epan/dissectors/pidl/ C99 drsuapi
[wireshark-sm.git] / epan / dissectors / packet-smb-logon.c
blob4076024ebc09b177ebedb70db95d0d3486cd1e2a
1 /* packet-smb-logon.c
2 * Routines for SMB net logon packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
9 * Copied from packet-pop.c
11 * SPDX-License-Identifier: GPL-2.0-or-later
14 #include "config.h"
16 #include <epan/packet.h>
17 #include <epan/tfs.h>
18 #include <wsutil/array.h>
19 #include "packet-windows-common.h"
20 #include "packet-smb-common.h"
22 void proto_register_smb_logon(void);
24 static int proto_smb_logon;
25 static int hf_command;
26 static int hf_computer_name;
27 static int hf_unicode_computer_name;
28 static int hf_server_name;
29 static int hf_user_name;
30 static int hf_domain_name;
31 static int hf_server_dns_name;
32 static int hf_forest_dns_name;
33 static int hf_domain_dns_name;
34 static int hf_mailslot_name;
35 static int hf_pdc_name;
36 static int hf_unicode_pdc_name;
37 static int hf_script_name;
38 static int hf_nt_version;
39 static int hf_lmnt_token;
40 static int hf_lm_token;
41 static int hf_major_version;
42 static int hf_minor_version;
43 static int hf_os_version;
44 static int hf_signature;
45 static int hf_date_time;
46 static int hf_update_type;
47 static int hf_request_count;
48 static int hf_account_control;
49 static int hf_flags_autolock;
50 static int hf_flags_expire;
51 static int hf_flags_server_trust;
52 static int hf_flags_workstation_trust;
53 static int hf_flags_interdomain_trust;
54 static int hf_flags_mns_user;
55 static int hf_flags_normal_user;
56 static int hf_flags_temp_dup_user;
57 static int hf_flags_password_required;
58 static int hf_flags_homedir_required;
59 static int hf_flags_enabled;
60 static int hf_domain_sid_size;
61 static int hf_low_serial;
62 static int hf_pulse;
63 static int hf_random;
64 static int hf_db_count;
65 static int hf_db_index;
66 static int hf_large_serial;
67 static int hf_nt_date_time;
69 static int hf_unknown8;
70 static int hf_unknown32;
72 static int hf_domain_guid;
73 static int hf_server_ip;
75 static int hf_server_site_name;
76 static int hf_client_site_name;
77 static int hf_data;
79 static int ett_smb_logon;
80 static int ett_smb_account_flags;
81 static int ett_smb_db_info;
83 #define ACC_FLAG_AUTO_LOCKED 0x00000400
84 #define ACC_FLAG_EXPIRE 0x00000200
85 #define ACC_FLAG_SERVER_TRUST 0x00000100
86 #define ACC_FLAG_WORKSTATION_TRUST 0x00000080
87 #define ACC_FLAG_INTERDOMAIN_TRUST 0x00000040
88 #define ACC_FLAG_MNS_USER 0x00000020
89 #define ACC_FLAG_NORMAL_USER 0x00000010
90 #define ACC_FLAG_TEMP_DUP_USER 0x00000008
91 #define ACC_FLAG_PASSWORD_REQUIRED 0x00000004
92 #define ACC_FLAG_HOMEDIR_REQUIRED 0x00000002
93 #define ACC_FLAG_ENABLED 0x00000001
95 static const true_false_string tfs_flags_autolock = {
96 "User account auto-locked",
97 "User account NOT auto-locked"
99 static const true_false_string tfs_flags_expire = {
100 "User password will NOT expire",
101 "User password will expire"
103 static const true_false_string tfs_flags_server_trust = {
104 "Server Trust user account",
105 "NOT a Server Trust user account"
107 static const true_false_string tfs_flags_workstation_trust = {
108 "Workstation Trust user account",
109 "NOT a Workstation Trust user account"
111 static const true_false_string tfs_flags_interdomain_trust = {
112 "Inter-domain Trust user account",
113 "NOT a Inter-domain Trust user account"
115 static const true_false_string tfs_flags_mns_user = {
116 "MNS Logon user account",
117 "NOT a MNS Logon user account"
119 static const true_false_string tfs_flags_normal_user = {
120 "Normal user account",
121 "NOT a normal user account"
123 static const true_false_string tfs_flags_temp_dup_user = {
124 "Temp duplicate user account",
125 "NOT a temp duplicate user account"
127 static const true_false_string tfs_flags_password_required = {
128 "NO password required",
129 "Password required"
131 static const true_false_string tfs_flags_homedir_required = {
132 "NO homedir required",
133 "Homedir required"
135 static const true_false_string tfs_flags_enabled = {
136 "User account enabled",
137 "User account disabled"
142 static int
143 dissect_account_control(tvbuff_t *tvb, proto_tree *tree, int offset)
145 /* display the Allowable Account control bits */
146 static int * const flags[] = {
147 &hf_flags_autolock,
148 &hf_flags_expire,
149 &hf_flags_server_trust,
150 &hf_flags_workstation_trust,
151 &hf_flags_interdomain_trust,
152 &hf_flags_mns_user,
153 &hf_flags_normal_user,
154 &hf_flags_temp_dup_user,
155 &hf_flags_password_required,
156 &hf_flags_homedir_required,
157 &hf_flags_enabled,
158 NULL
161 proto_tree_add_bitmask(tree, tvb, offset, hf_account_control, ett_smb_account_flags, flags, ENC_LITTLE_ENDIAN);
163 offset += 4;
164 return offset;
167 static int
168 display_LM_token(tvbuff_t *tvb, int offset, proto_tree *tree)
170 uint16_t Token;
172 Token = tvb_get_letohs(tvb, offset);
174 if (Token & 0x01) {
175 proto_tree_add_uint_format(tree, hf_lm_token, tvb, offset, 2,
176 Token,
177 "LM20 Token: 0x%04x (LanMan 2.0 or higher)", Token);
178 } else {
180 * XXX - are all values with the lower bit set LM 2.0,
181 * and all values with it not set LM 1.0?
182 * What do the other bits mean, if anything?
184 proto_tree_add_uint_format(tree, hf_lm_token, tvb, offset, 2,
185 Token,
186 "LM10 Token: 0x%04x (WFW Networking)", Token);
189 offset += 2;
191 return offset;
194 static int
195 display_LMNT_token(tvbuff_t *tvb, int offset, proto_tree *tree)
197 uint16_t Token;
199 Token = tvb_get_letohs(tvb, offset);
201 if (Token == 0xffff) {
202 proto_tree_add_uint_format_value(tree, hf_lmnt_token, tvb, offset, 2,
203 Token,
204 "0x%04x (Windows NT Networking)", Token);
205 } else {
207 * XXX - what is it if it's not 0xffff?
209 proto_tree_add_uint_format(tree, hf_lm_token, tvb, offset, 2,
210 Token,
211 "LMNT Token: 0x%04x (Unknown)", Token);
214 offset += 2;
216 return offset;
219 static int
220 dissect_smb_logon_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
222 /*** 0x00 (LM1.0/LM2.0 LOGON Request) ***/
224 /* computer name */
225 offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name, NULL);
227 /* user name */
228 offset = display_ms_string(tvb, pinfo, tree, offset, hf_user_name, NULL);
230 /* mailslot name */
231 offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name, NULL);
233 /*$$$$$ here add the Mailslot to the response list (if needed) */
235 /* Request count */
236 proto_tree_add_item(tree, hf_request_count, tvb, offset, 1, ENC_LITTLE_ENDIAN);
237 offset += 1;
239 /* NT version */
240 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
241 offset += 2;
243 /* LM token */
244 offset = display_LM_token(tvb, offset, tree);
246 return offset;
251 static int
252 dissect_smb_logon_LM10_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
254 /*** 0x01 LanMan 1.0 Logon response ***/
256 /* user name */
257 offset = display_ms_string(tvb, pinfo, tree, offset, hf_user_name, NULL);
259 /* script name */
260 offset = display_ms_string(tvb, pinfo, tree, offset, hf_script_name, NULL);
262 return offset;
266 static int
267 dissect_smb_logon_2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
269 /*** 0x02 LM1.0 Query - Centralized Initialization ***/
270 /*** 0x03 LM1.0 Query - Distributed Initialization ***/
271 /*** 0x04 LM1.0 Query - Centralized Query Response ***/
272 /*** 0x04 LM1.0 Query - Distributed Query Response ***/
274 /* computer name */
275 offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name, NULL);
277 /* mailslot name */
278 offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name, NULL);
280 /* NT version */
281 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
282 offset += 2;
284 /* LM token */
285 offset = display_LM_token(tvb, offset, tree);
287 return offset;
292 static int
293 dissect_smb_logon_LM20_resp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
295 /*** 0x06 (LM2.0 LOGON Response) ***/
297 /* server name */
298 offset = display_ms_string(tvb, pinfo, tree, offset, hf_server_name, NULL);
300 /* LM token */
301 offset = display_LM_token(tvb, offset, tree);
303 return offset;
308 static int
309 dissect_smb_pdc_query(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
311 char *name;
313 /*** 0x07 Query for Primary PDC ***/
315 /* computer name */
316 offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name, &name);
318 col_append_fstr(pinfo->cinfo, COL_INFO, " from %s", name);
320 /* mailslot name */
321 offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name, NULL);
323 if (tvb_reported_length_remaining(tvb, offset) > 2) {
325 * NT-style Query for PDC?
326 * If only 2 bytes remain, it's probably a Windows 95-style
327 * query, which has only an LM token after the mailslot
328 * name.
330 * XXX - base this on flags in the SMB header, e.g.
331 * the ASCII/Unicode strings flag?
333 if (offset % 2) offset++; /* word align ... */
335 /* Unicode computer name */
336 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_computer_name, NULL);
338 /* NT version */
339 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
340 offset += 4;
342 /* LMNT token */
343 offset = display_LMNT_token(tvb, offset, tree);
346 /* LM token */
347 offset = display_LM_token(tvb, offset, tree);
349 return offset;
354 static int
355 dissect_smb_pdc_startup(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
357 /*** 0x08 Announce startup of PDC ***/
359 /* pdc name */
360 offset = display_ms_string(tvb, pinfo, tree, offset, hf_pdc_name, NULL);
362 /* A short Announce will not have the rest */
364 if (tvb_reported_length_remaining(tvb, offset) != 0) {
365 char *name = NULL;
367 if (offset % 2) offset++; /* word align ... */
369 /* pdc name */
370 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_pdc_name, &name);
372 if (name) {
373 col_append_fstr(pinfo->cinfo, COL_INFO, ": host %s", name);
374 name = NULL;
377 if (offset % 2) offset++;
379 /* domain name */
380 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_domain_name, &name);
382 if (name) {
383 col_append_fstr(pinfo->cinfo, COL_INFO, ", domain %s", name);
384 name = NULL;
387 /* NT version */
388 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
389 offset += 4;
391 /* LMNT token */
392 offset = display_LMNT_token(tvb, offset, tree);
394 /* LM token */
395 offset = display_LM_token(tvb, offset, tree);
398 return offset;
403 static int
404 dissect_smb_pdc_failure(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
406 /*** 0x09 Announce failure of the PDC ***/
407 /*** 0x0F LM2.0 Resp. during LOGON pause ***/
408 /*** 0x10 (LM 2.0 Unknown user response) ***/
410 /* NT version */
411 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
412 offset += 4;
414 /* LM token */
415 offset = display_LM_token(tvb, offset, tree);
417 return offset;
421 static int
422 dissect_announce_change(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
424 /*** 0x0A ( Announce change to UAS or SAM ) ***/
425 uint32_t info_count;
426 proto_tree *info_tree;
427 uint32_t db_index;
428 uint32_t domain_sid_size;
430 /* low serial number */
431 proto_tree_add_item(tree, hf_low_serial, tvb, offset, 4, ENC_LITTLE_ENDIAN);
432 offset += 4;
434 /* date/time */
435 /* XXX - what format is this? Neither SMB_Date/SMB_Time nor
436 "time_t but in the local time zone" appear to be correct. */
437 proto_tree_add_item(tree, hf_date_time, tvb, offset, 4, ENC_LITTLE_ENDIAN);
438 offset += 4;
440 /* pulse */
441 proto_tree_add_item(tree, hf_pulse, tvb, offset, 4, ENC_LITTLE_ENDIAN);
442 offset += 4;
444 /* random */
445 proto_tree_add_item(tree, hf_random, tvb, offset, 4, ENC_LITTLE_ENDIAN);
446 offset += 4;
448 /* pdc name */
449 offset = display_ms_string(tvb, pinfo, tree, offset, hf_pdc_name, NULL);
451 /* domain name */
452 offset = display_ms_string(tvb, pinfo, tree, offset, hf_domain_name, NULL);
454 if (offset % 2) offset++; /* word align ... */
456 if (tvb_reported_length_remaining(tvb, offset) > 2) {
458 * XXX - older protocol versions don't have this stuff?
460 /* pdc name */
461 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_pdc_name, NULL);
463 /* domain name */
464 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_domain_name, NULL);
466 /* DB count */
467 info_count = tvb_get_letohl(tvb, offset);
468 proto_tree_add_uint(tree, hf_db_count, tvb, offset, 4, info_count);
469 offset += 4;
471 while (info_count != 0) {
472 db_index = tvb_get_letohl(tvb, offset);
473 info_tree = proto_tree_add_subtree_format(tree, tvb, offset, 20,
474 ett_smb_db_info, NULL, "DBChange Info Structure: index %u", db_index);
476 proto_tree_add_uint(info_tree, hf_db_index, tvb, offset, 4,
477 db_index);
478 offset += 4;
480 proto_tree_add_item(info_tree, hf_large_serial, tvb, offset, 8,
481 ENC_LITTLE_ENDIAN);
482 offset += 8;
484 dissect_nttime(tvb, info_tree, offset,
485 hf_nt_date_time, ENC_LITTLE_ENDIAN);
486 offset += 8;
488 info_count--;
491 /* Domain SID Size */
492 domain_sid_size = tvb_get_letohl(tvb, offset);
493 proto_tree_add_uint(tree, hf_domain_sid_size, tvb, offset, 4,
494 domain_sid_size);
495 offset += 4;
497 if (domain_sid_size != 0) {
498 /* Align to four-byte boundary */
499 offset = ((offset + 3)/4)*4;
501 /* Domain SID */
502 offset = dissect_nt_sid(
503 tvb, offset, tree, "Domain", NULL, -1);
506 /* NT version */
507 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
508 offset += 4;
510 /* LMNT token */
511 offset = display_LMNT_token(tvb, offset, tree);
514 /* LM token */
515 offset = display_LM_token(tvb, offset, tree);
517 return offset;
521 static int
522 dissect_smb_sam_logon_req(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
524 /* Netlogon command 0x12 - decode the SAM logon request from client */
526 uint32_t domain_sid_size;
528 /* Request count */
529 proto_tree_add_item(tree, hf_request_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
530 offset += 2;
532 /* computer name */
533 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_unicode_computer_name, NULL);
535 /* user name */
536 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_user_name, NULL);
538 /* mailslot name */
539 offset = display_ms_string(tvb, pinfo, tree, offset, hf_mailslot_name, NULL);
541 /* account control */
542 offset = dissect_account_control(tvb, tree, offset);
544 /* Domain SID Size */
545 domain_sid_size = tvb_get_letohl(tvb, offset);
546 proto_tree_add_uint(tree, hf_domain_sid_size, tvb, offset, 4,
547 domain_sid_size);
548 offset += 4;
550 if (domain_sid_size != 0) {
551 /* Align to four-byte boundary */
552 offset = ((offset + 3)/4)*4;
554 /* Domain SID */
555 offset = dissect_nt_sid(tvb, offset, tree, "Domain", NULL, -1);
558 /* NT version */
559 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
560 offset += 4;
562 /* LMNT token */
563 offset = display_LMNT_token(tvb, offset, tree);
565 /* LM token */
566 offset = display_LM_token(tvb, offset, tree);
568 return offset;
573 static int
574 dissect_smb_no_user(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
576 /* 0x0B (Announce no user on machine) */
578 /* computer name */
579 offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name, NULL);
581 return offset;
586 static int
587 dissect_smb_relogon_resp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
589 /*** 0x0d LanMan Response to relogon request ***/
591 /* Major version */
592 proto_tree_add_item(tree, hf_major_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
593 offset += 1;
595 /* Minor version */
596 proto_tree_add_item(tree, hf_minor_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
597 offset += 1;
599 /* OS version */
600 proto_tree_add_item(tree, hf_os_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
601 offset += 1;
603 /* NT version */
604 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
605 offset += 4;
607 /* LM token */
608 offset = display_LM_token(tvb, offset, tree);
610 return offset;
615 static int
616 dissect_smb_acc_update(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset)
618 /*** 0x11 LM2.1 Announce Acc updates ***/
620 /* signature */
621 proto_tree_add_item(tree, hf_signature, tvb, offset, 8, ENC_LITTLE_ENDIAN);
622 offset += 8;
624 /* date/time */
625 /* XXX - what format is this? Neither SMB_Date/SMB_Time nor
626 "time_t but in the local time zone" appear to be correct. */
627 proto_tree_add_item(tree, hf_date_time, tvb, offset, 4, ENC_LITTLE_ENDIAN);
628 offset += 4;
630 /* computer name */
631 offset = display_ms_string(tvb, pinfo, tree, offset, hf_computer_name, NULL);
633 /* user name */
634 offset = display_ms_string(tvb, pinfo, tree, offset, hf_user_name, NULL);
636 /* update type */
637 proto_tree_add_item(tree, hf_update_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
638 offset += 2;
640 /* NT version */
641 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
642 offset += 4;
644 /* LM token */
645 offset = display_LM_token(tvb, offset, tree);
647 return offset;
652 static int
653 dissect_smb_inter_resp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
655 /* 0x0e LanMan Response to interrogate request */
657 /* Major version */
658 proto_tree_add_item(tree, hf_major_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
659 offset += 1;
661 /* Minor version */
662 proto_tree_add_item(tree, hf_minor_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
663 offset += 1;
665 /* OS version */
666 proto_tree_add_item(tree, hf_os_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
667 offset += 1;
669 /* NT version */
670 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
671 offset += 4;
673 /* LMNT token */
674 offset = display_LMNT_token(tvb, offset, tree);
676 /* XXX - no LM token? Every other packet has one after the LMNT
677 token. */
679 return offset;
683 static int
684 dissect_smb_sam_logon_resp(tvbuff_t *tvb, packet_info *pinfo,
685 proto_tree *tree, int offset)
687 /* Netlogon command 0x13 - decode the SAM logon response from server */
688 /* Netlogon command 0x15 - decode the SAM logon response from server unknown user */
690 /* server name */
691 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_server_name, NULL);
693 /* user name */
694 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_user_name, NULL);
696 /* domain name */
697 offset = display_unicode_string(tvb, pinfo, tree, offset, hf_domain_name, NULL);
699 /* NT version */
700 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
701 offset += 4;
703 /* LMNT token */
704 offset = display_LMNT_token(tvb, offset, tree);
706 /* LM token */
707 offset = display_LM_token(tvb, offset, tree);
709 return offset;
712 static int
713 dissect_smb_pdc_response_ads(tvbuff_t *tvb, packet_info *pinfo,
714 proto_tree *tree, int offset)
716 /* Netlogon command 0x17 - decode the response from PDC ADS */
717 /* Netlogon command 0x19 - decode the response from PDC ADS USER ?*/
719 /* Align to four-byte boundary */
720 offset = ((offset + 3)/4)*4;
722 /* unknown uint32 type */
723 proto_tree_add_item(tree, hf_unknown32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
724 offset += 4;
726 /* Domain GUID */
727 proto_tree_add_item(tree, hf_domain_guid, tvb, offset, 16, ENC_NA);
728 offset += 16;
730 /* forest dns name */
731 offset=dissect_ms_compressed_string(tvb, pinfo, tree, offset, hf_forest_dns_name, NULL);
733 /* domain dns name */
734 offset=dissect_ms_compressed_string(tvb, pinfo, tree, offset, hf_domain_dns_name, NULL);
736 /* server dns name */
737 offset=dissect_ms_compressed_string(tvb, pinfo, tree, offset, hf_server_dns_name, NULL);
739 /* domain name */
740 offset=dissect_ms_compressed_string(tvb, pinfo, tree, offset, hf_domain_name, NULL);
742 /* server name */
743 offset=dissect_ms_compressed_string(tvb, pinfo, tree, offset, hf_server_name, NULL);
745 /* user name */
746 offset=dissect_ms_compressed_string(tvb, pinfo, tree, offset, hf_user_name, NULL);
748 /* server_site name */
749 offset=dissect_ms_compressed_string(tvb, pinfo, tree, offset, hf_server_site_name, NULL);
751 /* client_site name */
752 offset=dissect_ms_compressed_string(tvb, pinfo, tree, offset, hf_client_site_name, NULL);
754 /* unknown uint8 type */
755 proto_tree_add_item(tree, hf_unknown8, tvb, offset, 1, ENC_LITTLE_ENDIAN);
756 offset += 1;
758 /* unknown uint32 type */
759 proto_tree_add_item(tree, hf_unknown32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
760 offset += 4;
762 /* server ip */
763 proto_tree_add_item(tree, hf_server_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
764 offset += 4;
766 /* unknown uint32 type */
767 proto_tree_add_item(tree, hf_unknown32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
768 offset += 4;
770 /* unknown uint32 type */
771 proto_tree_add_item(tree, hf_unknown32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
772 offset += 4;
774 /* NT version */
775 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
776 offset += 4;
778 /* LMNT token */
779 offset = display_LMNT_token(tvb, offset, tree);
781 /* LM token */
782 offset = display_LM_token(tvb, offset, tree);
784 return offset;
787 static int
788 dissect_smb_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
790 /* display data as unknown */
792 proto_tree_add_item(tree, hf_data, tvb, offset, -1, ENC_NA);
794 return offset+tvb_reported_length_remaining(tvb, offset);
797 #define LOGON_LM10_LOGON_REQUEST 0x00
798 #define LOGON_LM10_LOGON_RESPONSE 0x01
799 #define LOGON_LM10_QUERY_CI 0x02
800 #define LOGON_LM10_QUERY_DI 0x03
801 #define LOGON_LM10_RESPONSE_CI 0x04
802 #define LOGON_LM10_RESPONSE_DI 0x05
803 #define LOGON_LM20_LOGON_RESPONSE 0x06
804 #define LOGON_PDC_QUERY 0x07
805 #define LOGON_PDC_STARTUP 0x08
806 #define LOGON_PDC_FAILED 0x09
807 #define LOGON_UAS_SAM 0x0a
808 #define LOGON_NO_USER 0x0b
809 #define LOGON_PDC_RESPONSE 0x0c
810 #define LOGON_RELOGON_RESPONSE 0x0d
811 #define LOGON_INTERROGATE_RESPONSE 0x0e
812 #define LOGON_LM20_RESPONSE_DURING_LOGON 0x0f
813 #define LOGON_LM20_USER_UNKNOWN 0x10
814 #define LOGON_LM20_ACCOUNT_UPDATE 0x11
815 #define LOGON_SAM_LOGON_REQUEST 0x12
816 #define LOGON_SAM_LOGON_RESPONSE 0x13
817 #define LOGON_SAM_RESPONSE_DURING_LOGON 0x14
818 #define LOGON_SAM_USER_UNKNOWN 0x15
819 #define LOGON_SAM_INTERROGATE_RESPONSE 0x16
820 #define LOGON_SAM_AD_USER_UNKNOWN 0x17
821 #define LOGON_SAM_UNKNOWN_18 0x18
822 #define LOGON_SAM_AD_LOGON_RESPONSE 0x19
823 #define LOGON_LAST_CMD 0x19
825 static const value_string commands[] = {
826 {LOGON_LM10_LOGON_REQUEST, "LM1.0/LM2.0 LOGON Request"},
827 {LOGON_LM10_LOGON_RESPONSE, "LM1.0 LOGON Response"},
828 {LOGON_LM10_QUERY_CI, "LM1.0 Query - Centralized Initialization"},
829 {LOGON_LM10_QUERY_DI, "LM1.0 Query - Distributed Initialization"},
830 {LOGON_LM10_RESPONSE_CI, "LM1.0 Response - Centralized Query"},
831 {LOGON_LM10_RESPONSE_DI, "LM1.0 Response - Distributed Initialization"},
832 {LOGON_LM20_LOGON_RESPONSE, "LM2.0 Response to LOGON Request"},
833 {LOGON_PDC_QUERY, "Query for PDC"},
834 {LOGON_PDC_STARTUP, "Announce Startup of PDC"},
835 {LOGON_PDC_FAILED, "Announce Failed PDC"},
836 {LOGON_UAS_SAM, "Announce Change to UAS or SAM"},
837 {LOGON_NO_USER, "Announce no user on machine"},
838 {LOGON_PDC_RESPONSE, "Response from PDC"},
839 {LOGON_RELOGON_RESPONSE, "LM1.0/LM2.0 Response to re-LOGON Request"},
840 {LOGON_INTERROGATE_RESPONSE, "LM1.0/LM2.0 Response to Interrogate Request"},
841 {LOGON_LM20_RESPONSE_DURING_LOGON, "LM2.0 Response during LOGON pause"},
842 {LOGON_LM20_USER_UNKNOWN, "LM2.0 Response - user unknown"},
843 {LOGON_LM20_ACCOUNT_UPDATE, "LM2.0 Announce account updates"},
844 {LOGON_SAM_LOGON_REQUEST, "SAM LOGON request from client"},
845 {LOGON_SAM_LOGON_RESPONSE, "Response to SAM LOGON request"},
846 {LOGON_SAM_RESPONSE_DURING_LOGON, "SAM Response during LOGON pause"},
847 {LOGON_SAM_USER_UNKNOWN, "SAM Response - user unknown"},
848 {LOGON_SAM_INTERROGATE_RESPONSE, "SAM Response to Interrogate Request"},
849 {LOGON_SAM_AD_USER_UNKNOWN, "SAM Active Directory Response - user unknown"},
850 {LOGON_SAM_UNKNOWN_18, "SAM unknown command 0x18"},
851 {LOGON_SAM_AD_LOGON_RESPONSE, "Active Directory Response to SAM LOGON request"},
852 {0, NULL}
855 static int (*dissect_smb_logon_cmds[])(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) = {
856 dissect_smb_logon_request, /* 0x00 (LM1.0/LM2.0 LOGON Request) */
857 dissect_smb_logon_LM10_resp, /* 0x01 (LM1.0 LOGON Response) */
858 dissect_smb_logon_2, /* 0x02 (LM1.0 Query Centralized Init.)*/
859 dissect_smb_logon_2, /* 0x03 (LM1.0 Query Distributed Init.)*/
860 dissect_smb_logon_2, /* 0x04 (LM1.0 Centralized Query Resp.)*/
861 dissect_smb_logon_2, /* 0x05 (LM1.0 Distributed Query Resp.) */
862 dissect_smb_logon_LM20_resp, /* 0x06 (LM2.0 LOGON Response) */
863 dissect_smb_pdc_query, /* 0x07 (Query for PDC) */
864 dissect_smb_pdc_startup, /* 0x08 (Announce PDC startup) */
865 dissect_smb_pdc_failure, /* 0x09 (Announce Failed PDC) */
866 dissect_announce_change, /* 0x0A (Announce Change to UAS or SAM)*/
867 dissect_smb_no_user, /* 0x0B (Announce no user on machine)*/
868 dissect_smb_pdc_startup, /* 0x0C (Response from PDC) */
869 dissect_smb_relogon_resp, /* 0x0D (Relogon response) */
870 dissect_smb_inter_resp, /* 0x0E (Interrogate response) */
871 dissect_smb_pdc_failure, /* 0x0F (LM2.0 Resp. during LOGON pause*/
872 dissect_smb_pdc_failure, /* 0x10 (LM 2.0 Unknown user response)*/
873 dissect_smb_acc_update, /* 0x11 (LM2.1 Announce Acc updates)*/
874 dissect_smb_sam_logon_req, /* 0x12 (SAM LOGON request ) */
875 dissect_smb_sam_logon_resp, /* 0x13 (SAM LOGON response) */
876 dissect_smb_unknown, /* 0x14 (SAM Response during LOGON Pause) */
877 dissect_smb_sam_logon_resp, /* 0x15 (SAM Response User Unknown) */
878 dissect_smb_unknown, /* 0x16 (SAM Response to Interrogate)*/
879 dissect_smb_pdc_response_ads, /* 0x17 (SAM AD response User Unknown*/
880 dissect_smb_unknown, /* 0x18 (Unknown command) */
881 dissect_smb_pdc_response_ads /* 0x19 (SAM LOGON AD response) */
885 static int
886 dissect_smb_logon(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
888 int offset = 0;
889 uint8_t cmd;
890 proto_tree *smb_logon_tree = NULL;
891 proto_item *item = NULL;
893 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB_NETLOGON");
894 col_clear(pinfo->cinfo, COL_INFO);
896 /* get the Command field */
897 cmd = tvb_get_uint8(tvb, offset);
899 col_add_str(pinfo->cinfo, COL_INFO, val_to_str(cmd, commands, "Unknown Command:%02x") );
901 if (tree) {
902 item = proto_tree_add_item(tree, proto_smb_logon, tvb,
903 offset, -1, ENC_NA);
905 smb_logon_tree = proto_item_add_subtree(item, ett_smb_logon);
908 /* command */
909 proto_tree_add_uint(smb_logon_tree, hf_command, tvb, offset, 1, cmd);
910 offset += 1;
912 /* skip next byte */
913 offset += 1;
915 if (cmd<LOGON_LAST_CMD) {
916 (dissect_smb_logon_cmds[cmd])(tvb, pinfo,
917 smb_logon_tree, offset);
918 } else {
919 /* unknown command */
920 dissect_smb_unknown(tvb, pinfo, smb_logon_tree,
921 offset);
923 return tvb_captured_length(tvb);
926 void
927 proto_register_smb_logon( void)
929 static hf_register_info hf[] = {
930 { &hf_command,
931 { "Command", "smb_netlogon.command", FT_UINT8, BASE_HEX,
932 VALS(commands), 0, "SMB NETLOGON Command", HFILL }},
934 { &hf_computer_name,
935 { "Computer Name", "smb_netlogon.computer_name", FT_STRING, BASE_NONE,
936 NULL, 0, "SMB NETLOGON Computer Name", HFILL }},
938 { &hf_unicode_computer_name,
939 { "Unicode Computer Name", "smb_netlogon.unicode_computer_name", FT_STRING, BASE_NONE,
940 NULL, 0, "SMB NETLOGON Unicode Computer Name", HFILL }},
942 { &hf_server_name,
943 { "Server Name", "smb_netlogon.server_name", FT_STRING, BASE_NONE,
944 NULL, 0, "SMB NETLOGON Server Name", HFILL }},
946 { &hf_server_dns_name,
947 { "Server DNS Name", "smb_netlogon.server_dns_name", FT_STRING, BASE_NONE,
948 NULL, 0, "SMB NETLOGON Server DNS Name", HFILL }},
950 { &hf_user_name,
951 { "User Name", "smb_netlogon.user_name", FT_STRING, BASE_NONE,
952 NULL, 0, "SMB NETLOGON User Name", HFILL }},
954 { &hf_domain_name,
955 { "Domain Name", "smb_netlogon.domain_name", FT_STRING, BASE_NONE,
956 NULL, 0, "SMB NETLOGON Domain Name", HFILL }},
958 { &hf_domain_dns_name,
959 { "Domain DNS Name", "smb_netlogon.domain_dns_name", FT_STRING, BASE_NONE,
960 NULL, 0, "SMB NETLOGON Domain DNS Name", HFILL }},
962 { &hf_forest_dns_name,
963 { "Forest DNS Name", "smb_netlogon.forest_dns_name", FT_STRING, BASE_NONE,
964 NULL, 0, "SMB NETLOGON Forest DNS Name", HFILL }},
966 { &hf_mailslot_name,
967 { "Mailslot Name", "smb_netlogon.mailslot_name", FT_STRING, BASE_NONE,
968 NULL, 0, "SMB NETLOGON Mailslot Name", HFILL }},
970 { &hf_pdc_name,
971 { "PDC Name", "smb_netlogon.pdc_name", FT_STRING, BASE_NONE,
972 NULL, 0, "SMB NETLOGON PDC Name", HFILL }},
974 { &hf_unicode_pdc_name,
975 { "Unicode PDC Name", "smb_netlogon.unicode_pdc_name", FT_STRING, BASE_NONE,
976 NULL, 0, "SMB NETLOGON Unicode PDC Name", HFILL }},
978 { &hf_script_name,
979 { "Script Name", "smb_netlogon.script_name", FT_STRING, BASE_NONE,
980 NULL, 0, "SMB NETLOGON Script Name", HFILL }},
982 { &hf_nt_version,
983 { "NT Version", "smb_netlogon.nt_version", FT_UINT32, BASE_DEC,
984 NULL, 0, "SMB NETLOGON NT Version", HFILL }},
986 /* An LMNT Token, if 0xffff, is "WindowsNT Networking";
987 what is it otherwise? */
988 { &hf_lmnt_token,
989 { "LMNT Token", "smb_netlogon.lmnt_token", FT_UINT16, BASE_HEX,
990 NULL, 0, "SMB NETLOGON LMNT Token", HFILL }},
992 { &hf_lm_token,
993 { "LM Token", "smb_netlogon.lm_token", FT_UINT16, BASE_HEX,
994 NULL, 0, "SMB NETLOGON LM Token", HFILL }},
996 { &hf_major_version,
997 { "Workstation Major Version", "smb_netlogon.major_version", FT_UINT8, BASE_DEC,
998 NULL, 0, "SMB NETLOGON Workstation Major Version", HFILL }},
1000 { &hf_minor_version,
1001 { "Workstation Minor Version", "smb_netlogon.minor_version", FT_UINT8, BASE_DEC,
1002 NULL, 0, "SMB NETLOGON Workstation Minor Version", HFILL }},
1004 { &hf_os_version,
1005 { "Workstation OS Version", "smb_netlogon.os_version", FT_UINT8, BASE_DEC,
1006 NULL, 0, "SMB NETLOGON Workstation OS Version", HFILL }},
1008 { &hf_signature,
1009 { "Signature", "smb_netlogon.signature", FT_UINT64, BASE_HEX,
1010 NULL, 0, NULL, HFILL }},
1012 { &hf_date_time,
1013 { "Date/Time", "smb_netlogon.date_time", FT_UINT32, BASE_DEC,
1014 NULL, 0, "SMB NETLOGON Date/Time", HFILL }},
1016 { &hf_update_type,
1017 { "Update Type", "smb_netlogon.update", FT_UINT16, BASE_DEC,
1018 NULL, 0, "SMB NETLOGON Update Type", HFILL }},
1020 { &hf_request_count,
1021 { "Request Count", "smb_netlogon.request_count", FT_UINT16, BASE_DEC,
1022 NULL, 0, "SMB NETLOGON Request Count", HFILL }},
1024 { &hf_account_control,
1025 { "Account control", "smb_netlogon.flags", FT_UINT32, BASE_HEX,
1026 NULL, 0, NULL, HFILL }},
1028 { &hf_flags_autolock,
1029 { "Autolock", "smb_netlogon.flags.autolock", FT_BOOLEAN, 32,
1030 TFS(&tfs_flags_autolock), ACC_FLAG_AUTO_LOCKED, "SMB NETLOGON Account Autolock", HFILL}},
1032 { &hf_flags_expire,
1033 { "Expire", "smb_netlogon.flags.expire", FT_BOOLEAN, 32,
1034 TFS(&tfs_flags_expire), ACC_FLAG_EXPIRE, "SMB NETLOGON Will Account Expire", HFILL}},
1036 { &hf_flags_server_trust,
1037 { "Server Trust", "smb_netlogon.flags.server", FT_BOOLEAN, 32,
1038 TFS(&tfs_flags_server_trust), ACC_FLAG_SERVER_TRUST, "SMB NETLOGON Server Trust Account", HFILL}},
1040 { &hf_flags_workstation_trust,
1041 { "Workstation Trust", "smb_netlogon.flags.workstation", FT_BOOLEAN, 32,
1042 TFS(&tfs_flags_workstation_trust), ACC_FLAG_WORKSTATION_TRUST, "SMB NETLOGON Workstation Trust Account", HFILL}},
1044 { &hf_flags_interdomain_trust,
1045 { "Interdomain Trust", "smb_netlogon.flags.interdomain", FT_BOOLEAN, 32,
1046 TFS(&tfs_flags_interdomain_trust), ACC_FLAG_INTERDOMAIN_TRUST, "SMB NETLOGON Inter-domain Trust Account", HFILL}},
1048 { &hf_flags_mns_user,
1049 { "MNS User", "smb_netlogon.flags.mns", FT_BOOLEAN, 32,
1050 TFS(&tfs_flags_mns_user), ACC_FLAG_MNS_USER, "SMB NETLOGON MNS User Account", HFILL}},
1052 { &hf_flags_normal_user,
1053 { "Normal User", "smb_netlogon.flags.normal", FT_BOOLEAN, 32,
1054 TFS(&tfs_flags_normal_user), ACC_FLAG_NORMAL_USER, "SMB NETLOGON Normal User Account", HFILL}},
1056 { &hf_flags_temp_dup_user,
1057 { "Temp Duplicate User", "smb_netlogon.flags.temp_dup", FT_BOOLEAN, 32,
1058 TFS(&tfs_flags_temp_dup_user), ACC_FLAG_TEMP_DUP_USER, "SMB NETLOGON Temp Duplicate User Account", HFILL}},
1060 { &hf_flags_password_required,
1061 { "Password", "smb_netlogon.flags.password", FT_BOOLEAN, 32,
1062 TFS(&tfs_flags_password_required), ACC_FLAG_PASSWORD_REQUIRED, "SMB NETLOGON Password Required", HFILL}},
1064 { &hf_flags_homedir_required,
1065 { "Homedir", "smb_netlogon.flags.homedir", FT_BOOLEAN, 32,
1066 TFS(&tfs_flags_homedir_required), ACC_FLAG_HOMEDIR_REQUIRED, "SMB NETLOGON Homedir Required", HFILL}},
1068 { &hf_flags_enabled,
1069 { "Enabled", "smb_netlogon.flags.enabled", FT_BOOLEAN, 32,
1070 TFS(&tfs_flags_enabled), ACC_FLAG_ENABLED, "SMB NETLOGON Is This Account Enabled", HFILL}},
1072 { &hf_domain_sid_size,
1073 { "Domain SID Size", "smb_netlogon.domain_sid_size", FT_UINT32, BASE_DEC,
1074 NULL, 0, "SMB NETLOGON Domain SID Size", HFILL }},
1076 { &hf_low_serial,
1077 { "Low Serial Number", "smb_netlogon.low_serial", FT_UINT32, BASE_DEC,
1078 NULL, 0, "SMB NETLOGON Low Serial Number", HFILL }},
1080 { &hf_pulse,
1081 { "Pulse", "smb_netlogon.pulse", FT_UINT32, BASE_DEC,
1082 NULL, 0, "SMB NETLOGON Pulse", HFILL }},
1084 { &hf_random,
1085 { "Random", "smb_netlogon.random", FT_UINT32, BASE_DEC,
1086 NULL, 0, "SMB NETLOGON Random", HFILL }},
1088 { &hf_db_count,
1089 { "DB Count", "smb_netlogon.db_count", FT_UINT32, BASE_DEC,
1090 NULL, 0, "SMB NETLOGON DB Count", HFILL }},
1092 { &hf_db_index,
1093 { "Database Index", "smb_netlogon.db_index", FT_UINT32, BASE_DEC,
1094 NULL, 0, "SMB NETLOGON Database Index", HFILL }},
1096 { &hf_large_serial,
1097 { "Large Serial Number", "smb_netlogon.large_serial", FT_UINT64, BASE_DEC,
1098 NULL, 0, "SMB NETLOGON Large Serial Number", HFILL }},
1100 { &hf_nt_date_time,
1101 { "NT Date/Time", "smb_netlogon.nt_date_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
1102 NULL, 0, "SMB NETLOGON NT Date/Time", HFILL }},
1104 { &hf_unknown8,
1105 { "Unknown", "smb_netlogon.unknown", FT_UINT8, BASE_HEX,
1106 NULL, 0, NULL, HFILL }},
1108 { &hf_unknown32,
1109 { "Unknown", "smb_netlogon.unknown", FT_UINT32, BASE_HEX,
1110 NULL, 0, NULL, HFILL }},
1112 { &hf_domain_guid,
1113 { "Domain GUID", "smb_netlogon.domain.guid", FT_BYTES, BASE_NONE,
1114 NULL, 0x0, NULL, HFILL }},
1116 { &hf_server_ip, {
1117 "Server IP", "smb_netlogon.server_ip", FT_IPv4, BASE_NONE,
1118 NULL, 0x0, "Server IP Address", HFILL }},
1120 { &hf_server_site_name,
1121 { "Server Site Name", "smb_netlogon.server_site_name", FT_STRING, BASE_NONE,
1122 NULL, 0, "SMB NETLOGON Server Site Name", HFILL }},
1124 { &hf_client_site_name,
1125 { "Client Site Name", "smb_netlogon.client_site_name", FT_STRING, BASE_NONE,
1126 NULL, 0, "SMB NETLOGON Client Site Name", HFILL }},
1128 { &hf_data,
1129 { "Data", "smb_netlogon.data", FT_BYTES, BASE_NONE,
1130 NULL, 0, NULL, HFILL }},
1133 static int *ett[] = {
1134 &ett_smb_logon,
1135 &ett_smb_account_flags,
1136 &ett_smb_db_info
1139 proto_smb_logon = proto_register_protocol("Microsoft Windows Logon Protocol (Old)", "SMB_NETLOGON", "smb_netlogon");
1141 proto_register_field_array(proto_smb_logon, hf, array_length(hf));
1142 proto_register_subtree_array(ett, array_length(ett));
1144 register_dissector("smb_netlogon", dissect_smb_logon, proto_smb_logon);
1148 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1150 * Local variables:
1151 * c-basic-offset: 8
1152 * tab-width: 8
1153 * indent-tabs-mode: t
1154 * End:
1156 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
1157 * :indentSize=8:tabSize=8:noTabs=false: