dcerpc-netlogon: maintain netlogon_auth_vars for NetrServerAuthenticateKerberos
1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * SPDX-License-Identifier: GPL-2.0-or-later
13 #include "config.h"
15 #define WS_LOG_DOMAIN "packet-dcerpc-netlogon"
17 #include <epan/packet.h>
18 #include <epan/expert.h>
19 #include <epan/tfs.h>
21 #include <wsutil/wsgcrypt.h>
22 #include <wsutil/wslog.h>
23 #include <wsutil/str_util.h>
25 /* for dissect_mscldap_string */
26 #include "packet-ldap.h"
27 #include "packet-dcerpc.h"
28 #include "packet-dcerpc-nt.h"
29 #include "packet-dcerpc-netlogon.h"
30 #include "packet-windows-common.h"
31 #include "packet-dcerpc-lsa.h"
32 #include "packet-ntlmssp.h"
33 #include "packet-dcerpc-misc.h"
34 /* for keytab format */
35 #include <epan/asn1.h>
36 #include "packet-kerberos.h"
37 /* for routines to read the keytab file */
38 #include "read_keytab_file.h"
39 /* for decoding */
41 void proto_register_dcerpc_netlogon(void);
42 void proto_reg_handoff_dcerpc_netlogon(void);
44 static proto_item *
45 netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,uint32_t flags,int offset);
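/*
 * Debug helper: write a hex dump of nb bytes starting at tab to the debug
 * log, prefixed by txt.
 *
 * Nothing is allocated or formatted unless debug logging is active for
 * WS_LOG_DOMAIN. The dump buffer is taken from the caller-supplied scratch
 * allocator and is not freed here.
 *
 * NOTE(review): this file keeps an NT hash and session keys in
 * netlogon_auth_vars; if callers pass those buffers here, the debug log will
 * contain key material and should be handled as sensitive. Confirm against
 * the call sites.
 */
static void printnbyte(wmem_allocator_t *scratch, const uint8_t* tab,int nb,const char* txt)
{
    if (!ws_log_msg_is_active(WS_LOG_DOMAIN, LOG_LEVEL_DEBUG)) {
        return;
    }

    /* A negative count would turn nb*3 + 1 into a huge allocation size, and
     * a NULL buffer with a positive count cannot be read. */
    if (nb < 0 || (nb > 0 && tab == NULL)) {
        return;
    }

    char *hexdump = wmem_alloc0(scratch, (size_t)nb * 3 + 1);

    for (int i = 0; i < nb; i++) {
        /* Each byte is rendered as three characters ("XX "). snprintf needs
         * room for those plus its terminating NUL, so the size is 4. A size
         * of 3 drops the space and leaves a NUL after every byte, which ends
         * the logged string after the first byte. The last write reaches
         * index nb*3, which the allocation above covers. */
        snprintf(hexdump + ((size_t)i * 3), 4, "%02X ", tab[i]);
    }
    hexdump[(size_t)nb * 3] = '\0';

    ws_debug("%s %s", txt, hexdump);
}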
67 #define NETLOGON_FLAG_80000000 0x80000000
68 #define NETLOGON_FLAG_40000000 0x40000000
69 #define NETLOGON_FLAG_20000000 0x20000000
70 #define NETLOGON_FLAG_10000000 0x10000000
71 #define NETLOGON_FLAG_8000000 0x8000000
72 #define NETLOGON_FLAG_4000000 0x4000000
73 #define NETLOGON_FLAG_2000000 0x2000000
74 #define NETLOGON_FLAG_AES 0x1000000
75 #define NETLOGON_FLAG_800000 0x800000
76 #define NETLOGON_FLAG_400000 0x400000
77 #define NETLOGON_FLAG_200000 0x200000
78 #define NETLOGON_FLAG_100000 0x100000
79 #define NETLOGON_FLAG_80000 0x80000
80 #define NETLOGON_FLAG_40000 0x40000
81 #define NETLOGON_FLAG_20000 0x20000
82 #define NETLOGON_FLAG_10000 0x10000
83 #define NETLOGON_FLAG_8000 0x8000
84 #define NETLOGON_FLAG_STRONGKEY 0x4000
85 #define NETLOGON_FLAG_2000 0x2000
86 #define NETLOGON_FLAG_1000 0x1000
87 #define NETLOGON_FLAG_800 0x800
88 #define NETLOGON_FLAG_400 0x400
89 #define NETLOGON_FLAG_200 0x200
90 #define NETLOGON_FLAG_100 0x100
91 #define NETLOGON_FLAG_80 0x80
92 #define NETLOGON_FLAG_40 0x40
93 #define NETLOGON_FLAG_20 0x20
94 #define NETLOGON_FLAG_10 0x10
95 #define NETLOGON_FLAG_8 0x8
96 #define NETLOGON_FLAG_4 0x4
97 #define NETLOGON_FLAG_2 0x2
98 #define NETLOGON_FLAG_1 0x1
100 static wmem_map_t *netlogon_auths;
101 static wmem_map_t *schannel_auths;
102 static int proto_dcerpc_netlogon;
104 static int hf_netlogon_TrustedDomainName_string;
105 static int hf_netlogon_UserName_string;
106 static int hf_domain_info_sid;
107 static int hf_dns_domain_info_sid;
108 static int hf_dns_domain_info_domain_guid;
109 static int hf_dns_domain_info_dns_domain;
110 static int hf_dns_domain_info_dns_forest;
111 static int hf_dns_domain_info_name;
112 static int hf_client_challenge;
113 static int hf_server_rid;
114 static int hf_server_challenge;
115 static int hf_client_credential;
116 static int hf_server_credential;
117 static int hf_netlogon_logon_dnslogondomainname;
118 static int hf_netlogon_logon_upn;
119 static int hf_netlogon_opnum;
120 static int hf_netlogon_data_length;
121 static int hf_netlogon_extraflags;
122 static int hf_netlogon_extra_flags_root_forest;
123 static int hf_netlogon_trust_flags_dc_firsthop;
124 static int hf_netlogon_trust_flags_rodc_to_dc;
125 static int hf_netlogon_trust_flags_rodc_ntlm;
126 static int hf_netlogon_package_name;
127 static int hf_netlogon_rc;
128 static int hf_netlogon_dos_rc;
129 static int hf_netlogon_werr_rc;
130 static int hf_netlogon_len;
131 static int hf_netlogon_password_version_reserved;
132 static int hf_netlogon_password_version_number;
133 static int hf_netlogon_password_version_present;
134 static int hf_netlogon_sensitive_data_flag;
135 static int hf_netlogon_sensitive_data_len;
136 static int hf_netlogon_sensitive_data;
137 static int hf_netlogon_security_information;
138 static int hf_netlogon_dummy;
139 static int hf_netlogon_neg_flags;
140 static int hf_netlogon_neg_flags_80000000;
141 static int hf_netlogon_neg_flags_40000000;
142 static int hf_netlogon_neg_flags_20000000;
143 /* static int hf_netlogon_neg_flags_10000000; */
144 /* static int hf_netlogon_neg_flags_8000000; */
145 /* static int hf_netlogon_neg_flags_4000000; */
146 /* static int hf_netlogon_neg_flags_2000000; */
147 static int hf_netlogon_neg_flags_1000000;
148 /* static int hf_netlogon_neg_flags_800000; */
149 /* static int hf_netlogon_neg_flags_400000; */
150 static int hf_netlogon_neg_flags_200000;
151 static int hf_netlogon_neg_flags_100000;
152 static int hf_netlogon_neg_flags_80000;
153 static int hf_netlogon_neg_flags_40000;
154 static int hf_netlogon_neg_flags_20000;
155 static int hf_netlogon_neg_flags_10000;
156 static int hf_netlogon_neg_flags_8000;
157 static int hf_netlogon_neg_flags_4000;
158 static int hf_netlogon_neg_flags_2000;
159 static int hf_netlogon_neg_flags_1000;
160 static int hf_netlogon_neg_flags_800;
161 static int hf_netlogon_neg_flags_400;
162 static int hf_netlogon_neg_flags_200;
163 static int hf_netlogon_neg_flags_100;
164 static int hf_netlogon_neg_flags_80;
165 static int hf_netlogon_neg_flags_40;
166 static int hf_netlogon_neg_flags_20;
167 static int hf_netlogon_neg_flags_10;
168 static int hf_netlogon_neg_flags_8;
169 static int hf_netlogon_neg_flags_4;
170 static int hf_netlogon_neg_flags_2;
171 static int hf_netlogon_neg_flags_1;
172 static int hf_netlogon_minworkingsetsize;
173 static int hf_netlogon_maxworkingsetsize;
174 static int hf_netlogon_pagedpoollimit;
175 static int hf_netlogon_pagefilelimit;
176 static int hf_netlogon_timelimit;
177 static int hf_netlogon_nonpagedpoollimit;
178 /* static int hf_netlogon_pac_size; */
179 /* static int hf_netlogon_pac_data; */
180 /* static int hf_netlogon_auth_size; */
181 /* static int hf_netlogon_auth_data; */
182 static int hf_netlogon_cipher_len;
183 static int hf_netlogon_cipher_maxlen;
184 static int hf_netlogon_cipher_current_data;
185 static int hf_netlogon_cipher_current_set_time;
186 static int hf_netlogon_cipher_old_data;
187 static int hf_netlogon_cipher_old_set_time;
188 static int hf_netlogon_priv;
189 static int hf_netlogon_privilege_entries;
190 static int hf_netlogon_privilege_control;
191 static int hf_netlogon_privilege_name;
192 static int hf_netlogon_systemflags;
193 static int hf_netlogon_pdc_connection_status;
194 static int hf_netlogon_tc_connection_status;
195 static int hf_netlogon_restart_state;
196 static int hf_netlogon_attrs;
197 static int hf_netlogon_lsapolicy_len;
198 /* static int hf_netlogon_lsapolicy_referentid; */
199 /* static int hf_netlogon_lsapolicy_pointer; */
200 static int hf_netlogon_count;
201 static int hf_netlogon_entries;
202 static int hf_netlogon_minpasswdlen;
203 static int hf_netlogon_passwdhistorylen;
204 static int hf_netlogon_level16;
205 static int hf_netlogon_validation_level;
206 static int hf_netlogon_reference;
207 static int hf_netlogon_next_reference;
208 static int hf_netlogon_timestamp;
209 static int hf_netlogon_level;
210 static int hf_netlogon_challenge;
211 static int hf_netlogon_reserved;
212 static int hf_netlogon_audit_retention_period;
213 static int hf_netlogon_auditing_mode;
214 static int hf_netlogon_max_audit_event_count;
215 static int hf_netlogon_event_audit_option;
216 static int hf_netlogon_unknown_string;
217 static int hf_netlogon_new_password;
218 static int hf_netlogon_trust_extension;
219 static int hf_netlogon_trust_max;
220 static int hf_netlogon_trust_offset;
221 static int hf_netlogon_trust_len;
222 static int hf_netlogon_opaque_buffer_enc;
223 static int hf_netlogon_opaque_buffer_dec;
224 static int hf_netlogon_opaque_buffer_size;
225 static int hf_netlogon_dummy_string;
226 static int hf_netlogon_dummy_string2;
227 static int hf_netlogon_dummy_string3;
228 static int hf_netlogon_dummy_string4;
229 static int hf_netlogon_dummy_string5;
230 static int hf_netlogon_dummy_string6;
231 static int hf_netlogon_dummy_string7;
232 static int hf_netlogon_dummy_string8;
233 static int hf_netlogon_dummy_string9;
234 static int hf_netlogon_dummy_string10;
235 static int hf_netlogon_unknown_short;
236 static int hf_netlogon_unknown_long;
237 static int hf_netlogon_dummy1_long;
238 static int hf_netlogon_dummy2_long;
239 static int hf_netlogon_dummy3_long;
240 static int hf_netlogon_dummy4_long;
241 static int hf_netlogon_dummy5_long;
242 static int hf_netlogon_dummy6_long;
243 static int hf_netlogon_dummy7_long;
244 static int hf_netlogon_dummy8_long;
245 static int hf_netlogon_dummy9_long;
246 static int hf_netlogon_dummy10_long;
247 static int hf_netlogon_unknown_char;
248 static int hf_netlogon_logon_time;
249 static int hf_netlogon_logoff_time;
250 static int hf_netlogon_last_logoff_time;
251 static int hf_netlogon_kickoff_time;
252 static int hf_netlogon_pwd_age;
253 static int hf_netlogon_pwd_last_set_time;
254 static int hf_netlogon_pwd_can_change_time;
255 static int hf_netlogon_pwd_must_change_time;
256 static int hf_netlogon_nt_chal_resp;
257 static int hf_netlogon_lm_chal_resp;
258 static int hf_netlogon_credential;
259 static int hf_netlogon_acct_name;
260 static int hf_netlogon_acct_desc;
261 static int hf_netlogon_group_desc;
262 static int hf_netlogon_full_name;
263 static int hf_netlogon_comment;
264 static int hf_netlogon_parameters;
265 static int hf_netlogon_logon_script;
266 static int hf_netlogon_profile_path;
267 static int hf_netlogon_home_dir;
268 static int hf_netlogon_dir_drive;
269 static int hf_netlogon_logon_count;
270 static int hf_netlogon_logon_count16;
271 static int hf_netlogon_bad_pw_count;
272 static int hf_netlogon_bad_pw_count16;
273 static int hf_netlogon_user_rid;
274 static int hf_netlogon_alias_rid;
275 static int hf_netlogon_group_rid;
276 static int hf_netlogon_logon_srv;
277 /* static int hf_netlogon_principal; */
278 static int hf_netlogon_logon_dom;
279 static int hf_netlogon_resourcegroupcount;
280 static int hf_netlogon_accountdomaingroupcount;
281 static int hf_netlogon_domaingroupcount;
282 static int hf_netlogon_membership_domains_count;
283 static int hf_netlogon_downlevel_domain_name;
284 static int hf_netlogon_dns_domain_name;
285 static int hf_netlogon_ad_client_dns_name;
286 static int hf_netlogon_domain_name;
287 static int hf_netlogon_domain_create_time;
288 static int hf_netlogon_domain_modify_time;
289 static int hf_netlogon_modify_count;
290 static int hf_netlogon_db_modify_time;
291 static int hf_netlogon_db_create_time;
292 static int hf_netlogon_oem_info;
293 static int hf_netlogon_serial_number;
294 static int hf_netlogon_num_rids;
295 static int hf_netlogon_num_trusts;
296 static int hf_netlogon_num_controllers;
297 static int hf_netlogon_num_sid;
298 static int hf_netlogon_computer_name;
299 static int hf_netlogon_site_name;
300 static int hf_netlogon_trusted_dc_name;
301 static int hf_netlogon_dc_name;
302 static int hf_netlogon_dc_site_name;
303 static int hf_netlogon_dns_forest_name;
304 static int hf_netlogon_dc_address;
305 static int hf_netlogon_dc_address_type;
306 static int hf_netlogon_client_site_name;
307 static int hf_netlogon_workstation;
308 static int hf_netlogon_workstation_site_name;
309 static int hf_netlogon_os_version;
310 static int hf_netlogon_workstation_os;
311 static int hf_netlogon_workstation_flags;
312 static int hf_netlogon_supportedenctypes;
314 static int hf_netlogon_workstations;
315 static int hf_netlogon_workstation_fqdn;
316 static int hf_netlogon_group_name;
317 static int hf_netlogon_alias_name;
318 static int hf_netlogon_country;
319 static int hf_netlogon_codepage;
320 static int hf_netlogon_flags;
321 static int hf_netlogon_trust_attribs;
322 static int hf_netlogon_trust_attribs_non_transitive;
323 static int hf_netlogon_trust_attribs_uplevel_only;
324 static int hf_netlogon_trust_attribs_quarantined_domain;
325 static int hf_netlogon_trust_attribs_forest_transitive;
326 static int hf_netlogon_trust_attribs_cross_organization;
327 static int hf_netlogon_trust_attribs_within_forest;
328 static int hf_netlogon_trust_attribs_treat_as_external;
329 static int hf_netlogon_trust_type;
330 static int hf_netlogon_trust_flags;
331 static int hf_netlogon_trust_flags_inbound;
332 static int hf_netlogon_trust_flags_outbound;
333 static int hf_netlogon_trust_flags_in_forest;
334 static int hf_netlogon_trust_flags_native_mode;
335 static int hf_netlogon_trust_flags_primary;
336 static int hf_netlogon_trust_flags_tree_root;
337 static int hf_netlogon_trust_parent_index;
338 static int hf_netlogon_user_account_control;
339 static int hf_netlogon_user_account_control_dont_require_preauth;
340 static int hf_netlogon_user_account_control_use_des_key_only;
341 static int hf_netlogon_user_account_control_not_delegated;
342 static int hf_netlogon_user_account_control_trusted_for_delegation;
343 static int hf_netlogon_user_account_control_smartcard_required;
344 static int hf_netlogon_user_account_control_encrypted_text_password_allowed;
345 static int hf_netlogon_user_account_control_account_auto_locked;
346 static int hf_netlogon_user_account_control_dont_expire_password;
347 static int hf_netlogon_user_account_control_server_trust_account;
348 static int hf_netlogon_user_account_control_workstation_trust_account;
349 static int hf_netlogon_user_account_control_interdomain_trust_account;
350 static int hf_netlogon_user_account_control_mns_logon_account;
351 static int hf_netlogon_user_account_control_normal_account;
352 static int hf_netlogon_user_account_control_temp_duplicate_account;
353 static int hf_netlogon_user_account_control_password_not_required;
354 static int hf_netlogon_user_account_control_home_directory_required;
355 static int hf_netlogon_user_account_control_account_disabled;
356 static int hf_netlogon_user_flags;
357 static int hf_netlogon_user_flags_extra_sids;
358 static int hf_netlogon_user_flags_resource_groups;
359 static int hf_netlogon_auth_flags;
360 static int hf_netlogon_pwd_expired;
361 static int hf_netlogon_nt_pwd_present;
362 static int hf_netlogon_lm_pwd_present;
363 static int hf_netlogon_code;
364 static int hf_netlogon_database_id;
365 static int hf_netlogon_sync_context;
366 static int hf_netlogon_max_size;
367 static int hf_netlogon_max_log_size;
368 static int hf_netlogon_dns_host;
369 static int hf_netlogon_acct_expiry_time;
370 static int hf_netlogon_encrypted_lm_owf_password;
371 static int hf_netlogon_lm_owf_password;
372 static int hf_netlogon_nt_owf_password;
373 static int hf_netlogon_param_ctrl;
374 static int hf_netlogon_logon_id;
375 static int hf_netlogon_num_deltas;
376 static int hf_netlogon_user_session_key;
377 static int hf_netlogon_blob_size;
378 static int hf_netlogon_blob;
379 static int hf_netlogon_logon_attempts;
380 static int hf_netlogon_authoritative;
381 static int hf_netlogon_secure_channel_type;
382 static int hf_netlogon_logonsrv_handle;
383 static int hf_netlogon_delta_type;
384 static int hf_netlogon_get_dcname_request_flags;
385 static int hf_netlogon_get_dcname_request_flags_force_rediscovery;
386 static int hf_netlogon_get_dcname_request_flags_directory_service_required;
387 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred;
388 static int hf_netlogon_get_dcname_request_flags_gc_server_required;
389 static int hf_netlogon_get_dcname_request_flags_pdc_required;
390 static int hf_netlogon_get_dcname_request_flags_background_only;
391 static int hf_netlogon_get_dcname_request_flags_ip_required;
392 static int hf_netlogon_get_dcname_request_flags_kdc_required;
393 static int hf_netlogon_get_dcname_request_flags_timeserv_required;
394 static int hf_netlogon_get_dcname_request_flags_writable_required;
395 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred;
396 static int hf_netlogon_get_dcname_request_flags_avoid_self;
397 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed;
398 static int hf_netlogon_get_dcname_request_flags_is_flat_name;
399 static int hf_netlogon_get_dcname_request_flags_is_dns_name;
400 static int hf_netlogon_get_dcname_request_flags_return_dns_name;
401 static int hf_netlogon_get_dcname_request_flags_return_flat_name;
402 static int hf_netlogon_dc_flags;
403 static int hf_netlogon_dc_flags_pdc_flag;
404 static int hf_netlogon_dc_flags_gc_flag;
405 static int hf_netlogon_dc_flags_ldap_flag;
406 static int hf_netlogon_dc_flags_ds_flag;
407 static int hf_netlogon_dc_flags_kdc_flag;
408 static int hf_netlogon_dc_flags_timeserv_flag;
409 static int hf_netlogon_dc_flags_closest_flag;
410 static int hf_netlogon_dc_flags_writable_flag;
411 static int hf_netlogon_dc_flags_good_timeserv_flag;
412 static int hf_netlogon_dc_flags_ndnc_flag;
413 static int hf_netlogon_dc_flags_dns_controller_flag;
414 static int hf_netlogon_dc_flags_dns_domain_flag;
415 static int hf_netlogon_dc_flags_dns_forest_flag;
416 /* static int hf_netlogon_dnsdomaininfo; */
417 static int hf_netlogon_s4u2proxytarget;
418 static int hf_netlogon_transitedlistsize;
419 static int hf_netlogon_transited_service;
420 static int hf_netlogon_logon_duration;
421 static int hf_netlogon_time_created;
423 static int ett_nt_counted_longs_as_string;
424 static int ett_dcerpc_netlogon;
425 static int ett_group_attrs;
426 static int ett_user_flags;
427 static int ett_user_account_control;
428 static int ett_QUOTA_LIMITS;
429 static int ett_IDENTITY_INFO;
430 static int ett_DELTA_ENUM;
431 static int ett_authenticate_flags;
432 static int ett_CYPHER_VALUE;
433 static int ett_UNICODE_MULTI;
434 static int ett_DOMAIN_CONTROLLER_INFO;
435 static int ett_netr_CryptPassword;
436 static int ett_NL_PASSWORD_VERSION;
437 static int ett_NL_GENERIC_RPC_DATA;
438 static int ett_TYPE_50;
439 static int ett_TYPE_52;
440 static int ett_DELTA_ID_UNION;
441 static int ett_CAPABILITIES;
442 static int ett_DELTA_UNION;
443 static int ett_LM_OWF_PASSWORD;
444 static int ett_NT_OWF_PASSWORD;
445 static int ett_GROUP_MEMBERSHIP;
446 static int ett_BLOB;
447 static int ett_DS_DOMAIN_TRUSTS;
448 static int ett_LSA_POLICY_INFO;
449 static int ett_DOMAIN_TRUST_INFO;
450 static int ett_trust_flags;
451 static int ett_trust_attribs;
452 static int ett_get_dcname_request_flags;
453 static int ett_dc_flags;
454 static int ett_wstr_LOGON_IDENTITY_INFO_string;
455 static int ett_domain_group_memberships;
456 static int ett_domains_group_memberships;
458 static expert_field ei_netlogon_auth_nthash;
459 static expert_field ei_netlogon_session_key;
461 typedef struct _netlogon_auth_vars {
462 uint64_t client_challenge;
463 uint64_t server_challenge;
464 md4_pass nthash;
465 int auth_fd_num;
466 uint8_t session_key[16];
467 uint8_t encryption_key[16];
468 uint8_t sequence[16];
469 uint32_t flags;
470 uint64_t seq;
471 uint64_t confounder;
472 uint8_t private_type;
473 bool can_decrypt;
474 char* client_name;
475 int start;
476 int next_start;
477 struct _netlogon_auth_vars *next;
478 } netlogon_auth_vars;
480 static gcry_error_t prepare_session_key_cipher(netlogon_auth_vars *vars,
481 gcry_cipher_hd_t *_cipher_hd);
483 typedef struct _seen_packet {
484 bool isseen;
485 uint32_t num;
486 } seen_packet;
488 static seen_packet seen;
490 static e_guid_t uuid_dcerpc_netlogon = {
491 0x12345678, 0x1234, 0xabcd,
492 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
495 static uint16_t ver_dcerpc_netlogon = 1;
/*
 * Read an 8-byte field at offset, add it to tree under hfindex and
 * optionally hand the value back to the caller.
 *
 * The value is fetched as a 64-bit integer, little-endian when drep[0] has
 * DREP_LITTLE_ENDIAN set and big-endian otherwise. The tree item itself is
 * added as raw bytes (ENC_NA). Returns the offset just past the field.
 */
static int dissect_dcerpc_8bytes (tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
                                  proto_tree *tree, uint8_t *drep,
                                  int hfindex, uint64_t *pdata)
{
    uint64_t value;

    if (drep[0] & DREP_LITTLE_ENDIAN) {
        value = tvb_get_letoh64(tvb, offset);
    } else {
        value = tvb_get_ntoh64(tvb, offset);
    }

    /* The displayed fields are FT_BYTES, so byte order is irrelevant for the
     * tree item; it only matters for the value returned through pdata. */
    if (tree != NULL) {
        proto_tree_add_item(tree, hfindex, tvb, offset, 8, ENC_NA);
    }

    if (pdata != NULL) {
        *pdata = value;
    }

    return offset + 8;
}
516 static const true_false_string user_account_control_dont_require_preauth= {
517 "This account DOESN'T_REQUIRE_PREAUTHENTICATION",
518 "This account REQUIRES preauthentication",
520 static const true_false_string user_account_control_use_des_key_only= {
521 "This account must USE_DES_KEY_ONLY for passwords",
522 "This account does NOT have to use_des_key_only",
524 static const true_false_string user_account_control_not_delegated= {
525 "This account is NOT_DELEGATED",
526 "This might have been delegated",
528 static const true_false_string user_account_control_trusted_for_delegation= {
529 "This account is TRUSTED_FOR_DELEGATION",
530 "This account is NOT trusted_for_delegation",
532 static const true_false_string user_account_control_smartcard_required= {
533 "This account REQUIRES_SMARTCARD to authenticate",
534 "This account does NOT require_smartcard to authenticate",
536 static const true_false_string user_account_control_encrypted_text_password_allowed= {
537 "This account allows ENCRYPTED_TEXT_PASSWORD",
538 "This account does NOT allow encrypted_text_password",
540 static const true_false_string user_account_control_account_auto_locked= {
541 "This account is AUTO_LOCKED",
542 "This account is NOT auto_locked",
544 static const true_false_string user_account_control_dont_expire_password= {
545 "This account DOESN'T_EXPIRE_PASSWORDs",
546 "This account might expire_passwords",
548 static const true_false_string user_account_control_server_trust_account= {
549 "This account is a SERVER_TRUST_ACCOUNT",
550 "This account is NOT a server_trust_account",
552 static const true_false_string user_account_control_workstation_trust_account= {
553 "This account is a WORKSTATION_TRUST_ACCOUNT",
554 "This account is NOT a workstation_trust_account",
556 static const true_false_string user_account_control_interdomain_trust_account= {
557 "This account is an INTERDOMAIN_TRUST_ACCOUNT",
558 "This account is NOT an interdomain_trust_account",
560 static const true_false_string user_account_control_mns_logon_account= {
561 "This account is a MNS_LOGON_ACCOUNT",
562 "This account is NOT a mns_logon_account",
564 static const true_false_string user_account_control_normal_account= {
565 "This account is a NORMAL_ACCOUNT",
566 "This account is NOT a normal_account",
568 static const true_false_string user_account_control_temp_duplicate_account= {
569 "This account is a TEMP_DUPLICATE_ACCOUNT",
570 "This account is NOT a temp_duplicate_account",
572 static const true_false_string user_account_control_password_not_required= {
573 "This account REQUIRES_NO_PASSWORD",
574 "This account REQUIRES a password",
576 static const true_false_string user_account_control_home_directory_required= {
577 "This account REQUIRES_HOME_DIRECTORY",
578 "This account does NOT require_home_directory",
580 static const true_false_string user_account_control_account_disabled= {
581 "This account is DISABLED",
582 "This account is NOT disabled",
585 typedef struct _netlogon_auth_key {
587 * For now we only match the client and server ip
588 * addresses, as keys can be used across tcp connections.
590 * Also note that ServerChallenge and ServerAuthenticate
591 * can be on different tcp connections!
593 * TODO:
594 * * We could have a challenge table indexed by client, server
595 * and computer name
596 * * A good ServerAuthenticate could fill a session key table
597 * indexed by computer name.
598 * * A DCERPC bind/alter context could lookup the session key table
599 * and copy the session key to the DCERPC connection/auth_context.
601 address client;
602 address server;
603 } netlogon_auth_key;
/*
 * Equality test for two netlogon_auth_key values: non-zero only when both
 * the client and the server address match.
 */
static int
netlogon_auth_equal (const void *k1, const void *k2)
{
    const netlogon_auth_key *lhs = (const netlogon_auth_key *)k1;
    const netlogon_auth_key *rhs = (const netlogon_auth_key *)k2;

    if (!addresses_equal(&lhs->client, &rhs->client)) {
        return 0;
    }

    return addresses_equal(&lhs->server, &rhs->server) ? 1 : 0;
}
/*
 * Hash a netlogon_auth_key by feeding the client address and then the
 * server address through add_address_to_hash(), starting from 0.
 */
static unsigned
netlogon_auth_hash (const void *k)
{
    const netlogon_auth_key *key = (const netlogon_auth_key *)k;
    unsigned h = add_address_to_hash(0, &key->client);

    return add_address_to_hash(h, &key->server);
}
625 typedef struct _dcerpc_auth_schannel_key {
626 conversation_t *conv;
627 uint64_t transport_salt;
628 uint32_t auth_context_id;
629 } dcerpc_auth_schannel_key;
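/*
 * Compute an unsigned hash over a dcerpc_auth_schannel_key by summing the
 * conversation pointer, both 32-bit halves of the transport salt and the
 * auth context id.
 *
 * Keys that compare equal field by field always produce the same hash.
 */
static unsigned
dcerpc_auth_schannel_key_hash(const void *k)
{
    const dcerpc_auth_schannel_key *key = (const dcerpc_auth_schannel_key *)k;
    unsigned hash;

    hash = GPOINTER_TO_UINT(key->conv);
    /* sizeof(unsigned) might be smaller than sizeof(uint64_t), so the low and
     * high halves of the salt are added separately. The high half has to be
     * brought down with a right shift by 32 bits: a left shift by
     * sizeof(unsigned) moves the value by a byte count rather than a bit
     * count, and the cast then drops the upper half, so salts differing only
     * in their upper 32 bits would always collide. */
    hash += (unsigned)key->transport_salt;
    hash += (unsigned)(key->transport_salt >> 32);
    hash += key->auth_context_id;

    return hash;
}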
/*
 * Equality test for two dcerpc_auth_schannel_key values: non-zero only when
 * the conversation pointer, transport salt and auth context id all match.
 */
static int
dcerpc_auth_schannel_key_equal(const void *k1, const void *k2)
{
    const dcerpc_auth_schannel_key *lhs = (const dcerpc_auth_schannel_key *)k1;
    const dcerpc_auth_schannel_key *rhs = (const dcerpc_auth_schannel_key *)k2;

    if (lhs->conv != rhs->conv) {
        return 0;
    }
    if (lhs->transport_salt != rhs->transport_salt) {
        return 0;
    }

    return lhs->auth_context_id == rhs->auth_context_id;
}
/*
 * Dissect a 32-bit "extra flags" value and show it as a bitmask under
 * hf_netlogon_extraflags.
 *
 * During a conformant run nothing is consumed and offset is returned
 * unchanged; otherwise the returned offset is the one produced by
 * dissect_ndr_uint32().
 */
static int
netlogon_dissect_EXTRA_FLAGS(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    static int * const extra_flag_fields[] = {
        &hf_netlogon_extra_flags_root_forest,
        &hf_netlogon_trust_flags_dc_firsthop,
        &hf_netlogon_trust_flags_rodc_to_dc,
        &hf_netlogon_trust_flags_rodc_ntlm,
        NULL
    };
    uint32_t flag_bits;

    /* A conformant run only handles conformant arrays; there is nothing to
     * dissect here in that pass. */
    if (!di->conformant_run) {
        /* Read the value without adding an item (NULL tree, hf index -1);
         * the bitmask item below covers the same four bytes. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                    -1, &flag_bits);

        proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                                hf_netlogon_extraflags,
                                                ett_trust_flags,
                                                extra_flag_fields, flag_bits,
                                                BMT_NO_APPEND);
    }

    return offset;
}
682 struct LOGON_INFO_STATE;
684 struct LOGON_INFO_STATE_CB {
685 struct LOGON_INFO_STATE *state;
686 ntlmssp_blob *response;
687 const uint8_t **name_ptr;
688 int name_levels;
691 struct LOGON_INFO_STATE {
692 packet_info *pinfo;
693 proto_tree *tree;
694 uint8_t server_challenge[8];
695 ntlmssp_blob nt_response;
696 ntlmssp_blob lm_response;
697 ntlmssp_header_t ntlmssph;
698 struct LOGON_INFO_STATE_CB domain_cb, acct_cb, host_cb, nt_cb, lm_cb;
/*
 * Once enough logon information has been collected, pass it to
 * ntlmssp_create_session_key().
 *
 * The call is made only when an account name is present and both the NT
 * and LM responses hold at least 24 bytes. A missing domain or host name
 * is replaced by an empty string before the call.
 */
static void dissect_LOGON_INFO_STATE_finish(struct LOGON_INFO_STATE *state)
{
    if (state->ntlmssph.acct_name == NULL) {
        return;
    }
    if (state->nt_response.length < 24 || state->lm_response.length < 24) {
        return;
    }

    if (state->ntlmssph.domain_name == NULL) {
        state->ntlmssph.domain_name = (const uint8_t *)"";
    }
    if (state->ntlmssph.host_name == NULL) {
        state->ntlmssph.host_name = (const uint8_t *)"";
    }

    ntlmssp_create_session_key(state->pinfo,
                               state->tree,
                               &state->ntlmssph,
                               0, /* NTLMSSP_ flags */
                               state->server_challenge,
                               NULL, /* encryptedsessionkey */
                               &state->nt_response,
                               &state->lm_response);
}
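/*
 * Callback that captures the bytes of an LM or NT response array into the
 * ntlmssp_blob referenced by callback_args, then calls
 * dissect_LOGON_INFO_STATE_finish() on the shared state.
 *
 * callback_args is a struct LOGON_INFO_STATE_CB; a NULL pointer makes this
 * a no-op, as does a conformant run. The array payload is taken to start
 * after the NDR array header (three 4-byte words, or three 8-byte words for
 * NDR64) and to end at end_offset. At most NTLMSSP_BLOB_MAX_SIZE bytes are
 * copied, and payloads longer than 24 bytes are additionally dissected as an
 * NTLMv2 response.
 *
 * NOTE(review): cb_ref->response and cb_ref->state are dereferenced without
 * a NULL check; this assumes every caller fills both. Confirm at the call
 * sites.
 */
static void dissect_ndr_lm_nt_byte_array(packet_info *pinfo,
                                         proto_tree *tree,
                                         proto_item *item _U_,
                                         dcerpc_info *di,
                                         tvbuff_t *tvb,
                                         int start_offset,
                                         int end_offset,
                                         void *callback_args)
{
    struct LOGON_INFO_STATE_CB *cb_ref = (struct LOGON_INFO_STATE_CB *)callback_args;
    struct LOGON_INFO_STATE *state = NULL;
    /* ALIGN_TO_5_BYTES below operates on the locals named offset and di. */
    int offset = start_offset;
    uint64_t tmp;
    uint16_t len;

    if (cb_ref == NULL) {
        return;
    }
    state = cb_ref->state;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, no scalars to dissect */
        return;
    }

    /* NDR array header */
    ALIGN_TO_5_BYTES
    if (di->call_data->flags & DCERPC_IS_NDR64) {
        offset += 3 * 8;
    } else {
        offset += 3 * 4;
    }

    /* If the array header alone runs past end_offset there is no payload.
     * Without this check the negative difference converts to a huge
     * unsigned value, is clamped to NTLMSSP_BLOB_MAX_SIZE, and bytes that
     * lie outside the array would be recorded as the response. */
    if (end_offset < offset) {
        return;
    }

    tmp = (uint64_t)(end_offset - offset);
    if (tmp > NTLMSSP_BLOB_MAX_SIZE) {
        tmp = NTLMSSP_BLOB_MAX_SIZE;
    }
    /* assumes NTLMSSP_BLOB_MAX_SIZE fits in 16 bits, TODO confirm */
    len = (uint16_t)tmp;
    cb_ref->response->length = len;
    cb_ref->response->contents = (uint8_t *)tvb_memdup(pinfo->pool, tvb, offset, len);
    if (len > 24) {
        dissect_ntlmv2_response(tvb, pinfo, tree, offset, len);
    }

    dissect_LOGON_INFO_STATE_finish(state);
}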
/*
 * Dissect a counted byte-array structure of the form
 *
 *     struct {
 *         short len;
 *         short size;
 *         [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
 *     } HASH;
 *
 * The two 16-bit fields are added under hf_nt_cs_len and hf_nt_cs_size, and
 * the pointed-to data is dissected as a unique-pointer byte array under
 * hf_index, with callback/callback_args passed on to
 * dissect_ndr_pointer_cb(). Returns the offset after the structure, or the
 * aligned offset unchanged during a conformant run.
 */
static int
dissect_ndr_lm_nt_hash_cb(tvbuff_t *tvb, int offset,
                          packet_info *pinfo, proto_tree *tree,
                          dcerpc_info *di, uint8_t *drep, int hf_index,
                          dcerpc_callback_fnct_t *callback,
                          void *callback_args)
{
    uint16_t len;
    uint16_t size;

    /* Structure starts with short, but is aligned for longs */
    ALIGN_TO_4_BYTES;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_nt_cs_len, &len);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_nt_cs_size, &size);

    return dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
                                  dissect_ndr_byte_array, NDR_POINTER_UNIQUE,
                                  "Bytes Array", hf_index, callback, callback_args);
}
/*
 * Create a subtree labelled with the registered name of hf_index and
 * dissect an LM/NT hash structure inside it, using
 * dissect_ndr_lm_nt_byte_array() as the data callback with cb_ref as its
 * argument. Returns the offset reported by dissect_ndr_lm_nt_hash_cb().
 */
static int
dissect_ndr_lm_nt_hash_helper(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep, int hf_index,
                              struct LOGON_INFO_STATE_CB *cb_ref)
{
    const char *label = proto_registrar_get_name(hf_index);
    proto_tree *hash_tree = proto_tree_add_subtree(tree, tvb, offset, 0,
                                                   ett_LM_OWF_PASSWORD, NULL,
                                                   label);

    return dissect_ndr_lm_nt_hash_cb(tvb, offset, pinfo, hash_tree, di, drep,
                                     hf_index, dissect_ndr_lm_nt_byte_array,
                                     cb_ref);
}
/*
 * Dissect a 32-bit user account control value and show it as a bitmask
 * under hf_netlogon_user_account_control.
 *
 * During a conformant run nothing is consumed and offset is returned
 * unchanged; otherwise the returned offset is the one produced by
 * dissect_ndr_uint32().
 */
static int
netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    static int * const uac_fields[] = {
        &hf_netlogon_user_account_control_dont_require_preauth,
        &hf_netlogon_user_account_control_use_des_key_only,
        &hf_netlogon_user_account_control_not_delegated,
        &hf_netlogon_user_account_control_trusted_for_delegation,
        &hf_netlogon_user_account_control_smartcard_required,
        &hf_netlogon_user_account_control_encrypted_text_password_allowed,
        &hf_netlogon_user_account_control_account_auto_locked,
        &hf_netlogon_user_account_control_dont_expire_password,
        &hf_netlogon_user_account_control_server_trust_account,
        &hf_netlogon_user_account_control_workstation_trust_account,
        &hf_netlogon_user_account_control_interdomain_trust_account,
        &hf_netlogon_user_account_control_mns_logon_account,
        &hf_netlogon_user_account_control_normal_account,
        &hf_netlogon_user_account_control_temp_duplicate_account,
        &hf_netlogon_user_account_control_password_not_required,
        &hf_netlogon_user_account_control_home_directory_required,
        &hf_netlogon_user_account_control_account_disabled,
        NULL
    };
    uint32_t uac_bits;

    /* A conformant run only handles conformant arrays; there is nothing to
     * dissect here in that pass. */
    if (!di->conformant_run) {
        /* Read the value without adding an item (NULL tree, hf index -1);
         * the bitmask item below covers the same four bytes. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                    -1, &uac_bits);

        proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                                hf_netlogon_user_account_control,
                                                ett_user_account_control,
                                                uac_fields, uac_bits,
                                                BMT_NO_APPEND);
    }

    return offset;
}
/*
 * Dissect the server handle: a unique pointer to a string, added under
 * hf_netlogon_logonsrv_handle with the label "Server Handle". Returns the
 * offset reported by dissect_ndr_str_pointer_item().
 */
static int
netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_UNIQUE, "Server Handle",
                                        hf_netlogon_logonsrv_handle, 0);
}
880 * IDL typedef struct {
881 * IDL [unique][string] wchar_t *effective_name;
882 * IDL long priv;
883 * IDL long auth_flags;
884 * IDL long logon_count;
885 * IDL long bad_pw_count;
886 * IDL long last_logon;
887 * IDL long last_logoff;
888 * IDL long logoff_time;
889 * IDL long kickoff_time;
890 * IDL long password_age;
891 * IDL long pw_can_change;
892 * IDL long pw_must_change;
893 * IDL [unique][string] wchar_t *computer;
894 * IDL [unique][string] wchar_t *domain;
895 * IDL [unique][string] wchar_t *script_path;
896 * IDL long reserved;
/*
 * Dissect a VALIDATION_UAS_INFO structure.
 *
 * Field order: effective account name, four 32-bit counters, seven
 * time_t values, three unique string pointers (computer, domain, script)
 * and a trailing reserved 32-bit value.  Returns the offset after the
 * structure; a conformant run returns the incoming offset untouched.
 */
static int
netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    unsigned idx;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    /* The hf values are read here, at call time, in wire order. */
    const int counter_fields[] = {
        hf_netlogon_priv,
        hf_netlogon_auth_flags,
        hf_netlogon_logon_count,
        hf_netlogon_bad_pw_count,
    };
    const int time_fields[] = {
        hf_netlogon_logon_time,
        hf_netlogon_last_logoff_time,
        hf_netlogon_logoff_time,
        hf_netlogon_kickoff_time,
        hf_netlogon_pwd_age,
        hf_netlogon_pwd_can_change_time,
        hf_netlogon_pwd_must_change_time,
    };

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Effective Account",
                                          hf_netlogon_acct_name, 0);

    for (idx = 0; idx < sizeof counter_fields / sizeof counter_fields[0]; idx++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    counter_fields[idx], NULL);
    }

    for (idx = 0; idx < sizeof time_fields / sizeof time_fields[0]; idx++) {
        offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep,
                                    time_fields[idx], NULL);
    }

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_domain_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Script",
                                          hf_netlogon_logon_script, 0);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_reserved, NULL);
}
955 * IDL long NetrLogonUasLogon(
956 * IDL [in][unique][string] wchar_t *ServerName,
957 * IDL [in][ref][string] wchar_t *UserName,
958 * IDL [in][ref][string] wchar_t *Workstation,
959 * IDL [out][unique] VALIDATION_UAS_INFO *info
960 * IDL );
/*
 * Dissect a NetrLogonUasLogon request: server handle, account name
 * (also copied to the Info column via CB_STR_COL_INFO) and workstation.
 * Returns the offset after the last argument.
 */
static int
netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Account",
                                          hf_netlogon_acct_name, CB_STR_COL_INFO);

    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "Workstation",
                                        hf_netlogon_workstation, 0);
}
/*
 * Dissect a NetrLogonUasLogon reply: a unique pointer to
 * VALIDATION_UAS_INFO followed by the status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_VALIDATION_UAS_INFO,
                                 NDR_POINTER_UNIQUE,
                                 "VALIDATION_UAS_INFO", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
994 * IDL typedef struct {
995 * IDL long duration;
996 * IDL short logon_count;
997 * IDL } LOGOFF_UAS_INFO;
/*
 * Dissect a LOGOFF_UAS_INFO structure: a 32-bit duration followed by a
 * 16-bit logon count.
 *
 * The duration is read directly from the buffer at the current offset
 * (no NDR alignment step is applied here) and is displayed with the fixed
 * text "unknown time format" rather than a decoded value.
 * Returns the offset after the structure; a conformant run returns the
 * incoming offset untouched.
 */
static int
netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    const uint32_t raw_duration =
        tvb_get_uint32(tvb, offset, DREP_ENC_INTEGER(drep));

    proto_tree_add_uint_format_value(tree, hf_netlogon_logon_duration, tvb,
                                     offset, 4, raw_duration,
                                     "unknown time format");

    /* Skip the four duration bytes, then dissect the count. */
    return dissect_ndr_uint16(tvb, offset + 4, pinfo, tree, di, drep,
                              hf_netlogon_logon_count16, NULL);
}
1022 * IDL long NetrLogonUasLogoff(
1023 * IDL [in][unique][string] wchar_t *ServerName,
1024 * IDL [in][ref][string] wchar_t *UserName,
1025 * IDL [in][ref][string] wchar_t *Workstation,
1026 * IDL [out][ref] LOGOFF_UAS_INFO *info
1027 * IDL );
/*
 * Dissect a NetrLogonUasLogoff request: server handle, account name
 * (also copied to the Info column via CB_STR_COL_INFO) and workstation.
 * Returns the offset after the last argument.
 */
static int
netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Account",
                                          hf_netlogon_acct_name, CB_STR_COL_INFO);

    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "Workstation",
                                        hf_netlogon_workstation, 0);
}
/*
 * Dissect a NetrLogonUasLogoff reply: a ref pointer to LOGOFF_UAS_INFO
 * followed by the status code.  Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *tree,
                                          dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LOGOFF_UAS_INFO,
                                 NDR_POINTER_REF,
                                 "LOGOFF_UAS_INFO", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * Dissect one byte as hf_netlogon_unknown_char.  Used as the per-element
 * callback of netlogon_dissect_BYTE_array.  Returns the advanced offset.
 */
static int
netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect an array of bytes by handing netlogon_dissect_BYTE_byte to
 * dissect_ndr_ucarray as the element dissector.  The element count is
 * taken from the wire by that helper, not by this function.
 * Returns the offset after the array.
 */
static int
netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_byte);
}
/*
 * String callback for the LOGON_IDENTITY_INFO name fields.
 *
 * Runs the generic string post-processing with the level flags stored in
 * the callback reference, records the name in the slot the reference
 * points at (only if that slot is still NULL), and then lets
 * dissect_LOGON_INFO_STATE_finish() look at the shared state.
 *
 * callback_args must be a struct LOGON_INFO_STATE_CB pointer.
 */
static void cb_wstr_LOGON_IDENTITY_INFO(packet_info *pinfo, proto_tree *tree,
                                        proto_item *item, dcerpc_info *di,
                                        tvbuff_t *tvb,
                                        int start_offset, int end_offset,
                                        void *callback_args)
{
    struct LOGON_INFO_STATE_CB *name_cb = callback_args;
    struct LOGON_INFO_STATE *logon_state = name_cb->state;
    dcerpc_call_value *call = (dcerpc_call_value *)di->call_data;

    cb_wstr_postprocess(pinfo, tree, item, di, tvb, start_offset, end_offset,
                        GINT_TO_POINTER(name_cb->name_levels));

    if (*name_cb->name_ptr == NULL) {
        /*
         * NOTE(review): this takes whatever the call's private_data holds
         * after post-processing.  Presumably CB_STR_SAVE makes the helper
         * store the string there; if the helper can return without
         * refreshing it (e.g. for an empty string), a value left by an
         * earlier field would be picked up instead - confirm against
         * cb_wstr_postprocess.
         */
        *name_cb->name_ptr = (const uint8_t *)call->private_data;
    }

    dissect_LOGON_INFO_STATE_finish(logon_state);
}
/*
 * Dissect a counted string belonging to LOGON_IDENTITY_INFO.
 *
 * With cb_ref == NULL this is a plain dissect_ndr_counted_string() call.
 * Otherwise the string is placed in its own subtree (named after
 * hf_index) and dissected with cb_wstr_LOGON_IDENTITY_INFO as callback so
 * that the name can be captured into the logon state.
 *
 * Returns the offset after the string.
 */
static int
dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep,
                                     int hf_index, int levels,
                                     struct LOGON_INFO_STATE_CB *cb_ref)
{
    if (cb_ref == NULL) {
        return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                          hf_index, levels);
    }

    proto_item *str_item = NULL;
    proto_tree *str_tree =
        proto_tree_add_subtree(tree, tvb, offset, 0,
                               ett_wstr_LOGON_IDENTITY_INFO_string, &str_item,
                               proto_registrar_get_name(hf_index));

    /*
     * Two extra levels, so that the string gets attached both to the
     * "Character Array" top-level item and to the subtree item created
     * just above; CB_STR_SAVE asks the post-processing to keep the string.
     */
    cb_ref->name_levels = (2 + levels) | (CB_STR_SAVE);

    return dissect_ndr_counted_string_cb(tvb, offset, pinfo, str_tree, di, drep,
                                         hf_index, cb_wstr_LOGON_IDENTITY_INFO,
                                         cb_ref);
}
1135 * IDL typedef struct {
1136 * IDL UNICODESTRING LogonDomainName;
1137 * IDL long ParameterControl;
1138 * IDL uint64 LogonID;
1139 * IDL UNICODESTRING UserName;
1140 * IDL UNICODESTRING Workstation;
1141 * IDL } LOGON_IDENTITY_INFO;
/*
 * Dissect a LOGON_IDENTITY_INFO structure into an "IDENTITY_INFO:" subtree:
 * logon domain, parameter control, logon id, account name, workstation.
 *
 * state may be NULL.  When it is not, its domain/account/host callback
 * references are handed to the string dissector so the three names are
 * captured into the state as a side effect.
 *
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *parent_tree,
                                     dcerpc_info *di, uint8_t *drep,
                                     struct LOGON_INFO_STATE *state)
{
    const int start_offset = offset;
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    struct LOGON_INFO_STATE_CB *domain_cb = (state != NULL) ? &state->domain_cb : NULL;
    struct LOGON_INFO_STATE_CB *acct_cb = (state != NULL) ? &state->acct_cb : NULL;
    struct LOGON_INFO_STATE_CB *host_cb = (state != NULL) ? &state->host_cb : NULL;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_IDENTITY_INFO, &item, "IDENTITY_INFO:");
    }

    /* XXX: It would be nice to get the domain and account name
       displayed in COL_INFO. */

    offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree, di, drep,
                                                  hf_netlogon_logon_dom, 0, domain_cb);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_param_ctrl, NULL);

    offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
                                 hf_netlogon_logon_id, NULL);

    offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree, di, drep,
                                                  hf_netlogon_acct_name, 1, acct_cb);

    offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree, di, drep,
                                                  hf_netlogon_workstation, 0, host_cb);

#ifdef REMOVED
    /* NetMon does not recognize these bytes. I'll comment them out until someone complains */
    /* XXX 8 extra bytes here */
    /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
       the idl file. Could be a bug in either the NETLOGON implementation or in the
       idl file.
    */
    offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, di, drep);
#endif

    /* The subtree was created with length 0; size it to what was consumed. */
    proto_item_set_len(item, offset - start_offset);
    return offset;
}
1201 * IDL typedef struct {
1202 * IDL char password[16];
1203 * IDL } LM_OWF_PASSWORD;
/*
 * Dissect an LM_OWF_PASSWORD: a fixed 16-byte blob shown as raw bytes
 * inside an "LM_OWF_PASSWORD:" subtree.  No decoding or decryption is
 * attempted here.
 *
 * Returns offset + 16; a conformant run returns the incoming offset.
 */
static int
netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo _U_, proto_tree *parent_tree,
                                 dcerpc_info *di, uint8_t *drep _U_)
{
    enum { OWF_LEN = 16 };
    proto_tree *owf_tree = NULL;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    if (parent_tree) {
        /* The subtree item itself is not needed afterwards. */
        owf_tree = proto_tree_add_subtree(parent_tree, tvb, offset, OWF_LEN,
                                          ett_LM_OWF_PASSWORD, NULL,
                                          "LM_OWF_PASSWORD:");
    }

    proto_tree_add_item(owf_tree, hf_netlogon_lm_owf_password, tvb, offset,
                        OWF_LEN, ENC_NA);

    return offset + OWF_LEN;
}
1231 * IDL typedef struct {
1232 * IDL char password[16];
1233 * IDL } NT_OWF_PASSWORD;
/*
 * Dissect an NT_OWF_PASSWORD: a fixed 16-byte blob shown as raw bytes
 * inside an "NT_OWF_PASSWORD:" subtree.  No decoding or decryption is
 * attempted here.
 *
 * Returns offset + 16; a conformant run returns the incoming offset.
 */
static int
netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo _U_, proto_tree *parent_tree,
                                 dcerpc_info *di, uint8_t *drep _U_)
{
    enum { OWF_LEN = 16 };
    proto_tree *owf_tree = NULL;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    if (parent_tree) {
        /* The subtree item itself is not needed afterwards. */
        owf_tree = proto_tree_add_subtree(parent_tree, tvb, offset, OWF_LEN,
                                          ett_NT_OWF_PASSWORD, NULL,
                                          "NT_OWF_PASSWORD:");
    }

    proto_tree_add_item(owf_tree, hf_netlogon_nt_owf_password, tvb, offset,
                        OWF_LEN, ENC_NA);

    return offset + OWF_LEN;
}
1262 * IDL typedef struct {
1263 * IDL LOGON_IDENTITY_INFO identity_info;
1264 * IDL LM_OWF_PASSWORD lmpassword;
1265 * IDL NT_OWF_PASSWORD ntpassword;
1266 * IDL } INTERACTIVE_INFO;
/*
 * Dissect an INTERACTIVE_INFO structure: identity info followed by the
 * LM and NT OWF password blobs.  No logon state is collected (NULL is
 * passed for it).  Returns the offset after the structure.
 */
static int
netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree,
                                                  di, drep, NULL);

    offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);

    return netlogon_dissect_NT_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);
}
1287 * IDL typedef struct {
1288 * IDL char chl[8];
1289 * IDL } CHALLENGE;
/*
 * Dissect a CHALLENGE: 8 raw bytes added as hf_netlogon_challenge.
 *
 * Returns offset + 8 when the bytes were dissected and the unchanged
 * offset during a conformant run; netlogon_dissect_NETWORK_INFO relies
 * on that difference to know whether a challenge was really consumed.
 */
static int
netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
                           packet_info *pinfo _U_, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep _U_)
{
    enum { CHALLENGE_LEN = 8 };

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset,
                        CHALLENGE_LEN, ENC_NA);

    return offset + CHALLENGE_LEN;
}
/*
 * Dissect a NETWORK_INFO structure: identity info, the 8-byte challenge,
 * then the NT and LM challenge responses.
 *
 * A struct LOGON_INFO_STATE is kept in di->private_data (allocated from
 * pinfo->pool on first use) and wired up so that the domain, account and
 * host names, the challenge and both responses are collected in one
 * place.  What the collected values are used for is decided by helpers
 * outside this function (presumably NTLM response checking - confirm in
 * dissect_LOGON_INFO_STATE_finish).
 *
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    struct LOGON_INFO_STATE *state =
        (struct LOGON_INFO_STATE *)di->private_data;
    struct LOGON_INFO_STATE_CB *nt_cb = NULL;
    struct LOGON_INFO_STATE_CB *lm_cb = NULL;
    int challenge_start;

    if (state == NULL) {
        state = wmem_new0(pinfo->pool, struct LOGON_INFO_STATE);
        state->ntlmssph = (ntlmssp_header_t) { .type = NTLMSSP_AUTH, };

        /* Every callback reference points back at the shared state. */
        state->domain_cb.state = state;
        state->acct_cb.state = state;
        state->host_cb.state = state;
        state->nt_cb.state = state;
        state->lm_cb.state = state;

        /* Where each captured value ends up. */
        state->domain_cb.name_ptr = &state->ntlmssph.domain_name;
        state->acct_cb.name_ptr = &state->ntlmssph.acct_name;
        state->host_cb.name_ptr = &state->ntlmssph.host_name;
        state->nt_cb.response = &state->nt_response;
        state->lm_cb.response = &state->lm_response;

        di->private_data = state;
    }

    /* Refreshed on every call, including re-entry with an existing state. */
    state->pinfo = pinfo;
    state->tree = tree;

    offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree,
                                                  di, drep, state);

    challenge_start = offset;
    offset = netlogon_dissect_CHALLENGE(tvb, offset, pinfo, tree, di, drep);

    if (offset == (challenge_start + 8)) {
        /*
         * The challenge was really consumed (not a conformant run): keep
         * a copy and enable response capture.
         * NOTE(review): assumes state->server_challenge holds at least
         * 8 bytes - its declaration is outside this function.
         */
        tvb_memcpy(tvb, state->server_challenge, challenge_start, 8);
        nt_cb = &state->nt_cb;
        lm_cb = &state->lm_cb;
    }

    offset = dissect_ndr_lm_nt_hash_helper(tvb, offset, pinfo, tree, di, drep,
                                           hf_netlogon_nt_chal_resp, nt_cb);

    return dissect_ndr_lm_nt_hash_helper(tvb, offset, pinfo, tree, di, drep,
                                         hf_netlogon_lm_chal_resp, lm_cb);
}
1359 * IDL typedef struct {
1360 * IDL LOGON_IDENTITY_INFO logon_info;
1361 * IDL LM_OWF_PASSWORD lmpassword;
1362 * IDL NT_OWF_PASSWORD ntpassword;
1363 * IDL } SERVICE_INFO;
/*
 * Dissect a SERVICE_INFO structure: identity info followed by the LM and
 * NT OWF password blobs.  No logon state is collected (NULL is passed
 * for it).  Returns the offset after the structure.
 */
static int
netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree,
                                                  di, drep, NULL);

    offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);

    return netlogon_dissect_NT_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Dissect a GENERIC_INFO structure: identity info, package name (saved
 * via CB_STR_SAVE), data length, and a ref pointer to the logon data
 * dissected as a byte array.
 *
 * The data length field is only displayed; the byte array is dissected
 * by its own helper and is not cross-checked against that length here.
 *
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_GENERIC_INFO(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree,
                                                  di, drep, NULL);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_package_name, CB_STR_SAVE);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_data_length, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                               "Logon Data", -1);
}
1404 * IDL typedef [switch_type(short)] union {
1405 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
1406 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
1407 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
1408 * IDL } LEVEL;
/*
 * Dissect the LEVEL union: a 16-bit discriminant, alignment to 4 bytes,
 * then a unique pointer to the arm selected by the discriminant.
 *
 * Levels 1-4 select INTERACTIVE, NETWORK, SERVICE and GENERIC info;
 * levels 5-7 reuse the first three dissectors under "TRANSITIVE" labels.
 * Any other level leaves only the discriminant in the tree: no pointer
 * is dissected and nothing is flagged.
 *
 * Returns the offset after the union.
 */
static int
netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
                       packet_info *pinfo, proto_tree *tree,
                       dcerpc_info *di, uint8_t *drep)
{
    int (*arm)(tvbuff_t *, int, packet_info *, proto_tree *,
               dcerpc_info *, uint8_t *) = NULL;
    const char *arm_label = NULL;
    uint16_t level = 0;

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, &level);
    ALIGN_TO_4_BYTES;

    /* Labels are kept exactly as displayed, trailing colon or not. */
    switch (level) {
    case 1:
        arm = netlogon_dissect_INTERACTIVE_INFO;
        arm_label = "INTERACTIVE_INFO:";
        break;
    case 2:
        arm = netlogon_dissect_NETWORK_INFO;
        arm_label = "NETWORK_INFO:";
        break;
    case 3:
        arm = netlogon_dissect_SERVICE_INFO;
        arm_label = "SERVICE_INFO:";
        break;
    case 4:
        arm = netlogon_dissect_GENERIC_INFO;
        arm_label = "GENERIC_INFO:";
        break;
    case 5:
        arm = netlogon_dissect_INTERACTIVE_INFO;
        arm_label = "INTERACTIVE_TRANSITIVE_INFO:";
        break;
    case 6:
        arm = netlogon_dissect_NETWORK_INFO;
        arm_label = "NETWORK_TRANSITIVE_INFO";
        break;
    case 7:
        arm = netlogon_dissect_SERVICE_INFO;
        arm_label = "SERVICE_TRANSITIVE_INFO";
        break;
    }

    if (arm != NULL) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     arm, NDR_POINTER_UNIQUE,
                                     arm_label, -1);
    }

    return offset;
}
1461 * IDL typedef struct {
1462 * IDL char cred[8];
1463 * IDL } CREDENTIAL;
/*
 * Dissect a CREDENTIAL: 8 raw bytes added as hf_netlogon_credential.
 * Returns offset + 8; a conformant run returns the incoming offset.
 */
static int
netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
                            packet_info *pinfo _U_, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep _U_)
{
    enum { CREDENTIAL_LEN = 8 };

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset,
                        CREDENTIAL_LEN, ENC_NA);

    return offset + CREDENTIAL_LEN;
}
1484 * IDL typedef struct {
1485 * IDL CREDENTIAL cred;
1486 * IDL long timestamp;
1487 * IDL } AUTHENTICATOR;
/*
 * Dissect an AUTHENTICATOR: 4-byte alignment, an 8-byte CREDENTIAL and a
 * 4-byte timestamp.
 *
 * The timestamp is always decoded as little-endian seconds; the data
 * representation in drep is not consulted for it.
 *
 * Returns the offset after the structure; a conformant run returns the
 * incoming offset untouched.
 */
static int
netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
                               packet_info *pinfo, proto_tree *tree,
                               dcerpc_info *di, uint8_t *drep)
{
    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    ALIGN_TO_4_BYTES;

    offset = netlogon_dissect_CREDENTIAL(tvb, offset, pinfo, tree, di, drep);

    /*
     * XXX - this appears to be a UNIX time_t in some credentials, but
     * appears to be random junk in other credentials.
     * For example, it looks like a UNIX time_t in "credential"
     * AUTHENTICATORs, but like random junk in "return_authenticator"
     * AUTHENTICATORs.
     */
    proto_tree_add_item(tree, hf_netlogon_timestamp, tvb, offset, 4,
                        ENC_TIME_SECS|ENC_LITTLE_ENDIAN);

    return offset + 4;
}
1519 * IDL typedef struct {
1520 * IDL long user_id;
1521 * IDL long attributes;
1522 * IDL } GROUP_MEMBERSHIP;
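/*
 * Dissect one GROUP_MEMBERSHIP entry into a "GROUP_MEMBERSHIP:" subtree:
 * the group RID followed by the SE_GROUP attribute flags.
 *
 * Returns the offset after the entry.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *parent_tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    int old_offset = offset;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_GROUP_MEMBERSHIP, &item,
                                      "GROUP_MEMBERSHIP:");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    offset = dissect_ndr_nt_SE_GROUP_ATTRIBUTES(tvb, offset, pinfo, tree, di, drep);

    /*
     * The subtree is created with length 0.  Size it to the bytes that
     * were consumed, as the other subtree-building dissectors in this
     * file do, so that selecting the entry highlights its bytes.
     */
    proto_item_set_len(item, offset - old_offset);
    return offset;
}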
/*
 * Dissect an array of GROUP_MEMBERSHIP entries by handing
 * netlogon_dissect_GROUP_MEMBERSHIP to dissect_ndr_ucarray as the element
 * dissector.  Returns the offset after the array.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_GROUP_MEMBERSHIP);
}
1557 * IDL typedef struct {
1558 * IDL char user_session_key[16];
1559 * IDL } USER_SESSION_KEY;
/*
 * Dissect a USER_SESSION_KEY: 16 raw bytes added as
 * hf_netlogon_user_session_key, exactly as they appear in the buffer.
 * Returns offset + 16; a conformant run returns the incoming offset.
 */
static int
netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo _U_, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep _U_)
{
    enum { SESSION_KEY_LEN = 16 };

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset,
                        SESSION_KEY_LEN, ENC_NA);

    return offset + SESSION_KEY_LEN;
}
/* Display strings for the EXTRA_SIDS bit of the user flags. */
static const true_false_string user_flags_extra_sids = {
    .true_string  = "The EXTRA_SIDS bit is SET",
    .false_string = "The extra_sids is NOT set",
};

/* Display strings for the RESOURCE_GROUPS bit of the user flags. */
static const true_false_string user_flags_resource_groups = {
    .true_string  = "The RESOURCE_GROUPS bit is SET",
    .false_string = "The resource_groups is NOT set",
};
/*
 * Dissect the 32-bit user flags bitmask and show the RESOURCE_GROUPS and
 * EXTRA_SIDS bits.
 *
 * Returns the offset after the field; a conformant run returns the
 * incoming offset untouched.
 */
static int
netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *parent_tree,
                            dcerpc_info *di, uint8_t *drep)
{
    /* Flag fields in display order; the list is NULL-terminated. */
    static int * const flag_fields[] = {
        &hf_netlogon_user_flags_resource_groups,
        &hf_netlogon_user_flags_extra_sids,
        NULL
    };
    uint32_t flag_value;

    if (di->conformant_run) {
        /* Pass that only handles conformant arrays: nothing to dissect. */
        return offset;
    }

    /*
     * Fetch the value without adding an item (NULL tree, hf index -1);
     * the bitmask item below is the only thing shown for these 4 bytes.
     */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                -1, &flag_value);

    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                            hf_netlogon_user_flags,
                                            ett_user_flags,
                                            flag_fields, flag_value,
                                            BMT_NO_APPEND);
    return offset;
}
/*
 * Dissect a group count (shown with hf_count) followed by a unique
 * pointer to a GROUP_MEMBERSHIP array labelled array_name.
 *
 * The count is only displayed: the array length is taken from the wire
 * by the array helper and is not compared with this count here.
 *
 * Returns the offset after the pointer.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep,
                                   int hf_count, const char *array_name)
{
    /* The value itself is not needed afterwards, so no out-pointer. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_count, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_GROUP_MEMBERSHIP_ARRAY,
                               NDR_POINTER_UNIQUE,
                               array_name, -1);
}
/*
 * Dissect one domain's group memberships into a subtree labelled name:
 * a SID pointer followed by a counted "GroupIDs" membership array.
 *
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *parent_tree,
                                          dcerpc_info *di, uint8_t *drep,
                                          int hf_count, const char *name)
{
    const int start_offset = offset;
    proto_item *item = NULL;
    proto_tree *tree = NULL;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_domain_group_memberships,
                                      &item, name);
    }

    offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);

    offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset, pinfo, tree,
                                                di, drep, hf_count, "GroupIDs");

    /* The subtree was created with length 0; size it to what was consumed. */
    proto_item_set_len(item, offset - start_offset);
    return offset;
}
/*
 * Adapter with the standard six-argument dissector signature: calls
 * netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS with the fixed count field
 * hf_netlogon_domaingroupcount and the label "DomainGroupIDs", so it can
 * be used as an array element callback.
 */
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER(tvbuff_t *tvb, int offset,
                                                  packet_info *pinfo, proto_tree *tree,
                                                  dcerpc_info *di, uint8_t *drep)
{
    const int next_offset =
        netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb, offset, pinfo, tree,
                                                  di, drep,
                                                  hf_netlogon_domaingroupcount,
                                                  "DomainGroupIDs");

    return next_offset;
}
/*
 * Dissect an array of per-domain group membership structures by handing
 * the wrapper above to dissect_ndr_ucarray as the element dissector.
 * Returns the offset after the array.
 */
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER);
}
/*
 * Dissect the memberships of several domains into a subtree labelled
 * name: a count (shown with hf_count) followed by a unique pointer to an
 * array of per-domain membership structures.
 *
 * The count is only displayed: the array length is taken from the wire
 * by the array helper and is not compared with this count here.
 *
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *parent_tree,
                                           dcerpc_info *di, uint8_t *drep,
                                           int hf_count, const char *name)
{
    const int start_offset = offset;
    proto_item *item = NULL;
    proto_tree *tree = NULL;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_domains_group_memberships,
                                      &item, name);
    }

    /* The value itself is not needed afterwards, so no out-pointer. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_count, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 name, -1);

    /* The subtree was created with length 0; size it to what was consumed. */
    proto_item_set_len(item, offset - start_offset);
    return offset;
}
1710 * IDL typedef struct {
1711 * IDL uint64 LogonTime;
1712 * IDL uint64 LogoffTime;
1713 * IDL uint64 KickOffTime;
1714 * IDL uint64 PasswdLastSet;
1715 * IDL uint64 PasswdCanChange;
1716 * IDL uint64 PasswdMustChange;
1717 * IDL unicodestring effectivename;
1718 * IDL unicodestring fullname;
1719 * IDL unicodestring logonscript;
1720 * IDL unicodestring profilepath;
1721 * IDL unicodestring homedirectory;
1722 * IDL unicodestring homedirectorydrive;
1723 * IDL short LogonCount;
1724 * IDL short BadPasswdCount;
1725 * IDL long userid;
1726 * IDL long primarygroup;
1727 * IDL long groupcount;
1728 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1729 * IDL long userflags;
1730 * IDL USER_SESSION_KEY key;
1731 * IDL unicodestring logonserver;
1732 * IDL unicodestring domainname;
1733 * IDL [unique] SID logondomainid;
1734 * IDL long expansionroom[2];
1735 * IDL long useraccountcontrol;
1736 * IDL long expansionroom[7];
1737 * IDL } VALIDATION_SAM_INFO;
/*
 * Dissect a VALIDATION_SAM_INFO structure.
 *
 * Wire order: six NTTIME values, six counted strings (account, full
 * name, logon script, profile path, home directory, home drive), two
 * 16-bit counters, user RID, primary group RID, group memberships, user
 * flags, user session key, logon server, logon domain, domain SID, two
 * expansion longs, user account control, seven expansion longs.
 *
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    /* The hf values are read here, at call time, in wire order. */
    const int time_fields[] = {
        hf_netlogon_logon_time,
        hf_netlogon_logoff_time,
        hf_netlogon_kickoff_time,
        hf_netlogon_pwd_last_set_time,
        hf_netlogon_pwd_can_change_time,
        hf_netlogon_pwd_must_change_time,
    };
    const int profile_strings[] = {
        hf_netlogon_acct_name,
        hf_netlogon_full_name,
        hf_netlogon_logon_script,
        hf_netlogon_profile_path,
        hf_netlogon_home_dir,
        hf_netlogon_dir_drive,
    };
    const int trailing_expansion[] = {
        hf_netlogon_dummy4_long,
        hf_netlogon_dummy5_long,
        hf_netlogon_dummy6_long,
        hf_netlogon_dummy7_long,
        hf_netlogon_dummy8_long,
        hf_netlogon_dummy9_long,
        hf_netlogon_dummy10_long,
    };
    unsigned idx;

    for (idx = 0; idx < sizeof time_fields / sizeof time_fields[0]; idx++) {
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                       time_fields[idx]);
    }

    for (idx = 0; idx < sizeof profile_strings / sizeof profile_strings[0]; idx++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            profile_strings[idx], 0);
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_logon_count16, NULL);

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_bad_pw_count16, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_user_rid, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset, pinfo, tree,
                                                di, drep,
                                                hf_netlogon_num_rids,
                                                "GroupIDs");

    offset = netlogon_dissect_USER_FLAGS(tvb, offset, pinfo, tree, di, drep);

    offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_logon_srv, 0);

    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);

    /* First expansion room: two longs. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy1_long, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy2_long, NULL);

    offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset, pinfo, tree,
                                                   di, drep);

    /* Second expansion room: seven longs. */
    for (idx = 0; idx < sizeof trailing_expansion / sizeof trailing_expansion[0]; idx++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    trailing_expansion[idx], NULL);
    }

    return offset;
}
1848 * IDL typedef struct {
1849 * IDL uint64 LogonTime;
1850 * IDL uint64 LogoffTime;
1851 * IDL uint64 KickOffTime;
1852 * IDL uint64 PasswdLastSet;
1853 * IDL uint64 PasswdCanChange;
1854 * IDL uint64 PasswdMustChange;
1855 * IDL unicodestring effectivename;
1856 * IDL unicodestring fullname;
1857 * IDL unicodestring logonscript;
1858 * IDL unicodestring profilepath;
1859 * IDL unicodestring homedirectory;
1860 * IDL unicodestring homedirectorydrive;
1861 * IDL short LogonCount;
1862 * IDL short BadPasswdCount;
1863 * IDL long userid;
1864 * IDL long primarygroup;
1865 * IDL long groupcount;
1866 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1867 * IDL long userflags;
1868 * IDL USER_SESSION_KEY key;
1869 * IDL unicodestring logonserver;
1870 * IDL unicodestring domainname;
1871 * IDL [unique] SID logondomainid;
1872 * IDL long expansionroom[2];
1873 * IDL long useraccountcontrol;
1874 * IDL long expansionroom[7];
1875 * IDL long sidcount;
1876 * IDL [unique] SID_AND_ATTRIBS;
1877 * IDL } VALIDATION_SAM_INFO2;
/*
 * Dissect a VALIDATION_SAM_INFO2 structure: everything in
 * VALIDATION_SAM_INFO, then a SID count and a unique pointer to a
 * SID_AND_ATTRIBUTES array.
 *
 * The leading fields are delegated to netlogon_dissect_VALIDATION_SAM_INFO;
 * the field-by-field copy that used to sit here under "#if 0" was never
 * compiled and repeated that function.
 *
 * The SID count is only displayed: the array length is taken from the
 * wire by the array helper and is not compared with this count here.
 *
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb, offset, pinfo, tree,
                                                  di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_sid, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY,
                               NDR_POINTER_UNIQUE,
                               "SID_AND_ATTRIBUTES_ARRAY:", -1);
}
/*
 * Dissect a VALIDATION_SAM_INFO4 structure.
 *
 * The leading part is handed to netlogon_dissect_VALIDATION_SAM_INFO2();
 * what follows is a run of twelve counted strings (DNS logon domain name,
 * UPN and ten "dummy" strings), dissected in wire order.
 *
 * Returns the offset after the last string.
 */
static int
netlogon_dissect_VALIDATION_SAM_INFO4(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    /* Header-field ids of the trailing counted strings, in wire order. */
    const int trailing_strings[] = {
        hf_netlogon_logon_dnslogondomainname,
        hf_netlogon_logon_upn,
        hf_netlogon_dummy_string,
        hf_netlogon_dummy_string2,
        hf_netlogon_dummy_string3,
        hf_netlogon_dummy_string4,
        hf_netlogon_dummy_string5,
        hf_netlogon_dummy_string6,
        hf_netlogon_dummy_string7,
        hf_netlogon_dummy_string8,
        hf_netlogon_dummy_string9,
        hf_netlogon_dummy_string10,
    };
    const size_t string_count = sizeof trailing_strings / sizeof trailing_strings[0];
    size_t idx;

    offset = netlogon_dissect_VALIDATION_SAM_INFO2(tvb, offset, pinfo, tree, di, drep);

    for (idx = 0; idx < string_count; idx++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            trailing_strings[idx], 0);
    }

    return offset;
}
2026 * IDL typedef struct {
2027 * IDL uint64 LogonTime;
2028 * IDL uint64 LogoffTime;
2029 * IDL uint64 KickOffTime;
2030 * IDL uint64 PasswdLastSet;
2031 * IDL uint64 PasswdCanChange;
2032 * IDL uint64 PasswdMustChange;
2033 * IDL unicodestring effectivename;
2034 * IDL unicodestring fullname;
2035 * IDL unicodestring logonscript;
2036 * IDL unicodestring profilepath;
2037 * IDL unicodestring homedirectory;
2038 * IDL unicodestring homedirectorydrive;
2039 * IDL short LogonCount;
2040 * IDL short BadPasswdCount;
2041 * IDL long userid;
2042 * IDL long primarygroup;
2043 * IDL long groupcount;
2044 * IDL [unique] GROUP_MEMBERSHIP *groupids;
2045 * IDL long userflags;
2046 * IDL USER_SESSION_KEY key;
2047 * IDL unicodestring logonserver;
2048 * IDL unicodestring domainname;
2049 * IDL [unique] SID logondomainid;
2050 * IDL long expansionroom[2];
2051 * IDL long useraccountcontrol;
2052 * IDL long expansionroom[7];
2053 * IDL long sidcount;
2054 * IDL [unique] SID_AND_ATTRIBS;
2055 * IDL [unique] SID resourcegroupdomainsid;
2056 * IDL long resourcegroupcount;
2058 * IDL } PAC_LOGON_INFO;
/*
 * Dissect a PAC_LOGON_INFO structure.
 *
 * The fields up to and including the second expansion room are dissected
 * by netlogon_dissect_VALIDATION_SAM_INFO(); this function adds the SID
 * count, the unique pointer to the SID_AND_ATTRIBUTES array and the
 * resource group memberships.
 *
 * The field-by-field copy that sat under "#if 0" in this function was never
 * compiled and is not reproduced here.
 *
 * Returns the offset after the last field dissected.
 */
int
netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    /* Common logon information shared with VALIDATION_SAM_INFO. */
    offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb, offset, pinfo, tree, di, drep);

    /* sidcount followed by the pointer to the extra SIDs */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_sid, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "SID_AND_ATTRIBUTES_ARRAY:", -1);

    /* resourcegroupdomainsid / resourcegroupcount / group ids */
    offset = netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb, offset,
                                                       pinfo, tree, di, drep,
                                                       hf_netlogon_resourcegroupcount,
                                                       "ResourceGroupIDs");

    return offset;
}
/*
 * Dissect one entry of the S4U transited-services list: a single counted
 * string shown as hf_netlogon_transited_service.
 *
 * Returns the offset after the string.
 */
static int
netlogon_dissect_S4U_Transited_Service_name(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree,
                                            dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_netlogon_transited_service, 1);
}
/*
 * Dissect the S4U transited-services array, using
 * netlogon_dissect_S4U_Transited_Service_name() for each element.
 *
 * Returns the offset after the array.
 */
static int
netlogon_dissect_S4U_Transited_Services_array(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_S4U_Transited_Service_name);
}
/*
 * Dissect a PAC S4U delegation info structure: the S4U2proxy target as a
 * counted string, the transited list size, and a unique pointer to the
 * array of transited service names.
 *
 * Returns the offset after the last field dissected.
 */
int
netlogon_dissect_PAC_S4U_DELEGATION_INFO(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    /* S4U2proxy target name */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_s4u2proxytarget, 0);

    /* number of transited services, then the list itself */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_transitedlistsize, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_S4U_Transited_Services_array,
                                 NDR_POINTER_UNIQUE,
                                 "S4UTransitedServices", -1);

    return offset;
}
/*
 * State shared between netlogon_dissect_PAC_DEVICE_INFO() and
 * device_sid_callback_fnct().
 */
struct device_sid_callback_args {
    /* Where the callback stores the finished device SID string. */
    const char **device_sid_ptr;
    /* UserId field, filled in while PAC_DEVICE_INFO is dissected. */
    uint32_t user_rid;
    /* SID string the callback reads from the call's private_data. */
    const char *domain_sid;
    /* "<domain sid>-<user rid>" string built by the callback. */
    const char *device_sid;
};
/*
 * Pointer callback used by netlogon_dissect_PAC_DEVICE_INFO() for the
 * AccountDomainId SID: builds "<domain sid>-<user rid>" and stores it both
 * in args->device_sid and through args->device_sid_ptr.
 *
 * Does nothing unless di->ptype is UINT8_MAX, the call data is present and
 * callback_args is non-NULL.
 *
 * NOTE(review): at this point dcv->private_data is read as a SID string,
 * while netlogon_dissect_PAC_DEVICE_INFO() reads the same field as a
 * "const char **". That only works if the SID dissector replaces
 * private_data before this callback runs - confirm for every path that
 * can reach the callback.
 */
static void device_sid_callback_fnct(packet_info *pinfo _U_,
                                     proto_tree *tree _U_,
                                     proto_item *item _U_,
                                     dcerpc_info *di,
                                     tvbuff_t *tvb _U_,
                                     int start_offset _U_,
                                     int end_offset _U_,
                                     void *callback_args)
{
    /* Characters after which only debug text follows the SID. */
    static const char sid_stops[] = { ' ', '(' };
    struct device_sid_callback_args *cb = callback_args;
    dcerpc_call_value *call = (dcerpc_call_value *)di->call_data;
    ptrdiff_t sid_len;
    size_t i;

    if (di->ptype != UINT8_MAX || call == NULL || cb == NULL) {
        return;
    }

    cb->domain_sid = (const char *)call->private_data;
    if (cb->domain_sid == NULL) {
        /* this should not happen... */
        return;
    }

    /* Never look at more than 64 bytes of the SID string. */
    sid_len = strnlen(cb->domain_sid, 64);

    /*
     * remove any debug info after the sid: cut at the first ' ',
     * then at the first '(' inside what is left.
     */
    for (i = 0; i < sizeof sid_stops; i++) {
        const char *hit = memchr(cb->domain_sid, sid_stops[i], sid_len);

        if (hit != NULL && (hit - cb->domain_sid) < sid_len) {
            sid_len = hit - cb->domain_sid;
        }
    }

    /*
     * we know we're called from dissect_krb5_PAC_DEVICE_INFO
     * so we should allocate the device_sid on wmem_epan_scope()
     *
     * NOTE(review): one string is allocated here per invocation and this
     * function never frees it - confirm the resulting growth over a long
     * capture is acceptable.
     */
    cb->device_sid = wmem_strdup_printf(wmem_epan_scope(),
                                        "%*.*s-%" PRIu32,
                                        (int)sid_len, (int)sid_len,
                                        cb->domain_sid,
                                        cb->user_rid);
    *cb->device_sid_ptr = cb->device_sid;
}
2277 * IDL typedef struct {
2278 * IDL long UserId;
2279 * IDL long PrimaryGroupId;
2280 * IDL SID AccountDomainId;
2281 * IDL long AccountGroupCount;
2282 * IDL [size_is(AccountGroupCount)] PGROUP_MEMBERSHIP AccountGroupIds;
2283 * IDL ULONG SidCount;
2284 * IDL [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
2285 * IDL ULONG DomainGroupCount;
2286 * IDL [size_is(DomainGroupCount)] PDOMAIN_GROUP_MEMBERSHIP DomainGroup;
2287 * IDL } PAC_DEVICE_INFO;
/*
 * Dissect a PAC_DEVICE_INFO structure: user RID, primary group RID, the
 * account domain SID, the account group memberships, the extra SIDs and
 * the per-domain group memberships.
 *
 * When di->ptype is UINT8_MAX and the call carries private_data, the user
 * RID is captured and device_sid_callback_fnct() is given the state it
 * needs to build the device SID string for the caller.
 *
 * Returns the offset after the last field dissected.
 */
int
netlogon_dissect_PAC_DEVICE_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    dcerpc_call_value *call = (dcerpc_call_value *)di->call_data;
    struct device_sid_callback_args *cb_args = NULL;
    uint32_t *rid_out = NULL;

    if (call != NULL && di->ptype == UINT8_MAX && call->private_data != NULL) {
        cb_args = wmem_new0(pinfo->pool, struct device_sid_callback_args);
        /*
         * dissect_krb5_PAC_DEVICE_INFO passes
         * a pointer to const char *device_sid
         */
        cb_args->device_sid_ptr = call->private_data;
        rid_out = &cb_args->user_rid;
    }

    /* UserId: stored into cb_args->user_rid when cb_args was set up */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_user_rid, rid_out);

    /* PrimaryGroupId */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    /* AccountDomainId; cb_args may be NULL, the callback checks for that */
    offset = dissect_ndr_nt_PSID_cb(tvb, offset, pinfo, tree, di, drep,
                                    device_sid_callback_fnct, cb_args);

    offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset,
                                                pinfo, tree, di, drep,
                                                hf_netlogon_accountdomaingroupcount,
                                                "AccountDomainGroupIds");

    /* SidCount and ExtraSids */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_sid, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "ExtraSids:SID_AND_ATTRIBUTES_ARRAY:", -1);

    offset = netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvb, offset,
                                                        pinfo, tree, di, drep,
                                                        hf_netlogon_membership_domains_count,
                                                        "ExtraDomain Membership Array");

    return offset;
}
2337 #if 0
/*
 * Dissect a length-prefixed PAC blob: a 32-bit size followed by that many
 * bytes, added to the tree as hf_netlogon_pac_data. Nothing is done during
 * the conformant run.
 *
 * This function sits inside an "#if 0" region and is not compiled.
 *
 * NOTE(review): pac_len is taken straight from the packet and added to the
 * signed offset without a range check in this function. Before re-enabling
 * the code, confirm that proto_tree_add_item() rejects a length that runs
 * past the buffer in every case (including a NULL tree).
 */
static int
netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
                     packet_info *pinfo, proto_tree *tree,
                     dcerpc_info *di, uint8_t *drep _U_)
{
    uint32_t pac_len;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pac_size, &pac_len);

    proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_len,
                        ENC_NA);
    offset += pac_len;

    return offset;
}
/*
 * Dissect a length-prefixed AUTH blob: a 32-bit size followed by that many
 * bytes, added to the tree as hf_netlogon_auth_data. Nothing is done during
 * the conformant run.
 *
 * This function sits inside an "#if 0" region and is not compiled.
 *
 * NOTE(review): auth_len is taken straight from the packet and added to
 * the signed offset without a range check in this function. Before
 * re-enabling the code, confirm that proto_tree_add_item() rejects a length
 * that runs past the buffer in every case (including a NULL tree).
 */
static int
netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
                      packet_info *pinfo, proto_tree *tree,
                      dcerpc_info *di, uint8_t *drep _U_)
{
    uint32_t auth_len;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_auth_size, &auth_len);

    proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_len,
                        ENC_NA);
    offset += auth_len;

    return offset;
}
2379 #endif
/*
 * Dissect a generic validation info structure: a 32-bit data length
 * followed by a ref pointer to a byte array labelled "Validation Data".
 *
 * Returns the offset after the pointer.
 */
static int
netlogon_dissect_VALIDATION_GENERIC_INFO2 (tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    /* length of the opaque validation data */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_data_length, NULL);

    /* the data itself, dissected as a byte array */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                                 "Validation Data", -1);

    return offset;
}
2396 * IDL typedef struct {
2397 * IDL long pac_size
2398 * IDL [unique][size_is(pac_size)] char *pac;
2399 * IDL UNICODESTRING logondomain;
2400 * IDL UNICODESTRING logonserver;
2401 * IDL UNICODESTRING principalname;
2402 * IDL long auth_size;
2403 * IDL [unique][size_is(auth_size)] char *auth;
2404 * IDL USER_SESSION_KEY user_session_key;
2405 * IDL long expansionroom[2];
2406 * IDL long useraccountcontrol;
2407 * IDL long expansionroom[7];
2408 * IDL UNICODESTRING dummy1;
2409 * IDL UNICODESTRING dummy2;
2410 * IDL UNICODESTRING dummy3;
2411 * IDL UNICODESTRING dummy4;
2412 * IDL } VALIDATION_PAC_INFO;
2414 #if 0 /* Not used (anymore ?) */
/*
 * Dissect a VALIDATION_PAC_INFO structure: PAC size and pointer, logon
 * domain, logon server, principal name, AUTH size and pointer, the user
 * session key, two expansion longs, the user account control flags, seven
 * more expansion longs and four dummy strings.
 *
 * This function sits inside an "#if 0" region and is not compiled.
 *
 * Returns the offset after the last field dissected.
 */
static int
netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    int n;

    /* pac_size and the PAC itself */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pac_size, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_PAC, NDR_POINTER_UNIQUE,
                                 "PAC:", -1);

    /* logondomain, logonserver, principalname */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_logon_dom, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_logon_srv, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_principal, 0);

    /* auth_size and the AUTH blob */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_auth_size, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE,
                                 "AUTH:", -1);

    offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
                                               pinfo, tree, di, drep);

    /* expansionroom[2] */
    for (n = 0; n < 2; n++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_unknown_long, NULL);
    }

    offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
                                                   pinfo, tree, di, drep);

    /* expansionroom[7] */
    for (n = 0; n < 7; n++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_unknown_long, NULL);
    }

    /* dummy1 .. dummy4 */
    for (n = 0; n < 4; n++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    return offset;
}
2472 #endif
2475 * IDL typedef [switch_type(short)] union {
2476 * IDL [case(1)][unique] VALIDATION_UAS *uas;
2477 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
2478 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
2479 * IDL [case(4)][unique] VALIDATION_GENERIC_INFO *generic;
2480 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2481 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2482 * IDL [case(6)][unique] VALIDATION_SAM_INFO4 *sam4;
2483 * IDL } VALIDATION;
/*
 * Dissect the VALIDATION union: a 16-bit level, alignment to four bytes,
 * then a unique pointer whose referent dissector is chosen by the level.
 *
 * Levels 1 to 6 are handled; any other level value from the packet leaves
 * the union arm undissected and the offset unchanged past the alignment.
 *
 * Returns the offset after the selected arm (or after the alignment when
 * the level is not handled).
 */
static int
netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    /* Entry [level - 1]: referent dissector and tree label for that level. */
    static const struct {
        dcerpc_dissect_fnct_t *dissect;
        const char *label;
    } arms[] = {
        { netlogon_dissect_VALIDATION_UAS_INFO,      "VALIDATION_UAS_INFO:"  },
        { netlogon_dissect_VALIDATION_SAM_INFO,      "VALIDATION_SAM_INFO:"  },
        { netlogon_dissect_VALIDATION_SAM_INFO2,     "VALIDATION_SAM_INFO2:" },
        { netlogon_dissect_VALIDATION_GENERIC_INFO2, "VALIDATION_INFO:"      },
        { netlogon_dissect_VALIDATION_GENERIC_INFO2, "VALIDATION_INFO2:"     },
        { netlogon_dissect_VALIDATION_SAM_INFO4,     "VALIDATION_SAM_INFO4:" },
    };
    uint16_t level = 0;

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_validation_level, &level);

    ALIGN_TO_4_BYTES;

    /* level comes from the packet: index the table only when it is in range */
    if (level >= 1 && level <= sizeof arms / sizeof arms[0]) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     arms[level - 1].dissect, NDR_POINTER_UNIQUE,
                                     arms[level - 1].label, -1);
    }

    return offset;
}
2531 * IDL long NetrLogonSamLogonWithFlags(
2532 * IDL [in][unique][string] wchar_t *ServerName,
2533 * IDL [in][unique][string] wchar_t *Workstation,
2534 * IDL [in][unique] AUTHENTICATOR *credential,
2535 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2536 * IDL [in] short LogonLevel,
2537 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2538 * IDL [in] short ValidationLevel,
2539 * IDL [out][ref] VALIDATION *validation,
2540 * IDL [out][ref] boolean Authoritative
2541 * IDL [in][out] unsigned long ExtraFlags
2542 * IDL );
/*
 * Dissect a NetrLogonSamLogonWithFlags request: server handle, computer
 * name, the two authenticators, logon level and logon information, the
 * requested validation level and the extra flags.
 *
 * Returns the offset after the extra flags.
 */
static int
netlogon_dissect_netrlogonsamlogonflags_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    /* ServerName */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    /* Workstation */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential, then the return authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* LogonLevel and the logon information it selects */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
                                 "LEVEL: LogonLevel", -1);

    /* ValidationLevel */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_validation_level, NULL);

    /* ExtraFlags */
    offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
/*
 * Dissect a NetrLogonSamLogonWithFlags reply: return authenticator,
 * validation data, the authoritative flag, the extra flags and the
 * NTSTATUS return code.
 *
 * Returns the offset after the return code.
 */
static int
netlogon_dissect_netrlogonsamlogonflags_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
                                 "VALIDATION:", -1);

    /* Authoritative */
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_authoritative, NULL);

    /* ExtraFlags */
    offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);

    /* return code */
    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
2604 * IDL long NetrLogonSamLogon(
2605 * IDL [in][unique][string] wchar_t *ServerName,
2606 * IDL [in][unique][string] wchar_t *Workstation,
2607 * IDL [in][unique] AUTHENTICATOR *credential,
2608 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2609 * IDL [in] short LogonLevel,
2610 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2611 * IDL [in] short ValidationLevel,
2612 * IDL [out][ref] VALIDATION *validation,
2613 * IDL [out][ref] boolean Authoritative
2614 * IDL );
/*
 * Dissect a NetrLogonSamLogon request: server handle, computer name, the
 * two authenticators, logon level and logon information, and the requested
 * validation level.
 *
 * Returns the offset after the validation level.
 */
static int
netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    /* ServerName */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    /* Workstation */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential, then the return authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* LogonLevel and the logon information it selects */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
                                 "LEVEL: LogonLevel", -1);

    /* ValidationLevel */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_validation_level, NULL);

    return offset;
}
/*
 * Dissect a NetrLogonSamLogon reply: return authenticator, validation
 * data, the authoritative flag and the NTSTATUS return code.
 *
 * Returns the offset after the return code.
 */
static int
netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
                                 "VALIDATION:", -1);

    /* Authoritative */
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_authoritative, NULL);

    /* return code */
    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
2671 * IDL long NetrLogonSamLogoff(
2672 * IDL [in][unique][string] wchar_t *ServerName,
2673 * IDL [in][unique][string] wchar_t *ComputerName,
2674 * IDL [in][unique] AUTHENTICATOR credential,
2675 * IDL [in][unique] AUTHENTICATOR return_authenticator,
2676 * IDL [in] short logon_level,
2677 * IDL [in][ref] LEVEL logoninformation
2678 * IDL );
/*
 * Dissect a NetrLogonSamLogoff request: server handle, computer name, the
 * two authenticators, the logon level and the logon information.
 *
 * Returns the offset after the logon information.
 */
static int
netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    /* ServerName */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    /* ComputerName */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential, then the return authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* logon_level and the logon information it selects */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
                                 "LEVEL: logoninformation", -1);

    return offset;
}
/*
 * Dissect a NetrLogonSamLogoff reply: the return authenticator followed by
 * the NTSTATUS return code.
 *
 * Returns the offset after the return code.
 */
static int
netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *tree,
                                          dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* return code */
    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
/*
 * Fill in the client and server addresses of a netlogon_auth_key from the
 * current packet.
 *
 * is_server says which end sent the packet: when non-zero the source
 * address is the server and the destination is the client, otherwise the
 * roles are swapped.
 *
 * The addresses are copied with copy_address_shallow(), so the key is
 * presumably only meant for lookups while pinfo is still valid.
 */
static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key)
{
    const address *server_addr = is_server ? &pinfo->src : &pinfo->dst;
    const address *client_addr = is_server ? &pinfo->dst : &pinfo->src;

    copy_address_shallow(&key->server, server_addr);
    copy_address_shallow(&key->client, client_addr);
}
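/*
 * Create the netlogon_auth_vars entry for an authentication that starts in
 * the current frame and link it into the per client/server list kept in
 * the netlogon_auths map.
 *
 * The list is kept ordered by start frame; each entry's next_start mirrors
 * the start of its successor (-1 for the last entry). If an entry with the
 * same start frame already exists, that entry is returned and nothing new
 * is kept.
 *
 * pinfo         - current packet; supplies the frame number and addresses
 * computer_name - client name to record (duplicated into file scope)
 * is_server     - non-zero when the packet was sent by the server
 *
 * Returns the entry for this start frame (new or already recorded).
 */
static netlogon_auth_vars *create_global_netlogon_auth_vars(packet_info *pinfo,
                                                            const char *computer_name,
                                                            unsigned char is_server)
{
    netlogon_auth_vars *vars = NULL;
    netlogon_auth_vars *old_vars_head = NULL;
    netlogon_auth_vars *last = NULL;
    netlogon_auth_vars *cur = NULL;
    netlogon_auth_vars *new_vars_head = NULL;
    netlogon_auth_key key;
    char *name_copy = NULL;

    vars = wmem_new0(wmem_file_scope(), netlogon_auth_vars);
    name_copy = wmem_strdup(wmem_file_scope(), computer_name);
    vars->client_name = name_copy;
    vars->start = pinfo->num;
    vars->auth_fd_num = -1;
    vars->next_start = -1;
    vars->next = NULL;

    generate_hash_key(pinfo, is_server, &key);
    old_vars_head = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key);
    for (cur = old_vars_head; cur != NULL; last = cur, cur = cur->next) {
        if (cur->start == vars->start) {
            ws_debug("It seems that I already record this vars start packet = %d",vars->start);
            /*
             * Release the duplicated name together with the struct: both
             * were allocated above and neither is referenced once the
             * existing entry is returned. Freeing only the struct left the
             * name allocated until the file scope ended, once per repeated
             * dissection of the same frame.
             */
            wmem_free(wmem_file_scope(), name_copy);
            wmem_free(wmem_file_scope(), vars);
            return cur;
        }

        if (cur->start > vars->start) {
            /* The new entry goes in front of cur. */
            vars->next = cur;
            vars->next_start = cur->start;
            if (last != NULL) {
                last->next = vars;
                last->next_start = vars->start;
            }
            break;
        }

        /* cur starts earlier than the new entry, so the old head stays. */
        if (new_vars_head == NULL) {
            new_vars_head = cur;
        }

        if (cur->next == NULL) {
            /* Append at the tail. */
            cur->next = vars;
            cur->next_start = vars->start;
            break;
        }

        if (cur->next->start > vars->start) {
            /* Insert between cur and its successor. */
            vars->next = cur->next;
            vars->next_start = cur->next_start;
            cur->next = vars;
            cur->next_start = vars->start;
            break;
        }
    }
    if (new_vars_head == NULL) {
        /* Empty list, or the new entry precedes the old head. */
        new_vars_head = vars;
    }

    /*
     * Re-check the list invariants after the insert.
     * NOTE(review): every condition is checked with both ws_assert() and
     * ws_abort_if_fail(); this looks redundant - confirm before removing
     * either form.
     */
    for (cur = new_vars_head; cur != NULL; cur = cur->next) {
        if (cur->auth_fd_num != -1) {
            ws_assert(cur->start <= cur->auth_fd_num);
            ws_abort_if_fail(cur->start <= cur->auth_fd_num);
        }
        if (cur->next == NULL) {
            ws_assert(cur->next_start == -1);
            ws_abort_if_fail(cur->next_start == -1);
            continue;
        }
        ws_assert(cur->start < cur->next->start);
        ws_abort_if_fail(cur->start < cur->next->start);
        ws_assert(cur->next_start == cur->next->start);
        ws_abort_if_fail(cur->next_start == cur->next->start);
    }

    if (old_vars_head != new_vars_head) {
        /*
         * The head changed, which only happens when the new entry is the
         * head. Store it under a file-scope copy of the key, with the
         * addresses copied via copy_address_wmem() rather than the shallow
         * copies used for the lookup.
         */
        netlogon_auth_key *k = (netlogon_auth_key *)wmem_memdup(wmem_file_scope(), &key, sizeof(netlogon_auth_key));
        copy_address_wmem(wmem_file_scope(), &k->client, &key.client);
        copy_address_wmem(wmem_file_scope(), &k->server, &key.server);
        if (old_vars_head != NULL) {
            wmem_map_remove(netlogon_auths, &key);
        }
        wmem_map_insert(netlogon_auths, k, vars);
    }

    return vars;
}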
/*
 * Find the netlogon_auth_vars entry that is still being set up at the
 * current frame, i.e. one that started before this frame and whose
 * authentication frame (auth_fd_num) is either not recorded yet or not
 * earlier than this frame.
 *
 * Entries whose authentication completed before this frame are skipped in
 * favour of later ones. Returns NULL when no entry qualifies.
 */
static netlogon_auth_vars *find_tmp_netlogon_auth_vars(packet_info *pinfo, unsigned char is_server)
{
    const int frame = (int) pinfo->num;
    netlogon_auth_vars *candidate = NULL;
    netlogon_auth_vars *it;
    netlogon_auth_key lookup;

    generate_hash_key(pinfo, is_server, &lookup);
    it = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &lookup);

    /*
     * Stop at the first entry that starts at or after this frame: it
     * can't be used, and whatever candidate was found so far is kept.
     */
    while (it != NULL && frame > it->start) {
        /* remember the current match, but try to find a better one... */
        candidate = it;

        if (it->auth_fd_num != -1) {
            if (frame <= it->auth_fd_num) {
                /* Before ServerAuthenticate{,1,3}, take it... */
                break;
            }
            /* Already authenticated before this frame: look further. */
            candidate = NULL;
        }
        /*
         * else: no ServerAuthenticate{,1,3} seen for this entry, keep it
         * as candidate but try to find a better one...
         */

        it = it->next;
    }

    return candidate;
}
/*
 * Find the most recent netlogon_auth_vars entry whose authentication frame
 * (auth_fd_num) lies before the current frame.
 *
 * Entries without a recorded authentication frame are ignored. The walk
 * stops at the first entry that starts, or was authenticated, at or after
 * the current frame. Returns NULL when no entry qualifies.
 */
static netlogon_auth_vars *find_global_netlogon_auth_vars(packet_info *pinfo, unsigned char is_server)
{
    const int frame = (int) pinfo->num;
    netlogon_auth_vars *best = NULL;
    netlogon_auth_vars *it;
    netlogon_auth_key lookup;

    generate_hash_key(pinfo, is_server, &lookup);
    it = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &lookup);

    while (it != NULL) {
        if (frame <= it->start) {
            /* Before it even started, can't be used..., keep best. */
            break;
        }

        /*
         * An entry with no ServerAuthenticate{,1,3} has no session key
         * available, so it is just skipped.
         */
        if (it->auth_fd_num != -1) {
            if (frame <= it->auth_fd_num) {
                /* Before ServerAuthenticate{,1,3}, can't be used. */
                break;
            }
            /* remember the current match, but try to find a better one... */
            best = it;
        }

        it = it->next;
    }

    return best;
}
/*
 * Return the netlogon_auth_vars bound to this secure channel, identified
 * by conversation, transport salt and auth context id.
 *
 * On the first lookup for a channel, the matching global entry (see
 * find_global_netlogon_auth_vars()) is duplicated into file scope,
 * detached from the global list and stored in schannel_auths under a copy
 * of the key.
 *
 * The duplicate is a byte copy of the whole struct (wmem_memdup), so it
 * carries whatever the global entry held at that moment; only client_name
 * is duplicated separately.
 *
 * Returns NULL when no global entry applies or an allocation yields NULL.
 */
static netlogon_auth_vars *find_or_create_schannel_netlogon_auth_vars(packet_info *pinfo,
                                                                      dcerpc_auth_info *auth_info,
                                                                      unsigned char is_server)
{
    dcerpc_auth_schannel_key lookup = {
        .conv = find_or_create_conversation(pinfo),
        .transport_salt = dcerpc_get_transport_salt(pinfo),
        .auth_context_id = auth_info->auth_context_id,
    };
    dcerpc_auth_schannel_key *stored_key;
    netlogon_auth_vars *cached;
    netlogon_auth_vars *global;
    netlogon_auth_vars *copy;

    /* Fast path: this channel was already bound. */
    cached = (netlogon_auth_vars *)wmem_map_lookup(schannel_auths, &lookup);
    if (cached != NULL) {
        return cached;
    }

    global = find_global_netlogon_auth_vars(pinfo, is_server);
    if (global == NULL) {
        return NULL;
    }

    stored_key = wmem_memdup(wmem_file_scope(), &lookup, sizeof(dcerpc_auth_schannel_key));
    if (stored_key == NULL) {
        return NULL;
    }

    copy = wmem_memdup(wmem_file_scope(), global, sizeof(netlogon_auth_vars));
    if (copy == NULL) {
        return NULL;
    }

    copy->client_name = wmem_strdup(wmem_file_scope(), global->client_name);
    if (copy->client_name == NULL) {
        return NULL;
    }

    /* The per-channel copy is not part of the global list. */
    copy->next_start = -1;
    copy->next = NULL;

    wmem_map_insert(schannel_auths, stored_key, copy);

    return copy;
}
2965 * IDL long NetrServerReqChallenge(
2966 * IDL [in][unique][string] wchar_t *ServerName,
2967 * IDL [in][ref][string] wchar_t *ComputerName,
2968 * IDL [in][ref] CREDENTIAL client_credential,
2969 * IDL [out][ref] CREDENTIAL server_credential
2970 * IDL );
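/*
 * Dissect a NetrServerReqChallenge request: server handle, computer name
 * and the 8-byte client challenge.
 *
 * A netlogon_auth_vars entry is created for this frame (see
 * create_global_netlogon_auth_vars()) and the client challenge is stored
 * in it.
 *
 * Returns the offset after the client challenge.
 */
static int
netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    netlogon_auth_vars *vars;
    dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
    const char *computer_name;
    const char *log_name;

    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_pointer_cb(
        tvb, offset, pinfo, tree, di, drep,
        dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
        "Computer Name", hf_netlogon_computer_name,
        cb_wstr_postprocess,
        GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1));

    /*
     * The name is presumably left in dcv->private_data by the string
     * callback because CB_STR_SAVE is requested, but nothing in this
     * function guarantees that for every packet. The field is
     * packet-controlled, so do not hand a NULL pointer to strlen() or to
     * a "%s" conversion in the debug output.
     */
    computer_name = (dcv != NULL) ? (const char *)dcv->private_data : NULL;
    log_name = (computer_name != NULL) ? computer_name : "";

    ws_debug("1)Len %d offset %d txt %s", (int) strlen(log_name), offset, log_name);
    /*
     * NOTE(review): a NULL name is still passed through unchanged and ends
     * up in wmem_strdup(); confirm that helper accepts NULL.
     */
    vars = create_global_netlogon_auth_vars(pinfo, computer_name, 0);
    ws_debug("2)Len %d offset %d txt %s", (int) strlen(log_name), offset, vars->client_name);

    offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
                                   hf_client_challenge, &vars->client_challenge);

    return offset;
}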
/*
 * Dissect a NetrServerReqChallenge reply: the 8-byte server challenge
 * followed by the NTSTATUS return code.
 *
 * The challenge is copied into the netlogon_auth_vars found for this
 * conversation, when there is one. The NTSTATUS is only displayed (its
 * output pointer is NULL), so the challenge is recorded whatever the
 * status value is.
 */
static int
netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    uint64_t server_challenge;
    /* Look the state up before dissecting, as the original code does. */
    netlogon_auth_vars *vars = find_tmp_netlogon_auth_vars(pinfo, 1);

    offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
                                   hf_server_challenge, &server_challenge);
    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    if (vars == NULL) {
        ws_debug("Vars not found in challenge reply");
        return offset;
    }

    vars->server_challenge = server_challenge;
    return offset;
}
/*
 * Dissect the secure channel type field and return the offset after it.
 * The value is added to the tree only; it is not handed back to the caller.
 */
static int
netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint1632(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_secure_channel_type, NULL);
}
3041 * IDL long NetrServerAuthenticate(
3042 * IDL [in][unique][string] wchar_t *ServerName,
3043 * IDL [in][ref][string] wchar_t *UserName,
3044 * IDL [in] short secure_challenge_type,
3045 * IDL [in][ref][string] wchar_t *ComputerName,
3046 * IDL [in][ref] CREDENTIAL client_challenge,
3047 * IDL [out][ref] CREDENTIAL server_challenge
3048 * IDL );
/*
 * Dissect a NetrServerAuthenticate request: server handle, user name,
 * secure channel type, computer name and the client credential, in wire
 * order. Returns the offset after the last field.
 */
static int
netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    /* Account name of the machine or trust account. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "User Name",
                                          hf_netlogon_acct_name, CB_STR_COL_INFO);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, CB_STR_COL_INFO);

    /* Client credential, dissected through a reference pointer. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                                 "CREDENTIAL: client challenge", -1);

    return offset;
}
/* Shared reply dissector for the NetrServerAuthenticate variants; defined later in the file. */
static int
netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
                                                 packet_info *pinfo, proto_tree *tree,
                                                 dcerpc_info *di, uint8_t *drep,
                                                 int version);

/*
 * Dissect a NetrServerAuthenticate reply by delegating to the shared
 * reply dissector with version 0.
 */
static int
netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    const int version = 0;

    return netlogon_dissect_netrserverauthenticate023_reply(tvb, offset, pinfo, tree, di, drep, version);
}
3089 * IDL typedef struct {
3090 * IDL char encrypted_password[16];
3091 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/*
 * Add the 16-byte ENCRYPTED_LM_OWF_PASSWORD blob to the tree and step
 * past it. Nothing is consumed during a conformant run.
 */
static int
netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo _U_, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep _U_)
{
    /* Fixed size taken from the IDL: char encrypted_password[16]. */
    const int owf_len = 16;

    if (!di->conformant_run) {
        proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb,
                            offset, owf_len, ENC_NA);
        offset += owf_len;
    }

    return offset;
}
3111 * IDL long NetrServerPasswordSet(
3112 * IDL [in][unique][string] wchar_t *ServerName,
3113 * IDL [in][ref][string] wchar_t *UserName,
3114 * IDL [in] short secure_challenge_type,
3115 * IDL [in][ref][string] wchar_t *ComputerName,
3116 * IDL [in][ref] AUTHENTICATOR credential,
3117 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
3118 * IDL [out][ref] AUTHENTICATOR return_authenticator
3119 * IDL );
/*
 * Dissect a NetrServerPasswordSet request: server handle, user name,
 * secure channel type, computer name, the caller's authenticator and the
 * encrypted new password hash, in wire order.
 */
static int
netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "User Name",
                                          hf_netlogon_acct_name, 0);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    /* New password hash; shown as opaque bytes by the callee. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
                                 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);

    return offset;
}
/*
 * Dissect a NetrServerPasswordSet reply: the return authenticator
 * followed by the NTSTATUS return code (displayed only).
 */
static int
netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
3163 * IDL typedef struct {
3164 * IDL [unique][string] wchar_t *UserName;
3165 * IDL UNICODESTRING dummy1;
3166 * IDL UNICODESTRING dummy2;
3167 * IDL UNICODESTRING dummy3;
3168 * IDL UNICODESTRING dummy4;
3169 * IDL long dummy5;
3170 * IDL long dummy6;
3171 * IDL long dummy7;
3172 * IDL long dummy8;
3173 * IDL } DELTA_DELETE_USER;
/*
 * Dissect a DELTA_DELETE_USER structure: the account name pointer, four
 * unused counted strings and four reserved 32-bit values.
 */
static int
netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Account Name",
                                          hf_netlogon_acct_name, 0);

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5..dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3212 * IDL typedef struct {
3213 * IDL bool SensitiveDataFlag;
3214 * IDL long DataLength;
3215 * IDL [unique][size_is(DataLength)] char *SensitiveData;
3216 * IDL } USER_PRIVATE_INFO;
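/*
 * Dissect the referent of USER_PRIVATE_INFO.SensitiveData: a 32-bit
 * length followed by that many opaque bytes.
 *
 * Nothing is consumed during a conformant run. Returns the offset after
 * the data; throws a bounds exception if the declared length does not fit
 * in the buffer.
 */
static int
netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    uint32_t data_len;

    if(di->conformant_run){
        /*just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sensitive_data_len, &data_len);

    /*
     * data_len is taken straight from the packet and is used below as an
     * int length. A value of 0x80000000 or more turns negative there, and
     * 0xFFFFFFFF becomes -1, which proto_tree_add_item() reads as "to the
     * end of the buffer" while "offset += data_len" would move the offset
     * backwards. tvb_ensure_bytes_exist() rejects negative and
     * out-of-range lengths, so validate before using the value.
     */
    tvb_ensure_bytes_exist(tvb, offset, (int)data_len);

    proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
                        data_len, ENC_NA);
    offset += data_len;

    return offset;
}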
/*
 * Dissect a USER_PRIVATE_INFO structure: the sensitive-data flag, the data
 * length (displayed only) and the unique pointer to the data itself.
 */
static int
netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_sensitive_data_flag, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sensitive_data_len, NULL);

    /* The referent carries its own length; see netlogon_dissect_SENSITIVE_DATA. */
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
                               "SENSITIVE_DATA", -1);
}
3258 * IDL typedef struct {
3259 * IDL UNICODESTRING UserName;
3260 * IDL UNICODESTRING FullName;
3261 * IDL long UserID;
3262 * IDL long PrimaryGroupID;
3263 * IDL UNICODESTRING HomeDir;
3264 * IDL UNICODESTRING HomeDirDrive;
3265 * IDL UNICODESTRING LogonScript;
3266 * IDL UNICODESTRING Comment;
3267 * IDL UNICODESTRING Workstations;
3268 * IDL NTTIME LastLogon;
3269 * IDL NTTIME LastLogoff;
3270 * IDL LOGON_HOURS logonhours;
3271 * IDL short BadPwCount;
3272 * IDL short LogonCount;
3273 * IDL NTTIME PwLastSet;
3274 * IDL NTTIME AccountExpires;
3275 * IDL long AccountControl;
3276 * IDL LM_OWF_PASSWORD lmpw;
3277 * IDL NT_OWF_PASSWORD ntpw;
3278 * IDL bool NTPwPresent;
3279 * IDL bool LMPwPresent;
3280 * IDL bool PwExpired;
3281 * IDL UNICODESTRING UserComment;
3282 * IDL UNICODESTRING Parameters;
3283 * IDL short CountryCode;
3284 * IDL short CodePage;
3285 * IDL USER_PRIVATE_INFO user_private_info;
3286 * IDL long SecurityInformation;
3287 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3288 * IDL UNICODESTRING dummy1;
3289 * IDL UNICODESTRING dummy2;
3290 * IDL UNICODESTRING dummy3;
3291 * IDL UNICODESTRING dummy4;
3292 * IDL long dummy5;
3293 * IDL long dummy6;
3294 * IDL long dummy7;
3295 * IDL long dummy8;
3296 * IDL } DELTA_USER;
/*
 * Dissect a DELTA_USER structure field by field, in the order given by the
 * IDL. The structure carries account attributes including the LM and NT
 * one-way-function password hashes, which are credential material in any
 * capture that contains them.
 *
 * Returns the offset after the last reserved field.
 */
static int
netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    /* HomeDir, HomeDirDrive, LogonScript, Comment, Workstations */
    const int path_fields[] = {
        hf_netlogon_home_dir,
        hf_netlogon_dir_drive,
        hf_netlogon_logon_script,
        hf_netlogon_acct_desc,
        hf_netlogon_workstations,
    };
    /* NTPwPresent, LMPwPresent, PwExpired */
    const int pwd_flag_fields[] = {
        hf_netlogon_nt_pwd_present,
        hf_netlogon_lm_pwd_present,
        hf_netlogon_pwd_expired,
    };

    /* UserName, FullName */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_acct_name, 3);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_full_name, 0);

    /* UserID, PrimaryGroupID */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_user_rid, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_group_rid, NULL);

    for (size_t i = 0; i < sizeof path_fields / sizeof path_fields[0]; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            path_fields[i], 0);
    }

    /* LastLogon, LastLogoff, logonhours */
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_logon_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_logoff_time);
    offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, di, drep);

    /* BadPwCount, LogonCount */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_bad_pw_count16, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_logon_count16, NULL);

    /* PwLastSet, AccountExpires, AccountControl */
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_pwd_last_set_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_acct_expiry_time);
    offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, di, drep);

    /* lmpw, ntpw: password hashes */
    offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);
    offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset, pinfo, tree, di, drep);

    for (size_t i = 0; i < sizeof pwd_flag_fields / sizeof pwd_flag_fields[0]; i++) {
        offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                                   pwd_flag_fields[i], NULL);
    }

    /* UserComment, Parameters */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_comment, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_parameters, 0);

    /* CountryCode, CodePage */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_country, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_codepage, NULL);

    /* user_private_info, SecurityInformation, sec_desc */
    offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5..dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3416 * IDL typedef struct {
3417 * IDL UNICODESTRING DomainName;
3418 * IDL UNICODESTRING OEMInfo;
3419 * IDL NTTIME forcedlogoff;
3420 * IDL short minpasswdlen;
3421 * IDL short passwdhistorylen;
3422 * IDL NTTIME pwd_must_change_time;
3423 * IDL NTTIME pwd_can_change_time;
3424 * IDL NTTIME domain_modify_time;
3425 * IDL NTTIME domain_create_time;
3426 * IDL long SecurityInformation;
3427 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3428 * IDL UNICODESTRING dummy1;
3429 * IDL UNICODESTRING dummy2;
3430 * IDL UNICODESTRING dummy3;
3431 * IDL UNICODESTRING dummy4;
3432 * IDL long dummy5;
3433 * IDL long dummy6;
3434 * IDL long dummy7;
3435 * IDL long dummy8;
3436 * IDL } DELTA_DOMAIN;
/*
 * Dissect a DELTA_DOMAIN structure: domain name, OEM info, password
 * policy values and timestamps, the security descriptor, then the unused
 * dummy strings and reserved values. Fields are read in IDL order.
 */
static int
netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    /* pwd_must_change_time .. domain_create_time */
    const int time_fields[] = {
        hf_netlogon_pwd_must_change_time,
        hf_netlogon_pwd_can_change_time,
        hf_netlogon_domain_modify_time,
        hf_netlogon_domain_create_time,
    };

    /* DomainName, OEMInfo */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_domain_name, 3);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_oem_info, 0);

    /* forcedlogoff */
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_kickoff_time);

    /* minpasswdlen, passwdhistorylen */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_minpasswdlen, NULL);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_passwdhistorylen, NULL);

    for (size_t i = 0; i < sizeof time_fields / sizeof time_fields[0]; i++) {
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                       time_fields[i]);
    }

    /* SecurityInformation, sec_desc */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5..dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3504 * IDL typedef struct {
3505 * IDL UNICODESTRING groupname;
3506 * IDL GROUP_MEMBERSHIP group_membership;
3507 * IDL UNICODESTRING comment;
3508 * IDL long SecurityInformation;
3509 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3510 * IDL UNICODESTRING dummy1;
3511 * IDL UNICODESTRING dummy2;
3512 * IDL UNICODESTRING dummy3;
3513 * IDL UNICODESTRING dummy4;
3514 * IDL long dummy5;
3515 * IDL long dummy6;
3516 * IDL long dummy7;
3517 * IDL long dummy8;
3518 * IDL } DELTA_GROUP;
/*
 * Dissect a DELTA_GROUP structure: group name, group membership,
 * description, security information and descriptor, then the unused dummy
 * strings and reserved values.
 */
static int
netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_group_name, 3);
    offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_group_desc, 0);

    /* SecurityInformation, sec_desc */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5..dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3568 * IDL typedef struct {
3569 * IDL UNICODESTRING OldName;
3570 * IDL UNICODESTRING NewName;
3571 * IDL UNICODESTRING dummy1;
3572 * IDL UNICODESTRING dummy2;
3573 * IDL UNICODESTRING dummy3;
3574 * IDL UNICODESTRING dummy4;
3575 * IDL long dummy5;
3576 * IDL long dummy6;
3577 * IDL long dummy7;
3578 * IDL long dummy8;
3579 * IDL } DELTA_RENAME;
/*
 * Dissect a DELTA_RENAME structure: the old and new names, both shown
 * under the header field the caller supplied in di->hf_index, followed by
 * the unused dummy strings and reserved values.
 */
static int
netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    /* OldName, NewName; di->hf_index is read again for each call. */
    for (int i = 0; i < 2; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            di->hf_index, 0);
    }

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5..dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/* Dissect one 32-bit RID array element, shown as a user RID. */
static int
netlogon_dissect_RID(tvbuff_t *tvb, int offset,
                     packet_info *pinfo, proto_tree *tree,
                     dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_user_rid, NULL);
}
/* Dissect an array of RIDs, one netlogon_dissect_RID call per element. */
static int
netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_RID);
}
/* Dissect one 32-bit attribute array element. */
static int
netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_attrs, NULL);
}
/* Dissect an array of attributes, one netlogon_dissect_ATTRIB call per element. */
static int
netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_ATTRIB);
}
3665 * IDL typedef struct {
3666 * IDL [unique][size_is(num_rids)] long *rids;
3667 * IDL [unique][size_is(num_rids)] long *attribs;
3668 * IDL long num_rids;
3669 * IDL long dummy1;
3670 * IDL long dummy2;
3671 * IDL long dummy3;
3672 * IDL long dummy4;
3673 * IDL } DELTA_GROUP_MEMBER;
/*
 * Dissect a DELTA_GROUP_MEMBER structure: unique pointers to the RID and
 * attribute arrays, the num_rids count and four reserved values.
 *
 * num_rids is displayed only (NULL output pointer); the arrays are walked
 * by dissect_ndr_ucarray in the pointer callbacks, not sized from it here.
 */
static int
netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
                                 "RIDs:", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
                                 "Attribs:", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_rids, NULL);

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3708 * IDL typedef struct {
3709 * IDL UNICODESTRING alias_name;
3710 * IDL long rid;
3711 * IDL long SecurityInformation;
3712 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3713 * IDL UNICODESTRING dummy1;
3714 * IDL UNICODESTRING dummy2;
3715 * IDL UNICODESTRING dummy3;
3716 * IDL UNICODESTRING dummy4;
3717 * IDL long dummy5;
3718 * IDL long dummy6;
3719 * IDL long dummy7;
3720 * IDL long dummy8;
3721 * IDL } DELTA_ALIAS;
/*
 * Dissect a DELTA_ALIAS structure: alias name, alias RID, security
 * information and descriptor, then the unused dummy strings and reserved
 * values.
 */
static int
netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_alias_name, 0);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_alias_rid, NULL);

    /* SecurityInformation, sec_desc */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5..dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
3768 * IDL typedef struct {
3769 * IDL [unique] SID_ARRAY sids;
3770 * IDL long dummy1;
3771 * IDL long dummy2;
3772 * IDL long dummy3;
3773 * IDL long dummy4;
3774 * IDL } DELTA_ALIAS_MEMBER;
/*
 * Dissect a DELTA_ALIAS_MEMBER structure: the SID array followed by four
 * reserved 32-bit values.
 */
static int
netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, di, drep);

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/* Dissect one 32-bit event audit option array element. */
static int
netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_event_audit_option, NULL);
}
/* Dissect the event audit options array, one element dissector call per entry. */
static int
netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_EVENT_AUDIT_OPTION);
}
3823 * IDL typedef struct {
3824 * IDL long pagedpoollimit;
3825 * IDL long nonpagedpoollimit;
3826 * IDL long minimumworkingsetsize;
3827 * IDL long maximumworkingsetsize;
3828 * IDL long pagefilelimit;
3829 * IDL NTTIME timelimit;
3830 * IDL } QUOTA_LIMITS;
/*
 * Dissect a QUOTA_LIMITS structure into its own subtree: five 32-bit
 * limits followed by the time limit. The subtree item is created with
 * length 0 and resized to the bytes consumed once all fields are read.
 */
static int
netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *parent_tree,
                              dcerpc_info *di, uint8_t *drep)
{
    /* pagedpoollimit .. pagefilelimit, in wire order */
    const int limit_fields[] = {
        hf_netlogon_pagedpoollimit,
        hf_netlogon_nonpagedpoollimit,
        hf_netlogon_minworkingsetsize,
        hf_netlogon_maxworkingsetsize,
        hf_netlogon_pagefilelimit,
    };
    const int start_offset = offset;
    proto_item *subtree_item = NULL;
    proto_tree *subtree = NULL;

    if (parent_tree != NULL) {
        subtree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                         ett_QUOTA_LIMITS, &subtree_item,
                                         "QUOTA_LIMTS:");
    }

    for (size_t i = 0; i < sizeof limit_fields / sizeof limit_fields[0]; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
                                    limit_fields[i], NULL);
    }

    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, subtree, di, drep,
                                   hf_netlogon_timelimit);

    proto_item_set_len(subtree_item, offset - start_offset);
    return offset;
}
3870 * IDL typedef struct {
3871 * IDL long maxlogsize;
3872 * IDL NTTIME auditretentionperiod;
3873 * IDL bool auditingmode;
3874 * IDL long maxauditeventcount;
3875 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
3876 * IDL UNICODESTRING primarydomainname;
3877 * IDL [unique] SID *sid;
3878 * IDL QUOTA_LIMITS quota_limits;
3879 * IDL NTTIME db_modify_time;
3880 * IDL NTTIME db_create_time;
3881 * IDL long SecurityInformation;
3882 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3883 * IDL UNICODESTRING dummy1;
3884 * IDL UNICODESTRING dummy2;
3885 * IDL UNICODESTRING dummy3;
3886 * IDL UNICODESTRING dummy4;
3887 * IDL long dummy5;
3888 * IDL long dummy6;
3889 * IDL long dummy7;
3890 * IDL long dummy8;
3891 * IDL } DELTA_POLICY;
/*
 * Dissect a DELTA_POLICY structure in IDL order: audit log settings, the
 * event audit options array, primary domain name and SID, quota limits,
 * database timestamps, security information and descriptor, then the
 * unused dummy strings and reserved values.
 *
 * maxauditeventcount is displayed only (NULL output pointer); the options
 * array is walked by its own pointer callback.
 */
static int
netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    /* maxlogsize, auditretentionperiod, auditingmode, maxauditeventcount */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_log_size, NULL);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_audit_retention_period);
    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_auditing_mode, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_audit_event_count, NULL);

    /* eventauditoptions */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
                                 "Event Audit Options:", -1);

    /* primarydomainname, sid, quota_limits */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_domain_name, 0);
    offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
    offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset, pinfo, tree, di, drep);

    /* db_modify_time, db_create_time */
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_db_modify_time);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_db_create_time);

    /* SecurityInformation, sec_desc */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5..dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/* Dissect one domain controller name (a counted string array element). */
static int
netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_netlogon_dc_name, 0);
}
/* Dissect the array of domain controller names, one element dissector call per entry. */
static int
netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_CONTROLLER);
}
3985 * IDL typedef struct {
3986 * IDL UNICODESTRING DomainName;
3987 * IDL long num_controllers;
3988 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
3989 * IDL long SecurityInformation;
3990 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3991 * IDL UNICODESTRING dummy1;
3992 * IDL UNICODESTRING dummy2;
3993 * IDL UNICODESTRING dummy3;
3994 * IDL UNICODESTRING dummy4;
3995 * IDL long dummy5;
3996 * IDL long dummy6;
3997 * IDL long dummy7;
3998 * IDL long dummy8;
3999 * IDL } DELTA_TRUSTED_DOMAINS;
/*
 * Dissect a DELTA_TRUSTED_DOMAINS structure: domain name, controller
 * count, the controller name array, security information and descriptor,
 * then the unused dummy strings and reserved values.
 *
 * num_controllers is displayed only (NULL output pointer); the name array
 * is walked by its own pointer callback.
 */
static int
netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
                                       packet_info *pinfo, proto_tree *tree,
                                       dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_domain_name, 0);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_controllers, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
                                 "Domain Controllers:", -1);

    /* SecurityInformation, sec_desc */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1..dummy4 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5..dummy8 */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/*
 * Element callback for the privilege attribute array of DELTA_ACCOUNTS:
 * one 32-bit value added as hf_netlogon_attrs.
 */
static int
netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_attrs, NULL);
}
/*
 * Pointer callback for DELTA_ACCOUNTS.privilege_attrib: passes the array to
 * dissect_ndr_ucarray with netlogon_dissect_PRIV_ATTR as element dissector.
 */
static int
netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_PRIV_ATTR);
}
/*
 * Element callback for the privilege name array of DELTA_ACCOUNTS: one
 * counted string added as hf_netlogon_privilege_name. Note the final
 * argument is 1 here, where the other counted strings nearby pass 0.
 */
static int
netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
                           packet_info *pinfo, proto_tree *tree,
                           dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                      hf_netlogon_privilege_name, 1);
}
/*
 * Pointer callback for DELTA_ACCOUNTS.privilege_name: passes the array to
 * dissect_ndr_ucarray with netlogon_dissect_PRIV_NAME as element dissector.
 */
static int
netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_PRIV_NAME);
}
/*
 * IDL typedef struct {
 * IDL   long privilegeentries;
 * IDL   long provolegecontrol;
 * IDL   [unique][size_is(privilege_entries)] long *privilege_attrib;
 * IDL   [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
 * IDL   QUOTALIMITS quotalimits;
 * IDL   long SecurityInformation;
 * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
 * IDL   UNICODESTRING dummy1;
 * IDL   UNICODESTRING dummy2;
 * IDL   UNICODESTRING dummy3;
 * IDL   UNICODESTRING dummy4;
 * IDL   long dummy5;
 * IDL   long dummy6;
 * IDL   long dummy7;
 * IDL   long dummy8;
 * IDL } DELTA_ACCOUNTS;
 */

/*
 * Dissect a DELTA_ACCOUNTS structure field by field and return the offset
 * following the last field.
 *
 * NOTE(review): between the quota limits and SecurityInformation the code
 * reads one more 32-bit value (shown as hf_netlogon_systemflags) that the IDL
 * comment above does not list; confirm which of the two is current.
 */
static int
netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    /* privilege entry count and control word (displayed only) */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_privilege_entries, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_privilege_control, NULL);

    /* the two unique pointers: attribute array, then name array */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
                                 "PRIV_ATTR_ARRAY:", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
                                 "PRIV_NAME_ARRAY:", -1);

    /* quotalimits */
    offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
                                           pinfo, tree, di, drep);

    /* extra 32-bit value, see the note in the header comment */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_systemflags, NULL);

    /* SecurityInformation, then the descriptor buffer */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4: four counted strings */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8: four 32-bit values shown as reserved */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
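/*
 * IDL typedef struct {
 * IDL   long len;
 * IDL   long maxlen;
 * IDL   [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
 * IDL } CIPHER_VALUE;
 */

/*
 * Pointer callback for CIPHER_VALUE.cipher_data. Reads the array header
 * (maximum length, a 4-byte offset that is skipped, actual length) and adds
 * that many bytes to the tree under di->hf_index.
 *
 * The length comes from the packet, so it is checked against the buffer
 * before it is used as an item length or added to the offset. Without that
 * check a value above INT_MAX turns negative when converted to int: -1 asks
 * proto_tree_add_item() for everything up to the end of the buffer, and the
 * addition that follows can move the offset backwards.
 *
 * Returns the offset following the cipher bytes, or the offset unchanged on
 * a conformant run.
 */
static int
netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    /* Initialised so the value is defined even if the callee does not write it. */
    uint32_t data_len = 0;

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_cipher_maxlen, NULL);

    /* skip offset */
    offset += 4;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_cipher_len, &data_len);

    /*
     * Raises a bounds exception unless data_len bytes are present at offset,
     * so a length the packet cannot back never reaches the lines below.
     */
    tvb_ensure_bytes_exist(tvb, offset, data_len);

    proto_tree_add_item(tree, di->hf_index, tvb, offset,
                        (int)data_len, ENC_NA);
    offset += (int)data_len;

    return offset;
}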
/*
 * Dissect a CIPHER_VALUE header inside its own subtree labelled `name`:
 * the two 32-bit length fields, then the unique pointer whose referent is
 * dissected by netlogon_dissect_CIPHER_VALUE_DATA and displayed under
 * `hf_index`. The subtree item is resized to the bytes consumed here.
 * Returns the offset following the pointer.
 */
static int
netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *parent_tree,
                              dcerpc_info *di, uint8_t *drep, const char *name, int hf_index)
{
    const int start = offset;
    proto_item *cipher_item = NULL;
    proto_tree *cipher_tree = NULL;

    if (parent_tree != NULL) {
        cipher_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                             ett_CYPHER_VALUE, &cipher_item, name);
    }

    /* len */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, cipher_tree, di, drep,
                                hf_netlogon_cipher_len, NULL);

    /* maxlen */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, cipher_tree, di, drep,
                                hf_netlogon_cipher_maxlen, NULL);

    /* cipher_data */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, cipher_tree, di, drep,
                                 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
                                 name, hf_index);

    proto_item_set_len(cipher_item, offset - start);
    return offset;
}
/*
 * IDL typedef struct {
 * IDL   CIPHER_VALUE current_cipher;
 * IDL   NTTIME current_cipher_set_time;
 * IDL   CIPHER_VALUE old_cipher;
 * IDL   NTTIME old_cipher_set_time;
 * IDL   long SecurityInformation;
 * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
 * IDL   UNICODESTRING dummy1;
 * IDL   UNICODESTRING dummy2;
 * IDL   UNICODESTRING dummy3;
 * IDL   UNICODESTRING dummy4;
 * IDL   long dummy5;
 * IDL   long dummy6;
 * IDL   long dummy7;
 * IDL   long dummy8;
 * IDL } DELTA_SECRET;
 */

/*
 * Dissect a DELTA_SECRET structure: the current and old cipher values with
 * their set times, the security information and descriptor, then the dummy
 * fields. The cipher payloads are added as raw bytes by
 * netlogon_dissect_CIPHER_VALUE_DATA; nothing here decodes them.
 * Returns the offset following the last field.
 */
static int
netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *tree,
                              dcerpc_info *di, uint8_t *drep)
{
    /* current_cipher + current_cipher_set_time */
    offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
                                           pinfo, tree, di, drep,
                                           "CIPHER_VALUE: current cipher value",
                                           hf_netlogon_cipher_current_data);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_cipher_current_set_time);

    /* old_cipher + old_cipher_set_time */
    offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
                                           pinfo, tree, di, drep,
                                           "CIPHER_VALUE: old cipher value",
                                           hf_netlogon_cipher_old_data);
    offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_cipher_old_set_time);

    /* SecurityInformation, then the descriptor buffer */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_security_information, NULL);
    offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);

    /* dummy1 .. dummy4: four counted strings */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_dummy, 0);
    }

    /* dummy5 .. dummy8: four 32-bit values shown as reserved */
    for (int i = 0; i < 4; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/*
 * IDL typedef struct {
 * IDL   long low_value;
 * IDL   long high_value;
 * } MODIFIED_COUNT;
 */

/*
 * Dissect a MODIFIED_COUNT as a single dissect_ndr_duint32 field shown as
 * hf_netlogon_modify_count. Returns the offset following it.
 */
static int
netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *tree,
                                dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_modify_count, NULL);
}
/*
 * Delta type codes. They are the values named in delta_type_vals and match
 * the case numbers of the DELTA_UNION IDL.
 */
enum {
    DT_DELTA_DOMAIN          = 1,
    DT_DELTA_GROUP           = 2,
    DT_DELTA_DELETE_GROUP    = 3,
    DT_DELTA_RENAME_GROUP    = 4,
    DT_DELTA_USER            = 5,
    DT_DELTA_DELETE_USER     = 6,
    DT_DELTA_RENAME_USER     = 7,
    DT_DELTA_GROUP_MEMBER    = 8,
    DT_DELTA_ALIAS           = 9,
    DT_DELTA_DELETE_ALIAS    = 10,
    DT_DELTA_RENAME_ALIAS    = 11,
    DT_DELTA_ALIAS_MEMBER    = 12,
    DT_DELTA_POLICY          = 13,
    DT_DELTA_TRUSTED_DOMAINS = 14,
    DT_DELTA_DELETE_TRUST    = 15,
    DT_DELTA_ACCOUNTS        = 16,
    DT_DELTA_DELETE_ACCOUNT  = 17,
    DT_DELTA_SECRET          = 18,
    DT_DELTA_DELETE_SECRET   = 19,
    DT_DELTA_DELETE_GROUP2   = 20,
    DT_DELTA_DELETE_USER2    = 21,
    DT_MODIFIED_COUNT        = 22
};
/*
 * Display names for the delta type codes; used by netlogon_dissect_DELTA_ENUM
 * through val_to_str(). The { 0, NULL } entry terminates the table.
 */
static const value_string delta_type_vals[] = {
    { DT_DELTA_DOMAIN,          "Domain" },
    { DT_DELTA_GROUP,           "Group" },
    { DT_DELTA_DELETE_GROUP,    "Delete Group" },
    { DT_DELTA_RENAME_GROUP,    "Rename Group" },
    { DT_DELTA_USER,            "User" },
    { DT_DELTA_DELETE_USER,     "Delete User" },
    { DT_DELTA_RENAME_USER,     "Rename User" },
    { DT_DELTA_GROUP_MEMBER,    "Group Member" },
    { DT_DELTA_ALIAS,           "Alias" },
    { DT_DELTA_DELETE_ALIAS,    "Delete Alias" },
    { DT_DELTA_RENAME_ALIAS,    "Rename Alias" },
    { DT_DELTA_ALIAS_MEMBER,    "Alias Member" },
    { DT_DELTA_POLICY,          "Policy" },
    { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
    { DT_DELTA_DELETE_TRUST,    "Delete Trust" },
    { DT_DELTA_ACCOUNTS,        "Accounts" },
    { DT_DELTA_DELETE_ACCOUNT,  "Delete Account" },
    { DT_DELTA_SECRET,          "Secret" },
    { DT_DELTA_DELETE_SECRET,   "Delete Secret" },
    { DT_DELTA_DELETE_GROUP2,   "Delete Group2" },
    { DT_DELTA_DELETE_USER2,    "Delete User2" },
    { DT_MODIFIED_COUNT,        "Modified Count" },
    { 0, NULL }
};
/*
 * IDL typedef [switch_type(short)] union {
 * IDL   [case(1)][unique] DELTA_DOMAIN *domain;
 * IDL   [case(2)][unique] DELTA_GROUP *group;
 * IDL   [case(3)][unique] rid only ;
 * IDL   [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
 * IDL   [case(5)][unique] DELTA_USER *user;
 * IDL   [case(6)][unique] rid only ;
 * IDL   [case(7)][unique] DELTA_RENAME_USER *rename_user;
 * IDL   [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
 * IDL   [case(9)][unique] DELTA_ALIAS *alias;
 * IDL   [case(10)][unique] rid only ;
 * IDL   [case(11)][unique] DELTA_RENAME_ALIAS *alias;
 * IDL   [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
 * IDL   [case(13)][unique] DELTA_POLICY *policy;
 * IDL   [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
 * IDL   [case(15)][unique] PSID ;
 * IDL   [case(16)][unique] DELTA_ACCOUNTS *accounts;
 * IDL   [case(17)][unique] PSID ;
 * IDL   [case(18)][unique] DELTA_SECRET *secret;
 * IDL   [case(19)][unique] string;
 * IDL   [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
 * IDL   [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
 * IDL   [case(22)][unique] MODIFIED_COUNT *modified_count;
 * IDL } DELTA_UNION;
 */

/*
 * Dissect a DELTA_UNION inside its own subtree: read the 16-bit switch value,
 * align to 4 bytes, then dissect the unique pointer of the selected arm.
 *
 * Levels 3, 6, 10, 15, 17 and 19 appear in the IDL above but have no arm
 * here, and any level outside 1..22 is not handled either; for all of those
 * nothing is consumed after the switch value. Level 20 is dissected with
 * netlogon_dissect_DELTA_DELETE_USER under the label "DELTA_DELETE_GROUP:".
 *
 * Returns the offset following the union.
 */
static int
netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *parent_tree,
                             dcerpc_info *di, uint8_t *drep)
{
    const int start = offset;
    proto_item *union_item = NULL;
    proto_tree *union_tree = NULL;
    uint16_t level = 0;
    dcerpc_dissect_fnct_t *arm = NULL;  /* referent dissector of the selected arm */
    const char *label = NULL;           /* pointer label of the selected arm */
    int hf = -1;                        /* hf index handed to the arm, -1 if unused */

    if (parent_tree != NULL) {
        union_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                            ett_DELTA_UNION, &union_item, "DELTA_UNION:");
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, union_tree, di, drep,
                                hf_netlogon_delta_type, &level);

    ALIGN_TO_4_BYTES;
    switch (level) {
    case 1:
        arm = netlogon_dissect_DELTA_DOMAIN;
        label = "DELTA_DOMAIN:";
        break;
    case 2:
        arm = netlogon_dissect_DELTA_GROUP;
        label = "DELTA_GROUP:";
        break;
    case 4:
        arm = netlogon_dissect_DELTA_RENAME;
        label = "DELTA_RENAME_GROUP:";
        hf = hf_netlogon_group_name;
        break;
    case 5:
        arm = netlogon_dissect_DELTA_USER;
        label = "DELTA_USER:";
        break;
    case 7:
        arm = netlogon_dissect_DELTA_RENAME;
        label = "DELTA_RENAME_USER:";
        hf = hf_netlogon_acct_name;
        break;
    case 8:
        arm = netlogon_dissect_DELTA_GROUP_MEMBER;
        label = "DELTA_GROUP_MEMBER:";
        break;
    case 9:
        arm = netlogon_dissect_DELTA_ALIAS;
        label = "DELTA_ALIAS:";
        break;
    case 11:
        arm = netlogon_dissect_DELTA_RENAME;
        label = "DELTA_RENAME_ALIAS:";
        hf = hf_netlogon_alias_name;
        break;
    case 12:
        arm = netlogon_dissect_DELTA_ALIAS_MEMBER;
        label = "DELTA_ALIAS_MEMBER:";
        break;
    case 13:
        arm = netlogon_dissect_DELTA_POLICY;
        label = "DELTA_POLICY:";
        break;
    case 14:
        arm = netlogon_dissect_DELTA_TRUSTED_DOMAINS;
        label = "DELTA_TRUSTED_DOMAINS:";
        break;
    case 16:
        arm = netlogon_dissect_DELTA_ACCOUNTS;
        label = "DELTA_ACCOUNTS:";
        break;
    case 18:
        arm = netlogon_dissect_DELTA_SECRET;
        label = "DELTA_SECRET:";
        break;
    case 20:
        arm = netlogon_dissect_DELTA_DELETE_USER;
        label = "DELTA_DELETE_GROUP:";
        break;
    case 21:
        arm = netlogon_dissect_DELTA_DELETE_USER;
        label = "DELTA_DELETE_USER:";
        break;
    case 22:
        arm = netlogon_dissect_MODIFIED_COUNT;
        label = "MODIFIED_COUNT:";
        break;
    default:
        /* no arm for this level: nothing further is consumed */
        break;
    }

    if (arm != NULL) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, union_tree, di, drep,
                                     arm, NDR_POINTER_UNIQUE,
                                     label, hf);
    }

    proto_item_set_len(union_item, offset - start);
    return offset;
}
/* IDL XXX must verify this one, especially 13-19
 * IDL typedef [switch_type(short)] union {
 * IDL   [case(1)] long rid;
 * IDL   [case(2)] long rid;
 * IDL   [case(3)] long rid;
 * IDL   [case(4)] long rid;
 * IDL   [case(5)] long rid;
 * IDL   [case(6)] long rid;
 * IDL   [case(7)] long rid;
 * IDL   [case(8)] long rid;
 * IDL   [case(9)] long rid;
 * IDL   [case(10)] long rid;
 * IDL   [case(11)] long rid;
 * IDL   [case(12)] long rid;
 * IDL   [case(13)] [unique] SID *sid;
 * IDL   [case(14)] [unique] SID *sid;
 * IDL   [case(15)] [unique] SID *sid;
 * IDL   [case(16)] [unique] SID *sid;
 * IDL   [case(17)] [unique] SID *sid;
 * IDL   [case(18)] [unique][string] wchar_t *Name ;
 * IDL   [case(19)] [unique][string] wchar_t *Name ;
 * IDL   [case(20)] long rid;
 * IDL   [case(21)] long rid;
 * IDL } DELTA_ID_UNION;
 */

/*
 * Dissect a DELTA_ID_UNION inside its own subtree: read the 16-bit switch
 * value, align to 4 bytes, then dissect the identifier the level selects:
 * a RID (levels 1-12, 20, 21), a SID pointer (13-17) or a string pointer
 * (18, 19). Level 1 is shown as a group RID, every other RID level as a user
 * RID. Any other level consumes nothing after the switch value.
 * Returns the offset following the union.
 */
static int
netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
                                packet_info *pinfo, proto_tree *parent_tree,
                                dcerpc_info *di, uint8_t *drep)
{
    const int start = offset;
    proto_item *id_item = NULL;
    proto_tree *id_tree = NULL;
    uint16_t level = 0;

    if (parent_tree != NULL) {
        id_tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                         ett_DELTA_ID_UNION, &id_item, "DELTA_ID_UNION:");
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, id_tree, di, drep,
                                hf_netlogon_delta_type, &level);

    ALIGN_TO_4_BYTES;
    switch (level) {
    case 1:
        offset = dissect_ndr_uint32(tvb, offset, pinfo, id_tree, di, drep,
                                    hf_netlogon_group_rid, NULL);
        break;

    case 2:  case 3:  case 4:  case 5:
    case 6:  case 7:  case 8:  case 9:
    case 10: case 11: case 12:
    case 20: case 21:
        offset = dissect_ndr_uint32(tvb, offset, pinfo, id_tree, di, drep,
                                    hf_netlogon_user_rid, NULL);
        break;

    case 13: case 14: case 15: case 16: case 17:
        offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, id_tree, di, drep);
        break;

    case 18: case 19:
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
                                              id_tree, di, drep, NDR_POINTER_UNIQUE, "unknown",
                                              hf_netlogon_unknown_string, 0);
        break;

    default:
        /* level not covered by the IDL above: nothing further is consumed */
        break;
    }

    proto_item_set_len(id_item, offset - start);
    return offset;
}
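/*
 * IDL typedef struct {
 * IDL   short delta_type;
 * IDL   DELTA_ID_UNION delta_id_union;
 * IDL   DELTA_UNION delta_union;
 * IDL } DELTA_ENUM;
 */

/*
 * Dissect one DELTA_ENUM inside its own subtree: the 16-bit delta type
 * (its name from delta_type_vals is appended to the subtree label, "Unknown"
 * when the value is not in the table), then the DELTA_ID_UNION and the
 * DELTA_UNION. Returns the offset following the structure.
 */
static int
netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *parent_tree,
                            dcerpc_info *di, uint8_t *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    int old_offset = offset;
    /*
     * Initialised like `level` in netlogon_dissect_DELTA_UNION and
     * netlogon_dissect_DELTA_ID_UNION, so val_to_str() below never reads an
     * indeterminate value should the callee return without writing it.
     */
    uint16_t type = 0;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DELTA_ENUM, &item, "DELTA_ENUM:");
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_delta_type, &type);

    proto_item_append_text(item, "%s", val_to_str(
                               type, delta_type_vals, "Unknown"));

    offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
                                             pinfo, tree, di, drep);

    offset = netlogon_dissect_DELTA_UNION(tvb, offset,
                                          pinfo, tree, di, drep);

    proto_item_set_len(item, offset - old_offset);
    return offset;
}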
/*
 * Pointer callback for DELTA_ENUM_ARRAY.delta_enum: passes the array to
 * dissect_ndr_ucarray with netlogon_dissect_DELTA_ENUM as element dissector.
 */
static int
netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DELTA_ENUM);
}
/*
 * IDL typedef struct {
 * IDL   long num_deltas;
 * IDL   [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
 * IDL } DELTA_ENUM_ARRAY;
 */

/*
 * Dissect a DELTA_ENUM_ARRAY: the delta count, then the unique pointer to
 * the array. The count is displayed only (its value is not kept here); the
 * array walk is left to netlogon_dissect_DELTA_ENUM_array.
 * Returns the offset following the pointer.
 */
static int
netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    /* num_deltas */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_deltas, NULL);

    /* delta_enum */
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
                               "DELTA_ENUM: deltas", -1);
}
/*
 * IDL long NetrDatabaseDeltas(
 * IDL   [in][string][ref] wchar_t *logonserver, # REF!!!
 * IDL   [in][string][ref] wchar_t *computername,
 * IDL   [in][ref] AUTHENTICATOR credential,
 * IDL   [in][out][ref] AUTHENTICATOR return_authenticator,
 * IDL   [in] long database_id,
 * IDL   [in][out][ref] MODIFIED_COUNT domain_modify_count,
 * IDL   [in] long preferredmaximumlength,
 * IDL   [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
 * IDL );
 */

/*
 * Dissect the NetrDatabaseDeltas request: the [in] parameters of the IDL
 * above, in order. Returns the offset following the last parameter.
 */
static int
netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* logonserver */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    /* computername */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    /* return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* database_id */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_database_id, NULL);

    /* domain_modify_count */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
                                 "MODIFIED_COUNT: domain modified count", -1);

    /* preferredmaximumlength */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_max_size, NULL);
}
/*
 * Dissect the NetrDatabaseDeltas reply: return authenticator, domain modified
 * count, the unique pointer to the DELTA_ENUM_ARRAY, then the NT status.
 * Returns the offset following the status.
 */
static int
netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* domain_modify_count */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
                                 "MODIFIED_COUNT: domain modified count", -1);

    /* delta_enum_array */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    /* return code */
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * IDL long NetrDatabaseSync(
 * IDL   [in][string][ref] wchar_t *logonserver, # REF!!!
 * IDL   [in][string][ref] wchar_t *computername,
 * IDL   [in][ref] AUTHENTICATOR credential,
 * IDL   [in][out][ref] AUTHENTICATOR return_authenticator,
 * IDL   [in] long database_id,
 * IDL   [in][out][ref] long sync_context,
 * IDL   [in] long preferredmaximumlength,
 * IDL   [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
 * IDL );
 */

/*
 * Dissect the NetrDatabaseSync request: the [in] parameters of the IDL above,
 * in order. Returns the offset following the last parameter.
 */
static int
netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* logonserver */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    /* computername */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    /* return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* database_id */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_database_id, NULL);

    /* sync_context */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    /* preferredmaximumlength */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_max_size, NULL);
}
/*
 * Dissect the NetrDatabaseSync reply: return authenticator, sync context,
 * the unique pointer to the DELTA_ENUM_ARRAY, then the NT status.
 * Returns the offset following the status.
 */
static int
netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* sync_context */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    /* delta_enum_array */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    /* return code */
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * IDL typedef struct {
 * IDL   char computer_name[16];
 * IDL   long timecreated;
 * IDL   long serial_number;
 * IDL } UAS_INFO_0;
 */

/*
 * Dissect a UAS_INFO_0: a fixed 16-byte computer name, a 32-bit creation
 * time (its value is read in the PDU's integer byte order but displayed only
 * as "unknown time format"), and a 32-bit serial number.
 * Returns the offset following the structure, or the offset unchanged on a
 * conformant run.
 */
static int
netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    /* computer_name[16] */
    proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, ENC_ASCII);
    offset += 16;

    /* timecreated */
    const uint32_t time_created = tvb_get_uint32(tvb, offset, DREP_ENC_INTEGER(drep));
    proto_tree_add_uint_format_value(tree, hf_netlogon_time_created, tvb, offset, 4,
                                     time_created, "unknown time format");
    offset += 4;

    /* serial_number */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_serial_number, NULL);
}
/*
 * IDL long NetrAccountDeltas(
 * IDL   [in][string][unique] wchar_t *logonserver,
 * IDL   [in][string][ref] wchar_t *computername,
 * IDL   [in][ref] AUTHENTICATOR credential,
 * IDL   [in][out][ref] AUTHENTICATOR return_authenticator,
 * IDL   [out][ref][size_is(count_returned)] char *Buffer,
 * IDL   [out][ref] long count_returned,
 * IDL   [out][ref] long total_entries,
 * IDL   [in][out][ref] UAS_INFO_0 recordid,
 * IDL   [in][long] count,
 * IDL   [in][long] level,
 * IDL   [in][long] buffersize,
 * IDL );
 */

/*
 * Dissect the NetrAccountDeltas request: server handle, computer name, the
 * two authenticators, the record id, then count, level and buffer size.
 * Returns the offset following the last parameter.
 */
static int
netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* logonserver */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    /* computername */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    /* return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* recordid */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                                 "UAS_INFO_0: RecordID", -1);

    /* count */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);

    /* level */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    /* buffersize */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_max_size, NULL);
}
/*
 * Dissect the NetrAccountDeltas reply: return authenticator, the returned
 * buffer, the returned and total counts, the record id, then the NT status.
 * Returns the offset following the status.
 */
static int
netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* Buffer */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                                 "BYTE_array: Buffer", -1);

    /* count_returned */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);

    /* total_entries */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);

    /* recordid */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                                 "UAS_INFO_0: RecordID", -1);

    /* return code */
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * IDL long NetrAccountSync(
 * IDL   [in][string][unique] wchar_t *logonserver,
 * IDL   [in][string][ref] wchar_t *computername,
 * IDL   [in][ref] AUTHENTICATOR credential,
 * IDL   [in][out][ref] AUTHENTICATOR return_authenticator,
 * IDL   [out][ref][size_is(count_returned)] char *Buffer,
 * IDL   [out][ref] long count_returned,
 * IDL   [out][ref] long total_entries,
 * IDL   [out][ref] long next_reference,
 * IDL   [in][long] reference,
 * IDL   [in][long] level,
 * IDL   [in][long] buffersize,
 * IDL   [in][out][ref] UAS_INFO_0 recordid,
 * IDL );
 */

/*
 * Dissect the NetrAccountSync request: server handle, computer name, the two
 * authenticators, then reference, level and buffer size.
 * Returns the offset following the last field dissected.
 *
 * NOTE(review): the IDL above marks recordid as [in][out], but this request
 * dissector stops after the buffer size and does not dissect it; confirm
 * against a capture.
 */
static int
netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* logonserver */
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    /* computername */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* credential */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    /* return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* reference */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_reference, NULL);

    /* level */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    /* buffersize */
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_max_size, NULL);
}
/*
 * Dissect the NetrAccountSync reply: return authenticator, the returned
 * buffer, the returned and total counts, the next reference, the record id,
 * then the NT status. Returns the offset following the status.
 */
static int
netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* return_authenticator */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* Buffer */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                                 "BYTE_array: Buffer", -1);

    /* count_returned */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);

    /* total_entries */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);

    /* next_reference */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_next_reference, NULL);

    /* recordid */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                                 "UAS_INFO_0: RecordID", -1);

    /* return code */
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * IDL long NetrGetDcName(
 * IDL      [in][ref][string] wchar_t *logon_server,
 * IDL      [in][unique][string] wchar_t *domainname,
 * IDL      [out][unique][string] wchar_t *dcname,
 * IDL };
 */

/*
 * Dissect the NetrGetDcName request: the server handle string (ref pointer)
 * followed by the domain name (unique pointer, so it may be absent).
 *
 * Returns the offset just past the domain name pointer.
 */
static int
netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_domain_name, 0);

    return offset;
}
/*
 * Dissect the NetrGetDcName reply: the returned DC name string (unique
 * pointer) followed by the NTSTATUS return code.
 *
 * NOTE(review): the pointer is labelled "Domain" although it is added under
 * hf_netlogon_dc_name and the IDL out parameter is dcname; confirm the label.
 */
static int
netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_dc_name, 0);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
/*
 * IDL typedef struct {
 * IDL   long flags;
 * IDL   long pdc_connection_status;
 * IDL } NETLOGON_INFO_1;
 */

/*
 * Dissect a NETLOGON_INFO_1 structure: two consecutive 32-bit values
 * (flags, PDC connection status).
 *
 * Returns the offset just past the second value.
 */
static int
netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pdc_connection_status, NULL);

    return offset;
}
/*
 * IDL typedef struct {
 * IDL   long flags;
 * IDL   long pdc_connection_status;
 * IDL   [unique][string] wchar_t trusted_dc_name;
 * IDL   long tc_connection_status;
 * IDL } NETLOGON_INFO_2;
 */

/*
 * Dissect a NETLOGON_INFO_2 structure: flags, PDC connection status, the
 * trusted DC name (unique string pointer) and the trusted-connection status.
 *
 * Returns the offset just past the last field.
 */
static int
netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_pdc_connection_status, NULL);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Trusted DC Name",
                                          hf_netlogon_trusted_dc_name, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_tc_connection_status, NULL);

    return offset;
}
/*
 * IDL typedef struct {
 * IDL   long flags;
 * IDL   long logon_attempts;
 * IDL   long reserved;
 * IDL   long reserved;
 * IDL   long reserved;
 * IDL   long reserved;
 * IDL   long reserved;
 * IDL } NETLOGON_INFO_3;
 */

/*
 * Dissect a NETLOGON_INFO_3 structure: flags, logon attempts, then five
 * reserved 32-bit values.
 *
 * Returns the offset just past the last reserved value.
 */
static int
netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_logon_attempts, NULL);

    /* The five reserved fields are all shown under the same header field. */
    for (int i = 0; i < 5; i++) {
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_reserved, NULL);
    }

    return offset;
}
/*
 * IDL typedef [switch_type(long)] union {
 * IDL   [case(1)] [unique] NETLOGON_INFO_1 *i1;
 * IDL   [case(2)] [unique] NETLOGON_INFO_2 *i2;
 * IDL   [case(3)] [unique] NETLOGON_INFO_3 *i3;
 * IDL } CONTROL_QUERY_INFORMATION;
 */

/*
 * Dissect a CONTROL_QUERY_INFORMATION union.
 *
 * The 32-bit discriminant is read from the packet and selects which
 * NETLOGON_INFO_n dissector is attached to the following unique pointer.
 * The discriminant is whatever the sender put on the wire: any value other
 * than 1, 2 or 3 leaves the union arm undissected.
 *
 * Returns the offset after the discriminant and, when recognised, the arm.
 */
static int
netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    uint32_t level = 0;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, &level);

    ALIGN_TO_4_BYTES;
    switch (level) {
    case 1:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
                                     "NETLOGON_INFO_1:", -1);
        break;
    case 2:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
                                     "NETLOGON_INFO_2:", -1);
        break;
    case 3:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
                                     "NETLOGON_INFO_3:", -1);
        break;
    default:
        /* Unrecognised level: nothing further is dissected. */
        break;
    }

    return offset;
}
/*
 * IDL long NetrLogonControl(
 * IDL      [in][string][unique] wchar_t *logonserver,
 * IDL      [in] long function_code,
 * IDL      [in] long level,
 * IDL      [out][ref] CONTROL_QUERY_INFORMATION
 * IDL );
 */

/*
 * Dissect the NetrLogonControl request: logon server handle, function code
 * and query level.
 *
 * Returns the offset just past the level.
 */
static int
netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    return offset;
}
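/*
 * Dissect the NetrLogonControl reply: the CONTROL_QUERY_INFORMATION union
 * (ref pointer) followed by a 32-bit WERR return code.
 *
 * A non-zero return code is appended to the Info column, resolved through
 * WERR_errors_ext. This function is also reused by the NetrLogonControl2 and
 * NetrLogonControl2Ex reply dissectors.
 *
 * Returns the offset just past the return code.
 */
static int
netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /*
     * Initialised like `level` in the union dissectors of this file, so the
     * check below never reads an indeterminate value should the callee
     * return without storing a result.
     */
    uint32_t status = 0;

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
                                 "CONTROL_QUERY_INFORMATION:", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_werr_rc, &status);

    if (status != 0) {
        col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s",
                        val_to_str_ext(status, &WERR_errors_ext, "Unknown WERR error 0x%08x"));
    }

    return offset;
}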
/*
 * IDL long NetrGetAnyDCName(
 * IDL      [in][unique][string] wchar_t *logon_server,
 * IDL      [in][unique][string] wchar_t *domainname,
 * IDL      [out][unique][string] wchar_t *dcname,
 * IDL };
 */

/*
 * Dissect the NetrGetAnyDCName request: server handle string and domain
 * name, both unique pointers (either may be absent).
 *
 * Returns the offset just past the domain name pointer.
 */
static int
netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_domain_name, 0);

    return offset;
}
/*
 * Dissect the NetrGetAnyDCName reply: the returned DC name string (unique
 * pointer) followed by the return code.
 *
 * NOTE(review): the return code is decoded with dissect_ntstatus but stored
 * under hf_netlogon_dos_rc, whereas netrgetdcname_reply uses hf_netlogon_rc;
 * confirm which status encoding is intended. The "Domain" label on the
 * hf_netlogon_dc_name pointer also looks inherited from the request.
 */
static int
netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_dc_name, 0);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_dos_rc, NULL);

    return offset;
}
/*
 * IDL typedef [switch_type(long)] union {
 * IDL   [case(5)] [unique][string] wchar_t *unknown;
 * IDL   [case(6)] [unique][string] wchar_t *unknown;
 * IDL   [case(0xfffe)] long unknown;
 * IDL   [case(7)] [unique][string] wchar_t *unknown;
 * IDL } CONTROL_DATA_INFORMATION;
 */
/* XXX
 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
 * to look like. However NetMon does not recognize any such informationlevels.
 *
 * I'll leave it as CONTROL_DATA_INFORMATION with no informationlevels
 * until someone has any source of better authority to call upon.
 */

/*
 * Dissect a CONTROL_DATA_INFORMATION union.
 *
 * The 32-bit discriminant is read from the packet. Levels 5 and 6 carry a
 * trusted domain name string, 0xfffe a 32-bit value and 8 a user name
 * string; any other level leaves the arm undissected.
 *
 * NOTE(review): the IDL comment lists case(7) for the last string arm while
 * the code handles level 8; confirm which one is authoritative.
 *
 * Returns the offset after the discriminant and, when recognised, the arm.
 */
static int
netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    uint32_t level = 0;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, &level);

    ALIGN_TO_4_BYTES;
    switch (level) {
    case 5:
    case 6:
        /* Both levels are dissected identically. */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
                                              tree, di, drep, NDR_POINTER_UNIQUE,
                                              "Trusted Domain Name",
                                              hf_netlogon_TrustedDomainName_string, 0);
        break;
    case 0xfffe:
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                    hf_netlogon_unknown_long, NULL);
        break;
    case 8:
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
                                              tree, di, drep, NDR_POINTER_UNIQUE,
                                              "UserName",
                                              hf_netlogon_UserName_string, 0);
        break;
    default:
        /* Unrecognised level: nothing further is dissected. */
        break;
    }

    return offset;
}
/*
 * IDL long NetrLogonControl2(
 * IDL      [in][string][unique] wchar_t *logonserver,
 * IDL      [in] long function_code,
 * IDL      [in] long level,
 * IDL      [in][ref] CONTROL_DATA_INFORMATION *data,
 * IDL      [out][ref] CONTROL_QUERY_INFORMATION *query
 * IDL );
 */

/*
 * Dissect the NetrLogonControl2 request: logon server handle, function
 * code, level and the CONTROL_DATA_INFORMATION union (ref pointer).
 *
 * Returns the offset just past the union pointer.
 */
static int
netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
                                 "CONTROL_DATA_INFORMATION: ", -1);

    return offset;
}
/*
 * Dissect the NetrLogonControl2 reply by delegating to the NetrLogonControl
 * reply dissector, which handles the whole stub.
 */
static int
netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    const int end_offset =
        netlogon_dissect_netrlogoncontrol_reply(tvb, offset, pinfo, tree, di, drep);

    return end_offset;
}
/*
 * IDL long NetrDatabaseSync2(
 * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
 * IDL      [in][string][ref] wchar_t *computername,
 * IDL      [in][ref] AUTHENTICATOR credential,
 * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
 * IDL      [in] long database_id,
 * IDL      [in] short restart_state,
 * IDL      [in][out][ref] long *sync_context,
 * IDL      [in] long preferredmaximumlength,
 * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
 * IDL );
 */

/*
 * Dissect the NetrDatabaseSync2 request.
 *
 * Wire order: server handle and computer name (both ref string pointers),
 * the credential and return_authenticator AUTHENTICATORs, database id
 * (32 bit), restart state (16 bit), sync context (32 bit) and max size
 * (32 bit).
 *
 * Returns the offset just past the max size value.
 */
static int
netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_database_id, NULL);

    /* restart_state is the only 16-bit field in this stub. */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_restart_state, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_size, NULL);

    return offset;
}
/*
 * Dissect the NetrDatabaseSync2 reply: return_authenticator, sync context,
 * the DELTA_ENUM_ARRAY (unique pointer, may be absent) and the NTSTATUS
 * return code.
 *
 * Returns the offset just past the status code.
 */
static int
netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_sync_context, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
/*
 * IDL long NetrDatabaseRedo(
 * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
 * IDL      [in][string][ref] wchar_t *computername,
 * IDL      [in][ref] AUTHENTICATOR credential,
 * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
 * IDL      [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
 * IDL      [in] long change_log_entry_size,
 * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
 * IDL );
 */

/*
 * Dissect the NetrDatabaseRedo request.
 *
 * Wire order: server handle and computer name (both ref string pointers),
 * the credential and return_authenticator AUTHENTICATORs, the change log
 * entry as a byte array and a 32-bit size shown as hf_netlogon_max_log_size.
 *
 * Returns the offset just past the size value.
 */
static int
netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                                 "Change log entry: ", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_max_log_size, NULL);

    return offset;
}
/*
 * Dissect the NetrDatabaseRedo reply: return_authenticator, the
 * DELTA_ENUM_ARRAY (unique pointer, may be absent) and the NTSTATUS
 * return code.
 *
 * Returns the offset just past the status code.
 */
static int
netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                                 "DELTA_ENUM_ARRAY: deltas", -1);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    return offset;
}
/*
 * IDL long NetrLogonControl2Ex(
 * IDL      [in][string][unique] wchar_t *logonserver,
 * IDL      [in] long function_code,
 * IDL      [in] long level,
 * IDL      [in][ref] CONTROL_DATA_INFORMATION *data,
 * IDL      [out][ref] CONTROL_QUERY_INFORMATION *query
 * IDL );
 */

/*
 * Dissect the NetrLogonControl2Ex request: logon server handle, function
 * code, level and the CONTROL_DATA_INFORMATION union (ref pointer). The
 * field sequence is the same as in the NetrLogonControl2 request dissector.
 *
 * Returns the offset just past the union pointer.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
                                 "CONTROL_DATA_INFORMATION: ", -1);

    return offset;
}
/*
 * Dissect the NetrLogonControl2Ex reply by delegating to the
 * NetrLogonControl reply dissector, which handles the whole stub.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    const int end_offset =
        netlogon_dissect_netrlogoncontrol_reply(tvb, offset, pinfo, tree, di, drep);

    return end_offset;
}
/* Value-to-name table for trust types; terminated by the { 0, NULL } entry. */
static const value_string trust_type_vals[] = {
    { 1, "NT4 Domain" },
    { 2, "AD Domain" },
    { 3, "MIT Kerberos realm" },
    { 4, "DCE realm" },
    { 0, NULL }
};

#define DS_INET_ADDRESS     1
#define DS_NETBIOS_ADDRESS  2

/* Value-to-name table for the DC address type field. */
static const value_string dc_address_types[] = {
    { DS_INET_ADDRESS,    "IP/DNS name" },
    { DS_NETBIOS_ADDRESS, "NetBIOS name" },
    { 0, NULL}
};

/* Single-bit masks. */
#define RQ_ROOT_FOREST      0x0001
#define RQ_DC_XFOREST       0x0002
#define RQ_RODC_DIF_DOMAIN  0x0004
#define RQ_NTLM_FROM_RODC   0x0008

/* Single-bit masks for the domain trust flags. */
#define DS_DOMAIN_IN_FOREST         0x0001
#define DS_DOMAIN_DIRECT_OUTBOUND   0x0002
#define DS_DOMAIN_TREE_ROOT         0x0004
#define DS_DOMAIN_PRIMARY           0x0008
#define DS_DOMAIN_NATIVE_MODE       0x0010
#define DS_DOMAIN_DIRECT_INBOUND    0x0020

/* Set/clear display strings for the trust flag bits, one pair per bit. */
static const true_false_string trust_inbound = {
    "There is a DIRECT INBOUND trust for the servers domain",
    "There is NO direct inbound trust for the servers domain"
};
static const true_false_string trust_outbound = {
    "There is a DIRECT OUTBOUND trust for this domain",
    "There is NO direct outbound trust for this domain"
};
static const true_false_string trust_in_forest = {
    "The domain is a member IN the same FOREST as the queried server",
    "The domain is NOT a member of the queried servers domain"
};
static const true_false_string trust_native_mode = {
    "The primary domain is a NATIVE MODE w2k domain",
    "The primary is NOT a native mode w2k domain"
};
static const true_false_string trust_primary = {
    "The domain is the PRIMARY domain of the queried server",
    "The domain is NOT the primary domain of the queried server"
};
static const true_false_string trust_tree_root = {
    "The domain is the ROOT of a domain TREE",
    "The domain is NOT a root of a domain tree"
};
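/*
 * Dissect the 32-bit domain trust flags and show them as a bitmask subtree
 * under parent_tree.
 *
 * During a conformant run nothing is consumed and offset is returned
 * unchanged. Otherwise the value is read without adding an item (NULL tree,
 * hf index -1) and the bitmask item is added over the four bytes just read.
 *
 * Returns the offset just past the flags value.
 */
static int
netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    /* Initialised so the bitmask call never sees an indeterminate value,
     * matching how `level` is initialised in the union dissectors. */
    uint32_t mask = 0;
    static int * const flags[] = {
        &hf_netlogon_trust_flags_inbound,
        &hf_netlogon_trust_flags_native_mode,
        &hf_netlogon_trust_flags_primary,
        &hf_netlogon_trust_flags_tree_root,
        &hf_netlogon_trust_flags_outbound,
        &hf_netlogon_trust_flags_in_forest,
        NULL
    };

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                -1, &mask);

    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                            hf_netlogon_trust_flags, ett_trust_flags,
                                            flags, mask, BMT_NO_APPEND);
    return offset;
}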
/* Set/clear display strings for the trust attribute bits, one pair per bit. */
static const true_false_string trust_attribs_non_transitive = {
    "This is a NON TRANSITIVE trust relation",
    "This is a normal trust"
};
static const true_false_string trust_attribs_uplevel_only = {
    "This is an UPLEVEL ONLY trust relation",
    "This is a normal trust"
};
static const true_false_string trust_attribs_quarantined_domain = {
    "This is a QUARANTINED DOMAIN (so don't expect lookupsids to work)",
    "This is a normal trust"
};
static const true_false_string trust_attribs_forest_transitive = {
    "This is a FOREST TRANSITIVE trust",
    "This is a normal trust"
};
static const true_false_string trust_attribs_cross_organization = {
    "This is a CROSS ORGANIZATION trust",
    "This is a normal trust"
};
static const true_false_string trust_attribs_within_forest = {
    "This is a WITHIN FOREST trust",
    "This is a normal trust"
};
static const true_false_string trust_attribs_treat_as_external = {
    "TREAT this trust AS an EXTERNAL trust",
    "This is a normal trust"
};
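/*
 * Dissect the 32-bit domain trust attributes and show them as a bitmask
 * subtree under parent_tree.
 *
 * During a conformant run nothing is consumed and offset is returned
 * unchanged. Otherwise the value is read without adding an item (NULL tree,
 * hf index -1) and the bitmask item is added over the four bytes just read.
 *
 * Returns the offset just past the attributes value.
 */
static int
netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    /* Initialised so the bitmask call never sees an indeterminate value,
     * matching how `level` is initialised in the union dissectors. */
    uint32_t mask = 0;
    static int * const attr[] = {
        &hf_netlogon_trust_attribs_treat_as_external,
        &hf_netlogon_trust_attribs_within_forest,
        &hf_netlogon_trust_attribs_cross_organization,
        &hf_netlogon_trust_attribs_forest_transitive,
        &hf_netlogon_trust_attribs_quarantined_domain,
        &hf_netlogon_trust_attribs_uplevel_only,
        &hf_netlogon_trust_attribs_non_transitive,
        NULL
    };

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
                                -1, &mask);

    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                            hf_netlogon_trust_attribs, ett_trust_attribs,
                                            attr, mask, BMT_NO_APPEND);
    return offset;
}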
/* Single-bit masks for the get-DC-name request flags. */
#define DS_FORCE_REDISCOVERY            0x00000001
#define DS_DIRECTORY_SERVICE_REQUIRED   0x00000010
#define DS_DIRECTORY_SERVICE_PREFERRED  0x00000020
#define DS_GC_SERVER_REQUIRED           0x00000040
#define DS_PDC_REQUIRED                 0x00000080
#define DS_BACKGROUND_ONLY              0x00000100
#define DS_IP_REQUIRED                  0x00000200
#define DS_KDC_REQUIRED                 0x00000400
#define DS_TIMESERV_REQUIRED            0x00000800
#define DS_WRITABLE_REQUIRED            0x00001000
#define DS_GOOD_TIMESERV_PREFERRED      0x00002000
#define DS_AVOID_SELF                   0x00004000
#define DS_ONLY_LDAP_NEEDED             0x00008000
#define DS_IS_FLAT_NAME                 0x00010000
#define DS_IS_DNS_NAME                  0x00020000
#define DS_RETURN_DNS_NAME              0x40000000
#define DS_RETURN_FLAT_NAME             0x80000000

/* Set/clear display strings for the request flag bits, one pair per bit. */
static const true_false_string get_dcname_request_flags_force_rediscovery = {
    "FORCE REDISCOVERY of any cached data",
    "You may return cached data"
};
static const true_false_string get_dcname_request_flags_directory_service_required = {
    "DIRECTORY SERVICE is REQUIRED on the server",
    "We do NOT require directory service servers"
};
static const true_false_string get_dcname_request_flags_directory_service_preferred = {
    "DIRECTORY SERVICE servers are PREFERRED",
    "We do NOT have a preference for directory service servers"
};
static const true_false_string get_dcname_request_flags_gc_server_required = {
    "GC SERVER is REQUIRED",
    "gc server is NOT required"
};
static const true_false_string get_dcname_request_flags_pdc_required = {
    "PDC SERVER is REQUIRED",
    "pdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_background_only = {
    "Only return cached data, even if it has expired",
    "Return cached data unless it has expired"
};
static const true_false_string get_dcname_request_flags_ip_required = {
    "IP address is REQUIRED",
    "ip address is NOT required"
};
static const true_false_string get_dcname_request_flags_kdc_required = {
    "KDC server is REQUIRED",
    "kdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_timeserv_required = {
    "TIMESERV service is REQUIRED",
    "timeserv service is NOT required"
};
static const true_false_string get_dcname_request_flags_writable_required = {
    "the returned dc MUST be WRITEABLE",
    "a read-only dc may be returned"
};
static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
    "GOOD TIMESERV servers are PREFERRED",
    "we do NOT have a preference for good timeserv servers"
};
static const true_false_string get_dcname_request_flags_avoid_self = {
    "do NOT return self as dc; return someone else",
    "you may return yourSELF as the dc"
};
static const true_false_string get_dcname_request_flags_only_ldap_needed = {
    "we ONLY NEED LDAP; you don't have to return a dc",
    "we need a normal dc; an ldap only server will not do"
};
static const true_false_string get_dcname_request_flags_is_flat_name = {
    "the name we specify is a NetBIOS name",
    "the name we specify is NOT a NetBIOS name"
};
static const true_false_string get_dcname_request_flags_is_dns_name = {
    "the name we specify is a DNS name",
    "the name we specify is NOT a dns name"
};
static const true_false_string get_dcname_request_flags_return_dns_name = {
    "return a DNS name",
    "you may return a NON-dns name"
};
static const true_false_string get_dcname_request_flags_return_flat_name = {
    "return a NetBIOS name",
    "you may return a NON-NetBIOS name"
};
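/*
 * Dissect the 32-bit get-DC-name request flags and show them as a bitmask
 * subtree under parent_tree.
 *
 * During a conformant run nothing is consumed and offset is returned
 * unchanged. Otherwise the value is read without adding an item (NULL tree,
 * hf index -1) and the bitmask item is added over the four bytes just read.
 *
 * Returns the offset just past the flags value.
 */
static int
netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    /* Initialised so the bitmask call never sees an indeterminate value,
     * matching how `level` is initialised in the union dissectors. */
    uint32_t mask = 0;
    static int * const flags[] = {
        &hf_netlogon_get_dcname_request_flags_return_flat_name,
        &hf_netlogon_get_dcname_request_flags_return_dns_name,
        &hf_netlogon_get_dcname_request_flags_is_flat_name,
        &hf_netlogon_get_dcname_request_flags_is_dns_name,
        &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
        &hf_netlogon_get_dcname_request_flags_avoid_self,
        &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
        &hf_netlogon_get_dcname_request_flags_writable_required,
        &hf_netlogon_get_dcname_request_flags_timeserv_required,
        &hf_netlogon_get_dcname_request_flags_kdc_required,
        &hf_netlogon_get_dcname_request_flags_ip_required,
        &hf_netlogon_get_dcname_request_flags_background_only,
        &hf_netlogon_get_dcname_request_flags_pdc_required,
        &hf_netlogon_get_dcname_request_flags_gc_server_required,
        &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
        &hf_netlogon_get_dcname_request_flags_directory_service_required,
        &hf_netlogon_get_dcname_request_flags_force_rediscovery,
        NULL
    };

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep, -1, &mask);

    proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                            hf_netlogon_get_dcname_request_flags,
                                            ett_get_dcname_request_flags,
                                            flags, mask, BMT_NO_APPEND);
    return offset;
}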
/* Single-bit masks for the DC flags. */
#define DS_PDC_FLAG             0x00000001
#define DS_GC_FLAG              0x00000004
#define DS_LDAP_FLAG            0x00000008
#define DS_DS_FLAG              0x00000010
#define DS_KDC_FLAG             0x00000020
#define DS_TIMESERV_FLAG        0x00000040
#define DS_CLOSEST_FLAG         0x00000080
#define DS_WRITABLE_FLAG        0x00000100
#define DS_GOOD_TIMESERV_FLAG   0x00000200
#define DS_NDNC_FLAG            0x00000400
#define DS_DNS_CONTROLLER_FLAG  0x20000000
#define DS_DNS_DOMAIN_FLAG      0x40000000
#define DS_DNS_FOREST_FLAG      0x80000000

/* Set/clear display strings for the DC flag bits, one pair per bit. */
static const true_false_string dc_flags_pdc_flag = {
    "this is the PDC of the domain",
    "this is NOT the pdc of the domain"
};
static const true_false_string dc_flags_gc_flag = {
    "this is the GC of the forest",
    "this is NOT the gc of the forest"
};
static const true_false_string dc_flags_ldap_flag = {
    "this is an LDAP server",
    "this is NOT an ldap server"
};
static const true_false_string dc_flags_ds_flag = {
    "this is a DS server",
    "this is NOT a ds server"
};
static const true_false_string dc_flags_kdc_flag = {
    "this is a KDC server",
    "this is NOT a kdc server"
};
static const true_false_string dc_flags_timeserv_flag = {
    "this is a TIMESERV server",
    "this is NOT a timeserv server"
};
static const true_false_string dc_flags_closest_flag = {
    "this is the CLOSEST server",
    "this is NOT the closest server"
};
static const true_false_string dc_flags_writable_flag = {
    "this server has a WRITABLE ds database",
    "this server has a READ-ONLY ds database"
};
static const true_false_string dc_flags_good_timeserv_flag = {
    "this server is a GOOD TIMESERV server",
    "this is NOT a good timeserv server"
};
static const true_false_string dc_flags_ndnc_flag = {
    "NDNC is set",
    "ndnc is NOT set"
};
static const true_false_string dc_flags_dns_controller_flag = {
    "DomainControllerName is a DNS name",
    "DomainControllerName is NOT a dns name"
};
static const true_false_string dc_flags_dns_domain_flag = {
    "DomainName is a DNS name",
    "DomainName is NOT a dns name"
};
static const true_false_string dc_flags_dns_forest_flag = {
    "DnsForestName is a DNS name",
    "DnsForestName is NOT a dns name"
};
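/*
 * Dissect the 32-bit DC flags and show them as a bitmask subtree under
 * parent_tree.
 *
 * During a conformant run nothing is consumed and offset is returned
 * unchanged. Otherwise the value is read without adding an item (NULL tree,
 * hf index -1) and the bitmask item is added over the four bytes just read.
 * The exact value 0x0000ffff is additionally annotated as " PING".
 *
 * Returns the offset just past the flags value.
 */
static int
netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    /* Initialised so neither the bitmask call nor the comparison below can
     * see an indeterminate value, matching how `level` is initialised in
     * the union dissectors. */
    uint32_t mask = 0;
    proto_item *item;
    static int * const flags[] = {
        &hf_netlogon_dc_flags_dns_forest_flag,
        &hf_netlogon_dc_flags_dns_domain_flag,
        &hf_netlogon_dc_flags_dns_controller_flag,
        &hf_netlogon_dc_flags_ndnc_flag,
        &hf_netlogon_dc_flags_good_timeserv_flag,
        &hf_netlogon_dc_flags_writable_flag,
        &hf_netlogon_dc_flags_closest_flag,
        &hf_netlogon_dc_flags_timeserv_flag,
        &hf_netlogon_dc_flags_kdc_flag,
        &hf_netlogon_dc_flags_ds_flag,
        &hf_netlogon_dc_flags_ldap_flag,
        &hf_netlogon_dc_flags_gc_flag,
        &hf_netlogon_dc_flags_pdc_flag,
        NULL
    };

    if (di->conformant_run) {
        /* just a run to handle conformant arrays, nothing to dissect */
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep, -1, &mask);

    item = proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset - 4,
                                                   hf_netlogon_dc_flags, ett_dc_flags,
                                                   flags, mask, BMT_NO_APPEND);
    if (mask == 0x0000ffff) {
        proto_item_append_text(item, " PING (mask==0x0000ffff)");
    }

    return offset;
}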
/*
 * Pointer callback that dissects a single 32-bit value. The header field
 * is not fixed: it is taken from di->hf_index.
 *
 * Returns the offset just past the value.
 */
static int
netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              di->hf_index, NULL);
}
#if 0
/*
 * Compiled out. Pointer callback that would dissect a single 8-bit value
 * under the header field given by di->hf_index.
 */
static int
netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             di->hf_index, NULL);
}
#endif
/*
 * Per-element callback for the UNICODE_MULTI array: dissects one byte as
 * hf_netlogon_unknown_char.
 *
 * Returns the offset just past the byte.
 */
static int
netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect the conformant array behind the UNICODE_MULTI pointer, handing
 * each element to netlogon_dissect_UNICODE_MULTI_byte.
 *
 * Returns the offset just past the array.
 */
static int
netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_UNICODE_MULTI_byte);
}
/*
 * Dissect a UNICODE_MULTI structure: a 32-bit length followed by a unique
 * pointer to a byte array.
 *
 * When parent_tree is non-NULL the fields are grouped under a
 * "UNICODE_MULTI:" subtree whose length is set once the end offset is known.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree,
    dcerpc_info *di, uint8_t *drep)
{
    const int start = offset;
    proto_item *item = NULL;
    proto_tree *tree = NULL;

    if (parent_tree) {
        /* Length 0 for now; corrected below once the end offset is known. */
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_UNICODE_MULTI, &item, "UNICODE_MULTI:");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_len, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
                                 "unknown", hf_netlogon_unknown_string);

    proto_item_set_len(item, offset - start);
    return offset;
}
/*
 * Dissect a DOMAIN_CONTROLLER_INFO structure.
 *
 * Wire order: DC name, DC address, address type (32 bit), a GUID, logon
 * domain, DNS forest, the DC flags bitmask, DC site and client site. All
 * strings are unique pointers, so any of them may be absent.
 *
 * When parent_tree is non-NULL the fields are grouped under a
 * "DOMAIN_CONTROLLER_INFO:" subtree whose length is set once the end offset
 * is known.
 *
 * Returns the offset just past the structure.
 */
static int
netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *parent_tree,
    dcerpc_info *di, uint8_t *drep)
{
    const int start = offset;
    proto_item *item = NULL;
    proto_tree *tree = NULL;

    if (parent_tree) {
        /* Length 0 for now; corrected below once the end offset is known. */
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DOMAIN_CONTROLLER_INFO, &item,
                                      "DOMAIN_CONTROLLER_INFO:");
    }

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DC Name",
                                          hf_netlogon_dc_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DC Address",
                                          hf_netlogon_dc_address, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dc_address_type, NULL);

    offset = dissect_nt_GUID(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Logon Domain",
                                          hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DNS Forest",
                                          hf_netlogon_dns_forest_name, 0);

    offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DC Site",
                                          hf_netlogon_dc_site_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Client Site",
                                          hf_netlogon_client_site_name, 0);

    proto_item_set_len(item, offset - start);
    return offset;
}
/*
 * Pointer callback for the trust-extension buffer.
 *
 * Reads the max / offset / length header (each a uint3264) and, only when
 * max * 2 equals 16, decodes the body as trust flags, parent index, trust
 * type and trust attributes. Any other size is skipped without a
 * diagnostic. Nothing is dissected during the conformant run.
 */
static int
dissect_ndr_trust_extension(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    uint64_t max_count, actual_len;

    if (di->conformant_run)
        return offset;

    offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
                                  hf_netlogon_trust_max, &max_count);
    offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
                                  hf_netlogon_trust_offset, NULL);
    offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
                                  hf_netlogon_trust_len, &actual_len);

    /* else do something scream shout .... */
    if (max_count * 2 != 16)
        return offset;

    offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_trust_parent_index, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_trust_type, NULL);
    offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);

    return offset;
}
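/*
 * Pointer callback for a length-prefixed opaque blob: a 32-bit size
 * (hf_netlogon_blob_size) followed by that many bytes, shown as
 * hf_netlogon_blob.
 *
 * Nothing is dissected during the conformant run. Returns the offset
 * just past the blob.
 */
static int
netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
                            packet_info *pinfo, proto_tree *tree,
                            dcerpc_info *di, uint8_t *drep)
{
    uint32_t len;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_blob_size, &len);

    /*
     * len comes straight from the packet and is about to be added to a
     * signed offset. Check that the blob is really present first, so that
     * a size that does not fit (including one that turns negative when
     * converted to int) ends in a bounds exception rather than moving
     * offset backwards.
     */
    tvb_ensure_bytes_exist(tvb, offset, len);

    proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
                        ENC_NA);
    offset += len;

    return offset;
}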
/*
 * Dissect a structure laid out like a counted string whose buffer is in
 * fact decoded by dissect_ndr_trust_extension:
 *
 *   struct {
 *       short len;
 *       short size;
 *       [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
 *   } UNICODE_STRING;
 *
 * A subtree named after hf_index is created for the fields. Only the
 * alignment and the subtree creation happen during the conformant run.
 */
static int
dissect_ndr_ulongs_as_counted_string(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep, int hf_index)
{
    uint16_t cs_len, cs_size;
    bool add_subtree = true; /* Manage room for evolution*/
    proto_item *ti;
    proto_tree *subtree = tree;

    if (add_subtree) {
        subtree = proto_tree_add_subtree(
            tree, tvb, offset, 0, ett_nt_counted_longs_as_string, &ti,
            proto_registrar_get_name(hf_index));
    }

    /* Structure starts with short, but is aligned for longs */
    ALIGN_TO_4_BYTES;

    if (di->conformant_run) {
        return offset;
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
                                hf_nt_cs_len, &cs_len);
    offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
                                hf_nt_cs_size, &cs_size);

    return dissect_ndr_pointer_cb(tvb, offset, pinfo, subtree, di, drep,
                                  dissect_ndr_trust_extension, NDR_POINTER_UNIQUE,
                                  "Buffer", hf_index, NULL, NULL);
}
/*
 * Pointer callback: dissects the referent as a dom_sid2 via the LSA
 * dissector, using hf_domain_info_sid. Returns the advanced offset.
 */
static int
DomainInfo_sid_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return lsarpc_dissect_struct_dom_sid2(tvb, offset, pinfo, tree, di, drep,
                                          hf_domain_info_sid, 0);
}
/*
 * Dissect the "sid" member of DnsDomainInfo: an embedded unique pointer
 * whose referent is handled by DomainInfo_sid_.
 */
static int
dissect_element_lsa_DnsDomainInfo_sid(tvbuff_t *tvb , int offset , packet_info *pinfo , proto_tree *tree , dcerpc_info *di, uint8_t *drep )
{
    return dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep,
                                        DomainInfo_sid_, NDR_POINTER_UNIQUE,
                                        "Pointer to Sid (dom_sid2)",
                                        hf_dns_domain_info_sid);
}
/*
 * Dissect the "domain_guid" member of DnsDomainInfo as a UUID shown
 * under hf_dns_domain_info_domain_guid.
 */
static int
dissect_element_lsa_DnsDomainInfo_domain_guid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep )
{
    return dissect_ndr_uuid_t(tvb, offset, pinfo, tree, di, drep,
                              hf_dns_domain_info_domain_guid, NULL);
}
/*
 * Dissect the DnsDomainInfo portion of a domain-info structure directly
 * into the given tree: three lsa_StringLarge members (name, DNS domain,
 * DNS forest), then the domain GUID and the SID pointer.
 *
 * hf_index and param are accepted for signature compatibility and unused.
 */
static int dissect_part_DnsDomainInfo(tvbuff_t *tvb , int offset, packet_info *pinfo, proto_tree *tree , dcerpc_info *di, uint8_t *drep, int hf_index _U_, uint32_t param _U_)
{
    /* String members. */
    offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep,
                                                   hf_dns_domain_info_name, 0);
    offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep,
                                                   hf_dns_domain_info_dns_domain, 0);
    offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep,
                                                   hf_dns_domain_info_dns_forest, 0);

    /* Identifiers. */
    offset = dissect_element_lsa_DnsDomainInfo_domain_guid(tvb, offset, pinfo, tree, di, drep);

    return dissect_element_lsa_DnsDomainInfo_sid(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Dissect one ONE_DOMAIN_INFO entry into its own subtree: the
 * DnsDomainInfo part, the trust extension, three dummy counted strings
 * and four dummy 32-bit values.
 *
 * Returns the advanced offset; the subtree length is fixed up at the end.
 */
static int
netlogon_dissect_ONE_DOMAIN_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *parent_tree,
                                 dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *ti = NULL;
    proto_tree *tree = NULL;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DOMAIN_TRUST_INFO, &ti, "ONE_DOMAIN_INFO");
    }

    /*hf_netlogon_dnsdomaininfo*/
    offset = dissect_part_DnsDomainInfo(tvb, offset, pinfo, tree, di, drep, 0, 0);

    /* It is structured as a string but it's not ... it's 4 ulong */
    offset = dissect_ndr_ulongs_as_counted_string(tvb, offset, pinfo, tree, di, drep,
                                                  hf_netlogon_trust_extension);

    /* Dummy strings. */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string2, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string3, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string4, 0);

    /* Dummy longs. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy1_long, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy2_long, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy3_long, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy4_long, NULL);

    proto_item_set_len(ti, offset - start_offset);
    return offset;
}
/*
 * Pointer callback for the trusted-domain array: each element is
 * dissected by netlogon_dissect_ONE_DOMAIN_INFO.
 */
static int
netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_ONE_DOMAIN_INFO);
}
/*
 * Dissect an LSA policy blob descriptor into an "LSA Policy" subtree:
 * a 32-bit length (hf_netlogon_lsapolicy_len) followed by a unique
 * pointer whose referent is handled by netlogon_dissect_BLOB_array.
 *
 * Nothing is dissected during the conformant run.
 */
static int
netlogon_dissect_LSA_POLICY_INFO(tvbuff_t *tvb, int offset,
                                 packet_info *pinfo, proto_tree *tree,
                                 dcerpc_info *di, uint8_t *drep )
{
    proto_item *ti = NULL;
    proto_tree *policy_tree = NULL;
    uint32_t policy_len;

    if (di->conformant_run)
        return offset;

    if (tree) {
        policy_tree = proto_tree_add_subtree(tree, tvb, offset, 0,
                                             ett_LSA_POLICY_INFO, &ti, "LSA Policy");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, policy_tree, di, drep,
                                hf_netlogon_lsapolicy_len, &policy_len);

    return dissect_ndr_pointer(tvb, offset, pinfo, policy_tree, di, drep,
                               netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
                               "Pointer:", -1);
}
/*
 * Pointer callback for WORKSTATION_INFO. Fields, in wire order: LSA
 * policy, workstation FQDN and site, four dummy string pointers, OS
 * version and OS name as counted strings, two dummy counted strings,
 * workstation flags, supported encryption types and two dummy longs.
 */
static int
netlogon_dissect_WORKSTATION_INFO(tvbuff_t *tvb , int offset ,
                                  packet_info *pinfo , proto_tree *tree ,
                                  dcerpc_info *di, uint8_t *drep )
{
    /* This is not the good way to do it ... it stinks ...
     * but after half of a day fighting against wireshark and ndr ...
     * I decided to keep this hack ...
     * At least data are correctly displayed without invented ints ...
     */
    offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset,
                                              pinfo, tree, di, drep);

    /* String pointers. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Workstation FQDN",
                                          hf_netlogon_workstation_fqdn, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Workstation Site",
                                          hf_netlogon_workstation_site_name, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 1",
                                          hf_netlogon_dummy_string, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 2",
                                          hf_netlogon_dummy_string2, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 3",
                                          hf_netlogon_dummy_string3, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Dummy 4",
                                          hf_netlogon_dummy_string4, 0);

    /* Counted strings. */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_os_version, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_workstation_os, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string3, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string4, 0);

    /* Trailing 32-bit values. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_workstation_flags, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_supportedenctypes, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy3_long, NULL);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_dummy4_long, NULL);
}
/*
 * Dissect the unique pointer to a WORKSTATION_INFO structure; the
 * referent is handled by netlogon_dissect_WORKSTATION_INFO.
 */
static int
netlogon_dissect_WORKSTATION_INFORMATION(tvbuff_t *tvb , int offset ,
                                         packet_info *pinfo , proto_tree *tree ,
                                         dcerpc_info *di, uint8_t *drep )
{
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_WORKSTATION_INFO, NDR_POINTER_UNIQUE,
                               "WORKSTATION INFO", -1);
}
/*
 * Pointer callback for DOMAIN_INFO. Fields, in wire order: the primary
 * ONE_DOMAIN_INFO, the trust count, a unique pointer to the trusted
 * domain array, the LSA policy, the client DNS name, three dummy counted
 * strings, workstation flags, supported encryption types and two dummy
 * longs.
 */
static int
netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_ONE_DOMAIN_INFO(tvb, offset, pinfo, tree, di, drep);

    /* Trusted domains: count, then the array behind a unique pointer. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_num_trusts, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
                                 "DOMAIN_TRUST_ARRAY: Trusted domains", -1);

    offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset, pinfo, tree, di, drep);

    /* Disabled: a second count/pointer pair used to be dissected here.
     *
     *  offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
     *                              hf_netlogon_num_trusts, NULL);
     *
     *  offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
     *                               netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
     *                               "LSA Policy", -1);
     */

    /* Counted strings. */
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_ad_client_dns_name, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string2, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string3, 0);
    offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                        hf_netlogon_dummy_string4, 0);

    /* Trailing 32-bit values. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_workstation_flags, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_supportedenctypes, NULL);
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_dummy3_long, NULL);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_dummy4_long, NULL);
}
/*
 * Dissect the DOMAIN_INFORMATION union: a 32-bit level selector followed
 * by a unique pointer to DOMAIN_INFO (level 1) or LSA_POLICY_INFO
 * (level 2). Other levels consume only the selector.
 */
static int
netlogon_dissect_DOMAIN_INFORMATION(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    uint32_t level;

    UNION_ALIGN_TO_5_BYTES;
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_netlogon_level, &level);
    UNION_ALIGN_TO_5_BYTES;

    if (level == 1) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
                                     "DOMAIN_INFO", -1);
    } else if (level == 2) {
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_LSA_POLICY_INFO, NDR_POINTER_UNIQUE,
                                     "LSA_POLICY_INFO", -1);
    }

    return offset;
}
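/*
 * Dissect a netr_CryptPassword blob, decrypting it with the learned
 * Netlogon session key when it looks encrypted.
 *
 * Always returns offset + 516, whether or not decryption succeeded.
 *
 * NOTE: on success the cleartext password is added to the tree
 * (hf_netlogon_new_password), the decrypted buffer is attached as a data
 * source, and the expert info quotes the first four bytes of the session
 * key. Dissection output produced with key material loaded therefore
 * contains secrets and should be handled accordingly.
 */
static int
netlogon_dissect_netr_CryptPassword(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *parent_tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    int ret_offset = offset + 516;
    proto_item *item=NULL;
    proto_tree *tree=NULL;
    netlogon_auth_vars *vars = NULL;
    uint32_t pw_len;
    char *pw = NULL;
    uint32_t confounder_len;
    bool version_present = false;

    /*
     * We have
     *   uint16 array[256];
     *   uint32 length;
     *
     * All these 516 bytes are potentially encrypted.
     *
     * The unencrypted length is in bytes
     * instead of uint16 units, so it's a multiple
     * of 2 and it should be smaller than 512 -
     * SIZEOF(NL_PASSWORD_VERSION), so it's 500
     * as SIZEOF(NL_PASSWORD_VERSION) is 12.
     * The confounder should also be there with
     * a few bytes.
     *
     * Real clients typically use 28 or 240,
     * which means 14 or 120 uint16 characters.
     *
     * So if the value is larger than 500 or
     * bit 1 is set it's very likely an
     * encrypted value.
     */
    tvb_ensure_bytes_exist(tvb, offset, 516);

    if(parent_tree){
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 516,
                                      ett_netr_CryptPassword, &item,
                                      "netr_CryptPassword:");
    }

    vars = find_global_netlogon_auth_vars(pinfo, 0);
    pw_len = tvb_get_uint32(tvb, offset+512, DREP_ENC_INTEGER(drep));
    if (pw_len > 500 || (pw_len & 0x1)) {
        gcry_error_t err;
        gcry_cipher_hd_t cipher_hd = NULL;
        uint8_t *buffer = NULL;
        tvbuff_t *dectvb = NULL;

        proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                    tvb, offset, 516, NULL,
                                    "Encrypted netr_CryptPassword");

        if (vars == NULL) {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "No session key found");
            return ret_offset;
        }

        err = prepare_session_key_cipher(vars, &cipher_hd);
        if (err != 0) {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "Decryption not possible (%s/%s) with "
                                   "session key learned in frame %d ("
                                   "%02x%02x%02x%02x"
                                   ") from %s",
                                   gcry_strsource(err),
                                   gcry_strerror(err),
                                   vars->auth_fd_num,
                                   vars->session_key[0] & 0xFF,
                                   vars->session_key[1] & 0xFF,
                                   vars->session_key[2] & 0xFF,
                                   vars->session_key[3] & 0xFF,
                                   vars->nthash.key_origin);
            ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",
                       gcry_strsource(err), gcry_strerror(err));
            return ret_offset;
        }

        /* Decrypt a private copy; the captured bytes stay untouched. */
        buffer = (uint8_t*)tvb_memdup(pinfo->pool, tvb, offset, 516);
        if (buffer == NULL) {
            gcry_cipher_close(cipher_hd);
            return ret_offset;
        }

        err = gcry_cipher_decrypt(cipher_hd, buffer, 516, NULL, 0);
        gcry_cipher_close(cipher_hd);
        if (err != 0) {
            ws_warning("GCRY: gcry_cipher_decrypt %s/%s\n",
                       gcry_strsource(err), gcry_strerror(err));
            return ret_offset;
        }

        dectvb = tvb_new_child_real_data(tvb, buffer, 516, 516);
        if (dectvb == NULL) {
            return ret_offset;
        }

        /*
         * Re-apply the plausibility test to the decrypted length: if it
         * still fails, the session key did not match this blob.
         */
        pw_len = tvb_get_uint32(dectvb, 512, DREP_ENC_INTEGER(drep));
        if (pw_len > 500 || (pw_len & 0x1)) {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "Unusable session key learned in frame %d ("
                                   "%02x%02x%02x%02x"
                                   ") from %s",
                                   vars->auth_fd_num,
                                   vars->session_key[0] & 0xFF,
                                   vars->session_key[1] & 0xFF,
                                   vars->session_key[2] & 0xFF,
                                   vars->session_key[3] & 0xFF,
                                   vars->nthash.key_origin);
            return ret_offset;
        }

        expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                               &ei_netlogon_session_key,
                               "Used session key learned in frame %d ("
                               "%02x%02x%02x%02x"
                               ") from %s",
                               vars->auth_fd_num,
                               vars->session_key[0] & 0xFF,
                               vars->session_key[1] & 0xFF,
                               vars->session_key[2] & 0xFF,
                               vars->session_key[3] & 0xFF,
                               vars->nthash.key_origin);
        add_new_data_source(pinfo, dectvb, "netr_CryptPassword (Decrypted)");
        /* From here on dissect the decrypted copy, which starts at 0. */
        tvb = dectvb;
        offset = 0;
        proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                    tvb, offset, 516, NULL,
                                    "Decrypted netr_CryptPassword");
    } else {
        proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                    tvb, offset, 516, NULL,
                                    "Unencryption netr_CryptPassword");
        if (vars != NULL) {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "Not encrypted with session key learned in frame %d ("
                                   "%02x%02x%02x%02x"
                                   ") from %s",
                                   vars->auth_fd_num,
                                   vars->session_key[0] & 0xFF,
                                   vars->session_key[1] & 0xFF,
                                   vars->session_key[2] & 0xFF,
                                   vars->session_key[3] & 0xFF,
                                   vars->nthash.key_origin);
        } else {
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "Not encrypted and no session key found nor needed");
        }
    }

    confounder_len = 512 - pw_len;
    if (confounder_len >= 12) {
        /*
         * Probe for an NL_PASSWORD_VERSION in the 12 bytes just before
         * the password. The probe has to be relative to offset: it is 0
         * for the decrypted copy, but for a cleartext blob tvb is still
         * the original buffer and offset points into it.
         */
        uint32_t voffset = offset + confounder_len - 12;
        uint32_t rf;
        uint32_t vp;

        rf = tvb_get_uint32(tvb, voffset+0, DREP_ENC_INTEGER(drep));
        vp = tvb_get_uint32(tvb, voffset+8, DREP_ENC_INTEGER(drep));
        if (rf == 0 && vp == 0x02231968) {
            confounder_len -= 12;
            version_present = true;
        }
    }

    if (confounder_len > 0) {
        proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                    tvb, offset, confounder_len,
                                    NULL, "Confounder: %"PRIu32" byte%s",
                                    confounder_len,
                                    plurality(confounder_len, "", "s"));
        offset += confounder_len;
    }

    if (version_present) {
        proto_item *vitem=NULL;
        proto_tree *vtree=NULL;

        if (tree) {
            vtree = proto_tree_add_subtree(tree, tvb, offset, 12,
                                           ett_NL_PASSWORD_VERSION, &vitem,
                                           "NL_PASSWORD_VERSION:");
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, vtree, di, drep,
                                    hf_netlogon_password_version_reserved, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, vtree, di, drep,
                                    hf_netlogon_password_version_number, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, vtree, di, drep,
                                    hf_netlogon_password_version_present, NULL);
    }

    proto_tree_add_bytes_format(tree, hf_netlogon_blob,
                                tvb, offset, pw_len, NULL,
                                "Raw Password Bytes: %"PRIu32" byte%s",
                                pw_len,
                                plurality(pw_len, "", "s"));
    /* The cleartext password ends up in the tree as a UTF-16 string. */
    pw = (char *)tvb_get_string_enc(pinfo->pool, tvb, offset, pw_len,
                                    ENC_UTF_16|DREP_ENC_INTEGER(drep));
    proto_tree_add_string(tree, hf_netlogon_new_password, tvb, offset,
                          pw_len, pw);
    offset += pw_len;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_len, NULL);

    /* The blob has a fixed wire size, independent of what was decoded. */
    return ret_offset;
}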
/*
 * Element callback for the TYPE_50 array: dissects one uint8 shown as
 * hf_netlogon_unknown_char.
 */
static int
netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Pointer callback for TYPE_50: dissects the array with
 * netlogon_dissect_element_844_byte as the per-element dissector.
 */
static int
netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_element_844_byte);
}
/*
 * Dissect a TYPE_50 structure into its own subtree: an unknown 32-bit
 * value followed by a unique pointer whose referent is handled by
 * netlogon_dissect_element_844_array.
 */
static int
netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
                         packet_info *pinfo, proto_tree *parent_tree,
                         dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *ti = NULL;
    proto_tree *tree = NULL;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_TYPE_50, &ti, "TYPE_50:");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
                                 "unknown", hf_netlogon_unknown_string);

    proto_item_set_len(ti, offset - start_offset);
    return offset;
}
/*
 * Dissect a unique pointer to a TYPE_50 structure; the referent is
 * handled by netlogon_dissect_TYPE_50.
 */
static int
netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
                               "TYPE_50 pointer: unknown_TYPE_50", -1);
}
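/*
 * Dissect one DS_DOMAIN_TRUSTS entry into its own subtree: NetBIOS and
 * DNS domain names, trust flags, parent index, trust type, trust
 * attributes, a SID pointer and the domain GUID.
 *
 * Returns the advanced offset; the subtree length is fixed up at the end.
 */
static int
netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
{
    proto_item *item=NULL;
    proto_tree *tree=NULL;
    int old_offset=offset;

    if(parent_tree){
        /*
         * Capture the subtree item: without it the proto_item_set_len()
         * call below gets NULL and the subtree stays zero-length.
         */
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_DS_DOMAIN_TRUSTS, &item, "DS_DOMAIN_TRUSTS");
    }

    /* name */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "NetBIOS Name",
                                          hf_netlogon_downlevel_domain_name, 0);

    /* domain */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "DNS Domain Name",
                                          hf_netlogon_dns_domain_name, 0);

    offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);

    /* The values themselves are not needed here, only their display. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_trust_parent_index, NULL);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_trust_type, NULL);

    offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);

    /* SID pointer */
    offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);

    /* GUID */
    offset = dissect_nt_GUID(tvb, offset, pinfo, tree, di, drep);

    proto_item_set_len(item, offset-old_offset);
    return offset;
}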
/*
 * Pointer callback for the DS_DOMAIN_TRUSTS array: each element is
 * dissected by netlogon_dissect_DS_DOMAIN_TRUSTS.
 */
static int
netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
                                        packet_info *pinfo, proto_tree *tree,
                                        dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_DS_DOMAIN_TRUSTS);
}
/*
 * Element callback for the first TYPE_52 array: dissects one uint8 shown
 * as hf_netlogon_unknown_char.
 */
static int
netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Pointer callback for the first TYPE_52 array: dissects it with
 * netlogon_dissect_element_865_byte as the per-element dissector.
 */
static int
netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_element_865_byte);
}
/*
 * Element callback for the second TYPE_52 array: dissects one uint8
 * shown as hf_netlogon_unknown_char.
 */
static int
netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
                                  packet_info *pinfo, proto_tree *tree,
                                  dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                             hf_netlogon_unknown_char, NULL);
}
/*
 * Pointer callback for the second TYPE_52 array: dissects it with
 * netlogon_dissect_element_866_byte as the per-element dissector.
 */
static int
netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree,
                                   dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_element_866_byte);
}
/*
 * Dissect a TYPE_52 structure into its own subtree: an unknown 32-bit
 * value followed by two unique pointers, handled by
 * netlogon_dissect_element_865_array and
 * netlogon_dissect_element_866_array respectively.
 */
static int
netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
                         packet_info *pinfo, proto_tree *parent_tree,
                         dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *ti = NULL;
    proto_tree *tree = NULL;

    if (parent_tree) {
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_TYPE_52, &ti, "TYPE_52:");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
                                 "unknown", hf_netlogon_unknown_string);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
                                 "unknown", hf_netlogon_unknown_string);

    proto_item_set_len(ti, offset - start_offset);
    return offset;
}
/*
 * Dissect a unique pointer to a TYPE_52 structure; the referent is
 * handled by netlogon_dissect_TYPE_52.
 */
static int
netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
                               "TYPE_52 pointer: unknown_TYPE_52", -1);
}
/*
 * Dissect the Capabilities union into a "Capabilities" subtree.
 *
 * A 32-bit level selects the arm: level 1 carries the negotiated flags
 * ("ServerCapabilities"), level 2 the requested flags ("RequestedFlags").
 * Both arms are a 32-bit flags word decoded by
 * netlogon_dissect_neg_options(); the chosen arm is also appended to the
 * text of the parent item. Other levels consume only the selector.
 */
static int
netlogon_dissect_Capabilities(tvbuff_t *tvb, int offset,
                              packet_info *pinfo, proto_tree *parent_tree,
                              dcerpc_info *di, uint8_t *drep)
{
    const int start_offset = offset;
    proto_item *ti = NULL;
    proto_tree *tree = NULL;
    proto_item *parent_item = NULL;
    proto_item *flags_item = NULL;
    uint32_t level = 0;

    if (parent_tree) {
        parent_item = proto_tree_get_parent(parent_tree);
        tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
                                      ett_CAPABILITIES, &ti,
                                      "Capabilities");
    }

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, &level);

    ALIGN_TO_4_BYTES;
    if (level == 1 || level == 2) {
        uint32_t flags;

        /* Fetch the value only (hf -1); the bit breakdown is added below. */
        dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, -1, &flags);
        flags_item = netlogon_dissect_neg_options(tvb, tree, flags, offset);

        if (level == 1) {
            proto_item_set_text(flags_item, "NegotiatedFlags: 0x%08x", flags);
            proto_item_set_text(ti, "ServerCapabilities");
            proto_item_append_text(parent_item, ": ServerCapabilities");
        } else {
            proto_item_set_text(flags_item, "RequestedFlags: 0x%08x", flags);
            proto_item_set_text(ti, "RequestedFlags");
            proto_item_append_text(parent_item, ": RequestedFlags");
        }
        offset += 4;
    }

    proto_item_set_len(ti, offset - start_offset);
    return offset;
}
/*
 * Dissect the WORKSTATION_BUFFER union: a 32-bit level selector followed,
 * for levels 1 and 2, by a WORKSTATION_INFORMATION pointer. Other levels
 * consume only the selector.
 */
static int
netlogon_dissect_WORKSTATION_BUFFER(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree,
                                    dcerpc_info *di, uint8_t *drep)
{
    uint32_t level;

    UNION_ALIGN_TO_5_BYTES;
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_netlogon_level, &level);
    UNION_ALIGN_TO_5_BYTES;

    if (level == 1 || level == 2) {
        offset = netlogon_dissect_WORKSTATION_INFORMATION(tvb, offset, pinfo, tree, di, drep);
    }

    return offset;
}
/*
 * NetrEnumerateTrustedDomains request: only the server handle.
 */
static int
netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
                                                  packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                            pinfo, tree, di, drep);
}
/*
 * NetrEnumerateTrustedDomains reply: a reference pointer to a
 * UNICODE_MULTI holding the trusted domain name list, then the NT status.
 */
static int
netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
                                 "UNICODE_MULTI pointer: trust_dom_name_list", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * DsrGetDcName request: server handle, domain name, optional domain and
 * site GUIDs (unique pointers) and a 32-bit flags word.
 */
static int
netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
                                   packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_logon_dom, 0);

    /* Both GUIDs share the same referent dissector. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: domain_guid", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: site_guid", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_flags, NULL);
}
/*
 * DsrGetDcName reply: a unique pointer to DOMAIN_CONTROLLER_INFO, then
 * the NT status.
 */
static int
netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
                                    packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
                                 "DOMAIN_CONTROLLER_INFO:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * NetrLogonDummyRoutine1 request: server handle, computer name, the
 * credential and return authenticators, and a 32-bit query level.
 *
 * The level is read without a field (hf -1) and then added as
 * hf_netlogon_level so that its meaning can be appended to the item:
 * 1 is labelled ServerCapabilities, 2 RequestedFlags.
 */
static int
netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    uint32_t query_level = 0;
    proto_item *level_item = NULL;

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                -1, &query_level);
    level_item = proto_tree_add_item(tree, hf_netlogon_level, tvb, offset-4, 4,
                                     DREP_ENC_INTEGER(drep));

    if (query_level == 1) {
        proto_item_append_text(level_item, " (ServerCapabilities)");
    } else if (query_level == 2) {
        proto_item_append_text(level_item, " (RequestedFlags)");
    }

    return offset;
}
/*
 * NetrLogonDummyRoutine1 reply: the return authenticator, the
 * Capabilities union and the NT status.
 */
static int
netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_Capabilities, NDR_POINTER_REF,
                                 "Capabilities", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * NetrLogonSetServiceBits request: server handle followed by two 32-bit
 * values, both shown as hf_netlogon_unknown_long.
 */
static int
netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_unknown_long, NULL);
}
/* Reply dissector: the reply carries only the NTSTATUS return code. */
static int
netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector: server handle, then a unique pointer to a string
 * whose meaning the dissector does not know ("unknown string").
 */
static int
netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo, proto_tree *tree,
                                           dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_UNIQUE, "unknown string",
                                        hf_netlogon_unknown_string, 0);
}
/*
 * Reply dissector: a unique pointer to a 32-bit value (shown as
 * "unknown_ULONG") followed by the NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree,
                                            dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_long,
                                 NDR_POINTER_UNIQUE,
                                 "ULONG pointer: unknown_ULONG",
                                 hf_netlogon_unknown_long);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector: server handle, a 32-bit value, a unique pointer to
 * a byte array and a second 32-bit value. None of the three payload
 * fields has a known meaning here; they use the "unknown" header fields.
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array,
                                 NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_unknown_long, NULL);
}
/*
 * Dissects a fixed run of 16 single-byte fields, each added under
 * hf_netlogon_unknown_char. Returns the offset after the last byte.
 */
static int
netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
                               packet_info *pinfo, proto_tree *tree,
                               dcerpc_info *di, uint8_t *drep)
{
    int remaining = 16;

    while (remaining-- > 0) {
        offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                                   hf_netlogon_unknown_char, NULL);
    }

    return offset;
}
/*
 * Reply dissector: a unique pointer to a 16-byte array followed by the
 * NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo, proto_tree *tree,
                                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_16_array,
                                 NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector: server handle, a unique string pointer, a unique
 * pointer to a byte array and a 32-bit value. The payload fields are
 * labelled "unknown" because their meaning is not decoded here.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo, proto_tree *tree,
                                                   dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "unknown string",
                                          hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_array,
                                 NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_unknown_long, NULL);
}
/*
 * Reply dissector: a unique pointer to a 16-byte array followed by the
 * NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo, proto_tree *tree,
                                                    dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_BYTE_16_array,
                                 NDR_POINTER_UNIQUE,
                                 "BYTE pointer: unknown_BYTE", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Adds the negotiate-flags bitmask to the tree.
 *
 * The caller has already read the 32-bit value and passes it in `flags`;
 * `offset` is where those 4 bytes sit in `tvb`. The function does not
 * advance the offset. Returns the item created for the bitmask.
 */
static proto_item *
netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,uint32_t flags,int offset)
{
    /* One header field per decoded bit, highest bit first, NULL-terminated.
     * The bits inside "#if 0" are compiled out and so are not shown. */
    static int * const neg_flag_fields[] = {
        &hf_netlogon_neg_flags_80000000,
        &hf_netlogon_neg_flags_40000000,
        &hf_netlogon_neg_flags_20000000,
#if 0
        &hf_netlogon_neg_flags_10000000,
        &hf_netlogon_neg_flags_8000000,
        &hf_netlogon_neg_flags_4000000,
        &hf_netlogon_neg_flags_2000000,
        &hf_netlogon_neg_flags_800000,
        &hf_netlogon_neg_flags_400000,
#endif
        &hf_netlogon_neg_flags_1000000,
        &hf_netlogon_neg_flags_200000,
        &hf_netlogon_neg_flags_100000,
        &hf_netlogon_neg_flags_80000,
        &hf_netlogon_neg_flags_40000,
        &hf_netlogon_neg_flags_20000,
        &hf_netlogon_neg_flags_10000,
        &hf_netlogon_neg_flags_8000,
        &hf_netlogon_neg_flags_4000,
        &hf_netlogon_neg_flags_2000,
        &hf_netlogon_neg_flags_1000,
        &hf_netlogon_neg_flags_800,
        &hf_netlogon_neg_flags_400,
        &hf_netlogon_neg_flags_200,
        &hf_netlogon_neg_flags_100,
        &hf_netlogon_neg_flags_80,
        &hf_netlogon_neg_flags_40,
        &hf_netlogon_neg_flags_20,
        &hf_netlogon_neg_flags_10,
        &hf_netlogon_neg_flags_8,
        &hf_netlogon_neg_flags_4,
        &hf_netlogon_neg_flags_2,
        &hf_netlogon_neg_flags_1,
        NULL
    };
    proto_item *flags_item;

    flags_item = proto_tree_add_bitmask_value_with_flags(tree, tvb, offset,
                                                         hf_netlogon_neg_flags,
                                                         ett_authenticate_flags,
                                                         neg_flag_fields, flags,
                                                         BMT_NO_APPEND);
    return flags_item;
}
/*
 * Request dissector shared by NetrServerAuthenticate2 and 3 (the
 * Authenticate2 request routine forwards here).
 *
 * Wire order handled: server handle, account name, secure channel type,
 * computer name, 8-byte client credential, 32-bit negotiate flags.
 * Also resets the file-level `seen` state before returning.
 */
static int
netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    uint32_t neg_flags;

    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
    ALIGN_TO_5_BYTES

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Acct Name",
                                          hf_netlogon_acct_name, 0);

    /* Alignment before the channel type depends on the transfer syntax. */
    if (di->call_data->flags & DCERPC_IS_NDR64) {
        ALIGN_TO_4_BYTES
    } else {
        ALIGN_TO_2_BYTES
    }

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    ALIGN_TO_5_BYTES

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
                                   hf_client_credential, NULL);
#if 0
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                                 "Client Challenge", -1);
#endif

#if 0
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_neg_flags, NULL);
#endif
    ALIGN_TO_4_BYTES;

    /* The flags are read as little-endian directly from the buffer and
     * shown as a bitmask; the offset is advanced by hand afterwards. */
    neg_flags = tvb_get_letohl (tvb, offset);
    netlogon_dissect_neg_options(tvb, tree, neg_flags, offset);

    seen.num = 0;
    seen.isseen = false;

    return offset + 4;
}
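/*
 * Request dissector for NetrServerAuthenticateKerberos.
 *
 * Wire order handled: server handle, account name, secure channel type,
 * computer name, 32-bit negotiate flags. The computer name is dissected
 * with CB_STR_SAVE and then read back from dcv->private_data to create
 * the netlogon_auth_vars entry for this exchange; the negotiate flags
 * are stored in that entry. Also resets the file-level `seen` state.
 *
 * Returns the offset just past the negotiate flags.
 */
static int
netlogon_dissect_netrserverauthenticatekerberos_rqst(tvbuff_t *tvb, int offset,
                                                     packet_info *pinfo, proto_tree *tree,
                                                     dcerpc_info *di, uint8_t *drep)
{
    netlogon_auth_vars *vars = NULL;
    dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
    char *computer_name;
    uint32_t flags;

    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);
    ALIGN_TO_5_BYTES

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);

    if (di->call_data->flags & DCERPC_IS_NDR64) {
        ALIGN_TO_4_BYTES
    } else {
        ALIGN_TO_2_BYTES
    }

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    ALIGN_TO_5_BYTES

    offset = dissect_ndr_pointer_cb(
        tvb, offset, pinfo, tree, di, drep,
        dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
        "Computer Name", hf_netlogon_computer_name,
        cb_wstr_postprocess,
        GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1));

    /*
     * The name comes from the packet, so it is untrusted input. Whether
     * the callback always leaves a string in private_data cannot be seen
     * from this function; treat a missing value as "no auth vars for this
     * call" instead of handing NULL to strlen() and "%s".
     * NOTE(review): confirm how create_global_netlogon_auth_vars() reports
     * failure; a NULL result is tolerated below.
     */
    computer_name = (char *)dcv->private_data;
    if (computer_name != NULL) {
        ws_debug("1)Len %d offset %d txt %s",(int) strlen(computer_name),offset,computer_name);
        vars = create_global_netlogon_auth_vars(pinfo, computer_name, 0);
        if (vars != NULL) {
            ws_debug("2)Len %d offset %d txt %s",(int) strlen(computer_name),offset,vars->client_name);
        }
    }

    ALIGN_TO_4_BYTES;

    flags = tvb_get_letohl (tvb, offset);
    netlogon_dissect_neg_options(tvb,tree,flags,offset);
    seen.isseen = false;
    seen.num = 0;
    offset +=4;

    /* Only record the flags when an auth-vars entry actually exists. */
    if (vars != NULL) {
        vars->flags = flags;
    }

    return offset;
}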
/*
 * IDL long NetrServerAuthenticate2(
 * IDL      [in][string][unique] wchar_t *logonserver,
 * IDL      [in][ref][string] wchar_t *username,
 * IDL      [in] short secure_channel_type,
 * IDL      [in][ref][string] wchar_t *computername,
 * IDL      [in][ref] CREDENTIAL *client_chal,
 * IDL      [out][ref] CREDENTIAL *server_chal,
 * IDL      [in][out][ref] long *negotiate_flags,
 * IDL );
 */
/* The request is dissected by the NetrServerAuthenticate3 request routine. */
static int
netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    int end_offset;

    end_offset = netlogon_dissect_netrserverauthenticate3_rqst(tvb, offset, pinfo,
                                                               tree, di, drep);
    return end_offset;
}
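/*
 * Common reply dissector for NetrServerAuthenticate (version 0),
 * NetrServerAuthenticate2 (version 2) and NetrServerAuthenticate3
 * (version 3).
 *
 * Wire order handled: 8-byte server credential, negotiate flags
 * (version >= 2), server RID (version >= 3), NTSTATUS.
 *
 * If auth vars for the exchange are found, the function then tries every
 * NT hash returned by get_md4pass_list(): it derives a candidate session
 * key from the hash and the two challenges, computes the server
 * credential that key would produce, and compares it with the credential
 * seen on the wire. The derivation depends on the negotiated flags:
 *   - NETLOGON_FLAG_AES:       HMAC-SHA256 keyed with the hash over
 *                              client||server challenge, truncated to 16
 *                              bytes; credential via AES-128-CFB8, zero IV
 *   - NETLOGON_FLAG_STRONGKEY: MD5 over 4 zero bytes and both challenges,
 *                              then HMAC-MD5 keyed with the hash;
 *                              credential via two DES-ECB passes
 *   - otherwise:               DES-based key from the 32-bit-wise sum of
 *                              the challenges; credential via two DES-ECB
 *                              passes
 * On a match the hash and session key are stored in the vars; otherwise
 * the stored session key is zeroed.
 *
 * Security note: on a match the complete 16-byte session key and the
 * first 4 bytes of the NT hash are written into expert info, and key
 * material is hex-dumped at debug log level. Dissection output and debug
 * logs produced with a keytab loaded therefore need the same handling as
 * the keytab itself.
 *
 * Returns the offset just past the NTSTATUS field.
 */
static int
netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
                                                 packet_info *pinfo,
                                                 proto_tree *tree,
                                                 dcerpc_info *di,
                                                 uint8_t *drep,
                                                 int version)
{
    uint32_t flags = 0;
    netlogon_auth_vars *vars;
    uint64_t server_cred;

    offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
                                   hf_server_credential, &server_cred);

    if (version >= 2) {
        flags = tvb_get_letohl (tvb, offset);
        netlogon_dissect_neg_options(tvb,tree,flags,offset);
        offset +=4;
    }
    ALIGN_TO_4_BYTES;
    if (version >= 3) {
        offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
                                       hf_server_rid, NULL);
    }
    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    vars = find_tmp_netlogon_auth_vars(pinfo, 1);
    if(vars != NULL) {
        ws_debug("Found some vars (ie. server/client challenges), let's see if I can get a session key");

        md4_pass *pass_list=NULL;
        const md4_pass *used_md4 = NULL;
        const char *used_method = NULL;
        uint32_t list_size = 0;
        unsigned int i = 0;
        md4_pass password;
        uint8_t session_key[16];
        int found = 0;

        vars->flags = flags;
        vars->can_decrypt = false;
        list_size = get_md4pass_list(pinfo->pool, &pass_list);
        ws_debug("Found %d passwords ",list_size);
        if( flags & NETLOGON_FLAG_AES )
        {
            uint8_t salt_buf[16] = { 0 };
            uint8_t sha256[HASH_SHA2_256_LENGTH];
            uint64_t calculated_cred;

            /* HMAC input: client challenge followed by server challenge. */
            memcpy(&salt_buf[0], (uint8_t*)&vars->client_challenge, 8);
            memcpy(&salt_buf[8], (uint8_t*)&vars->server_challenge, 8);

            used_method = "AES";
            printnbyte(pinfo->pool, (uint8_t*)&vars->client_challenge, 8, "Client challenge:");
            printnbyte(pinfo->pool, (uint8_t*)&vars->server_challenge, 8, "Server challenge:");
            printnbyte(pinfo->pool, (uint8_t*)&server_cred, 8, "Server creds:");
            for(i=0;i<list_size;i++)
            {
                used_md4 = &pass_list[i];
                password = pass_list[i];
                printnbyte(pinfo->pool, (uint8_t*)&password, 16, "NTHASH:");
                if (!ws_hmac_buffer(GCRY_MD_SHA256, sha256, salt_buf, sizeof(salt_buf), (uint8_t*) &password, 16)) {
                    gcry_error_t err;
                    gcry_cipher_hd_t cipher_hd = NULL;
                    uint8_t iv[16] = { 0 };

                    /* truncate the session key to 16 bytes */
                    memcpy(session_key, sha256, 16);
                    printnbyte(pinfo->pool, (uint8_t*)session_key, 16, "Session Key:");

                    /* Open the cipher */
                    err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
                    if (err != 0) {
                        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
                        break;
                    }

                    /* Set the initial value */
                    err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
                    if (err != 0) {
                        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
                        gcry_cipher_close(cipher_hd);
                        break;
                    }

                    /* Set the key */
                    err = gcry_cipher_setkey(cipher_hd, session_key, 16);
                    if (err != 0) {
                        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
                        gcry_cipher_close(cipher_hd);
                        break;
                    }

                    /* Placeholder value; overwritten by the encryption
                     * output below. */
                    calculated_cred = 0x1234567812345678;
                    err = gcry_cipher_encrypt(cipher_hd,
                                              (uint8_t *)&calculated_cred, 8,
                                              (const uint8_t *)&vars->server_challenge, 8);
                    if (err != 0) {
                        ws_warning("GCRY: encrypt %s/%s\n", gcry_strsource(err), gcry_strerror(err));
                        gcry_cipher_close(cipher_hd);
                        break;
                    }

                    /* Done with the cipher */
                    gcry_cipher_close(cipher_hd);

                    printnbyte(pinfo->pool, (uint8_t*)&calculated_cred, 8, "Calculated creds:");

                    if(calculated_cred==server_cred) {
                        found = 1;
                        break;
                    }
                }
            }
        } else if ( flags & NETLOGON_FLAG_STRONGKEY ) {
            uint8_t zeros[4] = { 0 };
            uint8_t md5[HASH_MD5_LENGTH] = { 0 };
            gcry_md_hd_t md5_handle;
            uint8_t buf[8] = { 0 };
            uint64_t calculated_cred;
            gcry_error_t md_err;

            used_method = "MD5";
            md_err = gcry_md_open(&md5_handle, GCRY_MD_MD5, 0);
            if (md_err != 0) {
                /*
                 * Without the digest there is nothing valid to key the
                 * HMAC with. The previous code went on to read the
                 * uninitialized md5[] buffer in this case; skip the
                 * password loop instead so `found` stays 0.
                 */
                ws_warning("GCRY: md open %s/%s\n", gcry_strsource(md_err), gcry_strerror(md_err));
            } else {
                gcry_md_write(md5_handle, zeros, 4);
                gcry_md_write(md5_handle, (uint8_t*)&vars->client_challenge, 8);
                gcry_md_write(md5_handle, (uint8_t*)&vars->server_challenge, 8);
                memcpy(md5, gcry_md_read(md5_handle, 0), 16);
                gcry_md_close(md5_handle);

                printnbyte(pinfo->pool, md5, 8, "MD5:");
                printnbyte(pinfo->pool, (uint8_t*)&vars->client_challenge, 8, "Client challenge:");
                printnbyte(pinfo->pool, (uint8_t*)&vars->server_challenge, 8, "Server challenge:");
                printnbyte(pinfo->pool, (uint8_t*)&server_cred, 8, "Server creds:");
                for(i=0;i<list_size;i++)
                {
                    used_md4 = &pass_list[i];
                    password = pass_list[i];
                    if (!ws_hmac_buffer(GCRY_MD_MD5, session_key, md5, HASH_MD5_LENGTH, (uint8_t*) &password, 16)) {
                        crypt_des_ecb(buf,(unsigned char*)&vars->server_challenge,session_key);
                        crypt_des_ecb((unsigned char*)&calculated_cred,buf,session_key+7);
                        printnbyte(pinfo->pool, (uint8_t*)&calculated_cred, 8, "Calculated creds:");
                        if(calculated_cred==server_cred) {
                            found = 1;
                            break;
                        }
                    }
                }
            }
        }
        else
        {
            /* Add the challenges as two independent 32-bit halves; each
             * half wraps on its own and no carry crosses between them. */
            uint32_t c1 = (uint32_t)(vars->client_challenge & UINT32_MAX);
            uint32_t c2 = (uint32_t)((vars->client_challenge >> 32) & UINT32_MAX);
            uint32_t s1 = (uint32_t)(vars->server_challenge & UINT32_MAX);
            uint32_t s2 = (uint32_t)((vars->server_challenge >> 32) & UINT32_MAX);
            uint32_t sum1 = c1 + s1;
            uint32_t sum2 = c2 + s2;
            uint64_t sum = (uint64_t)sum1 | ((uint64_t)sum2 << 32);

            used_method = "DES";
            printnbyte(pinfo->pool, (uint8_t*)&sum, 8,"SUM for DES:");
            printnbyte(pinfo->pool, (uint8_t*)&vars->client_challenge,8,"Client challenge:");
            printnbyte(pinfo->pool, (uint8_t*)&vars->server_challenge,8,"Server challenge:");
            printnbyte(pinfo->pool, (uint8_t*)&server_cred,8,"Server creds:");
            for(i=0;i<list_size;i++)
            {
                uint8_t buf[8] = { 0 };
                uint64_t calculated_cred;

                /* Only the first 8 bytes are produced below; the rest of
                 * the 16-byte key stays zero. */
                memset(session_key, 0, 16);

                used_md4 = &pass_list[i];
                crypt_des_ecb(buf, (unsigned char*)&sum, used_md4->md4);
                crypt_des_ecb((unsigned char*)session_key, buf, used_md4->md4+9);

                crypt_des_ecb(buf,(unsigned char*)&vars->server_challenge,session_key);
                crypt_des_ecb((unsigned char*)&calculated_cred,buf,session_key+7);
                printnbyte(pinfo->pool, (uint8_t*)&calculated_cred,8,"Calculated creds:");
                if(calculated_cred==server_cred) {
                    found = 1;
                    break;
                }
            }
        }
        if(found) {
            /* `found` is only set inside a loop iteration, after used_md4
             * has been pointed at the matching list entry. */
            vars->nthash = *used_md4;
            vars->auth_fd_num = pinfo->num;
            memcpy(&vars->session_key,session_key,16);
            ws_debug("Found the good session key !");
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_auth_nthash,
                                   "%s authenticated using %s (%02x%02x%02x%02x...)",
                                   used_method, used_md4->key_origin,
                                   used_md4->md4[0] & 0xFF, used_md4->md4[1] & 0xFF,
                                   used_md4->md4[2] & 0xFF, used_md4->md4[3] & 0xFF);
            /* Full session key in the dissection output; see the
             * security note in the function header. */
            expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                                   &ei_netlogon_session_key,
                                   "session key ("
                                   "%02x%02x%02x%02x"
                                   "%02x%02x%02x%02x"
                                   "%02x%02x%02x%02x"
                                   "%02x%02x%02x%02x"
                                   ")",
                                   session_key[0] & 0xFF, session_key[1] & 0xFF,
                                   session_key[2] & 0xFF, session_key[3] & 0xFF,
                                   session_key[4] & 0xFF, session_key[5] & 0xFF,
                                   session_key[6] & 0xFF, session_key[7] & 0xFF,
                                   session_key[8] & 0xFF, session_key[9] & 0xFF,
                                   session_key[10] & 0xFF, session_key[11] & 0xFF,
                                   session_key[12] & 0xFF, session_key[13] & 0xFF,
                                   session_key[14] & 0xFF, session_key[15] & 0xFF);
        }
        else {
            ws_debug("Session key not found !");
            memset(&vars->session_key,0,16);
        }
    }

    return offset;
}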
/* NetrServerAuthenticate3 reply: the shared reply dissector, version 3. */
static int
netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    const int version = 3;

    return netlogon_dissect_netrserverauthenticate023_reply(tvb, offset, pinfo,
                                                            tree, di, drep, version);
}
/* NetrServerAuthenticate2 reply: the shared reply dissector, version 2. */
static int
netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
                                               packet_info *pinfo, proto_tree *tree,
                                               dcerpc_info *di, uint8_t *drep)
{
    const int version = 2;

    return netlogon_dissect_netrserverauthenticate023_reply(tvb, offset, pinfo,
                                                            tree, di, drep, version);
}
/*
 * Reply dissector for NetrServerAuthenticateKerberos.
 *
 * Wire order handled: 32-bit negotiate flags, server RID, NTSTATUS.
 * No credential is carried and no key is derived here. When auth vars
 * for the exchange are found, the function records the flags, a
 * key-origin string naming the client and frame, and the frame number,
 * and adds a "zero session key" expert info.
 * NOTE(review): this function never writes vars->session_key; the
 * "zero" wording presumably relies on the entry being zero-initialized
 * when it is created - confirm against the creation code.
 */
static int
netlogon_dissect_netrserverauthenticatekerberos_reply(tvbuff_t *tvb, int offset,
                                                      packet_info *pinfo,
                                                      proto_tree *tree,
                                                      dcerpc_info *di,
                                                      uint8_t *drep)
{
    netlogon_auth_vars *vars;
    uint32_t flags;

    flags = tvb_get_letohl (tvb, offset);
    netlogon_dissect_neg_options(tvb, tree, flags, offset);
    offset += 4;
    ALIGN_TO_4_BYTES;

    offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
                                   hf_server_rid, NULL);
    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);

    vars = find_tmp_netlogon_auth_vars(pinfo, 1);
    if (vars == NULL) {
        ws_debug("ServerAuthenticateKerberos request not found !");
        return offset;
    }

    vars->flags = flags;
    snprintf(vars->nthash.key_origin, NTLMSSP_MAX_ORIG_LEN,
             "ServerAuthenticateKerberos(%s) at frame %d",
             vars->client_name, pinfo->num);
    vars->auth_fd_num = pinfo->num;
    expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                           &ei_netlogon_session_key,
                           "zero session key");

    return offset;
}
/*
 * Request dissector: server handle, unique domain-name string, unique
 * pointer to a domain GUID, unique site-name string, request flags.
 */
static int
netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID,
                                 NDR_POINTER_UNIQUE,
                                 "GUID pointer: domain_guid", -1);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Site Name",
                                          hf_netlogon_site_name, 0);

    return netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Reply dissector: unique pointer to a DOMAIN_CONTROLLER_INFO structure
 * followed by the NTSTATUS return code.
 */
static int
netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_CONTROLLER_INFO,
                                 NDR_POINTER_UNIQUE,
                                 "DOMAIN_CONTROLLER_INFO:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/* Request dissector: the request carries only the server handle. */
static int
netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
}
/*
 * Reply dissector: the site name string (also copied to the Info column
 * via CB_STR_COL_INFO) followed by a status code shown under
 * hf_netlogon_dos_rc.
 */
static int
netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo, proto_tree *tree,
                                      dcerpc_info *di, uint8_t *drep)
{
    /* XXX hmmm this does not really look like a UNIQUE pointer but
       will do for now. I think it is really a 32bit integer followed by
       a REF pointer to a unicode string */
    offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
                                    dissect_ndr_wchar_cvstring,
                                    NDR_POINTER_UNIQUE,
                                    "Site Name", hf_netlogon_site_name,
                                    cb_wstr_postprocess,
                                    GINT_TO_POINTER(CB_STR_COL_INFO | 1));

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * Request dissector: server handle string, computer name, client
 * authenticator, return authenticator, 32-bit level, WORKSTATION_BUFFER.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
    /* NOTE(review): the "Server Handle" item is registered under
     * hf_netlogon_computer_name here - confirm this is intended. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: client", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_WORKSTATION_BUFFER,
                               NDR_POINTER_REF,
                               "WORKSTATION_BUFFER", -1);
}
/*
 * Reply dissector: return authenticator, DOMAIN_INFORMATION and the
 * NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_INFORMATION,
                                 NDR_POINTER_REF,
                                 "DOMAIN_INFORMATION", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector: server handle, account name, secure channel type,
 * computer name, client authenticator and the netr_CryptPassword blob.
 */
static int
netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Acct Name",
                                          hf_netlogon_acct_name, 0);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    return netlogon_dissect_netr_CryptPassword(tvb, offset, pinfo, tree, di, drep);
}
/* Reply dissector: return authenticator followed by the NTSTATUS code. */
static int
netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
                                              packet_info *pinfo, proto_tree *tree,
                                              dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * Request dissector: server handle, account name, secure channel type,
 * computer name and the client authenticator.
 */
static int
netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
                                            packet_info *pinfo, proto_tree *tree,
                                            dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Acct Name",
                                          hf_netlogon_acct_name, 0);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_AUTHENTICATOR,
                               NDR_POINTER_REF,
                               "AUTHENTICATOR: credential", -1);
}
/*
 * Reply dissector: return authenticator, the LM_OWF_PASSWORD structure
 * ("server_pwd") and the NTSTATUS return code.
 */
static int
netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
                                             packet_info *pinfo, proto_tree *tree,
                                             dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LM_OWF_PASSWORD,
                                 NDR_POINTER_REF,
                                 "LM_OWF_PASSWORD pointer: server_pwd", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
/*
 * Opens an AES-128 cipher in CFB8 mode, sets an all-zero 16-byte IV and
 * keys it with the 16-byte session key from `vars`.
 *
 * On success stores the handle in *_cipher_hd and returns 0; the caller
 * then owns the handle and must close it. On failure logs a warning,
 * closes any handle it opened, leaves *_cipher_hd untouched and returns
 * the libgcrypt error.
 */
static gcry_error_t prepare_session_key_cipher_aes(netlogon_auth_vars *vars,
                                                   gcry_cipher_hd_t *_cipher_hd)
{
    gcry_cipher_hd_t hd = NULL;
    uint8_t iv[16] = { 0 };
    gcry_error_t rc;

    /* Open the cipher */
    rc = gcry_cipher_open(&hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
    if (rc != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    /* Set the initial value, then the key; stop at the first failure. */
    rc = gcry_cipher_setiv(hd, iv, sizeof(iv));
    if (rc != 0) {
        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
    } else {
        rc = gcry_cipher_setkey(hd, vars->session_key, 16);
        if (rc == 0) {
            *_cipher_hd = hd;
            return 0;
        }
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
    }

    /* Shared failure exit once the handle exists. */
    gcry_cipher_close(hd);
    return rc;
}
#endif
/*
 * Opens an ARCFOUR (RC4) stream cipher and keys it with the 16-byte
 * session key from `vars`.
 *
 * On success stores the handle in *_cipher_hd and returns 0; the caller
 * then owns the handle and must close it. On failure logs a warning,
 * closes any handle it opened, leaves *_cipher_hd untouched and returns
 * the libgcrypt error.
 */
static gcry_error_t prepare_session_key_cipher_strong(netlogon_auth_vars *vars,
                                                      gcry_cipher_hd_t *_cipher_hd)
{
    gcry_cipher_hd_t hd = NULL;
    gcry_error_t rc;

    /* Open the cipher */
    rc = gcry_cipher_open(&hd, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0);
    if (rc != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    /* Set the key */
    rc = gcry_cipher_setkey(hd, vars->session_key, 16);
    if (rc == 0) {
        *_cipher_hd = hd;
        return 0;
    }

    ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
    gcry_cipher_close(hd);
    return rc;
}
/*
 * Picks the cipher that matches the negotiated flags stored in `vars`
 * and returns a keyed handle in *_cipher_hd.
 *
 * AES is preferred when NETLOGON_FLAG_AES is set (and libgcrypt is at
 * least 1.8.0); otherwise NETLOGON_FLAG_STRONGKEY selects the ARCFOUR
 * path. With neither flag there is no handler and
 * GPG_ERR_UNSUPPORTED_ALGORITHM is returned. *_cipher_hd is reset to
 * NULL first, so it is NULL whenever a non-zero value is returned.
 */
static gcry_error_t prepare_session_key_cipher(netlogon_auth_vars *vars,
                                               gcry_cipher_hd_t *_cipher_hd)
{
    *_cipher_hd = NULL;

#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
    if (vars->flags & NETLOGON_FLAG_AES) {
        return prepare_session_key_cipher_aes(vars, _cipher_hd);
    }
#endif

    if (!(vars->flags & NETLOGON_FLAG_STRONGKEY)) {
        return GPG_ERR_UNSUPPORTED_ALGORITHM;
    }

    return prepare_session_key_cipher_strong(vars, _cipher_hd);
}
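/*
 * Block callback for the OpaqueBuffer byte array.
 *
 * Always adds the raw `length` bytes at `offset` under di->hf_index and
 * returns offset + length. When the block is at least 8 bytes long and
 * auth vars with a usable cipher are available, it additionally decrypts
 * a copy of the bytes with the stored session key and, if the result
 * looks valid, attaches it as a new data source.
 *
 * The validity test is a plausibility check only: the little-endian
 * 32-bit value at byte 4 of the decrypted copy must equal length - 8.
 * A mismatch is reported as an unusable session key. Only the first four
 * bytes of the session key are shown in the expert info.
 */
static int
netlogon_dissect_opaque_buffer_block(tvbuff_t *tvb, int offset, int length,
                                     packet_info *pinfo, proto_tree *tree,
                                     dcerpc_info *di, uint8_t *drep _U_)
{
    int orig_offset = offset;
    unsigned char is_server = 0;
    netlogon_auth_vars *vars;
    gcry_error_t err;
    gcry_cipher_hd_t cipher_hd = NULL;
    uint8_t *buffer = NULL;
    tvbuff_t *dectvb = NULL;
    uint32_t expected_len;
    uint32_t decrypted_len;

    proto_tree_add_item(tree, di->hf_index, tvb, offset, length, ENC_NA);
    offset += length;

    /* Too short to hold the 8 leading bytes the length check relies on. */
    if (length < 8) {
        return offset;
    }

    vars = find_global_netlogon_auth_vars(pinfo, is_server);
    if (vars == NULL ) {
        ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths));
        expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                               &ei_netlogon_session_key,
                               "No session key found");
        return offset;
    }

    err = prepare_session_key_cipher(vars, &cipher_hd);
    if (err != 0) {
        ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",
                   gcry_strsource(err), gcry_strerror(err));
        return offset;
    }

    /* Decrypt a private copy so the captured bytes stay untouched. */
    buffer = (uint8_t*)tvb_memdup(pinfo->pool, tvb, orig_offset, length);
    if (buffer == NULL) {
        gcry_cipher_close(cipher_hd);
        return offset;
    }

    /* NULL/0 input means in-place decryption of `buffer`. */
    err = gcry_cipher_decrypt(cipher_hd, buffer, length, NULL, 0);
    gcry_cipher_close(cipher_hd);
    if (err != 0) {
        /* Name the step that failed; this branch used to repeat the
         * prepare_session_key_cipher message from above. */
        ws_warning("GCRY: decrypt %s/%s\n",
                   gcry_strsource(err), gcry_strerror(err));
        return offset;
    }

    dectvb = tvb_new_child_real_data(tvb, buffer, length, length);
    if (dectvb == NULL) {
        return offset;
    }

    expected_len = length - 8;
    decrypted_len = tvb_get_letohl(dectvb, 4);
    if (decrypted_len != expected_len) {
        expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                               &ei_netlogon_session_key,
                               "Unusable session key learned in frame %d ("
                               "%02x%02x%02x%02x"
                               ") from %s",
                               vars->auth_fd_num,
                               vars->session_key[0] & 0xFF, vars->session_key[1] & 0xFF,
                               vars->session_key[2] & 0xFF, vars->session_key[3] & 0xFF,
                               vars->nthash.key_origin);
        return offset;
    }

    expert_add_info_format(pinfo, proto_tree_get_parent(tree),
                           &ei_netlogon_session_key,
                           "Using session key learned in frame %d ("
                           "%02x%02x%02x%02x"
                           ") from %s",
                           vars->auth_fd_num,
                           vars->session_key[0] & 0xFF, vars->session_key[1] & 0xFF,
                           vars->session_key[2] & 0xFF, vars->session_key[3] & 0xFF,
                           vars->nthash.key_origin);

    add_new_data_source(pinfo, dectvb, "OpaqueBuffer (Decrypted)");

    proto_tree_add_item(tree, hf_netlogon_opaque_buffer_dec, dectvb, 0, length, ENC_NA);
    return offset;
}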
/*
 * Dissects the OpaqueBuffer as an NDR byte array, handing the bytes to
 * netlogon_dissect_opaque_buffer_block as one block.
 */
static int
netlogon_dissect_opaque_buffer(tvbuff_t *tvb, int offset,
                               packet_info *pinfo, proto_tree *tree,
                               dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray_block(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_opaque_buffer_block);
}
/*
 * IDL long NetrLogonSendToSam(
 * IDL      [in][unique][string] wchar_t *ServerName,
 * IDL      [in][ref][string] wchar_t *Workstation,
 * IDL      [in][ref] AUTHENTICATOR *credential,
 * IDL      [in][out][ref] AUTHENTICATOR *returnauthenticator,
 * IDL      [in, size_is(OpaqueBufferSize)][ref] UCHAR * OpaqueBuffer,
 * IDL      [in] ULONG OpaqueBufferSize
 * IDL );
 */
/*
 * Request dissector: server handle, computer name, client authenticator,
 * the encrypted OpaqueBuffer and its 32-bit size.
 */
static int
netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
                                         packet_info *pinfo, proto_tree *tree,
                                         dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_opaque_buffer,
                                 NDR_POINTER_REF,
                                 "OpaqueBuffer", hf_netlogon_opaque_buffer_enc);

    return dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_opaque_buffer_size, NULL);
}
/* Reply dissector: return authenticator followed by the NTSTATUS code. */
static int
netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo, proto_tree *tree,
                                          dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR,
                                 NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * DsrAddressToSiteNamesW, request direction.
 *
 * Dissects the server handle, one 32-bit value and a unique pointer to a
 * byte array.  The last two are still registered under the generic
 * "unknown" fields, so the tree does not name them.
 */
static int
netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                               "BYTE pointer: unknown_BYTE", -1);
}
/*
 * DsrAddressToSiteNamesW, reply direction: a unique pointer dissected by
 * netlogon_dissect_TYPE_50_ptr, then the NTSTATUS result code.
 */
static int
netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
                                 "TYPE_50** pointer: unknown_TYPE_50", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
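/*
 * DsrGetDcNameEx2, request direction.
 *
 * Fields dissected, in order: server handle, client account name, a
 * 32-bit value, the domain name, a unique pointer to the domain GUID, the
 * client site name and a final 32-bit value.  Both 32-bit values are
 * still shown under the generic hf_netlogon_unknown_long field.
 *
 * The domain-name pointer used to carry the tree label "Client Account",
 * copied from the account-name field above it, although it is attached to
 * hf_netlogon_logon_dom.  It is now labelled "Domain", the label this file
 * already uses for the same field in DsrDeregisterDnsHostRecords, so an
 * analyst no longer sees two different strings under the same label.
 *
 * Returns the offset after the last field.
 */
static int
netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                                              pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Client Account",
                                          hf_netlogon_acct_name, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    /* Domain name: label corrected, field handle unchanged. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_logon_dom, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "Domain GUID:", -1);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Client Site",
                                          hf_netlogon_site_name, 0);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    return offset;
}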
/*
 * DsrGetDcNameEx2, reply direction: a unique pointer to
 * DOMAIN_CONTROLLER_INFO followed by the result code.
 *
 * NOTE(review): the result is read with dissect_ntstatus but attached to
 * hf_netlogon_dos_rc; confirm which error namespace that field is
 * registered with.
 */
static int
netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DOMAIN_CONTROLLER_INFO,
                                 NDR_POINTER_UNIQUE,
                                 "DOMAIN_CONTROLLER_INFO:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * NetrLogonGetTimeServiceParentDomain, request direction: the server
 * handle is the only field dissected.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
}
/*
 * NetrLogonGetTimeServiceParentDomain, reply direction: a unique string
 * pointer, a unique pointer to a 32-bit value and the NTSTATUS result.
 * Both payload fields are still shown under the generic "unknown" fields.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "unknown string",
                                          hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                                 "ULONG pointer: unknown_ULONG",
                                 hf_netlogon_unknown_long);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * NetrEnumerateTrustedDomainsEx, request direction: the server handle is
 * the only field dissected.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
}
/*
 * NetrEnumerateTrustedDomainsEx, reply direction: entry count, a unique
 * pointer to the DS_DOMAIN_TRUSTS array and the NTSTATUS result.
 * The count is displayed only; the array dissector does its own walking.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "DS_DOMAIN_TRUSTS_ARRAY:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * DsrAddressToSiteNamesExW, request direction.
 *
 * Same layout as the non-Ex request in this file: server handle, one
 * 32-bit value, and a unique pointer to a byte array, the latter two
 * shown under the generic "unknown" fields.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_long, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                               "BYTE pointer: unknown_BYTE", -1);
}
/*
 * DsrAddressToSiteNamesExW, reply direction: a unique pointer dissected
 * by netlogon_dissect_TYPE_52_ptr, then the NTSTATUS result code.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
                                 "TYPE_52 pointer: unknown_TYPE_52", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * One element of the site-name array: a counted string shown under
 * hf_netlogon_site_name.  cb_wstr_postprocess is installed as the
 * callback with CB_STR_COL_INFO | 1 as its argument.
 */
static int
netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_counted_string_cb(tvb, offset, pinfo, tree, di, drep,
                                         hf_netlogon_site_name,
                                         cb_wstr_postprocess,
                                         GINT_TO_POINTER(CB_STR_COL_INFO | 1));
}
/*
 * Array of site names: each element is dissected by
 * netlogon_dissect_site_name_item under dissect_ndr_ucarray.
 */
static int
netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_site_name_item);
}
/*
 * Site-names container: a 32-bit count followed by a unique pointer to
 * the site-name array.  The count is displayed only; it is not used to
 * bound the array walk in this function.
 */
static int
netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_count, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_site_name_array,
                               NDR_POINTER_UNIQUE,
                               "Site name array", -1);
}
/*
 * DsrGetDcSiteCoverageW, request direction: the server handle is the only
 * field dissected.
 */
static int
netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
}
/*
 * DsrGetDcSiteCoverageW, reply direction: a unique pointer to the site
 * names container, then the NTSTATUS result code.
 */
static int
netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
                                 "Site names", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * NetrLogonSamLogonEx, request direction.
 *
 * Fields dissected, in order: logon server name, computer name, 16-bit
 * logon level, the LEVEL union (ref pointer), 16-bit validation level and
 * the extra flags.  Unlike the other logon requests in this table no
 * AUTHENTICATOR is dissected here.
 *
 * The "#if 0" region is an older field layout kept for reference; it is
 * never compiled.
 */
static int
netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* Server and client names; both are shown under the computer-name field. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "LogonServer",
                                          hf_netlogon_computer_name, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    /* Logon level and the logon information it selects. */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level16, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
                                 "LEVEL: LogonLevel", -1);

    /* Validation level requested for the reply. */
    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_validation_level, NULL);

    offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);

#if 0
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "unknown string",
                                          hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "unknown string",
                                          hf_netlogon_unknown_string, 0);

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_short, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
                                 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_unknown_short, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                                 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
#endif
    return offset;
}
/*
 * NetrLogonSamLogonEx, reply direction.
 *
 * Fields dissected, in order: the VALIDATION union (ref pointer), the
 * 8-bit authoritative flag, the extra flags and the NTSTATUS result.
 *
 * The "#if 0" region is an older field layout kept for reference; it is
 * never compiled.
 */
static int
netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    /* Validation data returned for the logon. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
                                 "VALIDATION:", -1);

    offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
                               hf_netlogon_authoritative, NULL);

    offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);
#if 0
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
                                 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
                                 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                                 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);

    offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                              hf_netlogon_rc, NULL);
#endif
    return offset;
}
/*
 * NetrServerGetTrustInfo, request direction.
 *
 * Fields dissected, in order: server handle, account name (ref string),
 * secure channel type, computer name (ref string) and the client
 * AUTHENTICATOR.
 */
static int
netlogon_dissect_netrservergettrustinfo_rqst(tvbuff_t *tvb,
                                             int offset,
                                             packet_info *pinfo,
                                             proto_tree *tree,
                                             dcerpc_info *di,
                                             uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    /* Account whose trust information is requested. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Acct Name",
                                          hf_netlogon_acct_name, 0);

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                                                           pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Computer Name",
                                          hf_netlogon_computer_name, 0);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                               "AUTHENTICATOR: credential", -1);
}
/*
 * Referent of the UINT32 array pointer inside NL_GENERIC_RPC_DATA.
 *
 * Does nothing during the conformance run.  Otherwise each element is
 * dissected by netlogon_dissect_DOMAIN_TRUST_ATTRIBS.
 *
 * pinfo and drep carry the unused-parameter marker in the signature but
 * are in fact passed on to dissect_ndr_ucarray.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA_UINT32_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo _U_, proto_tree *tree,
                        dcerpc_info *di, uint8_t *drep _U_)
{
    if (!di->conformant_run) {
        offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_DOMAIN_TRUST_ATTRIBS);
    }

    return offset;
}
/*
 * One element of the string array inside NL_GENERIC_RPC_DATA.
 *
 * Does nothing during the conformance run.  Otherwise the element is a
 * counted string, shown under hf_netlogon_package_name with CB_STR_SAVE.
 * The original code carries a TODO here; the field handle looks borrowed
 * from another structure (NOTE(review): confirm the intended field).
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA_STRING(tvbuff_t *tvb, int offset,
                        packet_info *pinfo _U_, proto_tree *tree,
                        dcerpc_info *di, uint8_t *drep _U_)
{
    if (!di->conformant_run) {
        // TODO
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
                                            hf_netlogon_package_name,
                                            0|CB_STR_SAVE);
    }

    return offset;
}
/*
 * Referent of the string array pointer inside NL_GENERIC_RPC_DATA.
 *
 * Does nothing during the conformance run.  Otherwise each element is
 * dissected by netlogon_dissect_NL_GENERIC_RPC_DATA_STRING.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA_STRING_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo _U_, proto_tree *tree,
                        dcerpc_info *di, uint8_t *drep _U_)
{
    if (!di->conformant_run) {
        offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_NL_GENERIC_RPC_DATA_STRING);
    }

    return offset;
}
/*
 * NL_GENERIC_RPC_DATA, the trust_info structure returned by
 * NetrServerGetTrustInfo.
 *
 * Does nothing during the conformance run.  Otherwise a subtree is
 * opened (length -1, never narrowed afterwards) and two count/pointer
 * pairs are dissected under it: a 32-bit length with a unique pointer to
 * the UINT32 array, then a 32-bit length with a unique pointer to the
 * string array.  Both lengths are displayed only; they are not used to
 * bound the array walks in this function.
 */
static int
netlogon_dissect_NL_GENERIC_RPC_DATA(tvbuff_t *tvb, int offset,
                        packet_info *pinfo _U_, proto_tree *parent_tree,
                        dcerpc_info *di, uint8_t *drep _U_)
{
    proto_tree *subtree = NULL;
    proto_item *subtree_item = NULL;

    if (di->conformant_run) {
        /* Conformance pass only sizes arrays; there is nothing to show. */
        return offset;
    }

    if (parent_tree != NULL) {
        subtree = proto_tree_add_subtree(parent_tree, tvb, offset, -1,
                                         ett_NL_GENERIC_RPC_DATA, &subtree_item,
                                         "NL_GENERIC_RPC_DATA:");
    }

    /* First pair: element count, then the UINT32 array. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
                                hf_netlogon_trust_len, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, subtree, di, drep,
                                 netlogon_dissect_NL_GENERIC_RPC_DATA_UINT32_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "UINT32 ARRAY pointer: ", -1);

    /* Second pair: element count, then the string array. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
                                hf_netlogon_trust_len, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, subtree, di, drep,
                                 netlogon_dissect_NL_GENERIC_RPC_DATA_STRING_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "STRING ARRAY pointer: ", -1);

    return offset;
}
/*
 * NetrServerGetTrustInfo, reply direction.
 *
 * Fields dissected, in order: the return AUTHENTICATOR, the new and old
 * NT OWF password blobs, a unique pointer to NL_GENERIC_RPC_DATA
 * (trust_info) and the NTSTATUS result.
 *
 * Both password blobs are handed to netlogon_dissect_NT_OWF_PASSWORD;
 * how they are displayed is decided there, not in this function.
 */
static int
netlogon_dissect_netrservergettrustinfo_reply(tvbuff_t *tvb,
                                              int offset,
                                              packet_info *pinfo,
                                              proto_tree *tree,
                                              dcerpc_info *di,
                                              uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* Current and previous password hashes of the trust account. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_NT_OWF_PASSWORD, NDR_POINTER_REF,
                                 "NT_OWF_PASSWORD pointer: new_password", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_NT_OWF_PASSWORD, NDR_POINTER_REF,
                                 "NT_OWF_PASSWORD pointer: old_password", -1);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_NL_GENERIC_RPC_DATA,
                                 NDR_POINTER_UNIQUE,
                                 "NL_GENERIC_RPC_DATA pointer: trust_info", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
/*
 * DsrEnumerateDomainTrusts, request direction: server handle followed by
 * the domain trust flags.
 */
static int
netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    return netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
}
/*
 * DsrEnumerateDomainTrusts, reply direction: entry count, a unique
 * pointer to the DS_DOMAIN_TRUSTS array and the result code.
 *
 * NOTE(review): the result is read with dissect_ntstatus but attached to
 * hf_netlogon_dos_rc; confirm which error namespace that field is
 * registered with.
 */
static int
netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_entries, NULL);

    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY,
                                 NDR_POINTER_UNIQUE,
                                 "DS_DOMAIN_TRUSTS_ARRAY:", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_dos_rc, NULL);
}
/*
 * DsrDeregisterDnsHostRecords, request direction.
 *
 * Fields dissected, in order: server handle, domain name (unique
 * string), domain GUID and DSA GUID (both unique pointers) and the DNS
 * host name (ref string).
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);

    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_UNIQUE, "Domain",
                                          hf_netlogon_logon_dom, 0);

    /* Optional GUIDs identifying the domain and the DSA. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: domain_guid", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
                                 "GUID pointer: dsa_guid", -1);

    return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                        NDR_POINTER_REF, "dns_host",
                                        hf_netlogon_dns_host, 0);
}
/*
 * DsrDeregisterDnsHostRecords, reply direction: only the NTSTATUS result
 * code is dissected.
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
8516 * TODO
8517 * IDL long NetrChainSetClientAttributes(
8518 * IDL );
8520 NetrChainSetClientAttributes(
8521 [in,string,ref] LOGONSRV_HANDLE PrimaryName,
8522 [in,string,ref] wchar_t * ChainedFromServerName,
8523 [in,string,ref] wchar_t * ChainedForClientName,
8524 [in,ref] PNETLOGON_AUTHENTICATOR Authenticator,
8525 [in,out,ref] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
8526 [in] DWORD dwInVersion,
8527 [in,ref] [switch_is(dwInVersion)]
8528 NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES *pmsgIn,
8529 [in,out,ref] DWORD * pdwOutVersion,
8530 [in,out,ref] [switch_is(*pdwOutVersion)]
8531 NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES *pmsgOut
8534 typedef struct _NL_OSVERSIONINFO_V1{
8535 DWORD dwOSVersionInfoSize;
8536 DWORD dwMajorVersion;
8537 DWORD dwMinorVersion;
8538 DWORD dwBuildNumber;
8539 DWORD dwPlatformId;
8540 wchar_t szCSDVersion[128];
8541 USHORT wServicePackMajor;
8542 USHORT wServicePackMinor;
8543 USHORT wSuiteMask;
8544 UCHAR wProductType;
8545 UCHAR wReserved;
8546 } NL_OSVERSIONINFO_V1;
8547 typedef struct _NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1{
8548 [unique,string] wchar_t * ClientDnsHostName;
8549 [unique] NL_OSVERSIONINFO_V1 *OsVersionInfo_V1;
8550 [unique,string] wchar_t * OsName;
8551 } NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1;
8552 typedef [switch_type(DWORD)] union{
8553 [case(1)] NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1 V1;
8554 } NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES;
8555 typedef struct _NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1{
8556 [unique,string] wchar_t *HubName;
8557 [unique,string] wchar_t **OldDnsHostName;
8558 [unique] ULONG * SupportedEncTypes;
8559 } NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1;
8560 typedef [switch_type(DWORD)] union{
8561 [case(1)] NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 V1;
8562 } NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES;
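/*
 * NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES union: a 32-bit switch value followed
 * by the arm it selects.
 *
 * Only arm 1 is dissected, as a unique pointer handled by
 * netlogon_dissect_WORKSTATION_INFORMATION.  Any other switch value, which
 * comes straight from the capture, falls into the explicit default arm
 * and nothing further is consumed.
 *
 * The switch value is zero-initialised so that the switch never reads an
 * indeterminate value if the helper returns without writing it.
 *
 * NOTE(review): the tree label "LSA POLICY INFO" does not match the
 * structure being dissected; it looks copied from another call site.
 *
 * Returns the offset after the dissected fields.
 */
static int
netlogon_dissect_NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES(tvbuff_t *tvb, int offset,
                          packet_info *pinfo, proto_tree *tree,
                          dcerpc_info *di, uint8_t *drep)
{
    uint32_t level = 0;

    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, &level);
    switch (level) {
    case 1:
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                     netlogon_dissect_WORKSTATION_INFORMATION,
                                     NDR_POINTER_UNIQUE,
                                     "LSA POLICY INFO", -1);
        break;
    default:
        /* Unknown union arm: leave the remaining bytes undissected. */
        break;
    }

    return offset;
}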
/*
 * NetrChainSetClientAttributes, request direction.
 *
 * Fields dissected, in order: server handle string, ChainedFromServerName,
 * ChainedForClientName, the client AUTHENTICATOR, the return
 * AUTHENTICATOR, the input version, the input message pointer, the output
 * version and the output message pointer.
 *
 * Both message pointers are registered with a NULL referent callback, so
 * this function supplies no dissector for the union payloads.
 */
static int
netlogon_dissect_netrchainsetclientattributes_rqst(tvbuff_t *tvb, int offset,
                                                   packet_info *pinfo,
                                                   proto_tree *tree,
                                                   dcerpc_info *di,
                                                   uint8_t *drep)
{
    /* The three name strings. */
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "Server Handle",
                                          hf_netlogon_logonsrv_handle, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "ChainedFromServerName",
                                          hf_netlogon_computer_name, 0);
    offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
                                          NDR_POINTER_REF, "ChainedForClientName",
                                          hf_netlogon_computer_name, 0);

    /* Client authenticator, then the in/out return authenticator. */
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: credential", -1);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* in_version and the input message it selects. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 NULL, NDR_POINTER_REF,
                                 "IN_CHAIN_SET_CLIENT_ATTRIBUTES", -1);

    /* out_version and the output message it selects. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);

    return dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                               NULL, NDR_POINTER_REF,
                               "OUT_CHAIN_SET_CLIENT_ATTRIBUTES", -1);
}
/*
 * NetrChainSetClientAttributes, reply direction.
 *
 * Fields dissected, in order: the return AUTHENTICATOR, the output
 * version, the output message pointer and the NTSTATUS result.  The
 * message pointer is registered with a NULL referent callback, so this
 * function supplies no dissector for the union payload.
 */
static int
netlogon_dissect_netrchainsetclientattributes_reply(tvbuff_t *tvb, int offset,
                                                    packet_info *pinfo,
                                                    proto_tree *tree,
                                                    dcerpc_info *di,
                                                    uint8_t *drep)
{
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                                 "AUTHENTICATOR: return_authenticator", -1);

    /* out_version and the output message it selects. */
    offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
                                hf_netlogon_level, NULL);
    offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
                                 NULL, NDR_POINTER_REF,
                                 "OUT_CHAIN_SET_CLIENT_ATTRIBUTES", -1);

    return dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
                            hf_netlogon_rc, NULL);
}
8651 /* Dissect secure channel stuff */
/* NL_AUTH_MESSAGE header: message type and the flags word with its bits. */
static int hf_netlogon_secchan_nl_message_type;
static int hf_netlogon_secchan_nl_message_flags;
static int hf_netlogon_secchan_nl_message_flags_nb_domain;
static int hf_netlogon_secchan_nl_message_flags_nb_host;
static int hf_netlogon_secchan_nl_message_flags_dns_domain;
static int hf_netlogon_secchan_nl_message_flags_dns_host;
static int hf_netlogon_secchan_nl_message_flags_nb_host_utf8;

/* NL_AUTH_MESSAGE buffer: one optional name per flag bit. */
static int hf_netlogon_secchan_nl_nb_domain;
static int hf_netlogon_secchan_nl_nb_host;
static int hf_netlogon_secchan_nl_dns_domain;
static int hf_netlogon_secchan_nl_dns_host;
static int hf_netlogon_secchan_nl_nb_host_utf8;

/* Subtree handles for the secure-channel verifier and the auth message. */
static int ett_secchan_verf;
static int ett_secchan_nl_auth_message;
static int ett_secchan_nl_auth_message_flags;

/* Display names for the NL_AUTH_MESSAGE type field. */
static const value_string nl_auth_types[] = {
    { 0x00000000, "Request" },
    { 0x00000001, "Response" },
    { 0, NULL }
};
8677 /* MS-NRPC : 2.2.1.3.1 NL_AUTH_MESSAGE */
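/*
 * Dissect the NL_AUTH_MESSAGE carried in the auth blob of a DCE/RPC bind
 * exchange, then look up the Netlogon session state for this connection.
 *
 * Layout handled here: a 32-bit message type, a 32-bit flags word, and
 * one optional name per flag bit, in this order: NetBIOS domain, NetBIOS
 * host, DNS domain, DNS host, NetBIOS host (UTF-8).
 *
 * Input handling: the flags word comes straight from the capture and
 * decides which names are read.  The two NetBIOS names are NUL-terminated
 * strings sized by tvb_strsize(), which raises a tvb exception rather
 * than returning a length when no terminator is found.  The three other
 * names go through dissect_mscldap_string() with 255 as its length
 * argument.  This function does no raw buffer access of its own.
 *
 * After the names, the PDU type decides whether the message came from the
 * client or the server; unknown PDU types return early without a lookup.
 * When session state is found, an expert item reports the frame the key
 * was learned in, the key origin and the first four bytes of the session
 * key.  Only that prefix is shown, not the whole key.
 *
 * Changes from the previous version: di is no longer marked unused (it is
 * read for auth_info and ptype), the flags word is zero-initialised, and
 * the debug message prints wmem_map_size() with %u instead of %d to
 * match its unsigned return type.
 *
 * Returns the offset after the last name that was dissected.
 */
static int dissect_secchan_nl_auth_message(tvbuff_t *tvb, int offset,
                                           packet_info *pinfo,
                                           proto_tree *tree, dcerpc_info *di, uint8_t *drep)
{
    dcerpc_auth_info *auth_info = di->auth_info;
    proto_item *item = NULL;
    proto_tree *subtree = NULL;
    uint32_t messagetype;
    uint64_t messageflags = 0;
    static int * const flag_fields[] = {
        &hf_netlogon_secchan_nl_message_flags_nb_domain,
        &hf_netlogon_secchan_nl_message_flags_nb_host,
        &hf_netlogon_secchan_nl_message_flags_dns_domain,
        &hf_netlogon_secchan_nl_message_flags_dns_host,
        &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
        NULL
    };
    int len;
    netlogon_auth_vars *vars = NULL;
    unsigned char is_server;

    if (tree) {
        subtree = proto_tree_add_subtree(
            tree, tvb, offset, -1, ett_secchan_nl_auth_message, &item,
            "Secure Channel NL_AUTH_MESSAGE");
    }

    /* We can't use the NDR routines as the DCERPC call data hasn't
       been initialised since we haven't made a DCERPC call yet, just
       a bind request. */

    /* Type */
    offset = dissect_dcerpc_uint32(
        tvb, offset, pinfo, subtree, drep,
        hf_netlogon_secchan_nl_message_type, &messagetype);

    /* Flags */
    proto_tree_add_bitmask_ret_uint64(subtree, tvb, offset,
                                      hf_netlogon_secchan_nl_message_flags,
                                      ett_secchan_nl_auth_message_flags,
                                      flag_fields,
                                      (drep[0] & DREP_LITTLE_ENDIAN) ?
                                      ENC_LITTLE_ENDIAN :
                                      ENC_BIG_ENDIAN,
                                      &messageflags);
    offset += 4;

    /* Buffer */
    /* netbios domain name */
    if (messageflags&0x00000001) {
        len = tvb_strsize(tvb, offset);
        proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_domain, tvb, offset, len, ENC_ASCII);
        offset += len;
    }

    /* netbios host name */
    if (messageflags&0x00000002) {
        len = tvb_strsize(tvb, offset);
        proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_host, tvb, offset, len, ENC_ASCII);
        offset += len;
    }

    /* DNS domain name */
    if (messageflags&0x00000004) {
        int old_offset=offset;
        char *str;

        offset=dissect_mscldap_string(pinfo->pool, tvb, offset, 255, &str);
        proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_domain, tvb, old_offset, offset-old_offset, str);
    }

    /* DNS host name */
    if (messageflags&0x00000008) {
        int old_offset=offset;
        char *str;

        offset=dissect_mscldap_string(pinfo->pool, tvb, offset, 255, &str);
        proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_host, tvb, old_offset, offset-old_offset, str);
    }

    /* NetBios host name (UTF8) */
    if (messageflags&0x00000010) {
        int old_offset=offset;
        char *str;

        offset=dissect_mscldap_string(pinfo->pool, tvb, offset, 255, &str);
        proto_tree_add_string(subtree, hf_netlogon_secchan_nl_nb_host_utf8, tvb, old_offset, offset-old_offset, str);
    }

    /* Direction is derived from the PDU type, not from the message type
       field, which is under the sender's control. */
    switch (di->ptype) {
    case PDU_BIND:
    case PDU_ALTER:
    case PDU_AUTH3:
        is_server = 0;
        break;
    case PDU_BIND_ACK:
    case PDU_BIND_NAK:
    case PDU_ALTER_ACK:
    case PDU_FAULT:
        is_server = 1;
        break;
    default:
        /* Not part of a bind exchange: no session state to look up. */
        return offset;
    }

    vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
    if (vars != NULL) {
        /* Only a four-byte prefix of the session key is reported. */
        expert_add_info_format(pinfo, proto_tree_get_parent(subtree),
                               &ei_netlogon_session_key,
                               "Using session key learned in frame %d ("
                               "%02x%02x%02x%02x"
                               ") from %s",
                               vars->auth_fd_num,
                               vars->session_key[0] & 0xFF,
                               vars->session_key[1] & 0xFF,
                               vars->session_key[2] & 0xFF,
                               vars->session_key[3] & 0xFF,
                               vars->nthash.key_origin);
    }
    else
    {
        ws_debug("Vars not found (is null %d) %u (dissect_verf)",vars==NULL,wmem_map_size(netlogon_auths));
    }

    return offset;
}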
8806 /* Subdissectors */
8808 static const dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
8809 { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
8810 netlogon_dissect_netrlogonuaslogon_rqst,
8811 netlogon_dissect_netrlogonuaslogon_reply },
8812 { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
8813 netlogon_dissect_netrlogonuaslogoff_rqst,
8814 netlogon_dissect_netrlogonuaslogoff_reply },
8815 { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
8816 netlogon_dissect_netrlogonsamlogon_rqst,
8817 netlogon_dissect_netrlogonsamlogon_reply },
8818 { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
8819 netlogon_dissect_netrlogonsamlogoff_rqst,
8820 netlogon_dissect_netrlogonsamlogoff_reply },
8821 { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
8822 netlogon_dissect_netrserverreqchallenge_rqst,
8823 netlogon_dissect_netrserverreqchallenge_reply },
8824 { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
8825 netlogon_dissect_netrserverauthenticate_rqst,
8826 netlogon_dissect_netrserverauthenticate_reply },
8827 { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
8828 netlogon_dissect_netrserverpasswordset_rqst,
8829 netlogon_dissect_netrserverpasswordset_reply },
8830 { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
8831 netlogon_dissect_netrdatabasedeltas_rqst,
8832 netlogon_dissect_netrdatabasedeltas_reply },
8833 { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
8834 netlogon_dissect_netrdatabasesync_rqst,
8835 netlogon_dissect_netrdatabasesync_reply },
8836 { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
8837 netlogon_dissect_netraccountdeltas_rqst,
8838 netlogon_dissect_netraccountdeltas_reply },
8839 { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
8840 netlogon_dissect_netraccountsync_rqst,
8841 netlogon_dissect_netraccountsync_reply },
8842 { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
8843 netlogon_dissect_netrgetdcname_rqst,
8844 netlogon_dissect_netrgetdcname_reply },
8845 { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
8846 netlogon_dissect_netrlogoncontrol_rqst,
8847 netlogon_dissect_netrlogoncontrol_reply },
8848 { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
8849 netlogon_dissect_netrgetanydcname_rqst,
8850 netlogon_dissect_netrgetanydcname_reply },
8851 { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
8852 netlogon_dissect_netrlogoncontrol2_rqst,
8853 netlogon_dissect_netrlogoncontrol2_reply },
8854 { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
8855 netlogon_dissect_netrserverauthenticate2_rqst,
8856 netlogon_dissect_netrserverauthenticate2_reply },
8857 { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
8858 netlogon_dissect_netrdatabasesync2_rqst,
8859 netlogon_dissect_netrdatabasesync2_reply },
8860 { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
8861 netlogon_dissect_netrdatabaseredo_rqst,
8862 netlogon_dissect_netrdatabaseredo_reply },
8863 { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
8864 netlogon_dissect_netrlogoncontrol2ex_rqst,
8865 netlogon_dissect_netrlogoncontrol2ex_reply },
8866 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
8867 netlogon_dissect_netrenumeratetrusteddomains_rqst,
8868 netlogon_dissect_netrenumeratetrusteddomains_reply },
8869 { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
8870 netlogon_dissect_dsrgetdcname_rqst,
8871 netlogon_dissect_dsrgetdcname_reply },
8872 { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonGetCapabilities",
8873 netlogon_dissect_netrlogondummyroutine1_rqst,
8874 netlogon_dissect_netrlogondummyroutine1_reply },
8875 { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
8876 netlogon_dissect_netrlogonsetservicebits_rqst,
8877 netlogon_dissect_netrlogonsetservicebits_reply },
8878 { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
8879 netlogon_dissect_netrlogongettrustrid_rqst,
8880 netlogon_dissect_netrlogongettrustrid_reply },
8881 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
8882 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
8883 netlogon_dissect_netrlogoncomputeserverdigest_reply },
8884 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
8885 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
8886 netlogon_dissect_netrlogoncomputeclientdigest_reply },
8887 { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
8888 netlogon_dissect_netrserverauthenticate3_rqst,
8889 netlogon_dissect_netrserverauthenticate3_reply },
8890 { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
8891 netlogon_dissect_dsrgetdcnameex_rqst,
8892 netlogon_dissect_dsrgetdcnameex_reply },
8893 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
8894 netlogon_dissect_dsrgetsitename_rqst,
8895 netlogon_dissect_dsrgetsitename_reply },
8896 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
8897 netlogon_dissect_netrlogongetdomaininfo_rqst,
8898 netlogon_dissect_netrlogongetdomaininfo_reply },
8899 { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
8900 netlogon_dissect_netrserverpasswordset2_rqst,
8901 netlogon_dissect_netrserverpasswordset2_reply },
8902 { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
8903 netlogon_dissect_netrserverpasswordget_rqst,
8904 netlogon_dissect_netrserverpasswordget_reply },
8905 { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
8906 netlogon_dissect_netrlogonsendtosam_rqst,
8907 netlogon_dissect_netrlogonsendtosam_reply },
8908 { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
8909 netlogon_dissect_dsraddresstositenamesw_rqst,
8910 netlogon_dissect_dsraddresstositenamesw_reply },
8911 { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
8912 netlogon_dissect_dsrgetdcnameex2_rqst,
8913 netlogon_dissect_dsrgetdcnameex2_reply },
8914 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
8915 "NetrLogonGetTimeServiceParentDomain",
8916 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
8917 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
8918 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
8919 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
8920 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
8921 { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
8922 netlogon_dissect_dsraddresstositenamesexw_rqst,
8923 netlogon_dissect_dsraddresstositenamesexw_reply },
8924 { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
8925 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
8926 netlogon_dissect_dsrgetdcsitecoveragew_reply },
8927 { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
8928 netlogon_dissect_netrlogonsamlogonex_rqst,
8929 netlogon_dissect_netrlogonsamlogonex_reply },
8930 { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
8931 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
8932 netlogon_dissect_dsrenumeratedomaintrusts_reply },
8933 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
8934 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
8935 netlogon_dissect_dsrderegisterdnshostrecords_reply },
8936 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
8937 NULL, NULL },
8938 { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
8939 NULL, NULL },
8940 { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
8941 NULL, NULL },
8942 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
8943 netlogon_dissect_netrlogonsamlogonflags_rqst,
8944 netlogon_dissect_netrlogonsamlogonflags_reply },
8945 { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
8946 netlogon_dissect_netrservergettrustinfo_rqst,
8947 netlogon_dissect_netrservergettrustinfo_reply },
8948 { NETLOGON_DSRUPDATEREADONLYSERVERDNSRECORDS, "DsrUpdateReadOnlyServerDnsRecords",
8949 NULL, NULL },
8950 { NETLOGON_NETRCHAINSETCLIENTATTRIBUTES, "NetrChainSetClientAttributes",
8951 netlogon_dissect_netrchainsetclientattributes_rqst,
8952 netlogon_dissect_netrchainsetclientattributes_reply },
8953 { NETLOGON_NETRSERVERAUTHENTICATEKERBEROS, "NetrServerAuthenticateKerberos",
8954 netlogon_dissect_netrserverauthenticatekerberos_rqst,
8955 netlogon_dissect_netrserverauthenticatekerberos_reply },
8956 {0, NULL, NULL, NULL }
/*
 * Header-field handles for the secure channel verifier; every one of them
 * except the signalg/sealalg pair is referenced by dissect_secchan_verf()
 * further down in this file.
 */
static int hf_netlogon_secchan_verf;
static int hf_netlogon_secchan_verf_signalg;
static int hf_netlogon_secchan_verf_sealalg;
static int hf_netlogon_secchan_verf_flag;
static int hf_netlogon_secchan_verf_digest;
static int hf_netlogon_secchan_verf_seq;
static int hf_netlogon_secchan_verf_nonce;

/*
 * Display names for the 16-bit signature algorithm identifier.
 * NOTE(review): presumably attached to hf_netlogon_secchan_verf_signalg in
 * the field registration, which is outside this listing - confirm.
 */
static const value_string sign_algs[] = {
    { 0x0077, "HMAC-MD5"},
    { 0x0013, "HMAC-SHA256"},
    { 0,      NULL}
};

/*
 * Display names for the 16-bit seal (encryption) algorithm identifier.
 * 0xFFFF marks a verifier whose payload is not encrypted.
 */
static const value_string seal_algs[] = {
    { 0xFFFF, "Not Encrypted"},
    { 0x007A, "RC4"},
    { 0x001A, "AES-128"},
    { 0,      NULL}
};
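/*
 * Derive the sealing key from a Netlogon session key by XOR-ing each byte
 * with 0xF0.
 *
 * session_key: at least 16 readable bytes; the first 16 are compared with
 *              an all-zero key, which is treated as "no session key known".
 * key_len:     number of bytes to derive, at most 16.
 * seal_key:    output buffer of 16 bytes; it is always zeroed first.
 *
 * Returns 1 when a key was derived, 0 when the session key is all zero or
 * key_len does not fit the 16-byte output buffer.
 */
static int get_seal_key(const uint8_t *session_key,int key_len,uint8_t* seal_key)
{
    enum { SEAL_KEY_LEN = 16 };
    static const uint8_t zero_sk[SEAL_KEY_LEN] = { 0 };

    memset(seal_key, 0, SEAL_KEY_LEN);

    /*
     * The memset above fixes the output size at 16 bytes, so a larger
     * key_len would read and write past both buffers.
     */
    if (key_len > SEAL_KEY_LEN) {
        return 0;
    }

    if (memcmp(session_key, zero_sk, SEAL_KEY_LEN) == 0) {
        return 0;
    }

    for (int i = 0; i < key_len; i++) {
        seal_key[i] = (uint8_t)(session_key[i] ^ 0xF0);
    }
    return 1;
}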
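/*
 * Decrypt the 8-byte sequence number of a secure channel verifier with
 * AES-128 in CFB8 mode.
 *
 * session_key: 16-byte key handed to the cipher.
 * checksum:    8-byte value from the verifier; it is written twice,
 *              back to back, to form the 16-byte IV.
 * enc_seq:     encrypted sequence number, decrypted in place on the
 *              by-value copy.
 * is_server:   not used here.
 *
 * Returns the decrypted sequence number, or 0 when any libgcrypt call
 * fails. 0 is an in-band failure value: the caller cannot tell it apart
 * from a sequence number that decrypts to 0.
 */
static uint64_t uncrypt_sequence_aes(uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U_)
{
    gcry_error_t err;
    gcry_cipher_hd_t cipher_hd = NULL;
    uint8_t iv[16] = { 0 };
    uint64_t seq = 0; /* stays 0 unless the decryption succeeds */

    memcpy(&iv[0], (uint8_t*)&checksum, 8);
    memcpy(&iv[8], (uint8_t*)&checksum, 8);

    /* Open the cipher; nothing to release yet if this fails */
    err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
    if (err != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        return 0;
    }

    /* Set the initial value */
    err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
    if (err != 0) {
        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto out;
    }

    /* Set the key */
    err = gcry_cipher_setkey(cipher_hd, session_key, 16);
    if (err != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto out;
    }

    err = gcry_cipher_decrypt(cipher_hd, (uint8_t*) &enc_seq, 8, NULL, 0);
    if (err != 0) {
        /* The failing call is a decryption; the log line used to say "encrypt" */
        ws_warning("GCRY: decrypt %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        goto out;
    }
    seq = enc_seq;

out:
    /* Done with the cipher, on success and on every failure after open */
    gcry_cipher_close(cipher_hd);
    return seq;
}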
/*
 * Decrypt the 8-byte sequence number of a secure channel verifier on the
 * legacy HMAC-MD5 / RC4 path.
 *
 * The RC4 key is built in two steps: HMAC-MD5 over four zero bytes keyed
 * with the 16-byte session key, then HMAC-MD5 over the 8-byte checksum
 * keyed with that first digest.
 *
 * Returns 0 when either HMAC step fails. When opening the cipher or
 * setting its key fails, enc_seq is returned as it came in, still
 * encrypted - unlike the AES variant, which returns 0 on every failure.
 * is_server is not used by the active code.
 */
static uint64_t uncrypt_sequence_md5(uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U_)
{
    uint8_t four_zeros[4] = { 0 };
    uint8_t inner_digest[HASH_MD5_LENGTH];
    uint8_t rc4_key[HASH_MD5_LENGTH];
    gcry_cipher_hd_t rc4;
    uint8_t *seq_bytes = (uint8_t*) &enc_seq;

    if (ws_hmac_buffer(GCRY_MD_MD5, inner_digest, four_zeros, 4, session_key, 16) != 0) {
        return 0;
    }

    if (ws_hmac_buffer(GCRY_MD_MD5, rc4_key, (uint8_t*)&checksum, 8, inner_digest, HASH_MD5_LENGTH) != 0) {
        return 0;
    }

    if (gcry_cipher_open(&rc4, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0) == 0) {
        if (gcry_cipher_setkey(rc4, rc4_key, HASH_MD5_LENGTH) == 0) {
            gcry_cipher_decrypt(rc4, seq_bytes, 8, NULL, 0);
        }
        gcry_cipher_close(rc4);
    }

    /*
     * Disabled in the original: a swap of the two 32-bit halves of the
     * sequence, followed by clearing the top bit of the first byte for
     * client packets (*p_seq & 0x7F when !is_server).
     * NOTE(review): the listing drops the line that closes this disabled
     * block; it is taken to end just before the return - confirm against
     * the repository.
     */
    return enc_seq;
}
/*
 * Decrypt a verifier sequence number with the algorithm selected by the
 * negotiated flags: the AES routine when NETLOGON_FLAG_AES is set, the
 * HMAC-MD5/RC4 routine otherwise. All other arguments are passed through
 * unchanged and the chosen routine's result is returned.
 */
static uint64_t uncrypt_sequence(uint32_t flags, uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U_)
{
    const bool aes_negotiated = (flags & NETLOGON_FLAG_AES) != 0;

    return aes_negotiated
        ? uncrypt_sequence_aes(session_key, checksum, enc_seq, is_server)
        : uncrypt_sequence_md5(session_key, checksum, enc_seq, is_server);
}
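/*
 * Open an AES-128/CFB8 cipher handle ready to decrypt secure channel
 * payload data.
 *
 * vars:       supplies the sequence value (vars->seq), written twice to
 *             form the 16-byte IV, and the 16-byte vars->encryption_key.
 * _cipher_hd: receives the open handle on success; the caller closes it.
 *             It is not written on failure.
 *
 * Returns 0 on success, otherwise the libgcrypt error. The error paths
 * used to return 0, which told the caller the handle was usable while
 * *_cipher_hd had not been set; they now report the failure the same way
 * prepare_decryption_cipher_md5() does.
 */
static gcry_error_t prepare_decryption_cipher_aes(netlogon_auth_vars *vars,
                                                  gcry_cipher_hd_t *_cipher_hd)
{
    gcry_error_t err;
    gcry_cipher_hd_t cipher_hd = NULL;
    uint64_t sequence = vars->seq;

    uint8_t iv[16] = { 0 };

    memcpy(&iv[0], (uint8_t*)&sequence, 8);
    memcpy(&iv[8], (uint8_t*)&sequence, 8);

    /* Open the cipher */
    err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
    if (err != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        return err;
    }

    /* Set the initial value */
    err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
    if (err != 0) {
        ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        gcry_cipher_close(cipher_hd);
        return err;
    }

    /* Set the key */
    err = gcry_cipher_setkey(cipher_hd, vars->encryption_key, 16);
    if (err != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
        gcry_cipher_close(cipher_hd);
        return err;
    }

    *_cipher_hd = cipher_hd;
    return 0;
}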
/*
 * Open an RC4 cipher handle ready to decrypt secure channel payload data
 * on the legacy HMAC-MD5 path.
 *
 * The RC4 key is HMAC-MD5 over the 8-byte sequence value (vars->seq),
 * keyed with an intermediate digest: HMAC-MD5 over four zero bytes keyed
 * with the 16-byte vars->encryption_key.
 *
 * _cipher_hd receives the open handle on success (the caller closes it)
 * and is not written on failure. Returns 0 on success, otherwise the
 * error of the step that failed.
 */
static gcry_error_t prepare_decryption_cipher_md5(netlogon_auth_vars *vars,
                                                  gcry_cipher_hd_t *_cipher_hd)
{
    uint8_t four_zeros[4] = { 0 };
    uint8_t inner_digest[HASH_MD5_LENGTH] = { 0 };
    uint8_t rc4_key[16] = { 0 };
    uint64_t seq = vars->seq;
    gcry_cipher_hd_t hd = NULL;
    gcry_error_t rc;

    /* Step 1: intermediate digest from the encryption key */
    rc = ws_hmac_buffer(GCRY_MD_MD5, inner_digest, four_zeros, 4, vars->encryption_key, 16);
    if (rc != 0) {
        ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    /* Step 2: per-packet RC4 key from the sequence value */
    rc = ws_hmac_buffer(GCRY_MD_MD5, rc4_key, (uint8_t*)&seq, 8, inner_digest, HASH_MD5_LENGTH);
    if (rc != 0) {
        ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    /* Open the cipher */
    rc = gcry_cipher_open(&hd, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0);
    if (rc != 0) {
        ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        return rc;
    }

    /* Set the key; the handle is released here if that fails */
    rc = gcry_cipher_setkey(hd, rc4_key, 16);
    if (rc != 0) {
        ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(rc), gcry_strerror(rc));
        gcry_cipher_close(hd);
        return rc;
    }

    *_cipher_hd = hd;
    return 0;
}
/*
 * Prepare the payload decryption cipher for a secure channel session.
 *
 * *_cipher_hd is cleared first, then the AES helper is used when
 * NETLOGON_FLAG_AES is set in vars->flags and the HMAC-MD5/RC4 helper
 * otherwise. The helper's return value is passed back unchanged.
 */
static gcry_error_t prepare_decryption_cipher(netlogon_auth_vars *vars,
                                              gcry_cipher_hd_t *_cipher_hd)
{
    *_cipher_hd = NULL;

    return (vars->flags & NETLOGON_FLAG_AES)
        ? prepare_decryption_cipher_aes(vars, _cipher_hd)
        : prepare_decryption_cipher_md5(vars, _cipher_hd);
}
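/*
 * Decrypt the sealed payload of a secure channel PDU.
 *
 * tvb/offset: encrypted payload; everything captured from offset onward
 *             is decrypted.
 * pinfo:      packet context; the decrypted copy is allocated from
 *             pinfo->pool.
 * auth_info:  used to look up the per-session netlogon_auth_vars.
 * is_server:  non-zero for responses, zero for requests.
 *
 * Returns a child tvb holding the decrypted bytes, or NULL when no session
 * state is found, the session key is not known, or a cipher step fails.
 * The caller adds the returned tvb as a data source.
 */
static tvbuff_t *
dissect_packet_data(tvbuff_t *tvb ,tvbuff_t *auth_tvb _U_,
                    int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info _U_,unsigned char is_server)
{
    netlogon_auth_vars *vars;
    gcry_error_t err;
    gcry_cipher_hd_t cipher_hd = NULL;
    uint64_t copyconfounder;
    uint8_t *decrypted;
    int data_len;

    vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
    if (vars == NULL) {
        ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths));
        return NULL;
    }

    if (!vars->can_decrypt) {
        ws_debug("Session key not found can't decrypt ...");
        return NULL;
    }

    data_len = tvb_captured_length_remaining(tvb,offset);
    if (data_len < 0) {
        return NULL;
    }

    /*
     * Copy the payload before a cipher handle exists, so that nothing
     * needs releasing should the copy fail.
     */
    decrypted = (uint8_t*)tvb_memdup(pinfo->pool, tvb, offset,data_len);

    err = prepare_decryption_cipher(vars, &cipher_hd);
    if (err != 0) {
        ws_warning("GCRY: prepare_decryption_cipher %s/%s",
                   gcry_strsource(err), gcry_strerror(err));
        return NULL;
    }
    if (cipher_hd == NULL) {
        /* Never hand a missing handle to libgcrypt, whatever the helper reported */
        ws_warning("GCRY: prepare_decryption_cipher returned no cipher handle");
        return NULL;
    }

    /* The confounder is decrypted first, on a local copy that is then discarded */
    copyconfounder = vars->confounder;
    err = gcry_cipher_decrypt(cipher_hd, (uint8_t*)&copyconfounder, 8, NULL, 0);
    if (err != 0) {
        ws_warning("GCRY: decrypt confounder %s/%s",
                   gcry_strsource(err), gcry_strerror(err));
        gcry_cipher_close(cipher_hd);
        return NULL;
    }

    /* On the non-AES path the cipher is reset before the payload is decrypted */
    if (!(vars->flags & NETLOGON_FLAG_AES)) {
        gcry_cipher_reset(cipher_hd);
    }

    /* An empty payload has nothing to decrypt and still yields an empty tvb */
    if (data_len > 0) {
        err = gcry_cipher_decrypt(cipher_hd, decrypted, data_len, NULL, 0);
    }
    gcry_cipher_close(cipher_hd);
    if (err != 0) {
        ws_warning("GCRY: decrypt payload %s/%s",
                   gcry_strsource(err), gcry_strerror(err));
        return NULL;
    }

    /* Note: caller does add_new_data_source(...) */
    return tvb_new_child_real_data(tvb, decrypted, data_len, data_len);
}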
/*
 * Payload decryption entry point for requests: decrypts payload_tvb from
 * offset 0 with the client direction (is_server = 0). header_tvb and
 * trailer_tvb are not used.
 */
static tvbuff_t* dissect_request_data(tvbuff_t *header_tvb _U_,
                                      tvbuff_t *payload_tvb,
                                      tvbuff_t *trailer_tvb _U_,
                                      tvbuff_t *auth_tvb,
                                      packet_info *pinfo,
                                      dcerpc_auth_info *auth_info)
{
    const int payload_start = 0;
    const unsigned char from_server = 0;

    return dissect_packet_data(payload_tvb, auth_tvb, payload_start,
                               pinfo, auth_info, from_server);
}
/*
 * Payload decryption entry point for responses: decrypts payload_tvb from
 * offset 0 with the server direction (is_server = 1). header_tvb and
 * trailer_tvb are not used.
 */
static tvbuff_t* dissect_response_data(tvbuff_t *header_tvb _U_,
                                       tvbuff_t *payload_tvb,
                                       tvbuff_t *trailer_tvb _U_,
                                       tvbuff_t *auth_tvb,
                                       packet_info *pinfo,
                                       dcerpc_auth_info *auth_info)
{
    const int payload_start = 0;
    const unsigned char from_server = 1;

    return dissect_packet_data(payload_tvb, auth_tvb, payload_start,
                               pinfo, auth_info, from_server);
}
/* MS-NRPC 2.2.1.3.2 */
/*
 * Dissect the secure channel verifier and refresh the per-session
 * decryption state from it.
 *
 * The verifier fields are added to the tree only when this frame has not
 * just been handled (tracked through the file-level `seen` state); in that
 * case the confounder and the decrypted sequence number are also stored in
 * the session's netlogon_auth_vars. The seal key is re-derived from the
 * session key on every call.
 *
 * Returns the offset after the fields that were dissected, or the offset
 * passed in when the field dissection was skipped.
 */
static int
dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo,
                     proto_tree *tree, uint8_t *drep,
                     dcerpc_auth_info *auth_info,
                     unsigned char is_server)
{
    netlogon_auth_vars *auth_vars;
    proto_item *verf_item = NULL;
    proto_tree *verf_tree = NULL;
    uint64_t seq_enc;
    uint64_t checksum = 0;
    uint64_t nonce = 0;
    bool fields_parsed = false;
    const bool already_seen = seen.isseen && seen.num == pinfo->num;

    if (!already_seen) {
        /*
         * Create a new tree, and split into x components ...
         */
        verf_item = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
                                        offset, -1, ENC_NA);
        verf_tree = proto_item_add_subtree(verf_item, ett_secchan_verf);

        proto_tree_add_item(verf_tree, hf_netlogon_secchan_verf_signalg, tvb,
                            offset, 2, ENC_LITTLE_ENDIAN);
        proto_tree_add_item(verf_tree, hf_netlogon_secchan_verf_sealalg, tvb,
                            offset+2, 2, ENC_LITTLE_ENDIAN);
        /* 2 pad bytes */
        proto_tree_add_item(verf_tree, hf_netlogon_secchan_verf_flag, tvb,
                            offset+6, 2, ENC_NA);
        offset += 8;

        offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, verf_tree, drep,
                                       hf_netlogon_secchan_verf_seq, &seq_enc);

        offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, verf_tree, drep,
                                       hf_netlogon_secchan_verf_digest, &checksum);

        /* The nonce is only present in some cases: when the data/signature
         * are encrypted ("integrity/seal" in MS language) */
        if (tvb_bytes_exist(tvb, offset, 8)) {
            offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, verf_tree, drep,
                                           hf_netlogon_secchan_verf_nonce, &nonce);
        }
        fields_parsed = true;
    }

    seen.isseen = true;
    seen.num = pinfo->num;

    auth_vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
    if (auth_vars == NULL) {
        ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths));
        return(offset);
    }

    /* Only values read from this frame may overwrite the stored state */
    if (fields_parsed) {
        auth_vars->confounder = nonce;
        auth_vars->seq = uncrypt_sequence(auth_vars->flags, auth_vars->session_key,
                                          checksum, seq_enc, is_server);
    }

    /* can_decrypt is only ever switched on here, never cleared */
    if (!get_seal_key(auth_vars->session_key, 16, auth_vars->encryption_key)) {
        ws_debug("get seal key returned 0");
    } else {
        auth_vars->can_decrypt = true;
    }

    if (auth_vars->can_decrypt) {
        /*
         * The first four bytes of the session key are written into the
         * expert info text, so they appear wherever the dissection output
         * is shown or exported.
         */
        expert_add_info_format(pinfo, proto_tree_get_parent(verf_tree),
                               &ei_netlogon_session_key,
                               "Using session key learned in frame %d ("
                               "%02x%02x%02x%02x"
                               ") from %s",
                               auth_vars->auth_fd_num,
                               auth_vars->session_key[0] & 0xFF, auth_vars->session_key[1] & 0xFF,
                               auth_vars->session_key[2] & 0xFF, auth_vars->session_key[3] & 0xFF,
                               auth_vars->nthash.key_origin);
    }

    return offset;
}
/*
 * Verifier dissection entry point for requests: forwards to
 * dissect_secchan_verf() with di->auth_info and the client direction
 * (is_server = 0). di is dereferenced here even though it carries the
 * unused-parameter marker.
 */
static int
dissect_request_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
                             proto_tree *tree, dcerpc_info *di _U_, uint8_t *drep )
{
    const unsigned char from_server = 0;

    return dissect_secchan_verf(tvb, offset, pinfo, tree, drep,
                                di->auth_info, from_server);
}
/*
 * Verifier dissection entry point for responses: forwards to
 * dissect_secchan_verf() with di->auth_info and the server direction
 * (is_server = 1). di is dereferenced here even though it carries the
 * unused-parameter marker.
 */
static int
dissect_response_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
                              proto_tree *tree, dcerpc_info *di _U_, uint8_t *drep )
{
    const unsigned char from_server = 1;

    return dissect_secchan_verf(tvb, offset, pinfo, tree, drep,
                                di->auth_info, from_server);
}
9339 void
9340 proto_register_dcerpc_netlogon(void)
9343 static hf_register_info hf[] = {
9344 { &hf_netlogon_opnum,
9345 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
9346 NULL, 0x0, NULL, HFILL }},
9348 { &hf_netlogon_rc, {
9349 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
9350 &NT_errors_ext, 0x0, "Netlogon return code", HFILL }},
9352 { &hf_netlogon_dos_rc,
9353 { "DOS error code", "netlogon.dos.rc", FT_UINT32,
9354 BASE_HEX | BASE_EXT_STRING, &DOS_errors_ext, 0x0, NULL, HFILL}},
9356 { &hf_netlogon_werr_rc,
9357 { "WERR error code", "netlogon.werr.rc", FT_UINT32,
9358 BASE_HEX | BASE_EXT_STRING, &WERR_errors_ext, 0x0, NULL, HFILL}},
9360 { &hf_netlogon_param_ctrl, {
9361 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
9362 NULL, 0x0, NULL, HFILL }},
9364 { &hf_netlogon_logon_id, {
9365 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
9366 NULL, 0x0, NULL, HFILL }},
9368 { &hf_netlogon_modify_count, {
9369 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
9370 NULL, 0x0, "How many times the object has been modified", HFILL }},
9372 { &hf_netlogon_security_information, {
9373 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
9374 NULL, 0x0, NULL, HFILL }},
9376 { &hf_netlogon_count, {
9377 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
9378 NULL, 0x0, NULL, HFILL }},
9380 { &hf_netlogon_entries, {
9381 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
9382 NULL, 0x0, NULL, HFILL }},
9384 { &hf_netlogon_credential, {
9385 "Credential", "netlogon.credential", FT_BYTES, BASE_NONE,
9386 NULL, 0x0, "Netlogon Credential", HFILL }},
9388 { &hf_netlogon_challenge, {
9389 "Challenge", "netlogon.challenge", FT_BYTES, BASE_NONE,
9390 NULL, 0x0, "Netlogon challenge", HFILL }},
9392 { &hf_netlogon_lm_owf_password, {
9393 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_NONE,
9394 NULL, 0x0, "LanManager OWF Password", HFILL }},
9396 { &hf_netlogon_user_session_key, {
9397 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_NONE,
9398 NULL, 0x0, NULL, HFILL }},
9400 { &hf_netlogon_encrypted_lm_owf_password, {
9401 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_NONE,
9402 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
9404 { &hf_netlogon_nt_owf_password, {
9405 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_NONE,
9406 NULL, 0x0, "NT OWF Password", HFILL }},
9408 { &hf_netlogon_blob, {
9409 "BLOB", "netlogon.blob", FT_BYTES, BASE_NONE,
9410 NULL, 0x0, NULL, HFILL }},
9412 { &hf_netlogon_len, {
9413 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
9414 NULL, 0, "Length", HFILL }},
9416 { &hf_netlogon_password_version_reserved, {
9417 "ReservedField", "netlogon.password_version.reservedfield", FT_UINT32, BASE_HEX,
9418 NULL, 0, "ReservedField zero", HFILL }},
9420 { &hf_netlogon_password_version_number, {
9421 "PasswordVersionNumber", "netlogon.password_version.reservedfield", FT_UINT32, BASE_HEX,
9422 NULL, 0, "PasswordVersionNumber trust", HFILL }},
9424 { &hf_netlogon_password_version_present, {
9425 "PasswordVersionPresent", "netlogon.password_version.reservedfield", FT_UINT32, BASE_HEX,
9426 NULL, 0, "PasswordVersionPresent magic", HFILL }},
9428 { &hf_netlogon_priv, {
9429 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
9430 NULL, 0, NULL, HFILL }},
9432 { &hf_netlogon_privilege_entries, {
9433 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
9434 NULL, 0, NULL, HFILL }},
9436 { &hf_netlogon_privilege_control, {
9437 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
9438 NULL, 0, NULL, HFILL }},
9440 { &hf_netlogon_privilege_name, {
9441 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_NONE,
9442 NULL, 0, NULL, HFILL }},
9444 { &hf_netlogon_pdc_connection_status, {
9445 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
9446 NULL, 0, NULL, HFILL }},
9448 { &hf_netlogon_tc_connection_status, {
9449 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
9450 NULL, 0, NULL, HFILL }},
9452 { &hf_netlogon_attrs, {
9453 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
9454 NULL, 0, NULL, HFILL }},
9456 #if 0
9457 { &hf_netlogon_lsapolicy_referentid,
9458 { "Referent ID", "netlogon.lsapolicy.referentID", FT_UINT32, BASE_HEX,
9459 NULL, 0x0, NULL, HFILL }},
9460 #endif
9462 { &hf_netlogon_lsapolicy_len,
9463 { "Length", "netlogon.lsapolicy.length", FT_UINT32, BASE_DEC,
9464 NULL, 0x0, "Length of the policy buffer", HFILL }},
9466 #if 0
9467 { &hf_netlogon_lsapolicy_pointer,
9468 { "Pointer", "netlogon.lsapolicy.pointer", FT_BYTES, BASE_NONE,
9469 NULL, 0x0, "Pointer to LSA POLICY", HFILL }},
9470 #endif
9472 { &hf_netlogon_unknown_string,
9473 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
9474 NULL, 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL }},
9476 { &hf_netlogon_new_password,
9477 { "New Password", "netlogon.new_password", FT_STRING, BASE_NONE,
9478 NULL, 0, "New Password for Computer or Trust", HFILL }},
9480 { &hf_netlogon_TrustedDomainName_string,
9481 { "TrustedDomainName", "netlogon.TrustedDomainName", FT_STRING, BASE_NONE,
9482 NULL, 0, "TrustedDomainName string.", HFILL }},
9484 { &hf_netlogon_UserName_string,
9485 { "UserName", "netlogon.UserName", FT_STRING, BASE_NONE,
9486 NULL, 0, "UserName string.", HFILL }},
9488 { &hf_netlogon_dummy_string,
9489 { "Dummy String", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9490 NULL, 0, "Dummy String. Used is reserved for next evolutions.", HFILL }},
9492 { &hf_netlogon_trust_extension,
9493 { "Trust extension", "netlogon.trust.extension", FT_STRING, BASE_NONE,
9494 NULL, 0, "Trusts extension.", HFILL }},
9496 { &hf_netlogon_trust_offset,
9497 { "Offset", "netlogon.trust.extension_offset", FT_UINT32, BASE_DEC,
9498 NULL, 0, "Trusts extension.", HFILL }},
9500 { &hf_netlogon_trust_len,
9501 { "Length", "netlogon.trust.extension_length", FT_UINT32, BASE_DEC,
9502 NULL, 0, NULL, HFILL }},
9504 { &hf_netlogon_trust_max,
9505 { "Max Count", "netlogon.trust.extension.maxcount", FT_UINT32, BASE_DEC,
9506 NULL, 0, NULL, HFILL }},
9508 { &hf_netlogon_opaque_buffer_enc,
9509 { "Encrypted", "netlogon.sendtosam.opaquebuffer.enc", FT_BYTES, BASE_NONE,
9510 NULL, 0x0, "OpaqueBuffer (Encrypted)", HFILL }},
9512 { &hf_netlogon_opaque_buffer_dec,
9513 { "Decrypted", "netlogon.sendtosam.opaquebuffer.dec", FT_BYTES, BASE_NONE,
9514 NULL, 0x0, "OpaqueBuffer (Decrypted)", HFILL }},
9516 { &hf_netlogon_opaque_buffer_size,
9517 { "OpaqueBufferSize", "netlogon.sendtosam.opaquebuffer.size", FT_UINT32, BASE_HEX,
9518 NULL, 0x0, "Size of the OpaqueBuffer", HFILL }},
9520 { &hf_netlogon_dummy_string2,
9521 { "Dummy String2", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9522 NULL, 0, "Dummy String 2. Used is reserved for next evolutions.", HFILL }},
9524 { &hf_netlogon_dummy_string3,
9525 { "Dummy String3", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9526 NULL, 0, "Dummy String 3. Used is reserved for next evolutions.", HFILL }},
9528 { &hf_netlogon_dummy_string4,
9529 { "Dummy String4", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9530 NULL, 0, "Dummy String 4. Used is reserved for next evolutions.", HFILL }},
9532 { &hf_netlogon_dummy_string5,
9533 { "Dummy String5", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9534 NULL, 0, "Dummy String 5. Used is reserved for next evolutions.", HFILL }},
9536 { &hf_netlogon_dummy_string6,
9537 { "Dummy String6", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9538 NULL, 0, "Dummy String 6. Used is reserved for next evolutions.", HFILL }},
9540 { &hf_netlogon_dummy_string7,
9541 { "Dummy String7", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9542 NULL, 0, "Dummy String 7. Used is reserved for next evolutions.", HFILL }},
9544 { &hf_netlogon_dummy_string8,
9545 { "Dummy String8", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9546 NULL, 0, "Dummy String 8. Used is reserved for next evolutions.", HFILL }},
9548 { &hf_netlogon_dummy_string9,
9549 { "Dummy String9", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9550 NULL, 0, "Dummy String 9. Used is reserved for next evolutions.", HFILL }},
9552 { &hf_netlogon_dummy_string10,
9553 { "Dummy String10", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9554 NULL, 0, "Dummy String 10. Used is reserved for next evolutions.", HFILL }},
9556 { &hf_netlogon_unknown_long,
9557 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
9558 NULL, 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL }},
9560 { &hf_netlogon_dummy1_long,
9561 { "Dummy1 Long", "netlogon.dummy.long1", FT_UINT32, BASE_HEX,
9562 NULL, 0x0, "Dummy long 1. Used is reserved for next evolutions.", HFILL }},
9564 { &hf_netlogon_dummy2_long,
9565 { "Dummy2 Long", "netlogon.dummy.long2", FT_UINT32, BASE_HEX,
9566 NULL, 0x0, "Dummy long 2. Used is reserved for next evolutions.", HFILL }},
9568 { &hf_netlogon_dummy3_long,
9569 { "Dummy3 Long", "netlogon.dummy.long3", FT_UINT32, BASE_HEX,
9570 NULL, 0x0, "Dummy long 3. Used is reserved for next evolutions.", HFILL }},
9572 { &hf_netlogon_dummy4_long,
9573 { "Dummy4 Long", "netlogon.dummy.long4", FT_UINT32, BASE_HEX,
9574 NULL, 0x0, "Dummy long 4. Used is reserved for next evolutions.", HFILL }},
9576 { &hf_netlogon_dummy5_long,
9577 { "Dummy5 Long", "netlogon.dummy.long5", FT_UINT32, BASE_HEX,
9578 NULL, 0x0, "Dummy long 5. Used is reserved for next evolutions.", HFILL }},
9580 { &hf_netlogon_dummy6_long,
9581 { "Dummy6 Long", "netlogon.dummy.long6", FT_UINT32, BASE_HEX,
9582 NULL, 0x0, "Dummy long 6. Used is reserved for next evolutions.", HFILL }},
9584 { &hf_netlogon_dummy7_long,
9585 { "Dummy7 Long", "netlogon.dummy.long7", FT_UINT32, BASE_HEX,
9586 NULL, 0x0, "Dummy long 7. Used is reserved for next evolutions.", HFILL }},
9588 { &hf_netlogon_dummy8_long,
9589 { "Dummy8 Long", "netlogon.dummy.long8", FT_UINT32, BASE_HEX,
9590 NULL, 0x0, "Dummy long 8. Used is reserved for next evolutions.", HFILL }},
9592 { &hf_netlogon_dummy9_long,
9593 { "Dummy9 Long", "netlogon.dummy.long9", FT_UINT32, BASE_HEX,
9594 NULL, 0x0, "Dummy long 9. Used is reserved for next evolutions.", HFILL }},
9596 { &hf_netlogon_dummy10_long,
9597 { "Dummy10 Long", "netlogon.dummy.long10", FT_UINT32, BASE_HEX,
9598 NULL, 0x0, "Dummy long 10. Used is reserved for next evolutions.", HFILL }},
9601 { &hf_netlogon_supportedenctypes,
9602 { "Supported Encryption Types", "netlogon.encryption.types", FT_UINT32, BASE_HEX,
9603 NULL, 0x0, NULL, HFILL }},
9605 { &hf_netlogon_workstation_flags,
9606 { "Workstation Flags", "netlogon.workstation.flags", FT_UINT32, BASE_HEX,
9607 NULL, 0x0, NULL, HFILL }},
9609 { &hf_netlogon_reserved,
9610 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
9611 NULL, 0x0, NULL, HFILL }},
9612 { &hf_netlogon_unknown_short,
9613 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
9614 NULL, 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL }},
9616 { &hf_netlogon_unknown_char,
9617 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
9618 NULL, 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL }},
9620 { &hf_netlogon_acct_expiry_time,
9621 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9622 NULL, 0x0, "When this account will expire", HFILL }},
9624 { &hf_netlogon_nt_pwd_present,
9625 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
9626 NULL, 0x0, "Is NT password present for this account?", HFILL }},
9628 { &hf_netlogon_lm_pwd_present,
9629 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
9630 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
9632 { &hf_netlogon_pwd_expired,
9633 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
9634 NULL, 0x0, "Whether this password has expired or not", HFILL }},
9636 { &hf_netlogon_authoritative,
9637 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
9638 NULL, 0x0, NULL, HFILL }},
9640 { &hf_netlogon_sensitive_data_flag,
9641 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
9642 NULL, 0x0, "Sensitive data flag", HFILL }},
9644 { &hf_netlogon_auditing_mode,
9645 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
9646 NULL, 0x0, NULL, HFILL }},
9648 { &hf_netlogon_max_audit_event_count,
9649 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
9650 NULL, 0x0, NULL, HFILL }},
9652 { &hf_netlogon_event_audit_option,
9653 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
9654 NULL, 0x0, NULL, HFILL }},
9656 { &hf_netlogon_sensitive_data_len,
9657 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
9658 NULL, 0x0, "Length of sensitive data", HFILL }},
9660 { &hf_netlogon_nt_chal_resp,
9661 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_NONE,
9662 NULL, 0, "Challenge response for NT authentication", HFILL }},
9664 { &hf_netlogon_lm_chal_resp,
9665 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_NONE,
9666 NULL, 0, "Challenge response for LM authentication", HFILL }},
9668 { &hf_netlogon_cipher_len,
9669 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
9670 NULL, 0, NULL, HFILL }},
9672 { &hf_netlogon_cipher_maxlen,
9673 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
9674 NULL, 0, NULL, HFILL }},
9676 #if 0
9677 { &hf_netlogon_pac_data,
9678 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_NONE,
9679 NULL, 0, NULL, HFILL }},
9680 #endif
9682 { &hf_netlogon_sensitive_data,
9683 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_NONE,
9684 NULL, 0, "Sensitive Data", HFILL }},
9686 #if 0
9687 { &hf_netlogon_auth_data,
9688 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_NONE,
9689 NULL, 0, NULL, HFILL }},
9690 #endif
9692 { &hf_netlogon_cipher_current_data,
9693 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_NONE,
9694 NULL, 0, NULL, HFILL }},
9696 { &hf_netlogon_cipher_old_data,
9697 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_NONE,
9698 NULL, 0, NULL, HFILL }},
9700 { &hf_netlogon_acct_name,
9701 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
9702 NULL, 0, "Account Name", HFILL }},
9704 { &hf_netlogon_acct_desc,
9705 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
9706 NULL, 0, "Account Description", HFILL }},
9708 { &hf_netlogon_group_desc,
9709 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
9710 NULL, 0, "Group Description", HFILL }},
9712 { &hf_netlogon_full_name,
9713 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
9714 NULL, 0, NULL, HFILL }},
9716 { &hf_netlogon_comment,
9717 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
9718 NULL, 0, NULL, HFILL }},
9720 { &hf_netlogon_parameters,
9721 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
9722 NULL, 0, NULL, HFILL }},
9724 { &hf_netlogon_logon_script,
9725 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
9726 NULL, 0, NULL, HFILL }},
9728 { &hf_netlogon_profile_path,
9729 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
9730 NULL, 0, NULL, HFILL }},
9732 { &hf_netlogon_home_dir,
9733 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
9734 NULL, 0, "Home Directory", HFILL }},
9736 { &hf_netlogon_dir_drive,
9737 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
9738 NULL, 0, "Drive letter for home directory", HFILL }},
9740 { &hf_netlogon_logon_srv,
9741 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
9742 NULL, 0, NULL, HFILL }},
9744 #if 0
9745 { &hf_netlogon_principal,
9746 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
9747 NULL, 0, NULL, HFILL }},
9748 #endif
9750 { &hf_netlogon_logon_dom,
9751 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
9752 NULL, 0, NULL, HFILL }},
9754 { &hf_netlogon_resourcegroupcount,
9755 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
9756 NULL, 0, "Number of Resource Groups", HFILL }},
9758 { &hf_netlogon_accountdomaingroupcount,
9759 { "AccountDomainGroup count", "netlogon.accountdomaingroupcount", FT_UINT32, BASE_DEC,
9760 NULL, 0, "Number of Account Domain Groups", HFILL }},
9762 { &hf_netlogon_domaingroupcount,
9763 { "DomainGroup count", "netlogon.domaingroupcount", FT_UINT32, BASE_DEC,
9764 NULL, 0, "Number of Domain Groups", HFILL }},
9766 { &hf_netlogon_membership_domains_count,
9767 { "Membership Domains count", "netlogon.membershipsdomainscount", FT_UINT32, BASE_DEC,
9768 NULL, 0, "Number of ExtraDomain Membership Arrays", HFILL }},
9770 { &hf_netlogon_computer_name,
9771 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
9772 NULL, 0, NULL, HFILL }},
9774 { &hf_netlogon_site_name,
9775 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
9776 NULL, 0, NULL, HFILL }},
9778 { &hf_netlogon_dc_name,
9779 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
9780 NULL, 0, NULL, HFILL }},
9782 { &hf_netlogon_dc_site_name,
9783 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
9784 NULL, 0, NULL, HFILL }},
9786 { &hf_netlogon_dns_forest_name,
9787 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
9788 NULL, 0, NULL, HFILL }},
9790 { &hf_netlogon_dc_address,
9791 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
9792 NULL, 0, NULL, HFILL }},
9794 { &hf_netlogon_dc_address_type,
9795 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
9796 VALS(dc_address_types), 0, NULL, HFILL }},
9798 { &hf_netlogon_client_site_name,
9799 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
9800 NULL, 0, NULL, HFILL }},
9802 { &hf_netlogon_workstation_site_name,
9803 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
9804 NULL, 0, "Workstation Site Name", HFILL }},
9806 { &hf_netlogon_workstation,
9807 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
9808 NULL, 0, "Workstation Name", HFILL }},
9810 { &hf_netlogon_os_version,
9811 { "OS version", "netlogon.os.version", FT_STRING, BASE_NONE,
9812 NULL, 0, NULL, HFILL }},
9814 { &hf_netlogon_workstation_os,
9815 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
9816 NULL, 0, "Workstation OS", HFILL }},
9818 { &hf_netlogon_workstations,
9819 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
9820 NULL, 0, NULL, HFILL }},
9822 { &hf_netlogon_workstation_fqdn,
9823 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
9824 NULL, 0, "Workstation FQDN", HFILL }},
9826 { &hf_netlogon_group_name,
9827 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
9828 NULL, 0, NULL, HFILL }},
9830 { &hf_netlogon_alias_name,
9831 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
9832 NULL, 0, NULL, HFILL }},
9834 { &hf_netlogon_dns_host,
9835 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
9836 NULL, 0, NULL, HFILL }},
9838 { &hf_netlogon_downlevel_domain_name,
9839 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
9840 NULL, 0, "Downlevel Domain Name", HFILL }},
9842 { &hf_netlogon_dns_domain_name,
9843 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
9844 NULL, 0, "DNS Domain Name", HFILL }},
9846 { &hf_netlogon_ad_client_dns_name,
9847 { "Client DNS Name", "netlogon.client_dns_name", FT_STRING, BASE_NONE,
9848 NULL, 0, NULL, HFILL }},
9850 { &hf_netlogon_domain_name,
9851 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
9852 NULL, 0, "Domain Name", HFILL }},
9854 { &hf_netlogon_oem_info,
9855 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
9856 NULL, 0, NULL, HFILL }},
9858 { &hf_netlogon_trusted_dc_name,
9859 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
9860 NULL, 0, NULL, HFILL }},
9862 { &hf_netlogon_logon_dnslogondomainname,
9863 { "DNS Logon Domain name", "netlogon.logon.dnslogondomainname", FT_STRING, BASE_NONE,
9864 NULL, 0, "DNS Name of the logon domain", HFILL }},
9866 { &hf_netlogon_logon_upn,
9867 { "UPN", "netlogon.logon.upn", FT_STRING, BASE_NONE,
9868 NULL, 0, "User Principal Name", HFILL }},
9870 { &hf_netlogon_logonsrv_handle,
9871 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
9872 NULL, 0, "Logon Srv Handle", HFILL }},
9874 { &hf_netlogon_dummy,
9875 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
9876 NULL, 0, "Dummy string", HFILL }},
9878 { &hf_netlogon_logon_count16,
9879 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
9880 NULL, 0x0, "Number of successful logins", HFILL }},
9882 { &hf_netlogon_logon_count,
9883 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
9884 NULL, 0x0, "Number of successful logins", HFILL }},
9886 { &hf_netlogon_bad_pw_count16,
9887 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
9888 NULL, 0x0, "Number of failed logins", HFILL }},
9890 { &hf_netlogon_bad_pw_count,
9891 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
9892 NULL, 0x0, "Number of failed logins", HFILL }},
9894 { &hf_netlogon_country,
9895 { "Country", "netlogon.country", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
9896 &ms_country_codes_ext, 0x0, "Country setting for this account", HFILL }},
9898 { &hf_netlogon_codepage,
9899 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
9900 NULL, 0x0, "Codepage setting for this account", HFILL }},
9902 { &hf_netlogon_level16,
9903 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
9904 NULL, 0x0, "Which option of the union is represented here", HFILL }},
9906 { &hf_netlogon_validation_level,
9907 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
9908 NULL, 0x0, "Requested level of validation", HFILL }},
9910 { &hf_netlogon_minpasswdlen,
9911 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
9912 NULL, 0x0, "Minimum length of password", HFILL }},
9914 { &hf_netlogon_passwdhistorylen,
9915 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
9916 NULL, 0x0, "Length of password history", HFILL }},
9918 { &hf_netlogon_secure_channel_type,
9919 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
9920 VALS(misc_netr_SchannelType_vals), 0x0, "Secure Channel Type", HFILL }},
9922 { &hf_netlogon_restart_state,
9923 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
9924 NULL, 0x0, NULL, HFILL }},
9926 { &hf_netlogon_delta_type,
9927 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
9928 VALS(delta_type_vals), 0x0, NULL, HFILL }},
9930 { &hf_netlogon_blob_size,
9931 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
9932 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
9934 { &hf_netlogon_code,
9935 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
9936 NULL, 0x0, NULL, HFILL }},
9938 { &hf_netlogon_level,
9939 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
9940 NULL, 0x0, "Which option of the union is represented here", HFILL }},
9942 { &hf_netlogon_reference,
9943 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
9944 NULL, 0x0, NULL, HFILL }},
9946 { &hf_netlogon_next_reference,
9947 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
9948 NULL, 0x0, NULL, HFILL }},
9950 { &hf_netlogon_timestamp,
9951 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9952 NULL, 0, NULL, HFILL }},
9954 { &hf_netlogon_user_rid,
9955 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
9956 NULL, 0x0, NULL, HFILL }},
9958 { &hf_netlogon_alias_rid,
9959 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
9960 NULL, 0x0, NULL, HFILL }},
9962 { &hf_netlogon_group_rid,
9963 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
9964 NULL, 0x0, NULL, HFILL }},
9966 { &hf_netlogon_num_rids,
9967 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
9968 NULL, 0x0, "Number of RIDs", HFILL }},
9970 { &hf_netlogon_num_controllers,
9971 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
9972 NULL, 0x0, "Number of domain controllers", HFILL }},
9974 { &hf_netlogon_num_sid,
9975 { "Num Extra SID", "netlogon.num_sid", FT_UINT32, BASE_DEC,
9976 NULL, 0x0, NULL, HFILL }},
9978 { &hf_netlogon_flags,
9979 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
9980 NULL, 0x0, NULL, HFILL }},
9982 { &hf_netlogon_user_account_control,
9983 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
9984 NULL, 0x0, NULL, HFILL }},
9986 { &hf_netlogon_user_flags,
9987 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
9988 NULL, 0x0, NULL, HFILL }},
9990 { &hf_netlogon_auth_flags,
9991 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
9992 NULL, 0x0, NULL, HFILL }},
9994 { &hf_netlogon_systemflags,
9995 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
9996 NULL, 0x0, NULL, HFILL }},
9998 { &hf_netlogon_database_id,
9999 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
10000 NULL, 0x0, NULL, HFILL }},
10002 { &hf_netlogon_sync_context,
10003 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
10004 NULL, 0x0, NULL, HFILL }},
10006 { &hf_netlogon_max_size,
10007 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
10008 NULL, 0x0, "Max Size of database", HFILL }},
10010 { &hf_netlogon_max_log_size,
10011 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
10012 NULL, 0x0, "Max Size of log", HFILL }},
10014 #if 0
10015 { &hf_netlogon_pac_size,
10016 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
10017 NULL, 0x0, "Size of PacData in bytes", HFILL }},
10018 #endif
10020 #if 0
10021 { &hf_netlogon_auth_size,
10022 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
10023 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
10024 #endif
10026 { &hf_netlogon_num_deltas,
10027 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
10028 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
10030 { &hf_netlogon_num_trusts,
10031 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
10032 NULL, 0x0, NULL, HFILL }},
10034 { &hf_netlogon_logon_attempts,
10035 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
10036 NULL, 0x0, "Number of logon attempts", HFILL }},
10038 { &hf_netlogon_pagefilelimit,
10039 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
10040 NULL, 0x0, NULL, HFILL }},
10042 { &hf_netlogon_pagedpoollimit,
10043 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
10044 NULL, 0x0, NULL, HFILL }},
10046 { &hf_netlogon_nonpagedpoollimit,
10047 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
10048 NULL, 0x0, NULL, HFILL }},
10050 { &hf_netlogon_minworkingsetsize,
10051 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
10052 NULL, 0x0, NULL, HFILL }},
10054 { &hf_netlogon_maxworkingsetsize,
10055 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
10056 NULL, 0x0, NULL, HFILL }},
10058 { &hf_netlogon_serial_number,
10059 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
10060 NULL, 0x0, NULL, HFILL }},
10062 { &hf_netlogon_neg_flags,
10063 { "Negotiation options", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
10064 NULL, 0x0, "Negotiation Flags", HFILL }},
10066 { &hf_netlogon_neg_flags_80000000,
10067 { "Supports Kerberos Auth", "ntlmssp.neg_flags.supports_kerberos_auth", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000000, NULL, HFILL }},
10069 { &hf_netlogon_neg_flags_40000000,
10070 { "Authenticated RPC supported", "ntlmssp.neg_flags.na4000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000000, NULL, HFILL }},
10072 { &hf_netlogon_neg_flags_20000000,
10073 { "Authenticated RPC via lsass supported", "ntlmssp.neg_flags.na2000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000000, NULL, HFILL }},
10075 #if 0
10076 { &hf_netlogon_neg_flags_10000000,
10077 { "Not used 10000000", "ntlmssp.neg_flags.na1000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000000, NULL, HFILL }},
10078 #endif
10080 #if 0
10081 { &hf_netlogon_neg_flags_8000000,
10082 { "Not used 8000000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000000, NULL, HFILL }},
10083 #endif
10085 #if 0
10086 { &hf_netlogon_neg_flags_4000000,
10087 { "Not used 4000000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4000000, NULL, HFILL }},
10088 #endif
10090 #if 0
10091 { &hf_netlogon_neg_flags_2000000,
10092 { "Not used 2000000", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000000, NULL, HFILL }},
10093 #endif
10095 { &hf_netlogon_neg_flags_1000000,
10096 { "AES supported", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_AES, NULL, HFILL }},
10098 #if 0
10099 { &hf_netlogon_neg_flags_800000,
10100 { "Not used 800000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800000, "Not used", HFILL }},
10101 #endif
10103 #if 0
10104 { &hf_netlogon_neg_flags_400000,
10105 { "Not used 400000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_400000, "AES&SHA2", HFILL }},
10106 #endif
10108 { &hf_netlogon_neg_flags_200000,
10109 { "RODC pass-through", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200000, "rodc pt", HFILL }},
10111 { &hf_netlogon_neg_flags_100000,
10112 { "NO NT4 emulation", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100000, "No NT4 emu", HFILL }},
10114 { &hf_netlogon_neg_flags_80000,
10115 { "Cross forest trust", "ntlmssp.neg_flags.na80000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000, NULL, HFILL }},
10117 { &hf_netlogon_neg_flags_40000,
10118 { "GetDomainInfo supported", "ntlmssp.neg_flags.na40000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000, NULL, HFILL }},
10120 { &hf_netlogon_neg_flags_20000,
10121 { "ServerPasswordSet2 supported", "ntlmssp.neg_flags.na20000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000, "PasswordSet2", HFILL }},
10123 { &hf_netlogon_neg_flags_10000,
10124 { "DNS trusts supported", "ntlmssp.neg_flags.na10000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000, NULL, HFILL }},
10126 { &hf_netlogon_neg_flags_8000,
10127 { "Transitive trusts", "ntlmssp.neg_flags.na8000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000, NULL, HFILL }},
10129 { &hf_netlogon_neg_flags_4000,
10130 { "Strong key", "ntlmssp.neg_flags.na4000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_STRONGKEY, NULL, HFILL }},
10132 { &hf_netlogon_neg_flags_2000,
10133 { "Avoid replication Auth database", "ntlmssp.neg_flags.na2000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000, NULL, HFILL }},
10135 { &hf_netlogon_neg_flags_1000,
10136 { "Avoid replication account database", "ntlmssp.neg_flags.na1000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1000, NULL, HFILL }},
10138 { &hf_netlogon_neg_flags_800,
10139 { "Concurrent RPC", "ntlmssp.neg_flags.na800", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800, NULL, HFILL }},
10141 { &hf_netlogon_neg_flags_400,
10142 { "Generic pass-through", "ntlmssp.neg_flags.na400", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_400, NULL, HFILL }},
10144 { &hf_netlogon_neg_flags_200,
10145 { "SendToSam", "ntlmssp.neg_flags.na200", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200, NULL, HFILL }},
10147 { &hf_netlogon_neg_flags_100,
10148 { "Refusal of password change", "ntlmssp.neg_flags.na100", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100, "PWD change refusal", HFILL }},
10150 { &hf_netlogon_neg_flags_80,
10151 { "DatabaseRedo call", "ntlmssp.neg_flags.na80", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80, NULL, HFILL }},
10153 { &hf_netlogon_neg_flags_40,
10154 { "Handle multiple SIDs", "ntlmssp.neg_flags.na40", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40, NULL, HFILL }},
10156 { &hf_netlogon_neg_flags_20,
10157 { "Restarting full DC sync", "ntlmssp.neg_flags.na20", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20, NULL, HFILL }},
10159 { &hf_netlogon_neg_flags_10,
10160 { "BDC handling Changelogs", "ntlmssp.neg_flags.na10", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10, NULL, HFILL }},
10162 { &hf_netlogon_neg_flags_8,
10163 { "Promotion count(deprecated)", "ntlmssp.neg_flags.na8", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8, NULL, HFILL }},
10165 { &hf_netlogon_neg_flags_4,
10166 { "RC4 encryption", "ntlmssp.neg_flags.na4", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4, NULL, HFILL }},
10168 { &hf_netlogon_neg_flags_2,
10169 { "NT3.5 BDC continuous update", "ntlmssp.neg_flags.na2", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2, NULL, HFILL }},
10171 { &hf_netlogon_neg_flags_1,
10172 { "Account lockout", "ntlmssp.neg_flags.na1", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1, NULL, HFILL }},
10174 { &hf_netlogon_dc_flags,
10175 { "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
10176 NULL, 0x0, NULL, HFILL }},
10178 { &hf_netlogon_dc_flags_pdc_flag,
10179 { "PDC", "netlogon.dc.flags.pdc",
10180 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
10181 "If this server is a PDC", HFILL }},
10183 { &hf_netlogon_dc_flags_gc_flag,
10184 { "GC", "netlogon.dc.flags.gc",
10185 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
10186 "If this server is a GC", HFILL }},
10188 { &hf_netlogon_dc_flags_ldap_flag,
10189 { "LDAP", "netlogon.dc.flags.ldap",
10190 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
10191 "If this is an LDAP server", HFILL }},
10193 { &hf_netlogon_dc_flags_ds_flag,
10194 { "DS", "netlogon.dc.flags.ds",
10195 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
10196 "If this server is a DS", HFILL }},
10198 { &hf_netlogon_dc_flags_kdc_flag,
10199 { "KDC", "netlogon.dc.flags.kdc",
10200 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
10201 "If this is a KDC", HFILL }},
10203 { &hf_netlogon_dc_flags_timeserv_flag,
10204 { "Timeserv", "netlogon.dc.flags.timeserv",
10205 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
10206 "If this server is a TimeServer", HFILL }},
10208 { &hf_netlogon_dc_flags_closest_flag,
10209 { "Closest", "netlogon.dc.flags.closest",
10210 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
10211 "If this is the closest server", HFILL }},
10213 { &hf_netlogon_dc_flags_writable_flag,
10214 { "Writable", "netlogon.dc.flags.writable",
10215 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
10216 "If this server can do updates to the database", HFILL }},
10218 { &hf_netlogon_dc_flags_good_timeserv_flag,
10219 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
10220 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
10221 "If this is a Good TimeServer", HFILL }},
10223 { &hf_netlogon_dc_flags_ndnc_flag,
10224 { "NDNC", "netlogon.dc.flags.ndnc",
10225 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
10226 "If this is an NDNC server", HFILL }},
10228 { &hf_netlogon_dc_flags_dns_controller_flag,
10229 { "DNS Controller", "netlogon.dc.flags.dns_controller",
10230 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
10231 "If this server is a DNS Controller", HFILL }},
10233 { &hf_netlogon_dc_flags_dns_domain_flag,
10234 { "DNS Domain", "netlogon.dc.flags.dns_domain",
10235 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
10236 NULL, HFILL }},
10238 { &hf_netlogon_dc_flags_dns_forest_flag,
10239 { "DNS Forest", "netlogon.dc.flags.dns_forest",
10240 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
10241 NULL, HFILL }},
10243 { &hf_netlogon_get_dcname_request_flags,
10244 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
10245 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
10247 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
10248 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
10249 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
10250 "Whether to allow the server to returned cached information or not", HFILL }},
10252 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
10253 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
10254 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
10255 "Whether we require that the returned DC supports w2k or not", HFILL }},
10257 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
10258 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
10259 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
10260 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
10262 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
10263 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
10264 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
10265 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
10267 { &hf_netlogon_get_dcname_request_flags_pdc_required,
10268 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
10269 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
10270 "Whether we require the returned DC to be the PDC", HFILL }},
10272 { &hf_netlogon_get_dcname_request_flags_background_only,
10273 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
10274 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
10275 "If we want cached data, even if it may have expired", HFILL }},
10277 { &hf_netlogon_get_dcname_request_flags_ip_required,
10278 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
10279 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
10280 "If we require the IP of the DC in the reply", HFILL }},
10282 { &hf_netlogon_get_dcname_request_flags_kdc_required,
10283 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
10284 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
10285 "If we require that the returned server is a KDC", HFILL }},
10287 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
10288 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
10289 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
10290 "If we require the returned server to be a WindowsTimeServ server", HFILL }},
10292 { &hf_netlogon_get_dcname_request_flags_writable_required,
10293 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
10294 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
10295 "If we require that the returned server is writable", HFILL }},
10297 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
10298 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
10299 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
10300 "If we prefer Windows Time Servers", HFILL }},
10302 { &hf_netlogon_get_dcname_request_flags_avoid_self,
10303 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
10304 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
10305 "Return another DC than the one we ask", HFILL }},
10307 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
10308 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
10309 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
10310 "We just want an LDAP server, it does not have to be a DC", HFILL }},
10312 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
10313 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
10314 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
10315 "If the specified domain name is a NetBIOS name", HFILL }},
10317 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
10318 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
10319 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
10320 "If the specified domain name is a DNS name", HFILL }},
10322 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
10323 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
10324 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
10325 "Only return a DNS name (or an error)", HFILL }},
10327 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
10328 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
10329 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
10330 "Only return a NetBIOS name (or an error)", HFILL }},
10332 { &hf_netlogon_trust_attribs,
10333 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
10334 NULL, 0x0, NULL, HFILL }},
10336 { &hf_netlogon_trust_attribs_non_transitive,
10337 { "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN, 32,
10338 TFS(&trust_attribs_non_transitive), 0x00000001, NULL, HFILL }},
10340 { &hf_netlogon_trust_attribs_uplevel_only,
10341 { "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN, 32,
10342 TFS(&trust_attribs_uplevel_only), 0x00000002, NULL, HFILL }},
10344 { &hf_netlogon_trust_attribs_quarantined_domain,
10345 { "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN, 32,
10346 TFS(&trust_attribs_quarantined_domain), 0x00000004, NULL, HFILL }},
10348 { &hf_netlogon_trust_attribs_forest_transitive,
10349 { "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN, 32,
10350 TFS(&trust_attribs_forest_transitive), 0x00000008, NULL, HFILL }},
10352 { &hf_netlogon_trust_attribs_cross_organization,
10353 { "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN, 32,
10354 TFS(&trust_attribs_cross_organization), 0x00000010, NULL, HFILL }},
10356 { &hf_netlogon_trust_attribs_within_forest,
10357 { "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN, 32,
10358 TFS(&trust_attribs_within_forest), 0x00000020, NULL, HFILL }},
10360 { &hf_netlogon_trust_attribs_treat_as_external,
10361 { "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN, 32,
10362 TFS(&trust_attribs_treat_as_external), 0x00000040, NULL, HFILL }},
10364 { &hf_netlogon_trust_type,
10365 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
10366 VALS(trust_type_vals), 0x0, NULL, HFILL }},
10368 { &hf_netlogon_extraflags,
10369 { "Extra Flags", "netlogon.extra_flags", FT_UINT32, BASE_HEX,
10370 NULL, 0x0, NULL, HFILL }},
10372 { &hf_netlogon_extra_flags_root_forest,
10373 { "Request passed to DC of root forest", "netlogon.extra.flags.rootdc",
10374 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_ROOT_FOREST,
10375 NULL, HFILL }},
10377 { &hf_netlogon_trust_flags_dc_firsthop,
10378 { "DC at the end of the first hop of cross forest", "netlogon.extra.flags.dc_firsthop",
10379 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_DC_XFOREST,
10380 NULL, HFILL }},
10382 { &hf_netlogon_trust_flags_rodc_to_dc,
10383 { "Request from a RODC to a DC from another domain", "netlogon.extra.flags.rodc_to_dc",
10384 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_RODC_DIF_DOMAIN,
10385 NULL, HFILL }},
10387 { &hf_netlogon_trust_flags_rodc_ntlm,
10388 { "Request is a NTLM auth passed by a RODC", "netlogon.extra.flags.rodc_ntlm",
10389 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_NTLM_FROM_RODC,
10390 NULL, HFILL }},
10392 { &hf_netlogon_trust_flags,
10393 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
10394 NULL, 0x0, NULL, HFILL }},
10396 { &hf_netlogon_trust_flags_inbound,
10397 { "Inbound Trust", "netlogon.trust.flags.inbound",
10398 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
10399 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
10401 { &hf_netlogon_trust_flags_outbound,
10402 { "Outbound Trust", "netlogon.trust.flags.outbound",
10403 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
10404 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
10406 { &hf_netlogon_trust_flags_in_forest,
10407 { "In Forest", "netlogon.trust.flags.in_forest",
10408 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
10409 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
10411 { &hf_netlogon_trust_flags_native_mode,
10412 { "Native Mode", "netlogon.trust.flags.native_mode",
10413 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
10414 "Whether the domain is a w2k native mode domain or not", HFILL }},
10416 { &hf_netlogon_trust_flags_primary,
10417 { "Primary", "netlogon.trust.flags.primary",
10418 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
10419 "Whether the domain is the primary domain for the queried server or not", HFILL }},
10421 { &hf_netlogon_trust_flags_tree_root,
10422 { "Tree Root", "netlogon.trust.flags.tree_root",
10423 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
10424 "Whether the domain is the root of the tree for the queried server", HFILL }},
10426 { &hf_netlogon_trust_parent_index,
10427 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
10428 NULL, 0x0, NULL, HFILL }},
10430 { &hf_netlogon_logon_time,
10431 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10432 NULL, 0, "Time for last time this user logged on", HFILL }},
10434 { &hf_netlogon_kickoff_time,
10435 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10436 NULL, 0, "Time when this user will be kicked off", HFILL }},
10438 { &hf_netlogon_logoff_time,
10439 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10440 NULL, 0, "Time for last time this user logged off", HFILL }},
10442 { &hf_netlogon_last_logoff_time,
10443 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10444 NULL, 0, "Time for last time this user logged off", HFILL }},
10446 { &hf_netlogon_pwd_last_set_time,
10447 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10448 NULL, 0, "Last time this users password was changed", HFILL }},
10450 { &hf_netlogon_pwd_age,
10451 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
10452 NULL, 0, "Time since this users password was changed", HFILL }},
10454 { &hf_netlogon_pwd_can_change_time,
10455 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10456 NULL, 0, "When this users password may be changed", HFILL }},
10458 { &hf_netlogon_pwd_must_change_time,
10459 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10460 NULL, 0, "When this users password must be changed", HFILL }},
10462 { &hf_netlogon_domain_create_time,
10463 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10464 NULL, 0, "Time when this domain was created", HFILL }},
10466 { &hf_netlogon_domain_modify_time,
10467 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10468 NULL, 0, "Time when this domain was last modified", HFILL }},
10470 { &hf_netlogon_db_modify_time,
10471 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10472 NULL, 0, "Time when last modified", HFILL }},
10474 { &hf_netlogon_db_create_time,
10475 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10476 NULL, 0, "Time when created", HFILL }},
10478 { &hf_netlogon_cipher_current_set_time,
10479 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10480 NULL, 0, "Time when current cipher was initiated", HFILL }},
10482 { &hf_netlogon_cipher_old_set_time,
10483 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10484 NULL, 0, "Time when previous cipher was initiated", HFILL }},
10486 { &hf_netlogon_audit_retention_period,
10487 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
10488 NULL, 0, NULL, HFILL }},
10490 { &hf_netlogon_timelimit,
10491 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
10492 NULL, 0, NULL, HFILL }},
10495 { &hf_client_credential,
10496 { "Client Credential", "netlogon.clientcred", FT_BYTES, BASE_NONE,
10497 NULL, 0x0, NULL, HFILL }},
10499 { &hf_server_credential,
10500 { "Server Credential", "netlogon.servercred", FT_BYTES, BASE_NONE,
10501 NULL, 0x0, NULL, HFILL }},
10503 { &hf_server_rid,
10504 { "Account RID", "netlogon.serverrid", FT_UINT32, BASE_DEC,
10505 NULL, 0x0, NULL, HFILL }},
10507 { &hf_client_challenge,
10508 { "Client Challenge", "netlogon.clientchallenge", FT_BYTES, BASE_NONE,
10509 NULL, 0x0, NULL, HFILL }},
10511 { &hf_server_challenge,
10512 { "Server Challenge", "netlogon.serverchallenge", FT_BYTES, BASE_NONE,
10513 NULL, 0x0, NULL, HFILL }},
10515 { &hf_netlogon_secchan_nl_message_type,
10516 { "Message Type", "netlogon.secchan.nl_auth_message.message_type", FT_UINT32, BASE_HEX,
10517 VALS(nl_auth_types), 0x0, NULL, HFILL }},
10519 { &hf_netlogon_secchan_nl_message_flags,
10520 { "Message Flags", "netlogon.secchan.nl_auth_message.message_flags", FT_UINT32, BASE_HEX,
10521 NULL, 0x0, NULL, HFILL }},
10523 { &hf_netlogon_secchan_nl_message_flags_nb_domain,
10524 { "NetBios Domain", "netlogon.secchan.nl_auth_message.message_flags.nb_domain", FT_BOOLEAN, 32,
10525 NULL, 0x00000001, NULL, HFILL }},
10527 { &hf_netlogon_secchan_nl_message_flags_nb_host,
10528 { "NetBios Host", "netlogon.secchan.nl_auth_message.message_flags.nb_host", FT_BOOLEAN, 32,
10529 NULL, 0x00000002, NULL, HFILL }},
10531 { &hf_netlogon_secchan_nl_message_flags_dns_domain,
10532 { "DNS Domain", "netlogon.secchan.nl_auth_message.message_flags.dns_domain", FT_BOOLEAN, 32,
10533 NULL, 0x00000004, NULL, HFILL }},
10535 { &hf_netlogon_secchan_nl_message_flags_dns_host,
10536 { "DNS Host", "netlogon.secchan.nl_auth_message.message_flags.dns_host", FT_BOOLEAN, 32,
10537 NULL, 0x00000008, NULL, HFILL }},
10539 { &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
10540 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.message_flags.nb_host_utf8", FT_BOOLEAN, 32,
10541 NULL, 0x00000010, NULL, HFILL }},
10543 { &hf_netlogon_secchan_nl_nb_domain,
10544 { "NetBios Domain", "netlogon.secchan.nl_auth_message.nb_domain", FT_STRING, BASE_NONE,
10545 NULL, 0, NULL, HFILL }},
10547 { &hf_netlogon_secchan_nl_nb_host,
10548 { "NetBios Host", "netlogon.secchan.nl_auth_message.nb_host", FT_STRING, BASE_NONE,
10549 NULL, 0, NULL, HFILL }},
10551 { &hf_netlogon_secchan_nl_nb_host_utf8,
10552 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.nb_host_utf8", FT_STRING, BASE_NONE,
10553 NULL, 0, NULL, HFILL }},
10555 { &hf_netlogon_secchan_nl_dns_domain,
10556 { "DNS Domain", "netlogon.secchan.nl_auth_message.dns_domain", FT_STRING, BASE_NONE,
10557 NULL, 0, NULL, HFILL }},
10559 { &hf_netlogon_secchan_nl_dns_host,
10560 { "DNS Host", "netlogon.secchan.nl_auth_message.dns_host", FT_STRING, BASE_NONE,
10561 NULL, 0, NULL, HFILL }},
10563 { &hf_netlogon_data_length,
10564 { "Length of Data", "netlogon.data.length", FT_UINT32, BASE_DEC,
10565 NULL, 0, NULL, HFILL }},
10567 { &hf_netlogon_package_name,
10568 { "SSP Package Name", "netlogon.data.package_name", FT_STRING, BASE_NONE,
10569 NULL, 0, NULL, HFILL }},
10571 { &hf_netlogon_secchan_verf,
10572 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
10573 NULL, 0x0, NULL, HFILL }},
10575 { &hf_netlogon_secchan_verf_signalg,
10576 { "Sign algorithm", "netlogon.secchan.signalg", FT_UINT16, BASE_HEX,
10577 VALS(sign_algs), 0, NULL, HFILL }},
10579 { &hf_netlogon_secchan_verf_sealalg,
10580 { "Seal algorithm", "netlogon.secchan.sealalg", FT_UINT16, BASE_HEX,
10581 VALS(seal_algs), 0, NULL, HFILL }},
10583 { &hf_netlogon_secchan_verf_flag,
10584 { "Flags", "netlogon.secchan.flags", FT_BYTES, BASE_NONE, NULL,
10585 0x0, NULL, HFILL }},
10587 { &hf_netlogon_secchan_verf_digest,
10588 { "Packet Digest", "netlogon.secchan.digest", FT_BYTES, BASE_NONE, NULL,
10589 0x0, NULL, HFILL }},
10591 { &hf_netlogon_secchan_verf_seq,
10592 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_NONE, NULL,
10593 0x0, NULL, HFILL }},
10595 { &hf_netlogon_secchan_verf_nonce,
10596 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_NONE, NULL,
10597 0x0, NULL, HFILL }},
10599 { &hf_netlogon_user_flags_extra_sids,
10600 { "Extra SIDs", "netlogon.user.flags.extra_sids",
10601 FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
10602 "The user flags EXTRA_SIDS", HFILL }},
10604 { &hf_netlogon_user_flags_resource_groups,
10605 { "Resource Groups", "netlogon.user.flags.resource_groups",
10606 FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
10607 "The user flags RESOURCE_GROUPS", HFILL }},
10609 { &hf_netlogon_user_account_control_dont_require_preauth,
10610 { "Don't Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
10611 FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
10612 "The user account control DONT_REQUIRE_PREAUTH flag", HFILL }},
10614 { &hf_netlogon_user_account_control_use_des_key_only,
10615 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
10616 FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
10617 "The user account control use_des_key_only flag", HFILL }},
10619 { &hf_netlogon_user_account_control_not_delegated,
10620 { "Not Delegated", "netlogon.user.account_control.not_delegated",
10621 FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
10622 "The user account control not_delegated flag", HFILL }},
10624 { &hf_netlogon_user_account_control_trusted_for_delegation,
10625 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
10626 FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
10627 "The user account control trusted_for_delegation flag", HFILL }},
10629 { &hf_netlogon_user_account_control_smartcard_required,
10630 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
10631 FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
10632 "The user account control smartcard_required flag", HFILL }},
10634 { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
10635 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
10636 FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
10637 "The user account control encrypted_text_password_allowed flag", HFILL }},
10639 { &hf_netlogon_user_account_control_account_auto_locked,
10640 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
10641 FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
10642 "The user account control account_auto_locked flag", HFILL }},
10644 { &hf_netlogon_user_account_control_dont_expire_password,
10645 { "Don't Expire Password", "netlogon.user.account_control.dont_expire_password",
10646 FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
10647 "The user account control dont_expire_password flag", HFILL }},
10649 { &hf_netlogon_user_account_control_server_trust_account,
10650 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
10651 FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
10652 "The user account control server_trust_account flag", HFILL }},
10654 { &hf_netlogon_user_account_control_workstation_trust_account,
10655 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
10656 FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
10657 "The user account control workstation_trust_account flag", HFILL }},
10659 { &hf_netlogon_user_account_control_interdomain_trust_account,
10660 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
10661 FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
10662 "The user account control interdomain_trust_account flag", HFILL }},
10664 { &hf_netlogon_user_account_control_mns_logon_account,
10665 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
10666 FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
10667 "The user account control mns_logon_account flag", HFILL }},
10669 { &hf_netlogon_user_account_control_normal_account,
10670 { "Normal Account", "netlogon.user.account_control.normal_account",
10671 FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
10672 "The user account control normal_account flag", HFILL }},
10674 { &hf_netlogon_user_account_control_temp_duplicate_account,
10675 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
10676 FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
10677 "The user account control temp_duplicate_account flag", HFILL }},
10679 { &hf_netlogon_user_account_control_password_not_required,
10680 { "Password Not Required", "netlogon.user.account_control.password_not_required",
10681 FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
10682 "The user account control password_not_required flag", HFILL }},
10684 { &hf_netlogon_user_account_control_home_directory_required,
10685 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
10686 FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
10687 "The user account control home_directory_required flag", HFILL }},
10689 { &hf_netlogon_user_account_control_account_disabled,
10690 { "Account Disabled", "netlogon.user.account_control.account_disabled",
10691 FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
10692 "The user account control account_disabled flag", HFILL }},
10694 #if 0
10695 { &hf_netlogon_dnsdomaininfo,
10696 { "DnsDomainInfo", "netlogon.dnsdomaininfo", FT_NONE, BASE_NONE,
10697 NULL, 0x0, NULL, HFILL }},
10698 #endif
10700 { &hf_dns_domain_info_sid,
10701 { "Sid", "netlogon.lsa_DnsDomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10702 { &hf_domain_info_sid,
10703 { "Sid", "netlogon.lsa_DomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10704 { &hf_dns_domain_info_domain_guid,
10705 { "Domain Guid", "netlogon.lsa_DnsDomainInfo.domain_guid", FT_GUID, BASE_NONE, NULL, 0, NULL, HFILL }},
10706 { &hf_dns_domain_info_dns_forest,
10707 { "Dns Forest", "netlogon.lsa_DnsDomainInfo.dns_forest", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10708 { &hf_dns_domain_info_dns_domain,
10709 { "Dns Domain", "netlogon.lsa_DnsDomainInfo.dns_domain", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10710 { &hf_dns_domain_info_name,
10711 { "Name", "netlogon.lsa_DnsDomainInfo.name", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
10712 { &hf_netlogon_s4u2proxytarget,
10713 { "S4U2proxyTarget", "netlogon.s4u2proxytarget", FT_STRING, BASE_NONE,
10714 NULL, 0, "Target for constrained delegation using s4u2proxy", HFILL }},
10715 { &hf_netlogon_transitedlistsize,
10716 { "TransitedListSize", "netlogon.transited_list_size", FT_UINT32, BASE_HEX,
10717 NULL, 0x0, "Number of elements in the TransitedServices array.", HFILL }},
10718 { &hf_netlogon_transited_service,
10719 { "Transited Service", "netlogon.transited_service", FT_STRING, BASE_NONE,
10720 NULL, 0, "S4U2 Transited Service name", HFILL }},
10721 { &hf_netlogon_logon_duration,
10722 { "Duration", "netlogon.logon_duration", FT_UINT32, BASE_DEC,
10723 NULL, 0x0, NULL, HFILL }},
10724 { &hf_netlogon_time_created,
10725 { "Time Created", "netlogon.time_created", FT_UINT32, BASE_DEC,
10726 NULL, 0x0, NULL, HFILL }},
10729 static int *ett[] = {
10730 &ett_dcerpc_netlogon,
10731 &ett_authenticate_flags,
10732 &ett_CYPHER_VALUE,
10733 &ett_QUOTA_LIMITS,
10734 &ett_IDENTITY_INFO,
10735 &ett_DELTA_ENUM,
10736 &ett_UNICODE_MULTI,
10737 &ett_DOMAIN_CONTROLLER_INFO,
10738 &ett_netr_CryptPassword,
10739 &ett_NL_PASSWORD_VERSION,
10740 &ett_NL_GENERIC_RPC_DATA,
10741 &ett_TYPE_50,
10742 &ett_TYPE_52,
10743 &ett_DELTA_ID_UNION,
10744 &ett_CAPABILITIES,
10745 &ett_DELTA_UNION,
10746 &ett_LM_OWF_PASSWORD,
10747 &ett_NT_OWF_PASSWORD,
10748 &ett_GROUP_MEMBERSHIP,
10749 &ett_DS_DOMAIN_TRUSTS,
10750 &ett_BLOB,
10751 &ett_DOMAIN_TRUST_INFO,
10752 &ett_LSA_POLICY_INFO,
10753 &ett_trust_flags,
10754 &ett_trust_attribs,
10755 &ett_get_dcname_request_flags,
10756 &ett_dc_flags,
10757 &ett_secchan_nl_auth_message,
10758 &ett_secchan_nl_auth_message_flags,
10759 &ett_secchan_verf,
10760 &ett_group_attrs,
10761 &ett_user_flags,
10762 &ett_nt_counted_longs_as_string,
10763 &ett_user_account_control,
10764 &ett_wstr_LOGON_IDENTITY_INFO_string,
10765 &ett_domain_group_memberships,
10766 &ett_domains_group_memberships,
10768 static ei_register_info ei[] = {
10769 { &ei_netlogon_auth_nthash, {
10770 "netlogon.authenticated", PI_SECURITY, PI_CHAT,
10771 "Authenticated NTHASH", EXPFILL
10773 { &ei_netlogon_session_key, {
10774 "netlogon.sessionkey", PI_SECURITY, PI_CHAT,
10775 "SessionKey", EXPFILL
10778 expert_module_t* expert_netlogon;
10780 proto_dcerpc_netlogon = proto_register_protocol("Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
10782 proto_register_field_array(proto_dcerpc_netlogon, hf, array_length(hf));
10783 proto_register_subtree_array(ett, array_length(ett));
10784 expert_netlogon = expert_register_protocol(proto_dcerpc_netlogon);
10785 expert_register_field_array(expert_netlogon, ei, array_length(ei));
10787 netlogon_auths = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), netlogon_auth_hash, netlogon_auth_equal);
10788 schannel_auths = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), dcerpc_auth_schannel_key_hash, dcerpc_auth_schannel_key_equal);
/*
 * Callback table for the Netlogon secure channel (schannel) security
 * provider. It is registered with the DCE/RPC layer for both the
 * packet-integrity and packet-privacy auth levels.
 *
 * Bind and Bind ACK share one handler (the NL_AUTH_MESSAGE dissector);
 * no AUTH3 handler is provided, so that slot stays NULL.
 * NOTE(review): the two *_data_fn handlers are presumably where sealed
 * payloads get decoded - confirm against dissect_request_data and
 * dissect_response_data.
 */
static dcerpc_auth_subdissector_fns secchan_auth_fns = {
    /* Credentials and verifiers */
    .bind_fn      = dissect_secchan_nl_auth_message,
    .bind_ack_fn  = dissect_secchan_nl_auth_message,
    .auth3_fn     = NULL,
    .req_verf_fn  = dissect_request_secchan_verf,
    .resp_verf_fn = dissect_response_secchan_verf,

    /* Request / response stub data */
    .req_data_fn  = dissect_request_data,
    .resp_data_fn = dissect_response_data
};
/*
 * Handoff routine for the Netlogon dissector.
 *
 * Resets the file-level `seen` state, binds the Netlogon interface UUID
 * and version to its opnum dissector table, and attaches the secure
 * channel callbacks (secchan_auth_fns) to the DCE/RPC auth layer.
 *
 * The secure channel callbacks are registered for exactly two auth
 * levels, packet integrity and packet privacy; no other auth level is
 * registered for the SEC_CHAN auth type in this routine.
 */
void
proto_reg_handoff_dcerpc_netlogon(void)
{
    /* Auth levels that receive the secure channel callbacks. */
    static const uint8_t secchan_levels[] = {
        DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
        DCE_C_AUTHN_LEVEL_PKT_PRIVACY
    };
    unsigned idx;

    /* Start from a clean `seen` state (declared outside this routine). */
    seen.num = 0;
    seen.isseen = false;

    /* Register protocol as dcerpc */
    dcerpc_init_uuid(proto_dcerpc_netlogon,
                     ett_dcerpc_netlogon,
                     &uuid_dcerpc_netlogon,
                     ver_dcerpc_netlogon,
                     dcerpc_netlogon_dissectors,
                     hf_netlogon_opnum);

    /* Same callback table for every protected level, in the listed order. */
    for (idx = 0; idx < array_length(secchan_levels); idx++) {
        register_dcerpc_auth_subdissector(secchan_levels[idx],
                                          DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
                                          &secchan_auth_fns);
    }
}
10821 * Editor modelines - https://www.wireshark.org/tools/modelines.html
10823 * Local variables:
10824 * c-basic-offset: 4
10825 * tab-width: 8
10826 * indent-tabs-mode: nil
10827 * End:
10829 * vi: set shiftwidth=4 tabstop=8 expandtab:
10830 * :indentSize=4:tabSize=8:noTabs=true: