0x0, "Requested level of validation", HFILL
}},
9782 { &hf_netlogon_minpasswdlen
,
9783 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16
, BASE_DEC
,
9784 NULL
, 0x0, "Minimum length of password", HFILL
}},
9786 { &hf_netlogon_passwdhistorylen
,
9787 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16
, BASE_DEC
,
9788 NULL
, 0x0, "Length of password history", HFILL
}},
9790 { &hf_netlogon_secure_channel_type
,
9791 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16
, BASE_DEC
,
9792 VALS(misc_netr_SchannelType_vals
), 0x0, "Secure Channel Type", HFILL
}},
9794 { &hf_netlogon_restart_state
,
9795 { "Restart State", "netlogon.restart_state", FT_UINT16
, BASE_DEC
,
9796 NULL
, 0x0, NULL
, HFILL
}},
9798 { &hf_netlogon_delta_type
,
9799 { "Delta Type", "netlogon.delta_type", FT_UINT16
, BASE_DEC
,
9800 VALS(delta_type_vals
), 0x0, NULL
, HFILL
}},
9802 { &hf_netlogon_blob_size
,
9803 { "Size", "netlogon.blob.size", FT_UINT32
, BASE_DEC
,
9804 NULL
, 0x0, "Size in bytes of BLOB", HFILL
}},
9806 { &hf_netlogon_code
,
9807 { "Code", "netlogon.code", FT_UINT32
, BASE_HEX
,
9808 NULL
, 0x0, NULL
, HFILL
}},
9810 { &hf_netlogon_level
,
9811 { "Level", "netlogon.level", FT_UINT32
, BASE_DEC
,
9812 NULL
, 0x0, "Which option of the union is represented here", HFILL
}},
9814 { &hf_netlogon_reference
,
9815 { "Reference", "netlogon.reference", FT_UINT32
, BASE_DEC
,
9816 NULL
, 0x0, NULL
, HFILL
}},
9818 { &hf_netlogon_next_reference
,
9819 { "Next Reference", "netlogon.next_reference", FT_UINT32
, BASE_DEC
,
9820 NULL
, 0x0, NULL
, HFILL
}},
9822 { &hf_netlogon_timestamp
,
9823 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
9824 NULL
, 0, NULL
, HFILL
}},
9826 { &hf_netlogon_user_rid
,
9827 { "User RID", "netlogon.rid", FT_UINT32
, BASE_DEC
,
9828 NULL
, 0x0, NULL
, HFILL
}},
9830 { &hf_netlogon_alias_rid
,
9831 { "Alias RID", "netlogon.alias_rid", FT_UINT32
, BASE_DEC
,
9832 NULL
, 0x0, NULL
, HFILL
}},
9834 { &hf_netlogon_group_rid
,
9835 { "Group RID", "netlogon.group_rid", FT_UINT32
, BASE_DEC
,
9836 NULL
, 0x0, NULL
, HFILL
}},
9838 { &hf_netlogon_num_rids
,
9839 { "Num RIDs", "netlogon.num_rids", FT_UINT32
, BASE_DEC
,
9840 NULL
, 0x0, "Number of RIDs", HFILL
}},
9842 { &hf_netlogon_num_controllers
,
9843 { "Num DCs", "netlogon.num_dc", FT_UINT32
, BASE_DEC
,
9844 NULL
, 0x0, "Number of domain controllers", HFILL
}},
9846 { &hf_netlogon_num_sid
,
9847 { "Num Extra SID", "netlogon.num_sid", FT_UINT32
, BASE_DEC
,
9848 NULL
, 0x0, NULL
, HFILL
}},
9850 { &hf_netlogon_flags
,
9851 { "Flags", "netlogon.flags", FT_UINT32
, BASE_HEX
,
9852 NULL
, 0x0, NULL
, HFILL
}},
9854 { &hf_netlogon_user_account_control
,
9855 { "User Account Control", "netlogon.user_account_control", FT_UINT32
, BASE_HEX
,
9856 NULL
, 0x0, NULL
, HFILL
}},
9858 { &hf_netlogon_user_flags
,
9859 { "User Flags", "netlogon.user_flags", FT_UINT32
, BASE_HEX
,
9860 NULL
, 0x0, NULL
, HFILL
}},
9862 { &hf_netlogon_auth_flags
,
9863 { "Auth Flags", "netlogon.auth_flags", FT_UINT32
, BASE_HEX
,
9864 NULL
, 0x0, NULL
, HFILL
}},
9866 { &hf_netlogon_systemflags
,
9867 { "System Flags", "netlogon.system_flags", FT_UINT32
, BASE_HEX
,
9868 NULL
, 0x0, NULL
, HFILL
}},
9870 { &hf_netlogon_database_id
,
9871 { "Database Id", "netlogon.database_id", FT_UINT32
, BASE_DEC
,
9872 NULL
, 0x0, NULL
, HFILL
}},
9874 { &hf_netlogon_sync_context
,
9875 { "Sync Context", "netlogon.sync_context", FT_UINT32
, BASE_DEC
,
9876 NULL
, 0x0, NULL
, HFILL
}},
9878 { &hf_netlogon_max_size
,
9879 { "Max Size", "netlogon.max_size", FT_UINT32
, BASE_DEC
,
9880 NULL
, 0x0, "Max Size of database", HFILL
}},
9882 { &hf_netlogon_max_log_size
,
9883 { "Max Log Size", "netlogon.max_log_size", FT_UINT32
, BASE_DEC
,
9884 NULL
, 0x0, "Max Size of log", HFILL
}},
9887 { &hf_netlogon_pac_size
,
9888 { "Pac Size", "netlogon.pac.size", FT_UINT32
, BASE_DEC
,
9889 NULL
, 0x0, "Size of PacData in bytes", HFILL
}},
9893 { &hf_netlogon_auth_size
,
9894 { "Auth Size", "netlogon.auth.size", FT_UINT32
, BASE_DEC
,
9895 NULL
, 0x0, "Size of AuthData in bytes", HFILL
}},
9898 { &hf_netlogon_num_deltas
,
9899 { "Num Deltas", "netlogon.num_deltas", FT_UINT32
, BASE_DEC
,
9900 NULL
, 0x0, "Number of SAM Deltas in array", HFILL
}},
9902 { &hf_netlogon_num_trusts
,
9903 { "Num Trusts", "netlogon.num_trusts", FT_UINT32
, BASE_DEC
,
9904 NULL
, 0x0, NULL
, HFILL
}},
9906 { &hf_netlogon_logon_attempts
,
9907 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32
, BASE_DEC
,
9908 NULL
, 0x0, "Number of logon attempts", HFILL
}},
9910 { &hf_netlogon_pagefilelimit
,
9911 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32
, BASE_DEC
,
9912 NULL
, 0x0, NULL
, HFILL
}},
9914 { &hf_netlogon_pagedpoollimit
,
9915 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32
, BASE_DEC
,
9916 NULL
, 0x0, NULL
, HFILL
}},
9918 { &hf_netlogon_nonpagedpoollimit
,
9919 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32
, BASE_DEC
,
9920 NULL
, 0x0, NULL
, HFILL
}},
9922 { &hf_netlogon_minworkingsetsize
,
9923 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32
, BASE_DEC
,
9924 NULL
, 0x0, NULL
, HFILL
}},
9926 { &hf_netlogon_maxworkingsetsize
,
9927 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32
, BASE_DEC
,
9928 NULL
, 0x0, NULL
, HFILL
}},
9930 { &hf_netlogon_serial_number
,
9931 { "Serial Number", "netlogon.serial_number", FT_UINT32
, BASE_DEC
,
9932 NULL
, 0x0, NULL
, HFILL
}},
9934 { &hf_netlogon_neg_flags
,
9935 { "Negotiation options", "netlogon.neg_flags", FT_UINT32
, BASE_HEX
,
9936 NULL
, 0x0, "Negotiation Flags", HFILL
}},
9938 { &hf_netlogon_neg_flags_80000000
,
9939 { "Supports Kerberos Auth", "ntlmssp.neg_flags.supports_kerberos_auth", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_80000000
, NULL
, HFILL
}},
9941 { &hf_netlogon_neg_flags_40000000
,
9942 { "Authenticated RPC supported", "ntlmssp.neg_flags.na4000000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_40000000
, NULL
, HFILL
}},
9944 { &hf_netlogon_neg_flags_20000000
,
9945 { "Authenticated RPC via lsass supported", "ntlmssp.neg_flags.na2000000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_20000000
, NULL
, HFILL
}},
9948 { &hf_netlogon_neg_flags_10000000
,
9949 { "Not used 10000000", "ntlmssp.neg_flags.na1000000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_10000000
, NULL
, HFILL
}},
9953 { &hf_netlogon_neg_flags_8000000
,
9954 { "Not used 8000000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_8000000
, NULL
, HFILL
}},
9958 { &hf_netlogon_neg_flags_4000000
,
9959 { "Not used 4000000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_4000000
, NULL
, HFILL
}},
9963 { &hf_netlogon_neg_flags_2000000
,
9964 { "Not used 2000000", "ntlmssp.neg_flags.na200000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_2000000
, NULL
, HFILL
}},
9967 { &hf_netlogon_neg_flags_1000000
,
9968 { "AES supported", "ntlmssp.neg_flags.na100000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_AES
, NULL
, HFILL
}},
9971 { &hf_netlogon_neg_flags_800000
,
9972 { "Not used 800000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_800000
, "Not used", HFILL
}},
9976 { &hf_netlogon_neg_flags_400000
,
9977 { "Not used 400000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_400000
, "AES&SHA2", HFILL
}},
9980 { &hf_netlogon_neg_flags_200000
,
9981 { "RODC pass-through", "ntlmssp.neg_flags.na200000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_200000
, "rodc pt", HFILL
}},
9983 { &hf_netlogon_neg_flags_100000
,
9984 { "NO NT4 emulation", "ntlmssp.neg_flags.na100000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_100000
, "No NT4 emu", HFILL
}},
9986 { &hf_netlogon_neg_flags_80000
,
9987 { "Cross forest trust", "ntlmssp.neg_flags.na80000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_80000
, NULL
, HFILL
}},
9989 { &hf_netlogon_neg_flags_40000
,
9990 { "GetDomainInfo supported", "ntlmssp.neg_flags.na40000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_40000
, NULL
, HFILL
}},
9992 { &hf_netlogon_neg_flags_20000
,
9993 { "ServerPasswordSet2 supported", "ntlmssp.neg_flags.na20000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_20000
, "PasswordSet2", HFILL
}},
9995 { &hf_netlogon_neg_flags_10000
,
9996 { "DNS trusts supported", "ntlmssp.neg_flags.na10000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_10000
, NULL
, HFILL
}},
9998 { &hf_netlogon_neg_flags_8000
,
9999 { "Transitive trusts", "ntlmssp.neg_flags.na8000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_8000
, NULL
, HFILL
}},
10001 { &hf_netlogon_neg_flags_4000
,
10002 { "Strong key", "ntlmssp.neg_flags.na4000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_STRONGKEY
, NULL
, HFILL
}},
10004 { &hf_netlogon_neg_flags_2000
,
10005 { "Avoid replication Auth database", "ntlmssp.neg_flags.na2000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_2000
, NULL
, HFILL
}},
10007 { &hf_netlogon_neg_flags_1000
,
10008 { "Avoid replication account database", "ntlmssp.neg_flags.na1000", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_1000
, NULL
, HFILL
}},
10010 { &hf_netlogon_neg_flags_800
,
10011 { "Concurrent RPC", "ntlmssp.neg_flags.na800", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_800
, NULL
, HFILL
}},
10013 { &hf_netlogon_neg_flags_400
,
10014 { "Generic pass-through", "ntlmssp.neg_flags.na400", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_400
, NULL
, HFILL
}},
10016 { &hf_netlogon_neg_flags_200
,
10017 { "SendToSam", "ntlmssp.neg_flags.na200", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_200
, NULL
, HFILL
}},
10019 { &hf_netlogon_neg_flags_100
,
10020 { "Refusal of password change", "ntlmssp.neg_flags.na100", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_100
, "PWD change refusal", HFILL
}},
10022 { &hf_netlogon_neg_flags_80
,
10023 { "DatabaseRedo call", "ntlmssp.neg_flags.na80", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_80
, NULL
, HFILL
}},
10025 { &hf_netlogon_neg_flags_40
,
10026 { "Handle multiple SIDs", "ntlmssp.neg_flags.na40", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_40
, NULL
, HFILL
}},
10028 { &hf_netlogon_neg_flags_20
,
10029 { "Restarting full DC sync", "ntlmssp.neg_flags.na20", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_20
, NULL
, HFILL
}},
10031 { &hf_netlogon_neg_flags_10
,
10032 { "BDC handling Changelogs", "ntlmssp.neg_flags.na10", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_10
, NULL
, HFILL
}},
10034 { &hf_netlogon_neg_flags_8
,
10035 { "Promotion count(deprecated)", "ntlmssp.neg_flags.na8", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_8
, NULL
, HFILL
}},
10037 { &hf_netlogon_neg_flags_4
,
10038 { "RC4 encryption", "ntlmssp.neg_flags.na4", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_4
, NULL
, HFILL
}},
10040 { &hf_netlogon_neg_flags_2
,
10041 { "NT3.5 BDC continuous update", "ntlmssp.neg_flags.na2", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_2
, NULL
, HFILL
}},
10043 { &hf_netlogon_neg_flags_1
,
10044 { "Account lockout", "ntlmssp.neg_flags.na1", FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), NETLOGON_FLAG_1
, NULL
, HFILL
}},
10046 { &hf_netlogon_dc_flags
,
10047 { "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32
, BASE_HEX
,
10048 NULL
, 0x0, NULL
, HFILL
}},
10050 { &hf_netlogon_dc_flags_pdc_flag
,
10051 { "PDC", "netlogon.dc.flags.pdc",
10052 FT_BOOLEAN
, 32, TFS(&dc_flags_pdc_flag
), DS_PDC_FLAG
,
10053 "If this server is a PDC", HFILL
}},
10055 { &hf_netlogon_dc_flags_gc_flag
,
10056 { "GC", "netlogon.dc.flags.gc",
10057 FT_BOOLEAN
, 32, TFS(&dc_flags_gc_flag
), DS_GC_FLAG
,
10058 "If this server is a GC", HFILL
}},
10060 { &hf_netlogon_dc_flags_ldap_flag
,
10061 { "LDAP", "netlogon.dc.flags.ldap",
10062 FT_BOOLEAN
, 32, TFS(&dc_flags_ldap_flag
), DS_LDAP_FLAG
,
10063 "If this is an LDAP server", HFILL
}},
10065 { &hf_netlogon_dc_flags_ds_flag
,
10066 { "DS", "netlogon.dc.flags.ds",
10067 FT_BOOLEAN
, 32, TFS(&dc_flags_ds_flag
), DS_DS_FLAG
,
10068 "If this server is a DS", HFILL
}},
10070 { &hf_netlogon_dc_flags_kdc_flag
,
10071 { "KDC", "netlogon.dc.flags.kdc",
10072 FT_BOOLEAN
, 32, TFS(&dc_flags_kdc_flag
), DS_KDC_FLAG
,
10073 "If this is a KDC", HFILL
}},
10075 { &hf_netlogon_dc_flags_timeserv_flag
,
10076 { "Timeserv", "netlogon.dc.flags.timeserv",
10077 FT_BOOLEAN
, 32, TFS(&dc_flags_timeserv_flag
), DS_TIMESERV_FLAG
,
10078 "If this server is a TimeServer", HFILL
}},
10080 { &hf_netlogon_dc_flags_closest_flag
,
10081 { "Closest", "netlogon.dc.flags.closest",
10082 FT_BOOLEAN
, 32, TFS(&dc_flags_closest_flag
), DS_CLOSEST_FLAG
,
10083 "If this is the closest server", HFILL
}},
10085 { &hf_netlogon_dc_flags_writable_flag
,
10086 { "Writable", "netlogon.dc.flags.writable",
10087 FT_BOOLEAN
, 32, TFS(&dc_flags_writable_flag
), DS_WRITABLE_FLAG
,
10088 "If this server can do updates to the database", HFILL
}},
10090 { &hf_netlogon_dc_flags_good_timeserv_flag
,
10091 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
10092 FT_BOOLEAN
, 32, TFS(&dc_flags_good_timeserv_flag
), DS_GOOD_TIMESERV_FLAG
,
10093 "If this is a Good TimeServer", HFILL
}},
10095 { &hf_netlogon_dc_flags_ndnc_flag
,
10096 { "NDNC", "netlogon.dc.flags.ndnc",
10097 FT_BOOLEAN
, 32, TFS(&dc_flags_ndnc_flag
), DS_NDNC_FLAG
,
10098 "If this is an NDNC server", HFILL
}},
10100 { &hf_netlogon_dc_flags_dns_controller_flag
,
10101 { "DNS Controller", "netlogon.dc.flags.dns_controller",
10102 FT_BOOLEAN
, 32, TFS(&dc_flags_dns_controller_flag
), DS_DNS_CONTROLLER_FLAG
,
10103 "If this server is a DNS Controller", HFILL
}},
10105 { &hf_netlogon_dc_flags_dns_domain_flag
,
10106 { "DNS Domain", "netlogon.dc.flags.dns_domain",
10107 FT_BOOLEAN
, 32, TFS(&dc_flags_dns_domain_flag
), DS_DNS_DOMAIN_FLAG
,
10110 { &hf_netlogon_dc_flags_dns_forest_flag
,
10111 { "DNS Forest", "netlogon.dc.flags.dns_forest",
10112 FT_BOOLEAN
, 32, TFS(&dc_flags_dns_forest_flag
), DS_DNS_FOREST_FLAG
,
10115 { &hf_netlogon_get_dcname_request_flags
,
10116 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32
, BASE_HEX
,
10117 NULL
, 0x0, "Flags for DSGetDCName request", HFILL
}},
10119 { &hf_netlogon_get_dcname_request_flags_force_rediscovery
,
10120 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
10121 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_force_rediscovery
), DS_FORCE_REDISCOVERY
,
10122 "Whether to allow the server to returned cached information or not", HFILL
}},
10124 { &hf_netlogon_get_dcname_request_flags_directory_service_required
,
10125 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
10126 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_directory_service_required
), DS_DIRECTORY_SERVICE_REQUIRED
,
10127 "Whether we require that the returned DC supports w2k or not", HFILL
}},
10129 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred
,
10130 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
10131 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_directory_service_preferred
), DS_DIRECTORY_SERVICE_PREFERRED
,
10132 "Whether we prefer the call to return a w2k server (if available)", HFILL
}},
10134 { &hf_netlogon_get_dcname_request_flags_gc_server_required
,
10135 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
10136 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_gc_server_required
), DS_GC_SERVER_REQUIRED
,
10137 "Whether we require that the returned DC is a Global Catalog server", HFILL
}},
10139 { &hf_netlogon_get_dcname_request_flags_pdc_required
,
10140 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
10141 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_pdc_required
), DS_PDC_REQUIRED
,
10142 "Whether we require the returned DC to be the PDC", HFILL
}},
10144 { &hf_netlogon_get_dcname_request_flags_background_only
,
10145 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
10146 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_background_only
), DS_BACKGROUND_ONLY
,
10147 "If we want cached data, even if it may have expired", HFILL
}},
10149 { &hf_netlogon_get_dcname_request_flags_ip_required
,
10150 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
10151 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_ip_required
), DS_IP_REQUIRED
,
10152 "If we require the IP of the DC in the reply", HFILL
}},
10154 { &hf_netlogon_get_dcname_request_flags_kdc_required
,
10155 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
10156 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_kdc_required
), DS_KDC_REQUIRED
,
10157 "If we require that the returned server is a KDC", HFILL
}},
10159 { &hf_netlogon_get_dcname_request_flags_timeserv_required
,
10160 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
10161 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_timeserv_required
), DS_TIMESERV_REQUIRED
,
10162 "If we require the returned server to be a WindowsTimeServ server", HFILL
}},
10164 { &hf_netlogon_get_dcname_request_flags_writable_required
,
10165 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
10166 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_writable_required
), DS_WRITABLE_REQUIRED
,
10167 "If we require that the returned server is writable", HFILL
}},
10169 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred
,
10170 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
10171 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred
), DS_GOOD_TIMESERV_PREFERRED
,
10172 "If we prefer Windows Time Servers", HFILL
}},
10174 { &hf_netlogon_get_dcname_request_flags_avoid_self
,
10175 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
10176 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_avoid_self
), DS_AVOID_SELF
,
10177 "Return another DC than the one we ask", HFILL
}},
10179 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed
,
10180 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
10181 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_only_ldap_needed
), DS_ONLY_LDAP_NEEDED
,
10182 "We just want an LDAP server, it does not have to be a DC", HFILL
}},
10184 { &hf_netlogon_get_dcname_request_flags_is_flat_name
,
10185 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
10186 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_is_flat_name
), DS_IS_FLAT_NAME
,
10187 "If the specified domain name is a NetBIOS name", HFILL
}},
10189 { &hf_netlogon_get_dcname_request_flags_is_dns_name
,
10190 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
10191 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_is_dns_name
), DS_IS_DNS_NAME
,
10192 "If the specified domain name is a DNS name", HFILL
}},
10194 { &hf_netlogon_get_dcname_request_flags_return_dns_name
,
10195 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
10196 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_return_dns_name
), DS_RETURN_DNS_NAME
,
10197 "Only return a DNS name (or an error)", HFILL
}},
10199 { &hf_netlogon_get_dcname_request_flags_return_flat_name
,
10200 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
10201 FT_BOOLEAN
, 32, TFS(&get_dcname_request_flags_return_flat_name
), DS_RETURN_FLAT_NAME
,
10202 "Only return a NetBIOS name (or an error)", HFILL
}},
10204 { &hf_netlogon_trust_attribs
,
10205 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32
, BASE_HEX
,
10206 NULL
, 0x0, NULL
, HFILL
}},
10208 { &hf_netlogon_trust_attribs_non_transitive
,
10209 { "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN
, 32,
10210 TFS(&trust_attribs_non_transitive
), 0x00000001, NULL
, HFILL
}},
10212 { &hf_netlogon_trust_attribs_uplevel_only
,
10213 { "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN
, 32,
10214 TFS(&trust_attribs_uplevel_only
), 0x00000002, NULL
, HFILL
}},
10216 { &hf_netlogon_trust_attribs_quarantined_domain
,
10217 { "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN
, 32,
10218 TFS(&trust_attribs_quarantined_domain
), 0x00000004, NULL
, HFILL
}},
10220 { &hf_netlogon_trust_attribs_forest_transitive
,
10221 { "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN
, 32,
10222 TFS(&trust_attribs_forest_transitive
), 0x00000008, NULL
, HFILL
}},
10224 { &hf_netlogon_trust_attribs_cross_organization
,
10225 { "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN
, 32,
10226 TFS(&trust_attribs_cross_organization
), 0x00000010, NULL
, HFILL
}},
10228 { &hf_netlogon_trust_attribs_within_forest
,
10229 { "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN
, 32,
10230 TFS(&trust_attribs_within_forest
), 0x00000020, NULL
, HFILL
}},
10232 { &hf_netlogon_trust_attribs_treat_as_external
,
10233 { "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN
, 32,
10234 TFS(&trust_attribs_treat_as_external
), 0x00000040, NULL
, HFILL
}},
10236 { &hf_netlogon_trust_type
,
10237 { "Trust Type", "netlogon.trust_type", FT_UINT32
, BASE_DEC
,
10238 VALS(trust_type_vals
), 0x0, NULL
, HFILL
}},
10240 { &hf_netlogon_extraflags
,
10241 { "Extra Flags", "netlogon.extra_flags", FT_UINT32
, BASE_HEX
,
10242 NULL
, 0x0, NULL
, HFILL
}},
10244 { &hf_netlogon_extra_flags_root_forest
,
10245 { "Request passed to DC of root forest", "netlogon.extra.flags.rootdc",
10246 FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), RQ_ROOT_FOREST
,
10249 { &hf_netlogon_trust_flags_dc_firsthop
,
10250 { "DC at the end of the first hop of cross forest", "netlogon.extra.flags.dc_firsthop",
10251 FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), RQ_DC_XFOREST
,
10254 { &hf_netlogon_trust_flags_rodc_to_dc
,
10255 { "Request from a RODC to a DC from another domain", "netlogon.extra.flags.rodc_to_dc",
10256 FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), RQ_RODC_DIF_DOMAIN
,
10259 { &hf_netlogon_trust_flags_rodc_ntlm
,
10260 { "Request is a NTLM auth passed by a RODC", "netlogon.extra.flags.rodc_ntlm",
10261 FT_BOOLEAN
, 32, TFS(&tfs_set_notset
), RQ_NTLM_FROM_RODC
,
10264 { &hf_netlogon_trust_flags
,
10265 { "Trust Flags", "netlogon.trust_flags", FT_UINT32
, BASE_HEX
,
10266 NULL
, 0x0, NULL
, HFILL
}},
10268 { &hf_netlogon_trust_flags_inbound
,
10269 { "Inbound Trust", "netlogon.trust.flags.inbound",
10270 FT_BOOLEAN
, 32, TFS(&trust_inbound
), DS_DOMAIN_DIRECT_INBOUND
,
10271 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL
}},
10273 { &hf_netlogon_trust_flags_outbound
,
10274 { "Outbound Trust", "netlogon.trust.flags.outbound",
10275 FT_BOOLEAN
, 32, TFS(&trust_outbound
), DS_DOMAIN_DIRECT_OUTBOUND
,
10276 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL
}},
10278 { &hf_netlogon_trust_flags_in_forest
,
10279 { "In Forest", "netlogon.trust.flags.in_forest",
10280 FT_BOOLEAN
, 32, TFS(&trust_in_forest
), DS_DOMAIN_IN_FOREST
,
10281 "Whether this domain is a member of the same forest as the servers domain", HFILL
}},
10283 { &hf_netlogon_trust_flags_native_mode
,
10284 { "Native Mode", "netlogon.trust.flags.native_mode",
10285 FT_BOOLEAN
, 32, TFS(&trust_native_mode
), DS_DOMAIN_NATIVE_MODE
,
10286 "Whether the domain is a w2k native mode domain or not", HFILL
}},
10288 { &hf_netlogon_trust_flags_primary
,
10289 { "Primary", "netlogon.trust.flags.primary",
10290 FT_BOOLEAN
, 32, TFS(&trust_primary
), DS_DOMAIN_PRIMARY
,
10291 "Whether the domain is the primary domain for the queried server or not", HFILL
}},
10293 { &hf_netlogon_trust_flags_tree_root
,
10294 { "Tree Root", "netlogon.trust.flags.tree_root",
10295 FT_BOOLEAN
, 32, TFS(&trust_tree_root
), DS_DOMAIN_TREE_ROOT
,
10296 "Whether the domain is the root of the tree for the queried server", HFILL
}},
10298 { &hf_netlogon_trust_parent_index
,
10299 { "Parent Index", "netlogon.parent_index", FT_UINT32
, BASE_HEX
,
10300 NULL
, 0x0, NULL
, HFILL
}},
10302 { &hf_netlogon_logon_time
,
10303 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10304 NULL
, 0, "Time for last time this user logged on", HFILL
}},
10306 { &hf_netlogon_kickoff_time
,
10307 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10308 NULL
, 0, "Time when this user will be kicked off", HFILL
}},
10310 { &hf_netlogon_logoff_time
,
10311 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10312 NULL
, 0, "Time for last time this user logged off", HFILL
}},
10314 { &hf_netlogon_last_logoff_time
,
10315 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10316 NULL
, 0, "Time for last time this user logged off", HFILL
}},
10318 { &hf_netlogon_pwd_last_set_time
,
10319 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10320 NULL
, 0, "Last time this users password was changed", HFILL
}},
10322 { &hf_netlogon_pwd_age
,
10323 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME
, BASE_NONE
,
10324 NULL
, 0, "Time since this users password was changed", HFILL
}},
10326 { &hf_netlogon_pwd_can_change_time
,
10327 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10328 NULL
, 0, "When this users password may be changed", HFILL
}},
10330 { &hf_netlogon_pwd_must_change_time
,
10331 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10332 NULL
, 0, "When this users password must be changed", HFILL
}},
10334 { &hf_netlogon_domain_create_time
,
10335 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10336 NULL
, 0, "Time when this domain was created", HFILL
}},
10338 { &hf_netlogon_domain_modify_time
,
10339 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10340 NULL
, 0, "Time when this domain was last modified", HFILL
}},
10342 { &hf_netlogon_db_modify_time
,
10343 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10344 NULL
, 0, "Time when last modified", HFILL
}},
10346 { &hf_netlogon_db_create_time
,
10347 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10348 NULL
, 0, "Time when created", HFILL
}},
10350 { &hf_netlogon_cipher_current_set_time
,
10351 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10352 NULL
, 0, "Time when current cipher was initiated", HFILL
}},
10354 { &hf_netlogon_cipher_old_set_time
,
10355 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME
, ABSOLUTE_TIME_LOCAL
,
10356 NULL
, 0, "Time when previous cipher was initiated", HFILL
}},
10358 { &hf_netlogon_audit_retention_period
,
10359 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME
, BASE_NONE
,
10360 NULL
, 0, NULL
, HFILL
}},
10362 { &hf_netlogon_timelimit
,
10363 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME
, BASE_NONE
,
10364 NULL
, 0, NULL
, HFILL
}},
10367 { &hf_client_credential
,
10368 { "Client Credential", "netlogon.clientcred", FT_BYTES
, BASE_NONE
,
10369 NULL
, 0x0, NULL
, HFILL
}},
10371 { &hf_server_credential
,
10372 { "Server Credential", "netlogon.servercred", FT_BYTES
, BASE_NONE
,
10373 NULL
, 0x0, NULL
, HFILL
}},
10376 { "Account RID", "netlogon.serverrid", FT_UINT32
, BASE_DEC
,
10377 NULL
, 0x0, NULL
, HFILL
}},
10379 { &hf_client_challenge
,
10380 { "Client Challenge", "netlogon.clientchallenge", FT_BYTES
, BASE_NONE
,
10381 NULL
, 0x0, NULL
, HFILL
}},
10383 { &hf_server_challenge
,
10384 { "Server Challenge", "netlogon.serverchallenge", FT_BYTES
, BASE_NONE
,
10385 NULL
, 0x0, NULL
, HFILL
}},
10387 { &hf_netlogon_secchan_nl_message_type
,
10388 { "Message Type", "netlogon.secchan.nl_auth_message.message_type", FT_UINT32
, BASE_HEX
,
10389 VALS(nl_auth_types
), 0x0, NULL
, HFILL
}},
10391 { &hf_netlogon_secchan_nl_message_flags
,
10392 { "Message Flags", "netlogon.secchan.nl_auth_message.message_flags", FT_UINT32
, BASE_HEX
,
10393 NULL
, 0x0, NULL
, HFILL
}},
10395 { &hf_netlogon_secchan_nl_message_flags_nb_domain
,
10396 { "NetBios Domain", "netlogon.secchan.nl_auth_message.message_flags.nb_domain", FT_BOOLEAN
, 32,
10397 NULL
, 0x00000001, NULL
, HFILL
}},
10399 { &hf_netlogon_secchan_nl_message_flags_nb_host
,
10400 { "NetBios Host", "netlogon.secchan.nl_auth_message.message_flags.nb_host", FT_BOOLEAN
, 32,
10401 NULL
, 0x00000002, NULL
, HFILL
}},
10403 { &hf_netlogon_secchan_nl_message_flags_dns_domain
,
10404 { "DNS Domain", "netlogon.secchan.nl_auth_message.message_flags.dns_domain", FT_BOOLEAN
, 32,
10405 NULL
, 0x00000004, NULL
, HFILL
}},
10407 { &hf_netlogon_secchan_nl_message_flags_dns_host
,
10408 { "DNS Host", "netlogon.secchan.nl_auth_message.message_flags.dns_host", FT_BOOLEAN
, 32,
10409 NULL
, 0x00000008, NULL
, HFILL
}},
10411 { &hf_netlogon_secchan_nl_message_flags_nb_host_utf8
,
10412 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.message_flags.nb_host_utf8", FT_BOOLEAN
, 32,
10413 NULL
, 0x00000010, NULL
, HFILL
}},
10415 { &hf_netlogon_secchan_nl_nb_domain
,
10416 { "NetBios Domain", "netlogon.secchan.nl_auth_message.nb_domain", FT_STRING
, BASE_NONE
,
10417 NULL
, 0, NULL
, HFILL
}},
10419 { &hf_netlogon_secchan_nl_nb_host
,
10420 { "NetBios Host", "netlogon.secchan.nl_auth_message.nb_host", FT_STRING
, BASE_NONE
,
10421 NULL
, 0, NULL
, HFILL
}},
10423 { &hf_netlogon_secchan_nl_nb_host_utf8
,
10424 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.nb_host_utf8", FT_STRING
, BASE_NONE
,
10425 NULL
, 0, NULL
, HFILL
}},
10427 { &hf_netlogon_secchan_nl_dns_domain
,
10428 { "DNS Domain", "netlogon.secchan.nl_auth_message.dns_domain", FT_STRING
, BASE_NONE
,
10429 NULL
, 0, NULL
, HFILL
}},
10431 { &hf_netlogon_secchan_nl_dns_host
,
10432 { "DNS Host", "netlogon.secchan.nl_auth_message.dns_host", FT_STRING
, BASE_NONE
,
10433 NULL
, 0, NULL
, HFILL
}},
10435 { &hf_netlogon_data_length
,
10436 { "Length of Data", "netlogon.data.length", FT_UINT32
, BASE_DEC
,
10437 NULL
, 0, NULL
, HFILL
}},
10439 { &hf_netlogon_package_name
,
10440 { "SSP Package Name", "netlogon.data.package_name", FT_STRING
, BASE_NONE
,
10441 NULL
, 0, NULL
, HFILL
}},
10443 { &hf_netlogon_secchan_verf
,
10444 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE
, BASE_NONE
,
10445 NULL
, 0x0, NULL
, HFILL
}},
10447 { &hf_netlogon_secchan_verf_signalg
,
10448 { "Sign algorithm", "netlogon.secchan.signalg", FT_UINT16
, BASE_HEX
,
10449 VALS(sign_algs
), 0, NULL
, HFILL
}},
10451 { &hf_netlogon_secchan_verf_sealalg
,
10452 { "Seal algorithm", "netlogon.secchan.sealalg", FT_UINT16
, BASE_HEX
,
10453 VALS(seal_algs
), 0, NULL
, HFILL
}},
10455 { &hf_netlogon_secchan_verf_flag
,
10456 { "Flags", "netlogon.secchan.flags", FT_BYTES
, BASE_NONE
, NULL
,
10457 0x0, NULL
, HFILL
}},
10459 { &hf_netlogon_secchan_verf_digest
,
10460 { "Packet Digest", "netlogon.secchan.digest", FT_BYTES
, BASE_NONE
, NULL
,
10461 0x0, NULL
, HFILL
}},
10463 { &hf_netlogon_secchan_verf_seq
,
10464 { "Sequence No", "netlogon.secchan.seq", FT_BYTES
, BASE_NONE
, NULL
,
10465 0x0, NULL
, HFILL
}},
10467 { &hf_netlogon_secchan_verf_nonce
,
10468 { "Nonce", "netlogon.secchan.nonce", FT_BYTES
, BASE_NONE
, NULL
,
10469 0x0, NULL
, HFILL
}},
10471 { &hf_netlogon_user_flags_extra_sids
,
10472 { "Extra SIDs", "netlogon.user.flags.extra_sids",
10473 FT_BOOLEAN
, 32, TFS(&user_flags_extra_sids
), 0x00000020,
10474 "The user flags EXTRA_SIDS", HFILL
}},
10476 { &hf_netlogon_user_flags_resource_groups
,
10477 { "Resource Groups", "netlogon.user.flags.resource_groups",
10478 FT_BOOLEAN
, 32, TFS(&user_flags_resource_groups
), 0x00000200,
10479 "The user flags RESOURCE_GROUPS", HFILL
}},
10481 { &hf_netlogon_user_account_control_dont_require_preauth
,
10482 { "Don't Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
10483 FT_BOOLEAN
, 32, TFS(&user_account_control_dont_require_preauth
), 0x00010000,
10484 "The user account control DONT_REQUIRE_PREAUTH flag", HFILL
}},
10486 { &hf_netlogon_user_account_control_use_des_key_only
,
10487 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
10488 FT_BOOLEAN
, 32, TFS(&user_account_control_use_des_key_only
), 0x00008000,
10489 "The user account control use_des_key_only flag", HFILL
}},
10491 { &hf_netlogon_user_account_control_not_delegated
,
10492 { "Not Delegated", "netlogon.user.account_control.not_delegated",
10493 FT_BOOLEAN
, 32, TFS(&user_account_control_not_delegated
), 0x00004000,
10494 "The user account control not_delegated flag", HFILL
}},
10496 { &hf_netlogon_user_account_control_trusted_for_delegation
,
10497 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
10498 FT_BOOLEAN
, 32, TFS(&user_account_control_trusted_for_delegation
), 0x00002000,
10499 "The user account control trusted_for_delegation flag", HFILL
}},
10501 { &hf_netlogon_user_account_control_smartcard_required
,
10502 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
10503 FT_BOOLEAN
, 32, TFS(&user_account_control_smartcard_required
), 0x00001000,
10504 "The user account control smartcard_required flag", HFILL
}},
10506 { &hf_netlogon_user_account_control_encrypted_text_password_allowed
,
10507 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
10508 FT_BOOLEAN
, 32, TFS(&user_account_control_encrypted_text_password_allowed
), 0x00000800,
10509 "The user account control encrypted_text_password_allowed flag", HFILL
}},
10511 { &hf_netlogon_user_account_control_account_auto_locked
,
10512 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
10513 FT_BOOLEAN
, 32, TFS(&user_account_control_account_auto_locked
), 0x00000400,
10514 "The user account control account_auto_locked flag", HFILL
}},
10516 { &hf_netlogon_user_account_control_dont_expire_password
,
10517 { "Don't Expire Password", "netlogon.user.account_control.dont_expire_password",
10518 FT_BOOLEAN
, 32, TFS(&user_account_control_dont_expire_password
), 0x00000200,
10519 "The user account control dont_expire_password flag", HFILL
}},
10521 { &hf_netlogon_user_account_control_server_trust_account
,
10522 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
10523 FT_BOOLEAN
, 32, TFS(&user_account_control_server_trust_account
), 0x00000100,
10524 "The user account control server_trust_account flag", HFILL
}},
10526 { &hf_netlogon_user_account_control_workstation_trust_account
,
10527 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
10528 FT_BOOLEAN
, 32, TFS(&user_account_control_workstation_trust_account
), 0x00000080,
10529 "The user account control workstation_trust_account flag", HFILL
}},
10531 { &hf_netlogon_user_account_control_interdomain_trust_account
,
10532 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
10533 FT_BOOLEAN
, 32, TFS(&user_account_control_interdomain_trust_account
), 0x00000040,
10534 "The user account control interdomain_trust_account flag", HFILL
}},
10536 { &hf_netlogon_user_account_control_mns_logon_account
,
10537 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
10538 FT_BOOLEAN
, 32, TFS(&user_account_control_mns_logon_account
), 0x00000020,
10539 "The user account control mns_logon_account flag", HFILL
}},
10541 { &hf_netlogon_user_account_control_normal_account
,
10542 { "Normal Account", "netlogon.user.account_control.normal_account",
10543 FT_BOOLEAN
, 32, TFS(&user_account_control_normal_account
), 0x00000010,
10544 "The user account control normal_account flag", HFILL
}},
10546 { &hf_netlogon_user_account_control_temp_duplicate_account
,
10547 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
10548 FT_BOOLEAN
, 32, TFS(&user_account_control_temp_duplicate_account
), 0x00000008,
10549 "The user account control temp_duplicate_account flag", HFILL
}},
10551 { &hf_netlogon_user_account_control_password_not_required
,
10552 { "Password Not Required", "netlogon.user.account_control.password_not_required",
10553 FT_BOOLEAN
, 32, TFS(&user_account_control_password_not_required
), 0x00000004,
10554 "The user account control password_not_required flag", HFILL
}},
10556 { &hf_netlogon_user_account_control_home_directory_required
,
10557 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
10558 FT_BOOLEAN
, 32, TFS(&user_account_control_home_directory_required
), 0x00000002,
10559 "The user account control home_directory_required flag", HFILL
}},
10561 { &hf_netlogon_user_account_control_account_disabled
,
10562 { "Account Disabled", "netlogon.user.account_control.account_disabled",
10563 FT_BOOLEAN
, 32, TFS(&user_account_control_account_disabled
), 0x00000001,
10564 "The user account control account_disabled flag", HFILL
}},
10567 { &hf_netlogon_dnsdomaininfo
,
10568 { "DnsDomainInfo", "netlogon.dnsdomaininfo", FT_NONE
, BASE_NONE
,
10569 NULL
, 0x0, NULL
, HFILL
}},
10572 { &hf_dns_domain_info_sid
,
10573 { "Sid", "netlogon.lsa_DnsDomainInfo.sid", FT_NONE
, BASE_NONE
, NULL
, 0, NULL
, HFILL
}},
10574 { &hf_domain_info_sid
,
10575 { "Sid", "netlogon.lsa_DomainInfo.sid", FT_NONE
, BASE_NONE
, NULL
, 0, NULL
, HFILL
}},
10576 { &hf_dns_domain_info_domain_guid
,
10577 { "Domain Guid", "netlogon.lsa_DnsDomainInfo.domain_guid", FT_GUID
, BASE_NONE
, NULL
, 0, NULL
, HFILL
}},
10578 { &hf_dns_domain_info_dns_forest
,
10579 { "Dns Forest", "netlogon.lsa_DnsDomainInfo.dns_forest", FT_NONE
, BASE_NONE
, NULL
, 0, NULL
, HFILL
}},
10580 { &hf_dns_domain_info_dns_domain
,
10581 { "Dns Domain", "netlogon.lsa_DnsDomainInfo.dns_domain", FT_NONE
, BASE_NONE
, NULL
, 0, NULL
, HFILL
}},
10582 { &hf_dns_domain_info_name
,
10583 { "Name", "netlogon.lsa_DnsDomainInfo.name", FT_NONE
, BASE_NONE
, NULL
, 0, NULL
, HFILL
}},
10584 { &hf_netlogon_s4u2proxytarget
,
10585 { "S4U2proxyTarget", "netlogon.s4u2proxytarget", FT_STRING
, BASE_NONE
,
10586 NULL
, 0, "Target for constrained delegation using s4u2proxy", HFILL
}},
10587 { &hf_netlogon_transitedlistsize
,
10588 { "TransitedListSize", "netlogon.transited_list_size", FT_UINT32
, BASE_HEX
,
10589 NULL
, 0x0, "Number of elements in the TransitedServices array.", HFILL
}},
10590 { &hf_netlogon_transited_service
,
10591 { "Transited Service", "netlogon.transited_service", FT_STRING
, BASE_NONE
,
10592 NULL
, 0, "S4U2 Transited Service name", HFILL
}},
10593 { &hf_netlogon_logon_duration
,
10594 { "Duration", "netlogon.logon_duration", FT_UINT32
, BASE_DEC
,
10595 NULL
, 0x0, NULL
, HFILL
}},
10596 { &hf_netlogon_time_created
,
10597 { "Time Created", "netlogon.time_created", FT_UINT32
, BASE_DEC
,
10598 NULL
, 0x0, NULL
, HFILL
}},
10601 static int *ett
[] = {
10602 &ett_dcerpc_netlogon
,
10603 &ett_authenticate_flags
,
10606 &ett_IDENTITY_INFO
,
10608 &ett_UNICODE_MULTI
,
10609 &ett_DOMAIN_CONTROLLER_INFO
,
10610 &ett_netr_CryptPassword
,
10611 &ett_NL_PASSWORD_VERSION
,
10612 &ett_NL_GENERIC_RPC_DATA
,
10615 &ett_DELTA_ID_UNION
,
10618 &ett_LM_OWF_PASSWORD
,
10619 &ett_NT_OWF_PASSWORD
,
10620 &ett_GROUP_MEMBERSHIP
,
10621 &ett_DS_DOMAIN_TRUSTS
,
10623 &ett_DOMAIN_TRUST_INFO
,
10624 &ett_LSA_POLICY_INFO
,
10626 &ett_trust_attribs
,
10627 &ett_get_dcname_request_flags
,
10629 &ett_secchan_nl_auth_message
,
10630 &ett_secchan_nl_auth_message_flags
,
10634 &ett_nt_counted_longs_as_string
,
10635 &ett_user_account_control
,
10636 &ett_wstr_LOGON_IDENTITY_INFO_string
,
10637 &ett_domain_group_memberships
,
10638 &ett_domains_group_memberships
,
10640 static ei_register_info ei
[] = {
10641 { &ei_netlogon_auth_nthash
, {
10642 "netlogon.authenticated", PI_SECURITY
, PI_CHAT
,
10643 "Authenticated NTHASH", EXPFILL
10645 { &ei_netlogon_session_key
, {
10646 "netlogon.sessionkey", PI_SECURITY
, PI_CHAT
,
10647 "SessionKey", EXPFILL
10650 expert_module_t
* expert_netlogon
;
10652 proto_dcerpc_netlogon
= proto_register_protocol("Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
10654 proto_register_field_array(proto_dcerpc_netlogon
, hf
, array_length(hf
));
10655 proto_register_subtree_array(ett
, array_length(ett
));
10656 expert_netlogon
= expert_register_protocol(proto_dcerpc_netlogon
);
10657 expert_register_field_array(expert_netlogon
, ei
, array_length(ei
));
10659 netlogon_auths
= wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), netlogon_auth_hash
, netlogon_auth_equal
);
10660 schannel_auths
= wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), dcerpc_auth_schannel_key_hash
, dcerpc_auth_schannel_key_equal
);
/*
 * Callback table for the Netlogon secure channel, of the type that
 * register_dcerpc_auth_subdissector() accepts. The initializer is
 * positional: each entry's trailing comment names the slot it fills.
 * The same function, dissect_secchan_nl_auth_message, is used for both
 * the Bind and the Bind ACK slot; the request and response directions
 * have separate verifier and data callbacks.
 *
 * NOTE(review): whether the data callbacks decrypt sealed payloads is not
 * visible in this part of the file - confirm against their definitions.
 */
10663 static dcerpc_auth_subdissector_fns secchan_auth_fns
= {
10664 dissect_secchan_nl_auth_message
, /* Bind */
10665 dissect_secchan_nl_auth_message
, /* Bind ACK */
/* NOTE(review): the listing's numbering jumps from 10665 to 10667, so one
 * initializer line is not shown here; the slot positions of the entries
 * below cannot be confirmed from this excerpt alone. */
10667 dissect_request_secchan_verf
, /* Request verifier */
10668 dissect_response_secchan_verf
, /* Response verifier */
10669 dissect_request_data
, /* Request data */
10670 dissect_response_data
/* Response data */
/*
 * Handoff routine for the Netlogon dissector. In the lines shown it does
 * three things: clears seen.isseen, attaches the Netlogon interface to the
 * DCE/RPC layer with dcerpc_init_uuid(), and registers the secure channel
 * callback table (secchan_auth_fns) as the auth subdissector for the
 * SEC_CHAN authentication protocol.
 *
 * NOTE(review): the listing's numbering has gaps inside this function
 * (10677 -> 10679, 10681 -> 10684), so statements may be missing from this
 * excerpt; read the full file before changing the order of operations.
 */
10674 proto_reg_handoff_dcerpc_netlogon(void)
10676 /* Register protocol as dcerpc */
/* Reset the isseen member of the file-level "seen" object; what it tracks
 * is defined elsewhere in the file. */
10677 seen
.isseen
= false;
/* Tie the interface UUID and version to this protocol, passing its
 * top-level subtree, the per-opnum dissector table and the opnum field. */
10679 dcerpc_init_uuid(proto_dcerpc_netlogon
, ett_dcerpc_netlogon
,
10680 &uuid_dcerpc_netlogon
, ver_dcerpc_netlogon
,
10681 dcerpc_netlogon_dissectors
, hf_netlogon_opnum
);
/* Register the same callback table twice, once per authentication level:
 * packet integrity and packet privacy. Both registrations use
 * DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN, so traffic at either level reaches the
 * same verifier and data callbacks. No other authentication level is
 * registered in the lines shown here. */
10684 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY
,
10685 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN
,
10686 &secchan_auth_fns
);
10687 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY
,
10688 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN
,
10689 &secchan_auth_fns
);
10693 * Editor modelines - https://www.wireshark.org/tools/modelines.html
10696 * c-basic-offset: 4
10698 * indent-tabs-mode: nil
10701 * vi: set shiftwidth=4 tabstop=8 expandtab:
10702 * :indentSize=4:tabSize=8:noTabs=true: