search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
HACK: 2nd try to match RowsetProperties
[wireshark-wip.git] / epan / dissectors / packet-dcerpc-netlogon.c
blobf5db50da3986e26e4a487601cccf5628a1017952
1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
5 *
6 * $Id$
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
16 *
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 */
26
27 #include "config.h"
28
29
30 #include <glib.h>
31 #include <string.h>
32
33 #include <wsutil/rc4.h>
34 #include <wsutil/md4.h>
35 #include <wsutil/md5.h>
36 #include <wsutil/des.h>
37
38 #include <epan/packet.h>
39 #include <epan/wmem/wmem.h>
40 /* for dissect_mscldap_string */
41 #include "packet-ldap.h"
42 #include "packet-dcerpc.h"
43 #include "packet-dcerpc-nt.h"
44 #include "packet-dcerpc-netlogon.h"
45 #include "packet-windows-common.h"
46 #include "packet-ntlmssp.h"
47 #include "packet-dcerpc-lsa.h"
48 /* for keytab format */
49 #include <epan/asn1.h>
50 #include "packet-kerberos.h"
51 /* for decoding */
52
53 extern const char *gbl_nt_password;
54 #ifdef DEBUG_NETLOGON
55 #include <stdio.h>
56 #define debugprintf(...) fprintf(stderr,__VA_ARGS__)
57 static void printnbyte(const guint8* tab,int nb,const char* txt,const char* txt2)
58 {
59 int i=0;
60 debugprintf("%s ",txt);
61 for(i=0;i<nb;i++)
62 {
63 debugprintf("%02X ",*(tab+i));
64 }
65 debugprintf("%s",txt2);
66 }
67 #else
68 #define debugprintf(...)
69 static void printnbyte(const guint8* tab _U_,int nb _U_,const char* txt _U_,const char* txt2 _U_) {}
70 #endif
71
72 #define NETLOGON_FLAG_80000000 0x80000000
73 #define NETLOGON_FLAG_40000000 0x40000000
74 #define NETLOGON_FLAG_20000000 0x20000000
75 #define NETLOGON_FLAG_10000000 0x10000000
76 #define NETLOGON_FLAG_8000000 0x8000000
77 #define NETLOGON_FLAG_4000000 0x4000000
78 #define NETLOGON_FLAG_2000000 0x2000000
79 #define NETLOGON_FLAG_1000000 0x1000000
80 #define NETLOGON_FLAG_800000 0x800000
81 #define NETLOGON_FLAG_USEAES 0x400000
82 #define NETLOGON_FLAG_200000 0x200000
83 #define NETLOGON_FLAG_100000 0x100000
84 #define NETLOGON_FLAG_80000 0x80000
85 #define NETLOGON_FLAG_40000 0x40000
86 #define NETLOGON_FLAG_20000 0x20000
87 #define NETLOGON_FLAG_10000 0x10000
88 #define NETLOGON_FLAG_8000 0x8000
89 #define NETLOGON_FLAG_STRONGKEY 0x4000
90 #define NETLOGON_FLAG_2000 0x2000
91 #define NETLOGON_FLAG_1000 0x1000
92 #define NETLOGON_FLAG_800 0x800
93 #define NETLOGON_FLAG_400 0x400
94 #define NETLOGON_FLAG_200 0x200
95 #define NETLOGON_FLAG_100 0x100
96 #define NETLOGON_FLAG_80 0x80
97 #define NETLOGON_FLAG_40 0x40
98 #define NETLOGON_FLAG_20 0x20
99 #define NETLOGON_FLAG_10 0x10
100 #define NETLOGON_FLAG_8 0x8
101 #define NETLOGON_FLAG_4 0x4
102 #define NETLOGON_FLAG_2 0x2
103 #define NETLOGON_FLAG_1 0x1
104
105 static GHashTable *netlogon_auths=NULL;
106 static GHashTable *schannel_auths;
107 static gint hf_netlogon_TrustedDomainName_string = -1;
108 static gint hf_netlogon_UserName_string = -1;
109 static gint DomainInfo_sid = -1;
110 static gint DnsDomainInfo_sid = -1;
111 static gint DnsDomainInfo_domain_guid = -1;
112 static gint DnsDomainInfo_dns_domain = -1;
113 static gint DnsDomainInfo_dns_forest = -1;
114 static gint DnsDomainInfo_name = -1;
115 static int hf_client_challenge = -1;
116 static int hf_server_rid = -1;
117 static int hf_server_challenge = -1;
118 static int hf_client_credential = -1;
119 static int hf_server_credential = -1;
120 static int proto_dcerpc_netlogon = -1;
121 static int hf_netlogon_logon_dnslogondomainname = -1;
122 static int hf_netlogon_logon_upn = -1;
123 static int hf_netlogon_group_attrs_mandatory = -1;
124 static int hf_netlogon_group_attrs_enabled_by_default = -1;
125 static int hf_netlogon_group_attrs_enabled = -1;
126 static int hf_netlogon_opnum = -1;
127 static int hf_netlogon_data_length = -1;
128 static int hf_netlogon_extraflags = -1;
129 static int hf_netlogon_extra_flags_root_forest = -1;
130 static int hf_netlogon_trust_flags_dc_firsthop = -1;
131 static int hf_netlogon_trust_flags_rodc_to_dc = -1;
132 static int hf_netlogon_trust_flags_rodc_ntlm = -1;
133 static int hf_netlogon_package_name = -1;
134 static int hf_netlogon_rc = -1;
135 static int hf_netlogon_dos_rc = -1;
136 static int hf_netlogon_werr_rc = -1;
137 static int hf_netlogon_len = -1;
138 static int hf_netlogon_sensitive_data_flag = -1;
139 static int hf_netlogon_sensitive_data_len = -1;
140 static int hf_netlogon_sensitive_data = -1;
141 static int hf_netlogon_security_information = -1;
142 static int hf_netlogon_dummy = -1;
143 static int hf_netlogon_neg_flags = -1;
144 /* static int hf_netlogon_neg_flags_80000000 = -1; */
145 static int hf_netlogon_neg_flags_40000000 = -1;
146 static int hf_netlogon_neg_flags_20000000 = -1;
147 /* static int hf_netlogon_neg_flags_10000000 = -1; */
148 /* static int hf_netlogon_neg_flags_8000000 = -1; */
149 /* static int hf_netlogon_neg_flags_4000000 = -1; */
150 /* static int hf_netlogon_neg_flags_2000000 = -1; */
151 static int hf_netlogon_neg_flags_1000000 = -1;
152 /* static int hf_netlogon_neg_flags_800000 = -1; */
153 static int hf_netlogon_neg_flags_400000 = -1;
154 static int hf_netlogon_neg_flags_200000 = -1;
155 static int hf_netlogon_neg_flags_100000 = -1;
156 static int hf_netlogon_neg_flags_80000 = -1;
157 static int hf_netlogon_neg_flags_40000 = -1;
158 static int hf_netlogon_neg_flags_20000 = -1;
159 static int hf_netlogon_neg_flags_10000 = -1;
160 static int hf_netlogon_neg_flags_8000 = -1;
161 static int hf_netlogon_neg_flags_4000 = -1;
162 static int hf_netlogon_neg_flags_2000 = -1;
163 static int hf_netlogon_neg_flags_1000 = -1;
164 static int hf_netlogon_neg_flags_800 = -1;
165 static int hf_netlogon_neg_flags_400 = -1;
166 static int hf_netlogon_neg_flags_200 = -1;
167 static int hf_netlogon_neg_flags_100 = -1;
168 static int hf_netlogon_neg_flags_80 = -1;
169 static int hf_netlogon_neg_flags_40 = -1;
170 static int hf_netlogon_neg_flags_20 = -1;
171 static int hf_netlogon_neg_flags_10 = -1;
172 static int hf_netlogon_neg_flags_8 = -1;
173 static int hf_netlogon_neg_flags_4 = -1;
174 static int hf_netlogon_neg_flags_2 = -1;
175 static int hf_netlogon_neg_flags_1 = -1;
176 static int hf_netlogon_minworkingsetsize = -1;
177 static int hf_netlogon_maxworkingsetsize = -1;
178 static int hf_netlogon_pagedpoollimit = -1;
179 static int hf_netlogon_pagefilelimit = -1;
180 static int hf_netlogon_timelimit = -1;
181 static int hf_netlogon_nonpagedpoollimit = -1;
182 /* static int hf_netlogon_pac_size = -1; */
183 /* static int hf_netlogon_pac_data = -1; */
184 /* static int hf_netlogon_auth_size = -1; */
185 /* static int hf_netlogon_auth_data = -1; */
186 static int hf_netlogon_cipher_len = -1;
187 static int hf_netlogon_cipher_maxlen = -1;
188 static int hf_netlogon_cipher_current_data = -1;
189 static int hf_netlogon_cipher_current_set_time = -1;
190 static int hf_netlogon_cipher_old_data = -1;
191 static int hf_netlogon_cipher_old_set_time = -1;
192 static int hf_netlogon_priv = -1;
193 static int hf_netlogon_privilege_entries = -1;
194 static int hf_netlogon_privilege_control = -1;
195 static int hf_netlogon_privilege_name = -1;
196 static int hf_netlogon_systemflags = -1;
197 static int hf_netlogon_pdc_connection_status = -1;
198 static int hf_netlogon_tc_connection_status = -1;
199 static int hf_netlogon_restart_state = -1;
200 static int hf_netlogon_attrs = -1;
201 static int hf_netlogon_lsapolicy_len = -1;
202 /* static int hf_netlogon_lsapolicy_referentid = -1; */
203 /* static int hf_netlogon_lsapolicy_pointer = -1; */
204 static int hf_netlogon_count = -1;
205 static int hf_netlogon_entries = -1;
206 static int hf_netlogon_minpasswdlen = -1;
207 static int hf_netlogon_passwdhistorylen = -1;
208 static int hf_netlogon_level16 = -1;
209 static int hf_netlogon_validation_level = -1;
210 static int hf_netlogon_reference = -1;
211 static int hf_netlogon_next_reference = -1;
212 static int hf_netlogon_timestamp = -1;
213 static int hf_netlogon_level = -1;
214 static int hf_netlogon_challenge = -1;
215 static int hf_netlogon_reserved = -1;
216 static int hf_netlogon_audit_retention_period = -1;
217 static int hf_netlogon_auditing_mode = -1;
218 static int hf_netlogon_max_audit_event_count = -1;
219 static int hf_netlogon_event_audit_option = -1;
220 static int hf_netlogon_unknown_string = -1;
221 static int hf_netlogon_trust_extention = -1;
222 static int hf_netlogon_trust_max = -1;
223 static int hf_netlogon_trust_offset = -1;
224 static int hf_netlogon_trust_len = -1;
225 static int hf_netlogon_dummy_string = -1;
226 static int hf_netlogon_dummy_string2 = -1;
227 static int hf_netlogon_dummy_string3 = -1;
228 static int hf_netlogon_dummy_string4 = -1;
229 static int hf_netlogon_dummy_string5 = -1;
230 static int hf_netlogon_dummy_string6 = -1;
231 static int hf_netlogon_dummy_string7 = -1;
232 static int hf_netlogon_dummy_string8 = -1;
233 static int hf_netlogon_dummy_string9 = -1;
234 static int hf_netlogon_dummy_string10 = -1;
235 static int hf_netlogon_unknown_short = -1;
236 static int hf_netlogon_unknown_long = -1;
237 static int hf_netlogon_dummy1_long = -1;
238 static int hf_netlogon_dummy2_long = -1;
239 static int hf_netlogon_dummy3_long = -1;
240 static int hf_netlogon_dummy4_long = -1;
241 static int hf_netlogon_dummy5_long = -1;
242 static int hf_netlogon_dummy6_long = -1;
243 static int hf_netlogon_dummy7_long = -1;
244 static int hf_netlogon_dummy8_long = -1;
245 static int hf_netlogon_dummy9_long = -1;
246 static int hf_netlogon_dummy10_long = -1;
247 static int hf_netlogon_unknown_char = -1;
248 static int hf_netlogon_logon_time = -1;
249 static int hf_netlogon_logoff_time = -1;
250 static int hf_netlogon_last_logoff_time = -1;
251 static int hf_netlogon_kickoff_time = -1;
252 static int hf_netlogon_pwd_age = -1;
253 static int hf_netlogon_pwd_last_set_time = -1;
254 static int hf_netlogon_pwd_can_change_time = -1;
255 static int hf_netlogon_pwd_must_change_time = -1;
256 /* static int hf_netlogon_nt_chal_resp = -1; */
257 static int hf_netlogon_lm_chal_resp = -1;
258 static int hf_netlogon_credential = -1;
259 static int hf_netlogon_acct_name = -1;
260 static int hf_netlogon_acct_desc = -1;
261 static int hf_netlogon_group_desc = -1;
262 static int hf_netlogon_full_name = -1;
263 static int hf_netlogon_comment = -1;
264 static int hf_netlogon_parameters = -1;
265 static int hf_netlogon_logon_script = -1;
266 static int hf_netlogon_profile_path = -1;
267 static int hf_netlogon_home_dir = -1;
268 static int hf_netlogon_dir_drive = -1;
269 static int hf_netlogon_logon_count = -1;
270 static int hf_netlogon_logon_count16 = -1;
271 static int hf_netlogon_bad_pw_count = -1;
272 static int hf_netlogon_bad_pw_count16 = -1;
273 static int hf_netlogon_user_rid = -1;
274 static int hf_netlogon_alias_rid = -1;
275 static int hf_netlogon_group_rid = -1;
276 static int hf_netlogon_logon_srv = -1;
277 /* static int hf_netlogon_principal = -1; */
278 static int hf_netlogon_logon_dom = -1;
279 static int hf_netlogon_resourcegroupcount = -1;
280 static int hf_netlogon_downlevel_domain_name = -1;
281 static int hf_netlogon_dns_domain_name = -1;
282 static int hf_netlogon_ad_client_dns_name = -1;
283 static int hf_netlogon_domain_name = -1;
284 static int hf_netlogon_domain_create_time = -1;
285 static int hf_netlogon_domain_modify_time = -1;
286 static int hf_netlogon_modify_count = -1;
287 static int hf_netlogon_db_modify_time = -1;
288 static int hf_netlogon_db_create_time = -1;
289 static int hf_netlogon_oem_info = -1;
290 static int hf_netlogon_serial_number = -1;
291 static int hf_netlogon_num_rids = -1;
292 static int hf_netlogon_num_trusts = -1;
293 static int hf_netlogon_num_controllers = -1;
294 static int hf_netlogon_num_sid = -1;
295 static int hf_netlogon_computer_name = -1;
296 static int hf_netlogon_site_name = -1;
297 static int hf_netlogon_trusted_dc_name = -1;
298 static int hf_netlogon_dc_name = -1;
299 static int hf_netlogon_dc_site_name = -1;
300 static int hf_netlogon_dns_forest_name = -1;
301 static int hf_netlogon_dc_address = -1;
302 static int hf_netlogon_dc_address_type = -1;
303 static int hf_netlogon_client_site_name = -1;
304 static int hf_netlogon_workstation = -1;
305 static int hf_netlogon_workstation_site_name = -1;
306 static int hf_netlogon_os_version = -1;
307 static int hf_netlogon_workstation_os = -1;
308 static int hf_netlogon_workstation_flags = -1;
309 static int hf_netlogon_supportedenctypes = -1;
310
311 static int hf_netlogon_workstations = -1;
312 static int hf_netlogon_workstation_fqdn = -1;
313 static int hf_netlogon_group_name = -1;
314 static int hf_netlogon_alias_name = -1;
315 static int hf_netlogon_country = -1;
316 static int hf_netlogon_codepage = -1;
317 static int hf_netlogon_flags = -1;
318 static int hf_netlogon_trust_attribs = -1;
319 static int hf_netlogon_trust_attribs_non_transitive = -1;
320 static int hf_netlogon_trust_attribs_uplevel_only = -1;
321 static int hf_netlogon_trust_attribs_quarantined_domain = -1;
322 static int hf_netlogon_trust_attribs_forest_transitive = -1;
323 static int hf_netlogon_trust_attribs_cross_organization = -1;
324 static int hf_netlogon_trust_attribs_within_forest = -1;
325 static int hf_netlogon_trust_attribs_treat_as_external = -1;
326 static int hf_netlogon_trust_type = -1;
327 static int hf_netlogon_trust_flags = -1;
328 static int hf_netlogon_trust_flags_inbound = -1;
329 static int hf_netlogon_trust_flags_outbound = -1;
330 static int hf_netlogon_trust_flags_in_forest = -1;
331 static int hf_netlogon_trust_flags_native_mode = -1;
332 static int hf_netlogon_trust_flags_primary = -1;
333 static int hf_netlogon_trust_flags_tree_root = -1;
334 static int hf_netlogon_trust_parent_index = -1;
335 static int hf_netlogon_user_account_control = -1;
336 static int hf_netlogon_user_account_control_dont_require_preauth = -1;
337 static int hf_netlogon_user_account_control_use_des_key_only = -1;
338 static int hf_netlogon_user_account_control_not_delegated = -1;
339 static int hf_netlogon_user_account_control_trusted_for_delegation = -1;
340 static int hf_netlogon_user_account_control_smartcard_required = -1;
341 static int hf_netlogon_user_account_control_encrypted_text_password_allowed = -1;
342 static int hf_netlogon_user_account_control_account_auto_locked = -1;
343 static int hf_netlogon_user_account_control_dont_expire_password = -1;
344 static int hf_netlogon_user_account_control_server_trust_account = -1;
345 static int hf_netlogon_user_account_control_workstation_trust_account = -1;
346 static int hf_netlogon_user_account_control_interdomain_trust_account = -1;
347 static int hf_netlogon_user_account_control_mns_logon_account = -1;
348 static int hf_netlogon_user_account_control_normal_account = -1;
349 static int hf_netlogon_user_account_control_temp_duplicate_account = -1;
350 static int hf_netlogon_user_account_control_password_not_required = -1;
351 static int hf_netlogon_user_account_control_home_directory_required = -1;
352 static int hf_netlogon_user_account_control_account_disabled = -1;
353 static int hf_netlogon_user_flags = -1;
354 static int hf_netlogon_user_flags_extra_sids = -1;
355 static int hf_netlogon_user_flags_resource_groups = -1;
356 static int hf_netlogon_auth_flags = -1;
357 static int hf_netlogon_pwd_expired = -1;
358 static int hf_netlogon_nt_pwd_present = -1;
359 static int hf_netlogon_lm_pwd_present = -1;
360 static int hf_netlogon_code = -1;
361 static int hf_netlogon_database_id = -1;
362 static int hf_netlogon_sync_context = -1;
363 static int hf_netlogon_max_size = -1;
364 static int hf_netlogon_max_log_size = -1;
365 static int hf_netlogon_dns_host = -1;
366 static int hf_netlogon_acct_expiry_time = -1;
367 static int hf_netlogon_encrypted_lm_owf_password = -1;
368 static int hf_netlogon_lm_owf_password = -1;
369 static int hf_netlogon_nt_owf_password = -1;
370 static int hf_netlogon_param_ctrl = -1;
371 static int hf_netlogon_logon_id = -1;
372 static int hf_netlogon_num_deltas = -1;
373 static int hf_netlogon_user_session_key = -1;
374 static int hf_netlogon_blob_size = -1;
375 static int hf_netlogon_blob = -1;
376 static int hf_netlogon_logon_attempts = -1;
377 static int hf_netlogon_authoritative = -1;
378 static int hf_netlogon_secure_channel_type = -1;
379 static int hf_netlogon_logonsrv_handle = -1;
380 static int hf_netlogon_delta_type = -1;
381 static int hf_netlogon_get_dcname_request_flags = -1;
382 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
383 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
384 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
385 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
386 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
387 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
388 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
389 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
390 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
391 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
392 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
393 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
394 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
395 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
396 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
397 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
398 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
399 static int hf_netlogon_dc_flags = -1;
400 static int hf_netlogon_dc_flags_pdc_flag = -1;
401 static int hf_netlogon_dc_flags_gc_flag = -1;
402 static int hf_netlogon_dc_flags_ldap_flag = -1;
403 static int hf_netlogon_dc_flags_ds_flag = -1;
404 static int hf_netlogon_dc_flags_kdc_flag = -1;
405 static int hf_netlogon_dc_flags_timeserv_flag = -1;
406 static int hf_netlogon_dc_flags_closest_flag = -1;
407 static int hf_netlogon_dc_flags_writable_flag = -1;
408 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
409 static int hf_netlogon_dc_flags_ndnc_flag = -1;
410 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
411 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
412 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
413 /* static int hf_netlogon_dnsdomaininfo = -1; */
414 static int hf_netlogon_s4u2proxytarget = -1;
415 static int hf_netlogon_transitedlistsize = -1;
416 static int hf_netlogon_transited_service = -1;
417
418 static gint ett_nt_counted_longs_as_string = -1;
419 static gint ett_dcerpc_netlogon = -1;
420 static gint ett_group_attrs = -1;
421 static gint ett_user_flags = -1;
422 static gint ett_user_account_control = -1;
423 static gint ett_QUOTA_LIMITS = -1;
424 static gint ett_IDENTITY_INFO = -1;
425 static gint ett_DELTA_ENUM = -1;
426 static gint ett_authenticate_flags = -1;
427 static gint ett_CYPHER_VALUE = -1;
428 static gint ett_UNICODE_MULTI = -1;
429 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
430 static gint ett_UNICODE_STRING_512 = -1;
431 static gint ett_TYPE_50 = -1;
432 static gint ett_TYPE_52 = -1;
433 static gint ett_DELTA_ID_UNION = -1;
434 static gint ett_TYPE_44 = -1;
435 static gint ett_DELTA_UNION = -1;
436 static gint ett_LM_OWF_PASSWORD = -1;
437 static gint ett_NT_OWF_PASSWORD = -1;
438 static gint ett_GROUP_MEMBERSHIP = -1;
439 static gint ett_BLOB = -1;
440 static gint ett_DS_DOMAIN_TRUSTS = -1;
441 static gint ett_LSA_POLICY_INFO = -1;
442 static gint ett_DOMAIN_TRUST_INFO = -1;
443 static gint ett_trust_flags = -1;
444 static gint ett_trust_attribs = -1;
445 static gint ett_get_dcname_request_flags = -1;
446 static gint ett_dc_flags = -1;
447
448 typedef struct _netlogon_auth_vars {
449 guint64 client_challenge;
450 guint64 server_challenge;
451 guint8 session_key[16];
452 guint8 encryption_key[16];
453 guint8 sequence[16];
454 guint32 flags;
455 guint64 seq;
456 guint64 confounder;
457 guint8 private_type;
458 gboolean can_decrypt;
459 char* client_name;
460 int start;
461 int next_start;
462 struct _netlogon_auth_vars *next;
463 } netlogon_auth_vars;
464
465 typedef struct _md4_pass {
466 guint8 md4[16];
467 } md4_pass;
468
469 typedef struct _seen_packet {
470 gboolean isseen;
471 guint32 num;
472 } seen_packet;
473
474 static seen_packet seen;
475
476 static e_uuid_t uuid_dcerpc_netlogon = {
477 0x12345678, 0x1234, 0xabcd,
478 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
479 };
480
481 static guint16 ver_dcerpc_netlogon = 1;
482
483 static gint dissect_dcerpc_8bytes (tvbuff_t *tvb, gint offset, packet_info *pinfo _U_,
484 proto_tree *tree, guint8 *drep,
485 int hfindex, guint64 *pdata)
486 {
487 guint64 data;
488
489 data = ((drep[0] & DREP_LITTLE_ENDIAN)
490 ? tvb_get_letoh64 (tvb, offset)
491 : tvb_get_ntoh64 (tvb, offset));
492
493 /* These fields are FT_BYTES, hence the byte order doesn't matter */
494 if (tree) {
495 proto_tree_add_item(tree, hfindex, tvb, offset, 8, ENC_NA);
496 }
497 if (pdata)
498 *pdata = data;
499 return offset+8;
500 }
501
502 static const true_false_string user_account_control_dont_require_preauth= {
503 "This account DOESN'T_REQUIRE_PREAUTHENTICATION",
504 "This account REQUIRES preauthentication",
505 };
506 static const true_false_string user_account_control_use_des_key_only= {
507 "This account must USE_DES_KEY_ONLY for passwords",
508 "This account does NOT have to use_des_key_only",
509 };
510 static const true_false_string user_account_control_not_delegated= {
511 "This account is NOT_DELEGATED",
512 "This might have been delegated",
513 };
514 static const true_false_string user_account_control_trusted_for_delegation= {
515 "This account is TRUSTED_FOR_DELEGATION",
516 "This account is NOT trusted_for_delegation",
517 };
518 static const true_false_string user_account_control_smartcard_required= {
519 "This account REQUIRES_SMARTCARD to authenticate",
520 "This account does NOT require_smartcard to authenticate",
521 };
522 static const true_false_string user_account_control_encrypted_text_password_allowed= {
523 "This account allows ENCRYPTED_TEXT_PASSWORD",
524 "This account does NOT allow encrypted_text_password",
525 };
526 static const true_false_string user_account_control_account_auto_locked= {
527 "This account is AUTO_LOCKED",
528 "This account is NOT auto_locked",
529 };
530 static const true_false_string user_account_control_dont_expire_password= {
531 "This account DOESN'T_EXPIRE_PASSWORDs",
532 "This account might expire_passwords",
533 };
534 static const true_false_string user_account_control_server_trust_account= {
535 "This account is a SERVER_TRUST_ACCOUNT",
536 "This account is NOT a server_trust_account",
537 };
538 static const true_false_string user_account_control_workstation_trust_account= {
539 "This account is a WORKSTATION_TRUST_ACCOUNT",
540 "This account is NOT a workstation_trust_account",
541 };
542 static const true_false_string user_account_control_interdomain_trust_account= {
543 "This account is an INTERDOMAIN_TRUST_ACCOUNT",
544 "This account is NOT an interdomain_trust_account",
545 };
546 static const true_false_string user_account_control_mns_logon_account= {
547 "This account is a MNS_LOGON_ACCOUNT",
548 "This account is NOT a mns_logon_account",
549 };
550 static const true_false_string user_account_control_normal_account= {
551 "This account is a NORMAL_ACCOUNT",
552 "This account is NOT a normal_account",
553 };
554 static const true_false_string user_account_control_temp_duplicate_account= {
555 "This account is a TEMP_DUPLICATE_ACCOUNT",
556 "This account is NOT a temp_duplicate_account",
557 };
558 static const true_false_string user_account_control_password_not_required= {
559 "This account REQUIRES_NO_PASSWORD",
560 "This account REQUIRES a password",
561 };
562 static const true_false_string user_account_control_home_directory_required= {
563 "This account REQUIRES_HOME_DIRECTORY",
564 "This account does NOT require_home_directory",
565 };
566 static const true_false_string user_account_control_account_disabled= {
567 "This account is DISABLED",
568 "This account is NOT disabled",
569 };
570
571 typedef struct _netlogon_auth_key {
572 address src;
573 address dst;
574 guint32 srcport;
575 guint32 dstport;
576 char * name;
577 } netlogon_auth_key;
578
579 static gint
580 netlogon_auth_equal (gconstpointer k1, gconstpointer k2)
581 {
582 const netlogon_auth_key *key1 = (const netlogon_auth_key *)k1;
583 const netlogon_auth_key *key2 = (const netlogon_auth_key *)k2;
584 if(key1->name == NULL || key2->name ==NULL)
585 return ((key1->srcport == key2->srcport) && (key1->dstport == key2->dstport) && ADDRESSES_EQUAL(&key1->src,&key2->src) &&
586 ADDRESSES_EQUAL(&key1->dst,&key2->dst));
587 else
588 return ((strcmp(key1->name,key2->name)==0) && ADDRESSES_EQUAL(&key1->src,&key2->src) &&
589 ADDRESSES_EQUAL(&key1->dst,&key2->dst));
590 }
591
592 static guint
593 netlogon_auth_hash (gconstpointer k)
594 {
595 const netlogon_auth_key *key1 = (const netlogon_auth_key *)k;
596 guint hash_val1;
597 if(key1->name == NULL) {
598 hash_val1 = key1->dstport;
599 hash_val1 += key1->srcport;
600 }
601 else {
602 unsigned int i = 0;
603 hash_val1 = 0;
604 for(i=0; key1->name[i]; i++) {
605 hash_val1 += key1->name[i];
606 }
607 }
608
609 ADD_ADDRESS_TO_HASH(hash_val1, &key1->src);
610 ADD_ADDRESS_TO_HASH(hash_val1, &key1->dst);
611 return hash_val1;
612 }
613 static int
614 netlogon_dissect_EXTRA_FLAGS(tvbuff_t *tvb, int offset,
615 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
616 {
617 guint32 mask;
618 proto_item *item = NULL;
619 proto_tree *tree = NULL;
620
621 if(di->conformant_run){
622 /*just a run to handle conformant arrays, nothing to dissect */
623 return offset;
624 }
625
626 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
627 hf_netlogon_extraflags, &mask);
628
629 if(parent_tree){
630 item = proto_tree_add_uint(parent_tree, hf_netlogon_extraflags,
631 tvb, offset-4, 4, mask);
632 tree = proto_item_add_subtree(item, ett_trust_flags);
633 }
634
635 proto_tree_add_boolean(tree, hf_netlogon_extra_flags_root_forest,
636 tvb, offset-4, 4, mask);
637 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_dc_firsthop,
638 tvb, offset-4, 4, mask);
639 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_rodc_to_dc,
640 tvb, offset-4, 4, mask);
641 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_rodc_ntlm,
642 tvb, offset-4, 4, mask);
643
644 return offset;
645 }
646 int
647 dissect_ndr_lm_nt_hash_cb(tvbuff_t *tvb, int offset,
648 packet_info *pinfo, proto_tree *tree,
649 dcerpc_info *di, guint8 *drep, int hf_index,
650 dcerpc_callback_fnct_t *callback,
651 void *callback_args)
652 {
653 guint16 len, size;
654
655 /* Structure starts with short, but is aligned for longs */
656
657 ALIGN_TO_4_BYTES;
658
659 if (di->conformant_run)
660 return offset;
661
662 #if 0
663 struct {
664 short len;
665 short size;
666 [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
667 } HASH;
668
669 #endif
670
671 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
672 hf_nt_cs_len, &len);
673
674 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
675 hf_nt_cs_size, &size);
676
677 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
678 dissect_ndr_char_cvstring, NDR_POINTER_UNIQUE,
679 "Bytes Array", hf_index, callback, callback_args);
680
681 return offset;
682 }
683 static int
684 dissect_ndr_lm_nt_hash_helper(tvbuff_t *tvb, int offset,
685 packet_info *pinfo, proto_tree *tree,
686 dcerpc_info *di, guint8 *drep, int hf_index, int levels _U_,
687 gboolean add_subtree)
688 {
689 proto_item *item;
690 proto_tree *subtree = tree;
691
692 if (add_subtree) {
693
694 item = proto_tree_add_text(
695 tree, tvb, offset, 0, "%s",
696 proto_registrar_get_name(hf_index));
697
698 subtree = proto_item_add_subtree(item,ett_LM_OWF_PASSWORD);
699 }
700
701 return dissect_ndr_lm_nt_hash_cb(
702 tvb, offset, pinfo, subtree, di, drep, hf_index,
703 NULL, NULL);
704 /*cb_wstr_postprocess, GINT_TO_POINTER(2 + levels));*/
705 }
706 static int
707 netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
708 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
709 {
710 guint32 mask;
711 proto_item *item = NULL;
712 proto_tree *tree = NULL;
713
714 if(di->conformant_run){
715 /*just a run to handle conformant arrays, nothing to dissect */
716 return offset;
717 }
718
719 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
720 hf_netlogon_user_account_control, &mask);
721
722 if(parent_tree){
723 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_account_control,
724 tvb, offset-4, 4, mask);
725 tree = proto_item_add_subtree(item, ett_user_account_control);
726 }
727
728 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_require_preauth,
729 tvb, offset-4, 4, mask);
730 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_use_des_key_only,
731 tvb, offset-4, 4, mask);
732 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_not_delegated,
733 tvb, offset-4, 4, mask);
734 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_trusted_for_delegation,
735 tvb, offset-4, 4, mask);
736 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_smartcard_required,
737 tvb, offset-4, 4, mask);
738 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_encrypted_text_password_allowed,
739 tvb, offset-4, 4, mask);
740 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_auto_locked,
741 tvb, offset-4, 4, mask);
742 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_expire_password,
743 tvb, offset-4, 4, mask);
744 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_server_trust_account,
745 tvb, offset-4, 4, mask);
746 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_workstation_trust_account,
747 tvb, offset-4, 4, mask);
748 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_interdomain_trust_account,
749 tvb, offset-4, 4, mask);
750 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_mns_logon_account,
751 tvb, offset-4, 4, mask);
752 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_normal_account,
753 tvb, offset-4, 4, mask);
754 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_temp_duplicate_account,
755 tvb, offset-4, 4, mask);
756 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_password_not_required,
757 tvb, offset-4, 4, mask);
758 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_home_directory_required,
759 tvb, offset-4, 4, mask);
760 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_disabled,
761 tvb, offset-4, 4, mask);
762 return offset;
763 }
764
765
766 static int
767 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
768 packet_info *pinfo, proto_tree *tree,
769 dcerpc_info *di, guint8 *drep)
770 {
771 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
772 NDR_POINTER_UNIQUE, "Server Handle",
773 hf_netlogon_logonsrv_handle, 0);
774
775 return offset;
776 }
777
778 /*
779 * IDL typedef struct {
780 * IDL [unique][string] wchar_t *effective_name;
781 * IDL long priv;
782 * IDL long auth_flags;
783 * IDL long logon_count;
784 * IDL long bad_pw_count;
785 * IDL long last_logon;
786 * IDL long last_logoff;
787 * IDL long logoff_time;
788 * IDL long kickoff_time;
789 * IDL long password_age;
790 * IDL long pw_can_change;
791 * IDL long pw_must_change;
792 * IDL [unique][string] wchar_t *computer;
793 * IDL [unique][string] wchar_t *domain;
794 * IDL [unique][string] wchar_t *script_path;
795 * IDL long reserved;
796 */
797 static int
798 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
799 packet_info *pinfo, proto_tree *tree,
800 dcerpc_info *di, guint8 *drep)
801 {
802 if(di->conformant_run){
803 /*just a run to handle conformant arrays, nothing to dissect */
804 return offset;
805 }
806
807 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
808 NDR_POINTER_UNIQUE, "Effective Account",
809 hf_netlogon_acct_name, 0);
810
811 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
812 hf_netlogon_priv, NULL);
813
814 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
815 hf_netlogon_auth_flags, NULL);
816
817 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
818 hf_netlogon_logon_count, NULL);
819
820 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
821 hf_netlogon_bad_pw_count, NULL);
822
823
824 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_logon_time, NULL);
825
826 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_last_logoff_time, NULL);
827
828 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_logoff_time, NULL);
829
830 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_kickoff_time, NULL);
831
832 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_age, NULL);
833
834 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_can_change_time, NULL);
835
836 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_must_change_time, NULL);
837
838 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
839 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
840
841 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
842 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
843
844 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
845 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
846
847 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
848 hf_netlogon_reserved, NULL);
849
850 return offset;
851 }
852
853 /*
854 * IDL long NetrLogonUasLogon(
855 * IDL [in][unique][string] wchar_t *ServerName,
856 * IDL [in][ref][string] wchar_t *UserName,
857 * IDL [in][ref][string] wchar_t *Workstation,
858 * IDL [out][unique] VALIDATION_UAS_INFO *info
859 * IDL );
860 */
861 static int
862 netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
863 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
864 {
865 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
866 pinfo, tree, di, drep);
867
868 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
869 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
870
871 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
872 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
873
874 return offset;
875 }
876
877
878 static int
879 netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
880 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
881 {
882 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
883 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
884 "VALIDATION_UAS_INFO", -1);
885
886 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
887 hf_netlogon_dos_rc, NULL);
888
889 return offset;
890 }
891
892 /*
893 * IDL typedef struct {
894 * IDL long duration;
895 * IDL short logon_count;
896 * IDL } LOGOFF_UAS_INFO;
897 */
898 static int
899 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
900 packet_info *pinfo, proto_tree *tree,
901 dcerpc_info *di, guint8 *drep)
902 {
903 if(di->conformant_run){
904 /*just a run to handle conformant arrays, nothing to dissect */
905 return offset;
906 }
907
908 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
909 offset+= 4;
910
911 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
912 hf_netlogon_logon_count16, NULL);
913
914 return offset;
915 }
916
917 /*
918 * IDL long NetrLogonUasLogoff(
919 * IDL [in][unique][string] wchar_t *ServerName,
920 * IDL [in][ref][string] wchar_t *UserName,
921 * IDL [in][ref][string] wchar_t *Workstation,
922 * IDL [out][ref] LOGOFF_UAS_INFO *info
923 * IDL );
924 */
925 static int
926 netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
927 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
928 {
929 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
930 pinfo, tree, di, drep);
931
932 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
933 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
934
935 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
936 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
937
938 return offset;
939 }
940
941
942 static int
943 netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
944 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
945 {
946 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
947 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
948 "LOGOFF_UAS_INFO", -1);
949
950 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
951 hf_netlogon_dos_rc, NULL);
952
953 return offset;
954 }
955
956 static int
957 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
958 packet_info *pinfo, proto_tree *tree,
959 dcerpc_info *di, guint8 *drep)
960 {
961 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
962 hf_netlogon_unknown_char, NULL);
963
964 return offset;
965 }
966
967 static int
968 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
969 packet_info *pinfo, proto_tree *tree,
970 dcerpc_info *di, guint8 *drep)
971 {
972 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
973 netlogon_dissect_BYTE_byte);
974
975 return offset;
976 }
977
978
979
980
981 /*
982 * IDL typedef struct {
983 * IDL UNICODESTRING LogonDomainName;
984 * IDL long ParameterControl;
985 * IDL uint64 LogonID;
986 * IDL UNICODESTRING UserName;
987 * IDL UNICODESTRING Workstation;
988 * IDL } LOGON_IDENTITY_INFO;
989 */
990 static int
991 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
992 packet_info *pinfo, proto_tree *parent_tree,
993 dcerpc_info *di, guint8 *drep)
994 {
995 proto_item *item=NULL;
996 proto_tree *tree=NULL;
997 int old_offset=offset;
998
999 if(parent_tree){
1000 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1001 "IDENTITY_INFO:");
1002 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
1003 }
1004
1005 /* XXX: It would be nice to get the domain and account name
1006 displayed in COL_INFO. */
1007
1008 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1009 hf_netlogon_logon_dom, 0);
1010
1011 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1012 hf_netlogon_param_ctrl, NULL);
1013
1014 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
1015 hf_netlogon_logon_id, NULL);
1016
1017 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1018 hf_netlogon_acct_name, 1);
1019
1020 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1021 hf_netlogon_workstation, 0);
1022
1023 #ifdef REMOVED
1024 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
1025 /* XXX 8 extra bytes here */
1026 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
1027 the idl file. Could be a bug in either the NETLOGON implementation or in the
1028 idl file.
1029 */
1030 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, di, drep);
1031 #endif
1032
1033 proto_item_set_len(item, offset-old_offset);
1034 return offset;
1035 }
1036
1037
1038 /*
1039 * IDL typedef struct {
1040 * IDL char password[16];
1041 * IDL } LM_OWF_PASSWORD;
1042 */
1043 static int
1044 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1045 packet_info *pinfo _U_, proto_tree *parent_tree,
1046 dcerpc_info *di, guint8 *drep _U_)
1047 {
1048 proto_item *item=NULL;
1049 proto_tree *tree=NULL;
1050
1051 if(di->conformant_run){
1052 /*just a run to handle conformant arrays, nothing to dissect.*/
1053 return offset;
1054 }
1055
1056 if(parent_tree){
1057 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
1058 "LM_OWF_PASSWORD:");
1059 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
1060 }
1061
1062 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
1063 ENC_NA);
1064 offset += 16;
1065
1066 return offset;
1067 }
1068
1069 /*
1070 * IDL typedef struct {
1071 * IDL char password[16];
1072 * IDL } NT_OWF_PASSWORD;
1073 */
1074 static int
1075 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1076 packet_info *pinfo _U_, proto_tree *parent_tree,
1077 dcerpc_info *di, guint8 *drep _U_)
1078 {
1079 proto_item *item=NULL;
1080 proto_tree *tree=NULL;
1081
1082 if(di->conformant_run){
1083 /*just a run to handle conformant arrays, nothing to dissect.*/
1084 return offset;
1085 }
1086
1087 if(parent_tree){
1088 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
1089 "NT_OWF_PASSWORD:");
1090 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
1091 }
1092
1093 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
1094 ENC_NA);
1095 offset += 16;
1096
1097 return offset;
1098 }
1099
1100
1101 /*
1102 * IDL typedef struct {
1103 * IDL LOGON_IDENTITY_INFO identity_info;
1104 * IDL LM_OWF_PASSWORD lmpassword;
1105 * IDL NT_OWF_PASSWORD ntpassword;
1106 * IDL } INTERACTIVE_INFO;
1107 */
1108 static int
1109 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
1110 packet_info *pinfo, proto_tree *tree,
1111 dcerpc_info *di, guint8 *drep)
1112 {
1113 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1114 pinfo, tree, di, drep);
1115
1116 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1117 pinfo, tree, di, drep);
1118
1119 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1120 pinfo, tree, di, drep);
1121
1122 return offset;
1123 }
1124
1125 /*
1126 * IDL typedef struct {
1127 * IDL char chl[8];
1128 * IDL } CHALLENGE;
1129 */
1130 static int
1131 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
1132 packet_info *pinfo _U_, proto_tree *tree,
1133 dcerpc_info *di, guint8 *drep _U_)
1134 {
1135 if(di->conformant_run){
1136 /*just a run to handle conformant arrays, nothing to dissect.*/
1137 return offset;
1138 }
1139
1140 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
1141 ENC_NA);
1142 offset += 8;
1143
1144 return offset;
1145 }
1146
1147 #if 0
1148 /*
1149 * IDL typedef struct {
1150 * IDL LOGON_IDENTITY_INFO logon_info;
1151 * IDL CHALLENGE chal;
1152 * IDL STRING ntchallengeresponse;
1153 * IDL STRING lmchallengeresponse;
1154 * IDL } NETWORK_INFO;
1155 */
1156 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
1157 proto_item *item _U_, tvbuff_t *tvb,
1158 int start_offset, int end_offset,
1159 void *callback_args )
1160 {
1161 int len;
1162 gint options = GPOINTER_TO_INT(callback_args);
1163 gint levels = CB_STR_ITEM_LEVELS(options);
1164 char *s;
1165
1166
1167 /* Skip over 3 guint32's in NDR format */
1168
1169 if (start_offset % 4)
1170 start_offset += 4 - (start_offset % 4);
1171
1172 start_offset += 12;
1173 len = end_offset - start_offset;
1174
1175 s = tvb_bytes_to_str(tvb, start_offset, len);
1176
1177 /* Append string to upper-level proto_items */
1178
1179 if (levels > 0 && item && s && s[0]) {
1180 proto_item_append_text(item, ": %s", s);
1181 item = item->parent;
1182 levels--;
1183 if (levels > 0) {
1184 proto_item_append_text(item, ": %s", s);
1185 item = item->parent;
1186 levels--;
1187 while (levels > 0) {
1188 proto_item_append_text(item, " %s", s);
1189 item = item->parent;
1190 levels--;
1191 }
1192 }
1193 }
1194 /* Call ntlmv2 response dissector */
1195
1196 if (len > 24)
1197 dissect_ntlmv2_response(tvb, tree, start_offset, len);
1198 }
1199 #endif
1200
1201 static int
1202 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
1203 packet_info *pinfo, proto_tree *tree,
1204 dcerpc_info *di, guint8 *drep)
1205 {
1206
1207 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1208 pinfo, tree, di, drep);
1209 offset = netlogon_dissect_CHALLENGE(tvb, offset,
1210 pinfo, tree, di, drep);
1211 #if 0
1212 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
1213 NDR_POINTER_UNIQUE, "NT ",
1214 hf_netlogon_nt_owf_password, 0);
1215 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1216 hf_netlogon_data_length, NULL);
1217 #endif
1218 offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, di, drep, hf_netlogon_lm_chal_resp, 0,TRUE);
1219 offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, di, drep, hf_netlogon_lm_chal_resp, 0,TRUE);
1220 /* Not really sure that it really works with NTLM v2 ....*/
1221 #if 0
1222 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1223 pinfo, tree, di, drep);
1224
1225 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1226 pinfo, tree, di, drep);
1227 #endif
1228 return offset;
1229 #if 0
1230 offset = dissect_ndr_counted_byte_array_cb(
1231 tvb, offset, pinfo, tree, di, drep, hf_netlogon_nt_chal_resp,
1232 dissect_nt_chal_resp_cb,GINT_TO_POINTER(2));
1233
1234 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, di, drep,
1235 hf_netlogon_lm_chal_resp, 0);
1236
1237 return offset;
1238 #endif
1239 }
1240
1241
1242 /*
1243 * IDL typedef struct {
1244 * IDL LOGON_IDENTITY_INFO logon_info;
1245 * IDL LM_OWF_PASSWORD lmpassword;
1246 * IDL NT_OWF_PASSWORD ntpassword;
1247 * IDL } SERVICE_INFO;
1248 */
1249 static int
1250 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
1251 packet_info *pinfo, proto_tree *tree,
1252 dcerpc_info *di, guint8 *drep)
1253 {
1254 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1255 pinfo, tree, di, drep);
1256
1257 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1258 pinfo, tree, di, drep);
1259
1260 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1261 pinfo, tree, di, drep);
1262
1263 return offset;
1264 }
1265
1266 static int
1267 netlogon_dissect_GENERIC_INFO(tvbuff_t *tvb, int offset,
1268 packet_info *pinfo, proto_tree *tree,
1269 dcerpc_info *di, guint8 *drep)
1270 {
1271 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1272 pinfo, tree, di, drep);
1273
1274 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1275 hf_netlogon_package_name, 0|CB_STR_SAVE);
1276
1277 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1278 hf_netlogon_data_length, NULL);
1279
1280 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1281 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
1282 "Logon Data", -1);
1283 return offset;
1284 }
1285 /*
1286 * IDL typedef [switch_type(short)] union {
1287 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
1288 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
1289 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
1290 * IDL } LEVEL;
1291 */
1292 static int
1293 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
1294 packet_info *pinfo, proto_tree *tree,
1295 dcerpc_info *di, guint8 *drep)
1296 {
1297 guint16 level = 0;
1298
1299 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1300 hf_netlogon_level16, &level);
1301 ALIGN_TO_4_BYTES;
1302 switch(level){
1303 case 1:
1304 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1305 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
1306 "INTERACTIVE_INFO:", -1);
1307 break;
1308 case 2:
1309 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1310 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
1311 "NETWORK_INFO:", -1);
1312 break;
1313 case 3:
1314 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1315 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
1316 "SERVICE_INFO:", -1);
1317 break;
1318 case 4:
1319 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1320 netlogon_dissect_GENERIC_INFO, NDR_POINTER_UNIQUE,
1321 "GENERIC_INFO:", -1);
1322 break;
1323 case 5:
1324 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1325 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
1326 "INTERACTIVE_TRANSITIVE_INFO:", -1);
1327 break;
1328 case 6:
1329 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1330 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
1331 "NETWORK_TRANSITIVE_INFO", -1);
1332 break;
1333 case 7:
1334 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1335 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
1336 "SERVICE_TRANSITIVE_INFO", -1);
1337 break;
1338 }
1339 return offset;
1340 }
1341
1342 /*
1343 * IDL typedef struct {
1344 * IDL char cred[8];
1345 * IDL } CREDENTIAL;
1346 */
1347 static int
1348 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
1349 packet_info *pinfo _U_, proto_tree *tree,
1350 dcerpc_info *di, guint8 *drep _U_)
1351 {
1352 if(di->conformant_run){
1353 /*just a run to handle conformant arrays, nothing to dissect.*/
1354 return offset;
1355 }
1356
1357 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
1358 ENC_NA);
1359 offset += 8;
1360
1361 return offset;
1362 }
1363
1364
1365 /*
1366 * IDL typedef struct {
1367 * IDL CREDENTIAL cred;
1368 * IDL long timestamp;
1369 * IDL } AUTHENTICATOR;
1370 */
1371 static int
1372 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
1373 packet_info *pinfo, proto_tree *tree,
1374 dcerpc_info *di, guint8 *drep)
1375 {
1376 nstime_t ts;
1377
1378 if(di->conformant_run){
1379 /*just a run to handle conformant arrays, nothing to dissect */
1380 return offset;
1381 }
1382
1383 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
1384 pinfo, tree, di, drep);
1385
1386 /*
1387 * XXX - this appears to be a UNIX time_t in some credentials, but
1388 * appears to be random junk in other credentials.
1389 * For example, it looks like a UNIX time_t in "credential"
1390 * AUTHENTICATORs, but like random junk in "return_authenticator"
1391 * AUTHENTICATORs.
1392 */
1393 ALIGN_TO_4_BYTES;
1394 ts.secs = tvb_get_letohl(tvb, offset);
1395 ts.nsecs = 0;
1396 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
1397 offset+= 4;
1398
1399 return offset;
1400 }
1401
1402
1403 static const true_false_string group_attrs_mandatory = {
1404 "The MANDATORY bit is SET",
1405 "The mandatory bit is NOT set",
1406 };
1407 static const true_false_string group_attrs_enabled_by_default = {
1408 "The ENABLED_BY_DEFAULT bit is SET",
1409 "The enabled_by_default bit is NOT set",
1410 };
1411 static const true_false_string group_attrs_enabled = {
1412 "The enabled bit is SET",
1413 "The enabled bit is NOT set",
1414 };
1415 static int
1416 netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvbuff_t *tvb, int offset,
1417 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
1418 {
1419 guint32 mask;
1420 proto_item *item = NULL;
1421 proto_tree *tree = NULL;
1422
1423 if(di->conformant_run){
1424 /*just a run to handle conformant arrays, nothing to dissect */
1425 return offset;
1426 }
1427
1428 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
1429 hf_netlogon_attrs, &mask);
1430
1431 if(parent_tree){
1432 item = proto_tree_add_uint(parent_tree, hf_netlogon_attrs,
1433 tvb, offset-4, 4, mask);
1434 tree = proto_item_add_subtree(item, ett_group_attrs);
1435 }
1436
1437 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled,
1438 tvb, offset-4, 4, mask);
1439 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled_by_default,
1440 tvb, offset-4, 4, mask);
1441 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_mandatory,
1442 tvb, offset-4, 4, mask);
1443
1444 return offset;
1445 }
1446
1447 /*
1448 * IDL typedef struct {
1449 * IDL long user_id;
1450 * IDL long attributes;
1451 * IDL } GROUP_MEMBERSHIP;
1452 */
1453 static int
1454 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
1455 packet_info *pinfo, proto_tree *parent_tree,
1456 dcerpc_info *di, guint8 *drep)
1457 {
1458 proto_item *item=NULL;
1459 proto_tree *tree=NULL;
1460
1461 if(parent_tree){
1462 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1463 "GROUP_MEMBERSHIP:");
1464 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
1465 }
1466
1467 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1468 hf_netlogon_group_rid, NULL);
1469
1470 offset = netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvb, offset,
1471 pinfo, tree, di, drep);
1472
1473 return offset;
1474 }
1475
1476 static int
1477 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
1478 packet_info *pinfo, proto_tree *tree,
1479 dcerpc_info *di, guint8 *drep)
1480 {
1481 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
1482 netlogon_dissect_GROUP_MEMBERSHIP);
1483
1484 return offset;
1485 }
1486
1487 /*
1488 * IDL typedef struct {
1489 * IDL char user_session_key[16];
1490 * IDL } USER_SESSION_KEY;
1491 */
1492 static int
1493 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
1494 packet_info *pinfo _U_, proto_tree *tree,
1495 dcerpc_info *di, guint8 *drep _U_)
1496 {
1497 if(di->conformant_run){
1498 /*just a run to handle conformant arrays, nothing to dissect.*/
1499 return offset;
1500 }
1501
1502 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
1503 ENC_NA);
1504 offset += 16;
1505
1506 return offset;
1507 }
1508
1509
1510
1511 static const true_false_string user_flags_extra_sids= {
1512 "The EXTRA_SIDS bit is SET",
1513 "The extra_sids is NOT set",
1514 };
1515 static const true_false_string user_flags_resource_groups= {
1516 "The RESOURCE_GROUPS bit is SET",
1517 "The resource_groups is NOT set",
1518 };
1519 static int
1520 netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
1521 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
1522 {
1523 guint32 mask;
1524 proto_item *item = NULL;
1525 proto_tree *tree = NULL;
1526
1527 if(di->conformant_run){
1528 /*just a run to handle conformant arrays, nothing to dissect */
1529 return offset;
1530 }
1531
1532 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
1533 hf_netlogon_user_flags, &mask);
1534
1535 if(parent_tree){
1536 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_flags,
1537 tvb, offset-4, 4, mask);
1538 tree = proto_item_add_subtree(item, ett_user_flags);
1539 }
1540
1541 proto_tree_add_boolean(tree, hf_netlogon_user_flags_resource_groups,
1542 tvb, offset-4, 4, mask);
1543 proto_tree_add_boolean(tree, hf_netlogon_user_flags_extra_sids,
1544 tvb, offset-4, 4, mask);
1545
1546 return offset;
1547 }
1548
1549 /*
1550 * IDL typedef struct {
1551 * IDL uint64 LogonTime;
1552 * IDL uint64 LogoffTime;
1553 * IDL uint64 KickOffTime;
1554 * IDL uint64 PasswdLastSet;
1555 * IDL uint64 PasswdCanChange;
1556 * IDL uint64 PasswdMustChange;
1557 * IDL unicodestring effectivename;
1558 * IDL unicodestring fullname;
1559 * IDL unicodestring logonscript;
1560 * IDL unicodestring profilepath;
1561 * IDL unicodestring homedirectory;
1562 * IDL unicodestring homedirectorydrive;
1563 * IDL short LogonCount;
1564 * IDL short BadPasswdCount;
1565 * IDL long userid;
1566 * IDL long primarygroup;
1567 * IDL long groupcount;
1568 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1569 * IDL long userflags;
1570 * IDL USER_SESSION_KEY key;
1571 * IDL unicodestring logonserver;
1572 * IDL unicodestring domainname;
1573 * IDL [unique] SID logondomainid;
1574 * IDL long expansionroom[2];
1575 * IDL long useraccountcontrol;
1576 * IDL long expansionroom[7];
1577 * IDL } VALIDATION_SAM_INFO;
1578 */
1579 static int
1580 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
1581 packet_info *pinfo, proto_tree *tree,
1582 dcerpc_info *di, guint8 *drep)
1583 {
1584
1585 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1586 hf_netlogon_logon_time);
1587
1588 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1589 hf_netlogon_logoff_time);
1590
1591 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1592 hf_netlogon_kickoff_time);
1593
1594 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1595 hf_netlogon_pwd_last_set_time);
1596
1597 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1598 hf_netlogon_pwd_can_change_time);
1599
1600 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1601 hf_netlogon_pwd_must_change_time);
1602
1603 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1604 hf_netlogon_acct_name, 0);
1605
1606 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1607 hf_netlogon_full_name, 0);
1608
1609 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1610 hf_netlogon_logon_script, 0);
1611
1612 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1613 hf_netlogon_profile_path, 0);
1614
1615 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1616 hf_netlogon_home_dir, 0);
1617
1618 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1619 hf_netlogon_dir_drive, 0);
1620
1621 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1622 hf_netlogon_logon_count16, NULL);
1623
1624 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1625 hf_netlogon_bad_pw_count16, NULL);
1626
1627 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1628 hf_netlogon_user_rid, NULL);
1629
1630 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1631 hf_netlogon_group_rid, NULL);
1632
1633 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1634 hf_netlogon_num_rids, NULL);
1635
1636 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1637 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1638 "GROUP_MEMBERSHIP_ARRAY", -1);
1639
1640 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1641 pinfo, tree, di, drep);
1642
1643 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1644 pinfo, tree, di, drep);
1645
1646 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1647 hf_netlogon_logon_srv, 0);
1648
1649 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1650 hf_netlogon_logon_dom, 0);
1651
1652 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
1653
1654 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1655 hf_netlogon_dummy1_long, NULL);
1656
1657 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1658 hf_netlogon_dummy2_long, NULL);
1659
1660 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1661 pinfo, tree, di, drep);
1662
1663 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1664 hf_netlogon_dummy4_long, NULL);
1665
1666 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1667 hf_netlogon_dummy5_long, NULL);
1668
1669 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1670 hf_netlogon_dummy6_long, NULL);
1671
1672 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1673 hf_netlogon_dummy7_long, NULL);
1674
1675 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1676 hf_netlogon_dummy8_long, NULL);
1677
1678 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1679 hf_netlogon_dummy9_long, NULL);
1680
1681 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1682 hf_netlogon_dummy10_long, NULL);
1683
1684 return offset;
1685 }
1686
1687
1688
1689 /*
1690 * IDL typedef struct {
1691 * IDL uint64 LogonTime;
1692 * IDL uint64 LogoffTime;
1693 * IDL uint64 KickOffTime;
1694 * IDL uint64 PasswdLastSet;
1695 * IDL uint64 PasswdCanChange;
1696 * IDL uint64 PasswdMustChange;
1697 * IDL unicodestring effectivename;
1698 * IDL unicodestring fullname;
1699 * IDL unicodestring logonscript;
1700 * IDL unicodestring profilepath;
1701 * IDL unicodestring homedirectory;
1702 * IDL unicodestring homedirectorydrive;
1703 * IDL short LogonCount;
1704 * IDL short BadPasswdCount;
1705 * IDL long userid;
1706 * IDL long primarygroup;
1707 * IDL long groupcount;
1708 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1709 * IDL long userflags;
1710 * IDL USER_SESSION_KEY key;
1711 * IDL unicodestring logonserver;
1712 * IDL unicodestring domainname;
1713 * IDL [unique] SID logondomainid;
1714 * IDL long expansionroom[2];
1715 * IDL long useraccountcontrol;
1716 * IDL long expansionroom[7];
1717 * IDL long sidcount;
1718 * IDL [unique] SID_AND_ATTRIBS;
1719 * IDL } VALIDATION_SAM_INFO2;
1720 */
1721 static int
1722 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1723 packet_info *pinfo, proto_tree *tree,
1724 dcerpc_info *di, guint8 *drep)
1725 {
1726 offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,di,drep);
1727 #if 0
1728 int i;
1729
1730 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1731 hf_netlogon_logon_time);
1732
1733 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1734 hf_netlogon_logoff_time);
1735
1736 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1737 hf_netlogon_kickoff_time);
1738
1739 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1740 hf_netlogon_pwd_last_set_time);
1741
1742 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1743 hf_netlogon_pwd_can_change_time);
1744
1745 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1746 hf_netlogon_pwd_must_change_time);
1747
1748 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1749 hf_netlogon_acct_name, 0);
1750
1751 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1752 hf_netlogon_full_name, 0);
1753
1754 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1755 hf_netlogon_logon_script, 0);
1756
1757 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1758 hf_netlogon_profile_path, 0);
1759
1760 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1761 hf_netlogon_home_dir, 0);
1762
1763 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1764 hf_netlogon_dir_drive, 0);
1765
1766 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1767 hf_netlogon_logon_count16, NULL);
1768
1769 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1770 hf_netlogon_bad_pw_count16, NULL);
1771
1772 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1773 hf_netlogon_user_rid, NULL);
1774
1775 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1776 hf_netlogon_group_rid, NULL);
1777
1778 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1779 hf_netlogon_num_rids, NULL);
1780
1781 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1782 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1783 "GROUP_MEMBERSHIP_ARRAY", -1);
1784
1785 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1786 pinfo, tree, di, drep);
1787
1788 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1789 pinfo, tree, di, drep);
1790
1791 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1792 hf_netlogon_logon_srv, 0);
1793
1794 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1795 hf_netlogon_logon_dom, 0);
1796
1797 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
1798
1799 for(i=0;i<2;i++){
1800 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1801 hf_netlogon_unknown_long, NULL);
1802 }
1803 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1804 pinfo, tree, di, drep);
1805
1806 for(i=0;i<7;i++){
1807 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1808 hf_netlogon_unknown_long, NULL);
1809 }
1810 #endif
1811 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1812 hf_netlogon_num_sid, NULL);
1813
1814 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1815 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1816 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1817
1818 return offset;
1819 }
1820
1821
1822 static int
1823 netlogon_dissect_VALIDATION_SAM_INFO4(tvbuff_t *tvb, int offset,
1824 packet_info *pinfo, proto_tree *tree,
1825 dcerpc_info *di, guint8 *drep)
1826 {
1827 offset = netlogon_dissect_VALIDATION_SAM_INFO2(tvb,offset,pinfo,tree,di,drep);
1828
1829 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1830 hf_netlogon_logon_dnslogondomainname, 0);
1831
1832 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1833 hf_netlogon_logon_upn, 0);
1834
1835 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1836 hf_netlogon_dummy_string, 0);
1837
1838 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1839 hf_netlogon_dummy_string2, 0);
1840
1841 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1842 hf_netlogon_dummy_string3, 0);
1843
1844 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1845 hf_netlogon_dummy_string4, 0);
1846
1847 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1848 hf_netlogon_dummy_string5, 0);
1849
1850 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1851 hf_netlogon_dummy_string6, 0);
1852
1853 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1854 hf_netlogon_dummy_string7, 0);
1855
1856 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1857 hf_netlogon_dummy_string8, 0);
1858
1859 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1860 hf_netlogon_dummy_string9, 0);
1861
1862 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1863 hf_netlogon_dummy_string10, 0);
1864 return offset;
1865 }
1866 /*
1867 * IDL typedef struct {
1868 * IDL uint64 LogonTime;
1869 * IDL uint64 LogoffTime;
1870 * IDL uint64 KickOffTime;
1871 * IDL uint64 PasswdLastSet;
1872 * IDL uint64 PasswdCanChange;
1873 * IDL uint64 PasswdMustChange;
1874 * IDL unicodestring effectivename;
1875 * IDL unicodestring fullname;
1876 * IDL unicodestring logonscript;
1877 * IDL unicodestring profilepath;
1878 * IDL unicodestring homedirectory;
1879 * IDL unicodestring homedirectorydrive;
1880 * IDL short LogonCount;
1881 * IDL short BadPasswdCount;
1882 * IDL long userid;
1883 * IDL long primarygroup;
1884 * IDL long groupcount;
1885 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1886 * IDL long userflags;
1887 * IDL USER_SESSION_KEY key;
1888 * IDL unicodestring logonserver;
1889 * IDL unicodestring domainname;
1890 * IDL [unique] SID logondomainid;
1891 * IDL long expansionroom[2];
1892 * IDL long useraccountcontrol;
1893 * IDL long expansionroom[7];
1894 * IDL long sidcount;
1895 * IDL [unique] SID_AND_ATTRIBS;
1896 * IDL [unique] SID resourcegroupdomainsid;
1897 * IDL long resourcegroupcount;
1898 qqq
1899 * IDL } PAC_LOGON_INFO;
1900 */
1901 int
1902 netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
1903 packet_info *pinfo, proto_tree *tree,
1904 dcerpc_info *di, guint8 *drep)
1905 {
1906 guint32 rgc;
1907 offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,di, drep);
1908 #if 0
1909 int i;
1910
1911 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1912 hf_netlogon_logon_time);
1913
1914 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1915 hf_netlogon_logoff_time);
1916
1917 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1918 hf_netlogon_kickoff_time);
1919
1920 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1921 hf_netlogon_pwd_last_set_time);
1922
1923 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1924 hf_netlogon_pwd_can_change_time);
1925
1926 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1927 hf_netlogon_pwd_must_change_time);
1928
1929 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1930 hf_netlogon_acct_name, 0);
1931
1932 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1933 hf_netlogon_full_name, 0);
1934
1935 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1936 hf_netlogon_logon_script, 0);
1937
1938 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1939 hf_netlogon_profile_path, 0);
1940
1941 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1942 hf_netlogon_home_dir, 0);
1943
1944 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1945 hf_netlogon_dir_drive, 0);
1946
1947 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1948 hf_netlogon_logon_count16, NULL);
1949
1950 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1951 hf_netlogon_bad_pw_count16, NULL);
1952
1953 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1954 hf_netlogon_user_rid, NULL);
1955
1956 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1957 hf_netlogon_group_rid, NULL);
1958
1959 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1960 hf_netlogon_num_rids, NULL);
1961
1962 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1963 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1964 "GROUP_MEMBERSHIP_ARRAY", -1);
1965
1966 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1967 pinfo, tree, di, drep);
1968
1969 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1970 pinfo, tree, di, drep);
1971
1972 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1973 hf_netlogon_logon_srv, 0);
1974
1975 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1976 hf_netlogon_logon_dom, 0);
1977
1978 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
1979
1980 for(i=0;i<2;i++){
1981 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1982 hf_netlogon_unknown_long, NULL);
1983 }
1984 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1985 pinfo, tree, di, drep);
1986
1987 for(i=0;i<7;i++){
1988 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1989 hf_netlogon_unknown_long, NULL);
1990 }
1991 #endif
1992
1993 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1994 hf_netlogon_num_sid, NULL);
1995
1996 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1997 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1998 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1999
2000
2001 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
2002
2003 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2004 hf_netlogon_resourcegroupcount, &rgc);
2005
2006 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2007 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
2008 "ResourceGroupIDs", -1);
2009
2010 return offset;
2011 }
2012
2013 static int
2014 netlogon_dissect_S4U_Transited_Service_name(tvbuff_t *tvb, int offset,
2015 packet_info *pinfo, proto_tree *tree,
2016 dcerpc_info *di, guint8 *drep)
2017 {
2018 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2019 hf_netlogon_transited_service, 1);
2020
2021 return offset;
2022 }
2023
2024 static int
2025 netlogon_dissect_S4U_Transited_Services_array(tvbuff_t *tvb, int offset,
2026 packet_info *pinfo, proto_tree *tree,
2027 dcerpc_info *di, guint8 *drep)
2028 {
2029 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
2030 netlogon_dissect_S4U_Transited_Service_name);
2031
2032 return offset;
2033 }
2034
2035 int
2036 netlogon_dissect_PAC_S4U_DELEGATION_INFO(tvbuff_t *tvb, int offset,
2037 packet_info *pinfo, proto_tree *tree,
2038 dcerpc_info *di, guint8 *drep)
2039 {
2040 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2041 hf_netlogon_s4u2proxytarget, 0);
2042
2043 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2044 hf_netlogon_transitedlistsize, NULL);
2045
2046 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2047 netlogon_dissect_S4U_Transited_Services_array, NDR_POINTER_UNIQUE,
2048 "S4UTransitedServices", -1);
2049
2050 return offset;
2051 }
2052
2053 #if 0
2054 static int
2055 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
2056 packet_info *pinfo, proto_tree *tree,
2057 dcerpc_info *di, guint8 *drep _U_)
2058 {
2059 guint32 pac_size;
2060
2061 if(di->conformant_run){
2062 return offset;
2063 }
2064
2065 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2066 hf_netlogon_pac_size, &pac_size);
2067
2068 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
2069 ENC_NA);
2070 offset += pac_size;
2071
2072 return offset;
2073 }
2074
2075 static int
2076 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
2077 packet_info *pinfo, proto_tree *tree,
2078 dcerpc_info *di, guint8 *drep _U_)
2079 {
2080 guint32 auth_size;
2081
2082 if(di->conformant_run){
2083 return offset;
2084 }
2085
2086 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2087 hf_netlogon_auth_size, &auth_size);
2088
2089 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
2090 ENC_NA);
2091 offset += auth_size;
2092
2093 return offset;
2094 }
2095 #endif
2096
2097 static int
2098 netlogon_dissect_VALIDATION_GENERIC_INFO2 (tvbuff_t *tvb, int offset,
2099 packet_info *pinfo, proto_tree *tree,
2100 dcerpc_info *di, guint8 *drep)
2101 {
2102 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2103 hf_netlogon_data_length, NULL);
2104
2105 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2106 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
2107 "Validation Data", -1);
2108
2109 return offset;
2110 }
2111 /*
2112 * IDL typedef struct {
2113 * IDL long pac_size
2114 * IDL [unique][size_is(pac_size)] char *pac;
2115 * IDL UNICODESTRING logondomain;
2116 * IDL UNICODESTRING logonserver;
2117 * IDL UNICODESTRING principalname;
2118 * IDL long auth_size;
2119 * IDL [unique][size_is(auth_size)] char *auth;
2120 * IDL USER_SESSION_KEY user_session_key;
2121 * IDL long expansionroom[2];
2122 * IDL long useraccountcontrol;
2123 * IDL long expansionroom[7];
2124 * IDL UNICODESTRING dummy1;
2125 * IDL UNICODESTRING dummy2;
2126 * IDL UNICODESTRING dummy3;
2127 * IDL UNICODESTRING dummy4;
2128 * IDL } VALIDATION_PAC_INFO;
2129 */
2130 #if 0 /* Not used (anymore ?) */
2131 static int
2132 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
2133 packet_info *pinfo, proto_tree *tree,
2134 dcerpc_info *di, guint8 *drep)
2135 {
2136 int i;
2137
2138 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2139 hf_netlogon_pac_size, NULL);
2140
2141 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2142 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
2143
2144 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2145 hf_netlogon_logon_dom, 0);
2146
2147 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2148 hf_netlogon_logon_srv, 0);
2149
2150 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2151 hf_netlogon_principal, 0);
2152
2153 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2154 hf_netlogon_auth_size, NULL);
2155
2156 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2157 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
2158
2159 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
2160 pinfo, tree, di, drep);
2161
2162 for(i=0;i<2;i++){
2163 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2164 hf_netlogon_unknown_long, NULL);
2165 }
2166 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
2167 pinfo, tree, di, drep);
2168
2169 for(i=0;i<7;i++){
2170 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2171 hf_netlogon_unknown_long, NULL);
2172 }
2173
2174 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2175 hf_netlogon_dummy, 0);
2176
2177 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2178 hf_netlogon_dummy, 0);
2179
2180 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2181 hf_netlogon_dummy, 0);
2182
2183 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2184 hf_netlogon_dummy, 0);
2185
2186 return offset;
2187 }
2188 #endif
2189
2190 /*
2191 * IDL typedef [switch_type(short)] union {
2192 * IDL [case(1)][unique] VALIDATION_UAS *uas;
2193 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
2194 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
2195 * IDL [case(4)][unique] VALIDATION_GENERIC_INFO *generic;
2196 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2197 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2198 * IDL [case(6)][unique] VALIDATION_SAM_INFO4 *sam4;
2199 * IDL } VALIDATION;
2200 */
2201 static int
2202 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
2203 packet_info *pinfo, proto_tree *tree,
2204 dcerpc_info *di, guint8 *drep)
2205 {
2206 guint16 level = 0;
2207
2208 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2209 hf_netlogon_validation_level, &level);
2210
2211 ALIGN_TO_4_BYTES;
2212 switch(level){
2213 case 1:
2214 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2215 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
2216 "VALIDATION_UAS_INFO:", -1);
2217 break;
2218 case 2:
2219 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2220 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
2221 "VALIDATION_SAM_INFO:", -1);
2222 break;
2223 case 3:
2224 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2225 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
2226 "VALIDATION_SAM_INFO2:", -1);
2227 break;
2228 case 4:
2229 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2230 netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE,
2231 "VALIDATION_INFO:", -1);
2232 break;
2233 case 5:
2234 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2235 netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE,
2236 "VALIDATION_INFO2:", -1);
2237 break;
2238 case 6:
2239 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2240 netlogon_dissect_VALIDATION_SAM_INFO4, NDR_POINTER_UNIQUE,
2241 "VALIDATION_SAM_INFO4:", -1);
2242 break;
2243 }
2244 return offset;
2245 }
2246 /*
2247 * IDL long NetrLogonSamLogonWithFlags(
2248 * IDL [in][unique][string] wchar_t *ServerName,
2249 * IDL [in][unique][string] wchar_t *Workstation,
2250 * IDL [in][unique] AUTHENTICATOR *credential,
2251 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2252 * IDL [in] short LogonLevel,
2253 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2254 * IDL [in] short ValidationLevel,
2255 * IDL [out][ref] VALIDATION *validation,
2256 * IDL [out][ref] boolean Authorative
2257 * IDL [in][out] unsigned long ExtraFlags
2258 * IDL );
2259 */
2260 static int
2261 netlogon_dissect_netrlogonsamlogonflags_rqst(tvbuff_t *tvb, int offset,
2262 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2263 {
2264 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2265 pinfo, tree, di, drep);
2266
2267 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2268 NDR_POINTER_UNIQUE, "Computer Name",
2269 hf_netlogon_computer_name, 0);
2270
2271 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2272 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2273 "AUTHENTICATOR: credential", -1);
2274
2275 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2276 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2277 "AUTHENTICATOR: return_authenticator", -1);
2278
2279 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2280 hf_netlogon_level16, NULL);
2281
2282 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2283 netlogon_dissect_LEVEL, NDR_POINTER_REF,
2284 "LEVEL: LogonLevel", -1);
2285
2286 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2287 hf_netlogon_validation_level, NULL);
2288
2289 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
2290
2291 return offset;
2292 }
2293
2294 static int
2295 netlogon_dissect_netrlogonsamlogonflags_reply(tvbuff_t *tvb, int offset,
2296 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2297 {
2298 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2299 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2300 "AUTHENTICATOR: return_authenticator", -1);
2301
2302 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2303 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
2304 "VALIDATION:", -1);
2305
2306 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2307 hf_netlogon_authoritative, NULL);
2308
2309 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
2310
2311 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2312 hf_netlogon_rc, NULL);
2313
2314 return offset;
2315 }
2316
2317
2318
2319 /*
2320 * IDL long NetrLogonSamLogon(
2321 * IDL [in][unique][string] wchar_t *ServerName,
2322 * IDL [in][unique][string] wchar_t *Workstation,
2323 * IDL [in][unique] AUTHENTICATOR *credential,
2324 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2325 * IDL [in] short LogonLevel,
2326 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2327 * IDL [in] short ValidationLevel,
2328 * IDL [out][ref] VALIDATION *validation,
2329 * IDL [out][ref] boolean Authorative
2330 * IDL );
2331 */
2332 static int
2333 netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
2334 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2335 {
2336 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2337 pinfo, tree, di, drep);
2338
2339 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2340 NDR_POINTER_UNIQUE, "Computer Name",
2341 hf_netlogon_computer_name, 0);
2342
2343 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2344 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2345 "AUTHENTICATOR: credential", -1);
2346
2347 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2348 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2349 "AUTHENTICATOR: return_authenticator", -1);
2350
2351 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2352 hf_netlogon_level16, NULL);
2353
2354 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2355 netlogon_dissect_LEVEL, NDR_POINTER_REF,
2356 "LEVEL: LogonLevel", -1);
2357
2358 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2359 hf_netlogon_validation_level, NULL);
2360
2361 return offset;
2362 }
2363
2364 static int
2365 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
2366 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2367 {
2368 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2369 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2370 "AUTHENTICATOR: return_authenticator", -1);
2371
2372 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2373 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
2374 "VALIDATION:", -1);
2375
2376 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2377 hf_netlogon_authoritative, NULL);
2378
2379 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2380 hf_netlogon_rc, NULL);
2381
2382 return offset;
2383 }
2384
2385
2386 /*
2387 * IDL long NetrLogonSamLogoff(
2388 * IDL [in][unique][string] wchar_t *ServerName,
2389 * IDL [in][unique][string] wchar_t *ComputerName,
2390 * IDL [in][unique] AUTHENTICATOR credential,
2391 * IDL [in][unique] AUTHENTICATOR return_authenticator,
2392 * IDL [in] short logon_level,
2393 * IDL [in][ref] LEVEL logoninformation
2394 * IDL );
2395 */
2396 static int
2397 netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
2398 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2399 {
2400 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2401 pinfo, tree, di, drep);
2402
2403 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2404 NDR_POINTER_UNIQUE, "Computer Name",
2405 hf_netlogon_computer_name, 0);
2406
2407 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2408 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2409 "AUTHENTICATOR: credential", -1);
2410
2411 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2412 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2413 "AUTHENTICATOR: return_authenticator", -1);
2414
2415 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2416 hf_netlogon_level16, NULL);
2417
2418 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2419 netlogon_dissect_LEVEL, NDR_POINTER_REF,
2420 "LEVEL: logoninformation", -1);
2421
2422 return offset;
2423 }
2424 static int
2425 netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
2426 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2427 {
2428
2429 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2430 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2431 "AUTHENTICATOR: return_authenticator", -1);
2432
2433 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2434 hf_netlogon_rc, NULL);
2435
2436 return offset;
2437 }
2438
2439 static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key,char* name)
2440 {
2441 if(is_server) {
2442 key->dstport = pinfo->srcport;
2443 key->srcport = pinfo->destport;
2444 COPY_ADDRESS(&key->dst,&pinfo->src);
2445 COPY_ADDRESS(&key->src,&pinfo->dst);
2446 /* name has been durably allocated */
2447 key->name = name;
2448 }
2449 else {
2450 COPY_ADDRESS(&key->dst,&pinfo->dst);
2451 COPY_ADDRESS(&key->src,&pinfo->src);
2452 key->dstport = pinfo->destport;
2453 key->srcport = pinfo->srcport;
2454 /* name has been durably allocated */
2455 key->name = name;
2456 }
2457
2458 }
2459
2460 /*
2461 * IDL long NetrServerReqChallenge(
2462 * IDL [in][unique][string] wchar_t *ServerName,
2463 * IDL [in][ref][string] wchar_t *ComputerName,
2464 * IDL [in][ref] CREDENTIAL client_credential,
2465 * IDL [out][ref] CREDENTIAL server_credential
2466 * IDL );
2467 */
2468 static int
2469 netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
2470 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2471 {
2472 /*int oldoffset = offset;*/
2473 netlogon_auth_vars *vars;
2474 netlogon_auth_vars *existing_vars;
2475 netlogon_auth_key *key = (netlogon_auth_key *)wmem_alloc(wmem_file_scope(), sizeof(netlogon_auth_key));
2476 guint8 tab[8] = { 0,0,0,0,0,0,0,0};
2477 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
2478
2479 /* As we are not always keeping this it could be more intelligent to g_malloc it
2480 and if we decide to keep it then transform it into wmem_alloc */
2481 vars = (netlogon_auth_vars *)wmem_alloc(wmem_file_scope(), sizeof(netlogon_auth_vars));
2482 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
2483 offset = dissect_ndr_pointer_cb(
2484 tvb, offset, pinfo, tree, di, drep,
2485 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
2486 "Computer Name", hf_netlogon_computer_name,
2487 cb_wstr_postprocess,
2488 GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1));
2489
2490 debugprintf("1)Len %d offset %d txt %s\n",(int) strlen(dcv->private_data),offset,(char*)dcv->private_data);
2491 vars->client_name = wmem_strdup(wmem_file_scope(), (const guint8 *)dcv->private_data);
2492 debugprintf("2)Len %d offset %d txt %s\n",(int) strlen(dcv->private_data),offset,vars->client_name);
2493
2494 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
2495 hf_client_challenge,&vars->client_challenge);
2496 memcpy(tab,&vars->client_challenge,8);
2497
2498 vars->start = pinfo->fd->num;
2499 vars->next_start = -1;
2500 vars->next = NULL;
2501
2502 generate_hash_key(pinfo,0,key,NULL);
2503 existing_vars = NULL;
2504 existing_vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths, key);
2505 if (!existing_vars) {
2506 debugprintf("Adding initial vars with this start packet = %d\n",vars->start);
2507 g_hash_table_insert(netlogon_auths, key, vars);
2508 }
2509 else {
2510 while(existing_vars->next != NULL && existing_vars->start < vars->start) {
2511 debugprintf("Looping to find existing vars ...\n");
2512 existing_vars = existing_vars->next;
2513 }
2514 if(existing_vars->next != NULL || existing_vars->start == vars->start) {
2515 debugprintf("It seems that I already record this vars start packet = %d\n",vars->start);
2516 }
2517 else {
2518 debugprintf("Adding a new entry with this start packet = %d\n",vars->start);
2519 existing_vars->next_start = pinfo->fd->num;
2520 existing_vars->next = vars;
2521 }
2522 }
2523 /* used by other rpc that use schannel ie lsa */
2524 #if 0
2525 generate_hash_key(pinfo,0,key,vars->client_name);
2526 existing_vars = NULL;
2527 existing_vars = g_hash_table_lookup(schannel_auths, key);
2528 if (!existing_vars)
2529 {
2530 g_hash_table_insert(schannel_auths, key, vars);
2531 }
2532 else
2533 {
2534 while(existing_vars->next != NULL && existing_vars->start <= vars->start) {
2535 existing_vars = existing_vars->next;
2536 }
2537 if(existing_vars->next != NULL || existing_vars == vars) {
2538 debugprintf("It seems that I already record this vars (schannel hash)%d\n",vars->start);
2539 }
2540 else {
2541 existing_vars->next_start = pinfo->fd->num;
2542 existing_vars->next = vars;
2543 }
2544 #endif
2545 return offset;
2546 }
2547
2548 static int
2549 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
2550 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2551 {
2552 netlogon_auth_vars *vars;
2553 netlogon_auth_key key;
2554 guint64 server_challenge;
2555
2556 generate_hash_key(pinfo,1,&key,NULL);
2557 vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths,(gconstpointer*) &key);
2558
2559 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
2560 hf_server_challenge, &server_challenge);
2561 /*offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2562 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2563 "CREDENTIAL: server credential", -1);*/
2564
2565 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2566 hf_netlogon_rc, NULL);
2567 if(vars != NULL) {
2568 while(vars !=NULL && vars->next_start != -1 && vars->next_start < (int)pinfo->fd->num )
2569 {
2570 vars = vars->next;
2571 debugprintf("looping challenge reply... %d %d \n", vars->next_start, pinfo->fd->num);
2572 }
2573 if(vars == NULL)
2574 {
2575 debugprintf("Something strange happened while searching for challenge_reply\n");
2576 }
2577 else
2578 {
2579 vars->server_challenge = server_challenge;
2580 }
2581 }
2582 /*
2583 else
2584 {
2585 debugprintf("Vars not found in challenge reply\n");
2586 }
2587 */
2588 return offset;
2589 }
2590
2591
2592 static int
2593 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
2594 packet_info *pinfo, proto_tree *tree,
2595 dcerpc_info *di, guint8 *drep)
2596 {
2597 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2598 hf_netlogon_secure_channel_type, NULL);
2599
2600 return offset;
2601 }
2602
2603
2604 /*
2605 * IDL long NetrServerAuthenticate(
2606 * IDL [in][unique][string] wchar_t *ServerName,
2607 * IDL [in][ref][string] wchar_t *UserName,
2608 * IDL [in] short secure_challenge_type,
2609 * IDL [in][ref][string] wchar_t *ComputerName,
2610 * IDL [in][ref] CREDENTIAL client_challenge,
2611 * IDL [out][ref] CREDENTIAL server_challenge
2612 * IDL );
2613 */
2614 static int
2615 netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
2616 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2617 {
2618 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2619 pinfo, tree, di, drep);
2620
2621 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2622 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, CB_STR_COL_INFO);
2623
2624 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
2625 pinfo, tree, di, drep);
2626
2627 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2628 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, CB_STR_COL_INFO);
2629
2630 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2631 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2632 "CREDENTIAL: client challenge", -1);
2633
2634 return offset;
2635 }
2636 static int
2637 netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
2638 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2639 {
2640 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2641 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2642 "CREDENTIAL: server challenge", -1);
2643
2644 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2645 hf_netlogon_rc, NULL);
2646
2647 return offset;
2648 }
2649
2650
2651
2652 /*
2653 * IDL typedef struct {
2654 * IDL char encrypted_password[16];
2655 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
2656 */
2657 static int
2658 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
2659 packet_info *pinfo _U_, proto_tree *tree,
2660 dcerpc_info *di, guint8 *drep _U_)
2661 {
2662 if(di->conformant_run){
2663 /*just a run to handle conformant arrays, nothing to dissect.*/
2664 return offset;
2665 }
2666
2667 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
2668 ENC_NA);
2669 offset += 16;
2670
2671 return offset;
2672 }
2673
2674 /*
2675 * IDL long NetrServerPasswordSet(
2676 * IDL [in][unique][string] wchar_t *ServerName,
2677 * IDL [in][ref][string] wchar_t *UserName,
2678 * IDL [in] short secure_challenge_type,
2679 * IDL [in][ref][string] wchar_t *ComputerName,
2680 * IDL [in][ref] AUTHENTICATOR credential,
2681 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
2682 * IDL [out][ref] AUTHENTICATOR return_authenticator
2683 * IDL );
2684 */
2685 static int
2686 netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
2687 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2688 {
2689 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2690 pinfo, tree, di, drep);
2691
2692 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2693 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
2694
2695 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
2696 pinfo, tree, di, drep);
2697
2698 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2699 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
2700
2701 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2702 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2703 "AUTHENTICATOR: credential", -1);
2704
2705 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2706 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
2707 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
2708
2709 return offset;
2710 }
2711 static int
2712 netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
2713 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2714 {
2715 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2716 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2717 "AUTHENTICATOR: return_authenticator", -1);
2718
2719 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2720 hf_netlogon_rc, NULL);
2721
2722 return offset;
2723 }
2724
2725
2726 /*
2727 * IDL typedef struct {
2728 * IDL [unique][string] wchar_t *UserName;
2729 * IDL UNICODESTRING dummy1;
2730 * IDL UNICODESTRING dummy2;
2731 * IDL UNICODESTRING dummy3;
2732 * IDL UNICODESTRING dummy4;
2733 * IDL long dummy5;
2734 * IDL long dummy6;
2735 * IDL long dummy7;
2736 * IDL long dummy8;
2737 * IDL } DELTA_DELETE_USER;
2738 */
2739 static int
2740 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
2741 packet_info *pinfo, proto_tree *tree,
2742 dcerpc_info *di, guint8 *drep)
2743 {
2744 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2745 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
2746
2747 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2748 hf_netlogon_dummy, 0);
2749
2750 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2751 hf_netlogon_dummy, 0);
2752
2753 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2754 hf_netlogon_dummy, 0);
2755
2756 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2757 hf_netlogon_dummy, 0);
2758
2759 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2760 hf_netlogon_reserved, NULL);
2761
2762 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2763 hf_netlogon_reserved, NULL);
2764
2765 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2766 hf_netlogon_reserved, NULL);
2767
2768 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2769 hf_netlogon_reserved, NULL);
2770
2771 return offset;
2772 }
2773
2774
2775 /*
2776 * IDL typedef struct {
2777 * IDL bool SensitiveDataFlag;
2778 * IDL long DataLength;
2779 * IDL [unique][size_is(DataLength)] char *SensitiveData;
2780 * IDL } USER_PRIVATE_INFO;
2781 */
2782 static int
2783 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
2784 packet_info *pinfo, proto_tree *tree,
2785 dcerpc_info *di, guint8 *drep)
2786 {
2787 guint32 data_len;
2788
2789 if(di->conformant_run){
2790 /*just a run to handle conformant arrays, nothing to dissect */
2791 return offset;
2792 }
2793
2794 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2795 hf_netlogon_sensitive_data_len, &data_len);
2796
2797 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
2798 data_len, ENC_NA);
2799 offset += data_len;
2800
2801 return offset;
2802 }
2803 static int
2804 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
2805 packet_info *pinfo, proto_tree *tree,
2806 dcerpc_info *di, guint8 *drep)
2807 {
2808 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2809 hf_netlogon_sensitive_data_flag, NULL);
2810
2811 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2812 hf_netlogon_sensitive_data_len, NULL);
2813
2814 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2815 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
2816 "SENSITIVE_DATA", -1);
2817
2818 return offset;
2819 }
2820
2821 int
2822 lsarpc_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep);
2823
2824 /*
2825 * IDL typedef struct {
2826 * IDL UNICODESTRING UserName;
2827 * IDL UNICODESTRING FullName;
2828 * IDL long UserID;
2829 * IDL long PrimaryGroupID;
2830 * IDL UNICODESTRING HomeDir;
2831 * IDL UNICODESTRING HomeDirDrive;
2832 * IDL UNICODESTRING LogonScript;
2833 * IDL UNICODESTRING Comment;
2834 * IDL UNICODESTRING Workstations;
2835 * IDL NTTIME LastLogon;
2836 * IDL NTTIME LastLogoff;
2837 * IDL LOGON_HOURS logonhours;
2838 * IDL short BadPwCount;
2839 * IDL short LogonCount;
2840 * IDL NTTIME PwLastSet;
2841 * IDL NTTIME AccountExpires;
2842 * IDL long AccountControl;
2843 * IDL LM_OWF_PASSWORD lmpw;
2844 * IDL NT_OWF_PASSWORD ntpw;
2845 * IDL bool NTPwPresent;
2846 * IDL bool LMPwPresent;
2847 * IDL bool PwExpired;
2848 * IDL UNICODESTRING UserComment;
2849 * IDL UNICODESTRING Parameters;
2850 * IDL short CountryCode;
2851 * IDL short CodePage;
2852 * IDL USER_PRIVATE_INFO user_private_info;
2853 * IDL long SecurityInformation;
2854 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2855 * IDL UNICODESTRING dummy1;
2856 * IDL UNICODESTRING dummy2;
2857 * IDL UNICODESTRING dummy3;
2858 * IDL UNICODESTRING dummy4;
2859 * IDL long dummy5;
2860 * IDL long dummy6;
2861 * IDL long dummy7;
2862 * IDL long dummy8;
2863 * IDL } DELTA_USER;
2864 */
2865 static int
2866 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
2867 packet_info *pinfo, proto_tree *tree,
2868 dcerpc_info *di, guint8 *drep)
2869 {
2870 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2871 hf_netlogon_acct_name, 3);
2872
2873 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2874 hf_netlogon_full_name, 0);
2875
2876 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2877 hf_netlogon_user_rid, NULL);
2878
2879 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2880 hf_netlogon_group_rid, NULL);
2881
2882 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2883 hf_netlogon_home_dir, 0);
2884
2885 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2886 hf_netlogon_dir_drive, 0);
2887
2888 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2889 hf_netlogon_logon_script, 0);
2890
2891 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2892 hf_netlogon_acct_desc, 0);
2893
2894 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2895 hf_netlogon_workstations, 0);
2896
2897 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2898 hf_netlogon_logon_time);
2899
2900 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2901 hf_netlogon_logoff_time);
2902
2903 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, di, drep);
2904
2905 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2906 hf_netlogon_bad_pw_count16, NULL);
2907
2908 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2909 hf_netlogon_logon_count16, NULL);
2910
2911 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2912 hf_netlogon_pwd_last_set_time);
2913
2914 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2915 hf_netlogon_acct_expiry_time);
2916
2917 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, di, drep);
2918
2919 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
2920 pinfo, tree, di, drep);
2921
2922 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
2923 pinfo, tree, di, drep);
2924
2925 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2926 hf_netlogon_nt_pwd_present, NULL);
2927
2928 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2929 hf_netlogon_lm_pwd_present, NULL);
2930
2931 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2932 hf_netlogon_pwd_expired, NULL);
2933
2934 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2935 hf_netlogon_comment, 0);
2936
2937 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2938 hf_netlogon_parameters, 0);
2939
2940 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2941 hf_netlogon_country, NULL);
2942
2943 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2944 hf_netlogon_codepage, NULL);
2945
2946 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
2947 di, drep);
2948
2949 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2950 hf_netlogon_security_information, NULL);
2951
2952 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
2953
2954 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2955 hf_netlogon_dummy, 0);
2956
2957 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2958 hf_netlogon_dummy, 0);
2959
2960 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2961 hf_netlogon_dummy, 0);
2962
2963 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2964 hf_netlogon_dummy, 0);
2965
2966 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2967 hf_netlogon_reserved, NULL);
2968
2969 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2970 hf_netlogon_reserved, NULL);
2971
2972 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2973 hf_netlogon_reserved, NULL);
2974
2975 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2976 hf_netlogon_reserved, NULL);
2977
2978 return offset;
2979 }
2980
2981
2982 /*
2983 * IDL typedef struct {
2984 * IDL UNICODESTRING DomainName;
2985 * IDL UNICODESTRING OEMInfo;
2986 * IDL NTTIME forcedlogoff;
2987 * IDL short minpasswdlen;
2988 * IDL short passwdhistorylen;
2989 * IDL NTTIME pwd_must_change_time;
2990 * IDL NTTIME pwd_can_change_time;
2991 * IDL NTTIME domain_modify_time;
2992 * IDL NTTIME domain_create_time;
2993 * IDL long SecurityInformation;
2994 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2995 * IDL UNICODESTRING dummy1;
2996 * IDL UNICODESTRING dummy2;
2997 * IDL UNICODESTRING dummy3;
2998 * IDL UNICODESTRING dummy4;
2999 * IDL long dummy5;
3000 * IDL long dummy6;
3001 * IDL long dummy7;
3002 * IDL long dummy8;
3003 * IDL } DELTA_DOMAIN;
3004 */
3005 static int
3006 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
3007 packet_info *pinfo, proto_tree *tree,
3008 dcerpc_info *di, guint8 *drep)
3009 {
3010 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3011 hf_netlogon_domain_name, 3);
3012
3013 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3014 hf_netlogon_oem_info, 0);
3015
3016 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3017 hf_netlogon_kickoff_time);
3018
3019 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3020 hf_netlogon_minpasswdlen, NULL);
3021
3022 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3023 hf_netlogon_passwdhistorylen, NULL);
3024
3025 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3026 hf_netlogon_pwd_must_change_time);
3027
3028 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3029 hf_netlogon_pwd_can_change_time);
3030
3031 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3032 hf_netlogon_domain_modify_time);
3033
3034 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3035 hf_netlogon_domain_create_time);
3036
3037 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3038 hf_netlogon_security_information, NULL);
3039
3040 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3041
3042 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3043 hf_netlogon_dummy, 0);
3044
3045 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3046 hf_netlogon_dummy, 0);
3047
3048 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3049 hf_netlogon_dummy, 0);
3050
3051 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3052 hf_netlogon_dummy, 0);
3053
3054 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3055 hf_netlogon_reserved, NULL);
3056
3057 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3058 hf_netlogon_reserved, NULL);
3059
3060 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3061 hf_netlogon_reserved, NULL);
3062
3063 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3064 hf_netlogon_reserved, NULL);
3065
3066 return offset;
3067 }
3068
3069
3070 /*
3071 * IDL typedef struct {
3072 * IDL UNICODESTRING groupname;
3073 * IDL GROUP_MEMBERSHIP group_membership;
3074 * IDL UNICODESTRING comment;
3075 * IDL long SecurityInformation;
3076 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3077 * IDL UNICODESTRING dummy1;
3078 * IDL UNICODESTRING dummy2;
3079 * IDL UNICODESTRING dummy3;
3080 * IDL UNICODESTRING dummy4;
3081 * IDL long dummy5;
3082 * IDL long dummy6;
3083 * IDL long dummy7;
3084 * IDL long dummy8;
3085 * IDL } DELTA_GROUP;
3086 */
3087 static int
3088 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
3089 packet_info *pinfo, proto_tree *tree,
3090 dcerpc_info *di, guint8 *drep)
3091 {
3092 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3093 hf_netlogon_group_name, 3);
3094
3095 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
3096 pinfo, tree, di, drep);
3097
3098 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3099 hf_netlogon_group_desc, 0);
3100
3101 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3102 hf_netlogon_security_information, NULL);
3103
3104 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3105
3106 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3107 hf_netlogon_dummy, 0);
3108
3109 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3110 hf_netlogon_dummy, 0);
3111
3112 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3113 hf_netlogon_dummy, 0);
3114
3115 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3116 hf_netlogon_dummy, 0);
3117
3118 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3119 hf_netlogon_reserved, NULL);
3120
3121 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3122 hf_netlogon_reserved, NULL);
3123
3124 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3125 hf_netlogon_reserved, NULL);
3126
3127 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3128 hf_netlogon_reserved, NULL);
3129
3130 return offset;
3131 }
3132
3133
3134 /*
3135 * IDL typedef struct {
3136 * IDL UNICODESTRING OldName;
3137 * IDL UNICODESTRING NewName;
3138 * IDL UNICODESTRING dummy1;
3139 * IDL UNICODESTRING dummy2;
3140 * IDL UNICODESTRING dummy3;
3141 * IDL UNICODESTRING dummy4;
3142 * IDL long dummy5;
3143 * IDL long dummy6;
3144 * IDL long dummy7;
3145 * IDL long dummy8;
3146 * IDL } DELTA_RENAME;
3147 */
3148 static int
3149 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
3150 packet_info *pinfo, proto_tree *tree,
3151 dcerpc_info *di, guint8 *drep)
3152 {
3153 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3154 di->hf_index, 0);
3155
3156 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3157 di->hf_index, 0);
3158
3159 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3160 hf_netlogon_dummy, 0);
3161
3162 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3163 hf_netlogon_dummy, 0);
3164
3165 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3166 hf_netlogon_dummy, 0);
3167
3168 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3169 hf_netlogon_dummy, 0);
3170
3171 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3172 hf_netlogon_reserved, NULL);
3173
3174 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3175 hf_netlogon_reserved, NULL);
3176
3177 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3178 hf_netlogon_reserved, NULL);
3179
3180 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3181 hf_netlogon_reserved, NULL);
3182
3183 return offset;
3184 }
3185
3186
3187 static int
3188 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
3189 packet_info *pinfo, proto_tree *tree,
3190 dcerpc_info *di, guint8 *drep)
3191 {
3192 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3193 hf_netlogon_user_rid, NULL);
3194
3195 return offset;
3196 }
3197
3198 static int
3199 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
3200 packet_info *pinfo, proto_tree *tree,
3201 dcerpc_info *di, guint8 *drep)
3202 {
3203 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3204 netlogon_dissect_RID);
3205
3206 return offset;
3207 }
3208
3209 static int
3210 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
3211 packet_info *pinfo, proto_tree *tree,
3212 dcerpc_info *di, guint8 *drep)
3213 {
3214 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3215 hf_netlogon_attrs, NULL);
3216
3217 return offset;
3218 }
3219
3220 static int
3221 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
3222 packet_info *pinfo, proto_tree *tree,
3223 dcerpc_info *di, guint8 *drep)
3224 {
3225 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3226 netlogon_dissect_ATTRIB);
3227
3228 return offset;
3229 }
3230
3231 /*
3232 * IDL typedef struct {
3233 * IDL [unique][size_is(num_rids)] long *rids;
3234 * IDL [unique][size_is(num_rids)] long *attribs;
3235 * IDL long num_rids;
3236 * IDL long dummy1;
3237 * IDL long dummy2;
3238 * IDL long dummy3;
3239 * IDL long dummy4;
3240 * IDL } DELTA_GROUP_MEMBER;
3241 */
3242 static int
3243 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
3244 packet_info *pinfo, proto_tree *tree,
3245 dcerpc_info *di, guint8 *drep)
3246 {
3247 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3248 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
3249 "RIDs:", -1);
3250
3251 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3252 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
3253 "Attribs:", -1);
3254
3255 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3256 hf_netlogon_num_rids, NULL);
3257
3258 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3259 hf_netlogon_reserved, NULL);
3260
3261 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3262 hf_netlogon_reserved, NULL);
3263
3264 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3265 hf_netlogon_reserved, NULL);
3266
3267 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3268 hf_netlogon_reserved, NULL);
3269
3270 return offset;
3271 }
3272
3273
3274 /*
3275 * IDL typedef struct {
3276 * IDL UNICODESTRING alias_name;
3277 * IDL long rid;
3278 * IDL long SecurityInformation;
3279 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3280 * IDL UNICODESTRING dummy1;
3281 * IDL UNICODESTRING dummy2;
3282 * IDL UNICODESTRING dummy3;
3283 * IDL UNICODESTRING dummy4;
3284 * IDL long dummy5;
3285 * IDL long dummy6;
3286 * IDL long dummy7;
3287 * IDL long dummy8;
3288 * IDL } DELTA_ALIAS;
3289 */
3290 static int
3291 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
3292 packet_info *pinfo, proto_tree *tree,
3293 dcerpc_info *di, guint8 *drep)
3294 {
3295 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3296 hf_netlogon_alias_name, 0);
3297
3298 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3299 hf_netlogon_alias_rid, NULL);
3300
3301 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3302 hf_netlogon_security_information, NULL);
3303
3304 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3305
3306 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3307 hf_netlogon_dummy, 0);
3308
3309 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3310 hf_netlogon_dummy, 0);
3311
3312 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3313 hf_netlogon_dummy, 0);
3314
3315 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3316 hf_netlogon_dummy, 0);
3317
3318 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3319 hf_netlogon_reserved, NULL);
3320
3321 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3322 hf_netlogon_reserved, NULL);
3323
3324 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3325 hf_netlogon_reserved, NULL);
3326
3327 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3328 hf_netlogon_reserved, NULL);
3329
3330 return offset;
3331 }
3332
3333
3334 /*
3335 * IDL typedef struct {
3336 * IDL [unique] SID_ARRAY sids;
3337 * IDL long dummy1;
3338 * IDL long dummy2;
3339 * IDL long dummy3;
3340 * IDL long dummy4;
3341 * IDL } DELTA_ALIAS_MEMBER;
3342 */
3343 static int
3344 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
3345 packet_info *pinfo, proto_tree *tree,
3346 dcerpc_info *di, guint8 *drep)
3347 {
3348 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, di, drep);
3349
3350 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3351 hf_netlogon_reserved, NULL);
3352
3353 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3354 hf_netlogon_reserved, NULL);
3355
3356 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3357 hf_netlogon_reserved, NULL);
3358
3359 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3360 hf_netlogon_reserved, NULL);
3361
3362 return offset;
3363 }
3364
3365
3366 static int
3367 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
3368 packet_info *pinfo, proto_tree *tree,
3369 dcerpc_info *di, guint8 *drep)
3370 {
3371 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3372 hf_netlogon_event_audit_option, NULL);
3373
3374 return offset;
3375 }
3376
3377 static int
3378 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
3379 packet_info *pinfo, proto_tree *tree,
3380 dcerpc_info *di, guint8 *drep)
3381 {
3382 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3383 netlogon_dissect_EVENT_AUDIT_OPTION);
3384
3385 return offset;
3386 }
3387
3388
3389 /*
3390 * IDL typedef struct {
3391 * IDL long pagedpoollimit;
3392 * IDL long nonpagedpoollimit;
3393 * IDL long minimumworkingsetsize;
3394 * IDL long maximumworkingsetsize;
3395 * IDL long pagefilelimit;
3396 * IDL NTTIME timelimit;
3397 * IDL } QUOTA_LIMITS;
3398 */
3399 static int
3400 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
3401 packet_info *pinfo, proto_tree *parent_tree,
3402 dcerpc_info *di, guint8 *drep)
3403 {
3404 proto_item *item=NULL;
3405 proto_tree *tree=NULL;
3406 int old_offset=offset;
3407
3408 if(parent_tree){
3409 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3410 "QUOTA_LIMTS:");
3411 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
3412 }
3413
3414 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3415 hf_netlogon_pagedpoollimit, NULL);
3416
3417 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3418 hf_netlogon_nonpagedpoollimit, NULL);
3419
3420 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3421 hf_netlogon_minworkingsetsize, NULL);
3422
3423 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3424 hf_netlogon_maxworkingsetsize, NULL);
3425
3426 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3427 hf_netlogon_pagefilelimit, NULL);
3428
3429 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3430 hf_netlogon_timelimit);
3431
3432 proto_item_set_len(item, offset-old_offset);
3433 return offset;
3434 }
3435
3436
3437 /*
3438 * IDL typedef struct {
3439 * IDL long maxlogsize;
3440 * IDL NTTIME auditretentionperiod;
3441 * IDL bool auditingmode;
3442 * IDL long maxauditeventcount;
3443 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
3444 * IDL UNICODESTRING primarydomainname;
3445 * IDL [unique] SID *sid;
3446 * IDL QUOTA_LIMITS quota_limits;
3447 * IDL NTTIME db_modify_time;
3448 * IDL NTTIME db_create_time;
3449 * IDL long SecurityInformation;
3450 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3451 * IDL UNICODESTRING dummy1;
3452 * IDL UNICODESTRING dummy2;
3453 * IDL UNICODESTRING dummy3;
3454 * IDL UNICODESTRING dummy4;
3455 * IDL long dummy5;
3456 * IDL long dummy6;
3457 * IDL long dummy7;
3458 * IDL long dummy8;
3459 * IDL } DELTA_POLICY;
3460 */
3461 static int
3462 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
3463 packet_info *pinfo, proto_tree *tree,
3464 dcerpc_info *di, guint8 *drep)
3465 {
3466 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3467 hf_netlogon_max_log_size, NULL);
3468
3469 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3470 hf_netlogon_audit_retention_period);
3471
3472 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
3473 hf_netlogon_auditing_mode, NULL);
3474
3475 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3476 hf_netlogon_max_audit_event_count, NULL);
3477
3478 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3479 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
3480 "Event Audit Options:", -1);
3481
3482 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3483 hf_netlogon_domain_name, 0);
3484
3485 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
3486
3487 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
3488 pinfo, tree, di, drep);
3489
3490 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3491 hf_netlogon_db_modify_time);
3492
3493 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3494 hf_netlogon_db_create_time);
3495
3496 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3497 hf_netlogon_security_information, NULL);
3498
3499 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3500
3501 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3502 hf_netlogon_dummy, 0);
3503
3504 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3505 hf_netlogon_dummy, 0);
3506
3507 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3508 hf_netlogon_dummy, 0);
3509
3510 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3511 hf_netlogon_dummy, 0);
3512
3513 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3514 hf_netlogon_reserved, NULL);
3515
3516 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3517 hf_netlogon_reserved, NULL);
3518
3519 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3520 hf_netlogon_reserved, NULL);
3521
3522 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3523 hf_netlogon_reserved, NULL);
3524
3525 return offset;
3526 }
3527
3528
3529 static int
3530 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
3531 packet_info *pinfo, proto_tree *tree,
3532 dcerpc_info *di, guint8 *drep)
3533 {
3534 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3535 hf_netlogon_dc_name, 0);
3536
3537 return offset;
3538 }
3539
3540 static int
3541 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
3542 packet_info *pinfo, proto_tree *tree,
3543 dcerpc_info *di, guint8 *drep)
3544 {
3545 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3546 netlogon_dissect_CONTROLLER);
3547
3548 return offset;
3549 }
3550
3551
3552 /*
3553 * IDL typedef struct {
3554 * IDL UNICODESTRING DomainName;
3555 * IDL long num_controllers;
3556 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
3557 * IDL long SecurityInformation;
3558 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3559 * IDL UNICODESTRING dummy1;
3560 * IDL UNICODESTRING dummy2;
3561 * IDL UNICODESTRING dummy3;
3562 * IDL UNICODESTRING dummy4;
3563 * IDL long dummy5;
3564 * IDL long dummy6;
3565 * IDL long dummy7;
3566 * IDL long dummy8;
3567 * IDL } DELTA_TRUSTED_DOMAINS;
3568 */
3569 static int
3570 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
3571 packet_info *pinfo, proto_tree *tree,
3572 dcerpc_info *di, guint8 *drep)
3573 {
3574 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3575 hf_netlogon_domain_name, 0);
3576
3577 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3578 hf_netlogon_num_controllers, NULL);
3579
3580 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3581 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
3582 "Domain Controllers:", -1);
3583
3584 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3585 hf_netlogon_security_information, NULL);
3586
3587 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3588
3589 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3590 hf_netlogon_dummy, 0);
3591
3592 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3593 hf_netlogon_dummy, 0);
3594
3595 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3596 hf_netlogon_dummy, 0);
3597
3598 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3599 hf_netlogon_dummy, 0);
3600
3601 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3602 hf_netlogon_reserved, NULL);
3603
3604 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3605 hf_netlogon_reserved, NULL);
3606
3607 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3608 hf_netlogon_reserved, NULL);
3609
3610 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3611 hf_netlogon_reserved, NULL);
3612
3613 return offset;
3614 }
3615
3616
3617 static int
3618 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
3619 packet_info *pinfo, proto_tree *tree,
3620 dcerpc_info *di, guint8 *drep)
3621 {
3622 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3623 hf_netlogon_attrs, NULL);
3624
3625 return offset;
3626 }
3627
3628 static int
3629 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
3630 packet_info *pinfo, proto_tree *tree,
3631 dcerpc_info *di, guint8 *drep)
3632 {
3633 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3634 netlogon_dissect_PRIV_ATTR);
3635
3636 return offset;
3637 }
3638
3639 static int
3640 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
3641 packet_info *pinfo, proto_tree *tree,
3642 dcerpc_info *di, guint8 *drep)
3643 {
3644 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3645 hf_netlogon_privilege_name, 1);
3646
3647 return offset;
3648 }
3649
3650 static int
3651 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
3652 packet_info *pinfo, proto_tree *tree,
3653 dcerpc_info *di, guint8 *drep)
3654 {
3655 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3656 netlogon_dissect_PRIV_NAME);
3657
3658 return offset;
3659 }
3660
3661
3662
3663 /*
3664 * IDL typedef struct {
3665 * IDL long privilegeentries;
3666 * IDL long provolegecontrol;
3667 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
3668 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
3669 * IDL QUOTALIMITS quotalimits;
3670 * IDL long SecurityInformation;
3671 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3672 * IDL UNICODESTRING dummy1;
3673 * IDL UNICODESTRING dummy2;
3674 * IDL UNICODESTRING dummy3;
3675 * IDL UNICODESTRING dummy4;
3676 * IDL long dummy5;
3677 * IDL long dummy6;
3678 * IDL long dummy7;
3679 * IDL long dummy8;
3680 * IDL } DELTA_ACCOUNTS;
3681 */
3682 static int
3683 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
3684 packet_info *pinfo, proto_tree *tree,
3685 dcerpc_info *di, guint8 *drep)
3686 {
3687 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3688 hf_netlogon_privilege_entries, NULL);
3689
3690 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3691 hf_netlogon_privilege_control, NULL);
3692
3693 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3694 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
3695 "PRIV_ATTR_ARRAY:", -1);
3696
3697 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3698 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
3699 "PRIV_NAME_ARRAY:", -1);
3700
3701 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
3702 pinfo, tree, di, drep);
3703
3704 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3705 hf_netlogon_systemflags, NULL);
3706
3707 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3708 hf_netlogon_security_information, NULL);
3709
3710 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3711
3712 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3713 hf_netlogon_dummy, 0);
3714
3715 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3716 hf_netlogon_dummy, 0);
3717
3718 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3719 hf_netlogon_dummy, 0);
3720
3721 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3722 hf_netlogon_dummy, 0);
3723
3724 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3725 hf_netlogon_reserved, NULL);
3726
3727 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3728 hf_netlogon_reserved, NULL);
3729
3730 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3731 hf_netlogon_reserved, NULL);
3732
3733 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3734 hf_netlogon_reserved, NULL);
3735
3736 return offset;
3737 }
3738
3739 /*
3740 * IDL typedef struct {
3741 * IDL long len;
3742 * IDL long maxlen;
3743 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
3744 * IDL } CIPHER_VALUE;
3745 */
3746 static int
3747 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
3748 packet_info *pinfo, proto_tree *tree,
3749 dcerpc_info *di, guint8 *drep)
3750 {
3751 guint32 data_len;
3752
3753 if(di->conformant_run){
3754 /*just a run to handle conformant arrays, nothing to dissect */
3755 return offset;
3756 }
3757
3758 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
3759 hf_netlogon_cipher_maxlen, NULL);
3760
3761 /* skip offset */
3762 offset += 4;
3763
3764 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
3765 hf_netlogon_cipher_len, &data_len);
3766
3767 proto_tree_add_item(tree, di->hf_index, tvb, offset,
3768 data_len, ENC_NA);
3769 offset += data_len;
3770
3771 return offset;
3772 }
3773 static int
3774 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
3775 packet_info *pinfo, proto_tree *parent_tree,
3776 dcerpc_info *di, guint8 *drep, const char *name, int hf_index)
3777 {
3778 proto_item *item=NULL;
3779 proto_tree *tree=NULL;
3780 int old_offset=offset;
3781
3782 if(parent_tree){
3783 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3784 "%s", name);
3785 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
3786 }
3787
3788 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
3789 hf_netlogon_cipher_len, NULL);
3790
3791 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
3792 hf_netlogon_cipher_maxlen, NULL);
3793
3794 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3795 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
3796 name, hf_index);
3797
3798 proto_item_set_len(item, offset-old_offset);
3799 return offset;
3800 }
3801
3802 /*
3803 * IDL typedef struct {
3804 * IDL CIPHER_VALUE current_cipher;
3805 * IDL NTTIME current_cipher_set_time;
3806 * IDL CIPHER_VALUE old_cipher;
3807 * IDL NTTIME old_cipher_set_time;
3808 * IDL long SecurityInformation;
3809 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3810 * IDL UNICODESTRING dummy1;
3811 * IDL UNICODESTRING dummy2;
3812 * IDL UNICODESTRING dummy3;
3813 * IDL UNICODESTRING dummy4;
3814 * IDL long dummy5;
3815 * IDL long dummy6;
3816 * IDL long dummy7;
3817 * IDL long dummy8;
3818 * IDL } DELTA_SECRET;
3819 */
3820 static int
3821 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
3822 packet_info *pinfo, proto_tree *tree,
3823 dcerpc_info *di, guint8 *drep)
3824 {
3825 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3826 pinfo, tree, di, drep,
3827 "CIPHER_VALUE: current cipher value",
3828 hf_netlogon_cipher_current_data);
3829
3830 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3831 hf_netlogon_cipher_current_set_time);
3832
3833 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3834 pinfo, tree, di, drep,
3835 "CIPHER_VALUE: old cipher value",
3836 hf_netlogon_cipher_old_data);
3837
3838 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3839 hf_netlogon_cipher_old_set_time);
3840
3841 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3842 hf_netlogon_security_information, NULL);
3843
3844 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3845
3846 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3847 hf_netlogon_dummy, 0);
3848
3849 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3850 hf_netlogon_dummy, 0);
3851
3852 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3853 hf_netlogon_dummy, 0);
3854
3855 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3856 hf_netlogon_dummy, 0);
3857
3858 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3859 hf_netlogon_reserved, NULL);
3860
3861 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3862 hf_netlogon_reserved, NULL);
3863
3864 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3865 hf_netlogon_reserved, NULL);
3866
3867 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3868 hf_netlogon_reserved, NULL);
3869
3870 return offset;
3871 }
3872
3873 /*
3874 * IDL typedef struct {
3875 * IDL long low_value;
3876 * IDL long high_value;
3877 * } MODIFIED_COUNT;
3878 */
3879 static int
3880 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
3881 packet_info *pinfo, proto_tree *tree,
3882 dcerpc_info *di, guint8 *drep)
3883 {
3884 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
3885 hf_netlogon_modify_count, NULL);
3886
3887 return offset;
3888 }
3889
3890
3891 #define DT_DELTA_DOMAIN 1
3892 #define DT_DELTA_GROUP 2
3893 #define DT_DELTA_DELETE_GROUP 3
3894 #define DT_DELTA_RENAME_GROUP 4
3895 #define DT_DELTA_USER 5
3896 #define DT_DELTA_DELETE_USER 6
3897 #define DT_DELTA_RENAME_USER 7
3898 #define DT_DELTA_GROUP_MEMBER 8
3899 #define DT_DELTA_ALIAS 9
3900 #define DT_DELTA_DELETE_ALIAS 10
3901 #define DT_DELTA_RENAME_ALIAS 11
3902 #define DT_DELTA_ALIAS_MEMBER 12
3903 #define DT_DELTA_POLICY 13
3904 #define DT_DELTA_TRUSTED_DOMAINS 14
3905 #define DT_DELTA_DELETE_TRUST 15
3906 #define DT_DELTA_ACCOUNTS 16
3907 #define DT_DELTA_DELETE_ACCOUNT 17
3908 #define DT_DELTA_SECRET 18
3909 #define DT_DELTA_DELETE_SECRET 19
3910 #define DT_DELTA_DELETE_GROUP2 20
3911 #define DT_DELTA_DELETE_USER2 21
3912 #define DT_MODIFIED_COUNT 22
3913
3914 static const value_string delta_type_vals[] = {
3915 { DT_DELTA_DOMAIN, "Domain" },
3916 { DT_DELTA_GROUP, "Group" },
3917 { DT_DELTA_DELETE_GROUP, "Delete Group" },
3918 { DT_DELTA_RENAME_GROUP, "Rename Group" },
3919 { DT_DELTA_USER, "User" },
3920 { DT_DELTA_DELETE_USER, "Delete User" },
3921 { DT_DELTA_RENAME_USER, "Rename User" },
3922 { DT_DELTA_GROUP_MEMBER, "Group Member" },
3923 { DT_DELTA_ALIAS, "Alias" },
3924 { DT_DELTA_DELETE_ALIAS, "Delete Alias" },
3925 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
3926 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
3927 { DT_DELTA_POLICY, "Policy" },
3928 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
3929 { DT_DELTA_DELETE_TRUST, "Delete Trust" },
3930 { DT_DELTA_ACCOUNTS, "Accounts" },
3931 { DT_DELTA_DELETE_ACCOUNT, "Delete Account" },
3932 { DT_DELTA_SECRET, "Secret" },
3933 { DT_DELTA_DELETE_SECRET, "Delete Secret" },
3934 { DT_DELTA_DELETE_GROUP2, "Delete Group2" },
3935 { DT_DELTA_DELETE_USER2, "Delete User2" },
3936 { DT_MODIFIED_COUNT, "Modified Count" },
3937 { 0, NULL }
3938 };
3939 /*
3940 * IDL typedef [switch_type(short)] union {
3941 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
3942 * IDL [case(2)][unique] DELTA_GROUP *group;
3943 * IDL [case(3)][unique] rid only ;
3944 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
3945 * IDL [case(5)][unique] DELTA_USER *user;
3946 * IDL [case(6)][unique] rid only ;
3947 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
3948 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
3949 * IDL [case(9)][unique] DELTA_ALIAS *alias;
3950 * IDL [case(10)][unique] rid only ;
3951 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *alias;
3952 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
3953 * IDL [case(13)][unique] DELTA_POLICY *policy;
3954 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
3955 * IDL [case(15)][unique] PSID ;
3956 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
3957 * IDL [case(17)][unique] PSID ;
3958 * IDL [case(18)][unique] DELTA_SECRET *secret;
3959 * IDL [case(19)][unique] string;
3960 * IDL [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
3961 * IDL [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
3962 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
3963 * IDL } DELTA_UNION;
3964 */
3965 static int
3966 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
3967 packet_info *pinfo, proto_tree *parent_tree,
3968 dcerpc_info *di, guint8 *drep)
3969 {
3970 proto_item *item=NULL;
3971 proto_tree *tree=NULL;
3972 int old_offset=offset;
3973 guint16 level = 0;
3974
3975 if(parent_tree){
3976 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3977 "DELTA_UNION:");
3978 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
3979 }
3980
3981 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3982 hf_netlogon_delta_type, &level);
3983
3984 ALIGN_TO_4_BYTES;
3985 switch(level){
3986 case 1:
3987 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3988 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
3989 "DELTA_DOMAIN:", -1);
3990 break;
3991 case 2:
3992 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3993 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
3994 "DELTA_GROUP:", -1);
3995 break;
3996 case 4:
3997 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3998 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3999 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
4000 break;
4001 case 5:
4002 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4003 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
4004 "DELTA_USER:", -1);
4005 break;
4006 case 7:
4007 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4008 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
4009 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
4010 break;
4011 case 8:
4012 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4013 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
4014 "DELTA_GROUP_MEMBER:", -1);
4015 break;
4016 case 9:
4017 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4018 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
4019 "DELTA_ALIAS:", -1);
4020 break;
4021 case 11:
4022 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4023 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
4024 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
4025 break;
4026 case 12:
4027 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4028 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
4029 "DELTA_ALIAS_MEMBER:", -1);
4030 break;
4031 case 13:
4032 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4033 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
4034 "DELTA_POLICY:", -1);
4035 break;
4036 case 14:
4037 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4038 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
4039 "DELTA_TRUSTED_DOMAINS:", -1);
4040 break;
4041 case 16:
4042 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4043 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
4044 "DELTA_ACCOUNTS:", -1);
4045 break;
4046 case 18:
4047 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4048 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
4049 "DELTA_SECRET:", -1);
4050 break;
4051 case 20:
4052 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4053 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
4054 "DELTA_DELETE_GROUP:", -1);
4055 break;
4056 case 21:
4057 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4058 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
4059 "DELTA_DELETE_USER:", -1);
4060 break;
4061 case 22:
4062 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4063 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
4064 "MODIFIED_COUNT:", -1);
4065 break;
4066 }
4067
4068 proto_item_set_len(item, offset-old_offset);
4069 return offset;
4070 }
4071
4072
4073
4074 /* IDL XXX must verify this one, especially 13-19
4075 * IDL typedef [switch_type(short)] union {
4076 * IDL [case(1)] long rid;
4077 * IDL [case(2)] long rid;
4078 * IDL [case(3)] long rid;
4079 * IDL [case(4)] long rid;
4080 * IDL [case(5)] long rid;
4081 * IDL [case(6)] long rid;
4082 * IDL [case(7)] long rid;
4083 * IDL [case(8)] long rid;
4084 * IDL [case(9)] long rid;
4085 * IDL [case(10)] long rid;
4086 * IDL [case(11)] long rid;
4087 * IDL [case(12)] long rid;
4088 * IDL [case(13)] [unique] SID *sid;
4089 * IDL [case(14)] [unique] SID *sid;
4090 * IDL [case(15)] [unique] SID *sid;
4091 * IDL [case(16)] [unique] SID *sid;
4092 * IDL [case(17)] [unique] SID *sid;
4093 * IDL [case(18)] [unique][string] wchar_t *Name ;
4094 * IDL [case(19)] [unique][string] wchar_t *Name ;
4095 * IDL [case(20)] long rid;
4096 * IDL [case(21)] long rid;
4097 * IDL } DELTA_ID_UNION;
4098 */
4099 static int
4100 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
4101 packet_info *pinfo, proto_tree *parent_tree,
4102 dcerpc_info *di, guint8 *drep)
4103 {
4104 proto_item *item=NULL;
4105 proto_tree *tree=NULL;
4106 int old_offset=offset;
4107 guint16 level = 0;
4108
4109 if(parent_tree){
4110 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4111 "DELTA_ID_UNION:");
4112 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
4113 }
4114
4115 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
4116 hf_netlogon_delta_type, &level);
4117
4118 ALIGN_TO_4_BYTES;
4119 switch(level){
4120 case 1:
4121 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4122 hf_netlogon_group_rid, NULL);
4123 break;
4124 case 2:
4125 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4126 hf_netlogon_user_rid, NULL);
4127 break;
4128 case 3:
4129 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4130 hf_netlogon_user_rid, NULL);
4131 break;
4132 case 4:
4133 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4134 hf_netlogon_user_rid, NULL);
4135 break;
4136 case 5:
4137 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4138 hf_netlogon_user_rid, NULL);
4139 break;
4140 case 6:
4141 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4142 hf_netlogon_user_rid, NULL);
4143 break;
4144 case 7:
4145 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4146 hf_netlogon_user_rid, NULL);
4147 break;
4148 case 8:
4149 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4150 hf_netlogon_user_rid, NULL);
4151 break;
4152 case 9:
4153 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4154 hf_netlogon_user_rid, NULL);
4155 break;
4156 case 10:
4157 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4158 hf_netlogon_user_rid, NULL);
4159 break;
4160 case 11:
4161 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4162 hf_netlogon_user_rid, NULL);
4163 break;
4164 case 12:
4165 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4166 hf_netlogon_user_rid, NULL);
4167 break;
4168 case 13:
4169 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4170 break;
4171 case 14:
4172 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4173 break;
4174 case 15:
4175 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4176 break;
4177 case 16:
4178 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4179 break;
4180 case 17:
4181 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4182 break;
4183 case 18:
4184 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4185 tree, di, drep, NDR_POINTER_UNIQUE, "unknown",
4186 hf_netlogon_unknown_string, 0);
4187 break;
4188 case 19:
4189 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4190 tree, di, drep, NDR_POINTER_UNIQUE, "unknown",
4191 hf_netlogon_unknown_string, 0);
4192 break;
4193 case 20:
4194 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4195 hf_netlogon_user_rid, NULL);
4196 break;
4197 case 21:
4198 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4199 hf_netlogon_user_rid, NULL);
4200 break;
4201 }
4202
4203 proto_item_set_len(item, offset-old_offset);
4204 return offset;
4205 }
4206
4207 /*
4208 * IDL typedef struct {
4209 * IDL short delta_type;
4210 * IDL DELTA_ID_UNION delta_id_union;
4211 * IDL DELTA_UNION delta_union;
4212 * IDL } DELTA_ENUM;
4213 */
4214 static int
4215 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
4216 packet_info *pinfo, proto_tree *parent_tree,
4217 dcerpc_info *di, guint8 *drep)
4218 {
4219 proto_item *item=NULL;
4220 proto_tree *tree=NULL;
4221 int old_offset=offset;
4222 guint16 type;
4223
4224 if(parent_tree){
4225 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4226 "DELTA_ENUM:");
4227 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
4228 }
4229
4230 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
4231 hf_netlogon_delta_type, &type);
4232
4233 proto_item_append_text(item, "%s", val_to_str(
4234 type, delta_type_vals, "Unknown"));
4235
4236 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
4237 pinfo, tree, di, drep);
4238
4239 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
4240 pinfo, tree, di, drep);
4241
4242 proto_item_set_len(item, offset-old_offset);
4243 return offset;
4244 }
4245
4246 static int
4247 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
4248 packet_info *pinfo, proto_tree *tree,
4249 dcerpc_info *di, guint8 *drep)
4250 {
4251 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
4252 netlogon_dissect_DELTA_ENUM);
4253
4254 return offset;
4255 }
4256
4257 /*
4258 * IDL typedef struct {
4259 * IDL long num_deltas;
4260 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
4261 * IDL } DELTA_ENUM_ARRAY;
4262 */
4263 static int
4264 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
4265 packet_info *pinfo, proto_tree *tree,
4266 dcerpc_info *di, guint8 *drep)
4267 {
4268 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4269 hf_netlogon_num_deltas, NULL);
4270
4271 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4272 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
4273 "DELTA_ENUM: deltas", -1);
4274
4275 return offset;
4276 }
4277
4278
4279 /*
4280 * IDL long NetrDatabaseDeltas(
4281 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4282 * IDL [in][string][ref] wchar_t *computername,
4283 * IDL [in][ref] AUTHENTICATOR credential,
4284 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4285 * IDL [in] long database_id,
4286 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
4287 * IDL [in] long preferredmaximumlength,
4288 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4289 * IDL );
4290 */
4291 static int
4292 netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
4293 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4294 {
4295 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4296 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4297
4298 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4299 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4300
4301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4302 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4303 "AUTHENTICATOR: credential", -1);
4304
4305 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4306 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4307 "AUTHENTICATOR: return_authenticator", -1);
4308
4309 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4310 hf_netlogon_database_id, NULL);
4311
4312 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4313 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
4314 "MODIFIED_COUNT: domain modified count", -1);
4315
4316 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4317 hf_netlogon_max_size, NULL);
4318
4319 return offset;
4320 }
4321 static int
4322 netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
4323 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4324 {
4325 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4326 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4327 "AUTHENTICATOR: return_authenticator", -1);
4328
4329 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4330 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
4331 "MODIFIED_COUNT: domain modified count", -1);
4332
4333 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4334 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4335 "DELTA_ENUM_ARRAY: deltas", -1);
4336
4337 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4338 hf_netlogon_rc, NULL);
4339
4340 return offset;
4341 }
4342
4343
4344 /*
4345 * IDL long NetrDatabaseSync(
4346 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4347 * IDL [in][string][ref] wchar_t *computername,
4348 * IDL [in][ref] AUTHENTICATOR credential,
4349 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4350 * IDL [in] long database_id,
4351 * IDL [in][out][ref] long sync_context,
4352 * IDL [in] long preferredmaximumlength,
4353 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4354 * IDL );
4355 */
4356 static int
4357 netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
4358 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4359 {
4360 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4361 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4362
4363 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4364 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4365
4366 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4367 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4368 "AUTHENTICATOR: credential", -1);
4369
4370 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4371 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4372 "AUTHENTICATOR: return_authenticator", -1);
4373
4374 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4375 hf_netlogon_database_id, NULL);
4376
4377 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4378 hf_netlogon_sync_context, NULL);
4379
4380 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4381 hf_netlogon_max_size, NULL);
4382
4383 return offset;
4384 }
4385
4386
4387 static int
4388 netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
4389 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4390 {
4391 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4392 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4393 "AUTHENTICATOR: return_authenticator", -1);
4394
4395 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4396 hf_netlogon_sync_context, NULL);
4397
4398 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4399 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4400 "DELTA_ENUM_ARRAY: deltas", -1);
4401
4402 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4403 hf_netlogon_rc, NULL);
4404
4405 return offset;
4406 }
4407
4408 /*
4409 * IDL typedef struct {
4410 * IDL char computer_name[16];
4411 * IDL long timecreated;
4412 * IDL long serial_number;
4413 * IDL } UAS_INFO_0;
4414 */
4415 static int
4416 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
4417 packet_info *pinfo, proto_tree *tree,
4418 dcerpc_info *di, guint8 *drep)
4419 {
4420 if(di->conformant_run){
4421 /*just a run to handle conformant arrays, nothing to dissect */
4422 return offset;
4423 }
4424
4425 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, ENC_ASCII|ENC_NA);
4426 offset += 16;
4427
4428 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
4429 offset+= 4;
4430
4431 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4432 hf_netlogon_serial_number, NULL);
4433
4434 return offset;
4435 }
4436
4437
4438 /*
4439 * IDL long NetrAccountDeltas(
4440 * IDL [in][string][unique] wchar_t *logonserver,
4441 * IDL [in][string][ref] wchar_t *computername,
4442 * IDL [in][ref] AUTHENTICATOR credential,
4443 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4444 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4445 * IDL [out][ref] long count_returned,
4446 * IDL [out][ref] long total_entries,
4447 * IDL [in][out][ref] UAS_INFO_0 recordid,
4448 * IDL [in][long] count,
4449 * IDL [in][long] level,
4450 * IDL [in][long] buffersize,
4451 * IDL );
4452 */
4453 static int
4454 netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
4455 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4456 {
4457 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4458 pinfo, tree, di, drep);
4459
4460 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4461 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4462
4463 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4464 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4465 "AUTHENTICATOR: credential", -1);
4466
4467 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4468 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4469 "AUTHENTICATOR: return_authenticator", -1);
4470
4471 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4472 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
4473 "UAS_INFO_0: RecordID", -1);
4474
4475 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4476 hf_netlogon_count, NULL);
4477
4478 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4479 hf_netlogon_level, NULL);
4480
4481 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4482 hf_netlogon_max_size, NULL);
4483
4484 return offset;
4485 }
4486 static int
4487 netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
4488 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4489 {
4490 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4491 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4492 "AUTHENTICATOR: return_authenticator", -1);
4493
4494 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4495 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4496 "BYTE_array: Buffer", -1);
4497
4498 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4499 hf_netlogon_count, NULL);
4500
4501 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4502 hf_netlogon_entries, NULL);
4503
4504 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4505 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
4506 "UAS_INFO_0: RecordID", -1);
4507
4508 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4509 hf_netlogon_rc, NULL);
4510
4511 return offset;
4512 }
4513
4514
4515 /*
4516 * IDL long NetrAccountSync(
4517 * IDL [in][string][unique] wchar_t *logonserver,
4518 * IDL [in][string][ref] wchar_t *computername,
4519 * IDL [in][ref] AUTHENTICATOR credential,
4520 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4521 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4522 * IDL [out][ref] long count_returned,
4523 * IDL [out][ref] long total_entries,
4524 * IDL [out][ref] long next_reference,
4525 * IDL [in][long] reference,
4526 * IDL [in][long] level,
4527 * IDL [in][long] buffersize,
4528 * IDL [in][out][ref] UAS_INFO_0 recordid,
4529 * IDL );
4530 */
4531 static int
4532 netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
4533 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4534 {
4535 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4536 pinfo, tree, di, drep);
4537
4538 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4539 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4540
4541 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4542 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4543 "AUTHENTICATOR: credential", -1);
4544
4545 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4546 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4547 "AUTHENTICATOR: return_authenticator", -1);
4548
4549 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4550 hf_netlogon_reference, NULL);
4551
4552 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4553 hf_netlogon_level, NULL);
4554
4555 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4556 hf_netlogon_max_size, NULL);
4557
4558 return offset;
4559 }
4560 static int
4561 netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
4562 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4563 {
4564 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4565 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4566 "AUTHENTICATOR: return_authenticator", -1);
4567
4568 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4569 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4570 "BYTE_array: Buffer", -1);
4571
4572 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4573 hf_netlogon_count, NULL);
4574
4575 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4576 hf_netlogon_entries, NULL);
4577
4578 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4579 hf_netlogon_next_reference, NULL);
4580
4581 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4582 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
4583 "UAS_INFO_0: RecordID", -1);
4584
4585 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4586 hf_netlogon_rc, NULL);
4587
4588 return offset;
4589 }
4590
4591
4592 /*
4593 * IDL long NetrGetDcName(
4594 * IDL [in][ref][string] wchar_t *logon_server,
4595 * IDL [in][unique][string] wchar_t *domainname,
4596 * IDL [out][unique][string] wchar_t *dcname,
4597 * IDL };
4598 */
4599 static int
4600 netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
4601 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4602 {
4603 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4604 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4605
4606 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4607 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
4608
4609 return offset;
4610 }
4611 static int
4612 netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
4613 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4614 {
4615 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4616 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
4617
4618 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4619 hf_netlogon_rc, NULL);
4620
4621 return offset;
4622 }
4623
4624
4625
4626 /*
4627 * IDL typedef struct {
4628 * IDL long flags;
4629 * IDL long pdc_connection_status;
4630 * IDL } NETLOGON_INFO_1;
4631 */
4632 static int
4633 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
4634 packet_info *pinfo, proto_tree *tree,
4635 dcerpc_info *di, guint8 *drep)
4636 {
4637 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4638 hf_netlogon_flags, NULL);
4639
4640 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4641 hf_netlogon_pdc_connection_status, NULL);
4642
4643 return offset;
4644 }
4645
4646
4647 /*
4648 * IDL typedef struct {
4649 * IDL long flags;
4650 * IDL long pdc_connection_status;
4651 * IDL [unique][string] wchar_t trusted_dc_name;
4652 * IDL long tc_connection_status;
4653 * IDL } NETLOGON_INFO_2;
4654 */
4655 static int
4656 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
4657 packet_info *pinfo, proto_tree *tree,
4658 dcerpc_info *di, guint8 *drep)
4659 {
4660 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4661 hf_netlogon_flags, NULL);
4662
4663 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4664 hf_netlogon_pdc_connection_status, NULL);
4665
4666 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4667 NDR_POINTER_UNIQUE, "Trusted DC Name",
4668 hf_netlogon_trusted_dc_name, 0);
4669
4670 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4671 hf_netlogon_tc_connection_status, NULL);
4672
4673 return offset;
4674 }
4675
4676
4677 /*
4678 * IDL typedef struct {
4679 * IDL long flags;
4680 * IDL long logon_attempts;
4681 * IDL long reserved;
4682 * IDL long reserved;
4683 * IDL long reserved;
4684 * IDL long reserved;
4685 * IDL long reserved;
4686 * IDL } NETLOGON_INFO_3;
4687 */
4688 static int
4689 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
4690 packet_info *pinfo, proto_tree *tree,
4691 dcerpc_info *di, guint8 *drep)
4692 {
4693 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4694 hf_netlogon_flags, NULL);
4695
4696 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4697 hf_netlogon_logon_attempts, NULL);
4698
4699 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4700 hf_netlogon_reserved, NULL);
4701
4702 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4703 hf_netlogon_reserved, NULL);
4704
4705 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4706 hf_netlogon_reserved, NULL);
4707
4708 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4709 hf_netlogon_reserved, NULL);
4710
4711 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4712 hf_netlogon_reserved, NULL);
4713
4714 return offset;
4715 }
4716
4717
4718 /*
4719 * IDL typedef [switch_type(long)] union {
4720 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
4721 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
4722 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
4723 * IDL } CONTROL_QUERY_INFORMATION;
4724 */
4725 static int
4726 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
4727 packet_info *pinfo, proto_tree *tree,
4728 dcerpc_info *di, guint8 *drep)
4729 {
4730 guint32 level = 0;
4731
4732 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4733 hf_netlogon_level, &level);
4734
4735 ALIGN_TO_4_BYTES;
4736 switch(level){
4737 case 1:
4738 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4739 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
4740 "NETLOGON_INFO_1:", -1);
4741 break;
4742 case 2:
4743 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4744 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
4745 "NETLOGON_INFO_2:", -1);
4746 break;
4747 case 3:
4748 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4749 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
4750 "NETLOGON_INFO_3:", -1);
4751 break;
4752 }
4753
4754 return offset;
4755 }
4756
4757
4758 /*
4759 * IDL long NetrLogonControl(
4760 * IDL [in][string][unique] wchar_t *logonserver,
4761 * IDL [in] long function_code,
4762 * IDL [in] long level,
4763 * IDL [out][ref] CONTROL_QUERY_INFORMATION
4764 * IDL );
4765 */
4766 static int
4767 netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
4768 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4769 {
4770 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4771 pinfo, tree, di, drep);
4772
4773 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4774 hf_netlogon_code, NULL);
4775
4776 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4777 hf_netlogon_level, NULL);
4778
4779 return offset;
4780 }
4781 static int
4782 netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
4783 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4784 {
4785 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4786 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4787 "CONTROL_QUERY_INFORMATION:", -1);
4788
4789 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4790 hf_netlogon_dos_rc, NULL);
4791
4792 return offset;
4793 }
4794
4795
4796 /*
4797 * IDL long NetrGetAnyDCName(
4798 * IDL [in][unique][string] wchar_t *logon_server,
4799 * IDL [in][unique][string] wchar_t *domainname,
4800 * IDL [out][unique][string] wchar_t *dcname,
4801 * IDL };
4802 */
4803 static int
4804 netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
4805 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4806 {
4807 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4808 NDR_POINTER_UNIQUE, "Server Handle",
4809 hf_netlogon_logonsrv_handle, 0);
4810
4811 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4812 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
4813
4814 return offset;
4815 }
4816 static int
4817 netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
4818 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4819 {
4820 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4821 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
4822
4823 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4824 hf_netlogon_dos_rc, NULL);
4825
4826 return offset;
4827 }
4828
4829
4830 /*
4831 * IDL typedef [switch_type(long)] union {
4832 * IDL [case(5)] [unique][string] wchar_t *unknown;
4833 * IDL [case(6)] [unique][string] wchar_t *unknown;
4834 * IDL [case(0xfffe)] long unknown;
4835 * IDL [case(7)] [unique][string] wchar_t *unknown;
4836 * IDL } CONTROL_DATA_INFORMATION;
4837 */
4838 /* XXX
4839 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
4840 * to look like. However NetMon does not recognize any such informationlevels.
4841 *
4842 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
4843 * until someone has any source of better authority to call upon.
4844 */
4845 static int
4846 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
4847 packet_info *pinfo, proto_tree *tree,
4848 dcerpc_info *di, guint8 *drep)
4849 {
4850 guint32 level = 0;
4851
4852 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4853 hf_netlogon_level, &level);
4854
4855 ALIGN_TO_4_BYTES;
4856 switch(level){
4857 case 5:
4858 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4859 tree, di, drep, NDR_POINTER_UNIQUE, "Trusted Domain Name",
4860 hf_netlogon_TrustedDomainName_string, 0);
4861 break;
4862 case 6:
4863 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4864 tree, di, drep, NDR_POINTER_UNIQUE, "Trusted Domain Name",
4865 hf_netlogon_TrustedDomainName_string, 0);
4866 break;
4867 case 0xfffe:
4868 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4869 hf_netlogon_unknown_long, NULL);
4870 break;
4871 case 8:
4872 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4873 tree, di, drep, NDR_POINTER_UNIQUE, "UserName",
4874 hf_netlogon_UserName_string, 0);
4875 break;
4876 }
4877
4878 return offset;
4879 }
4880
4881
4882 /*
4883 * IDL long NetrLogonControl2(
4884 * IDL [in][string][unique] wchar_t *logonserver,
4885 * IDL [in] long function_code,
4886 * IDL [in] long level,
4887 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4888 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
4889 * IDL );
4890 */
4891 static int
4892 netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
4893 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4894 {
4895 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4896 pinfo, tree, di, drep);
4897
4898 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4899 hf_netlogon_code, NULL);
4900
4901 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4902 hf_netlogon_level, NULL);
4903
4904 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4905 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4906 "CONTROL_DATA_INFORMATION: ", -1);
4907
4908 return offset;
4909 }
4910
4911 static int
4912 netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
4913 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4914 {
4915 guint32 status;
4916
4917 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4918 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4919 "CONTROL_QUERY_INFORMATION:", -1);
4920
4921 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_netlogon_werr_rc, &status);
4922
4923 if (status != 0)
4924 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown WERR error 0x%08x"));
4925
4926
4927 return offset;
4928 }
4929
4930
4931
4932
4933 /*
4934 * IDL long NetrDatabaseSync2(
4935 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4936 * IDL [in][string][ref] wchar_t *computername,
4937 * IDL [in][ref] AUTHENTICATOR credential,
4938 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4939 * IDL [in] long database_id,
4940 * IDL [in] short restart_state,
4941 * IDL [in][out][ref] long *sync_context,
4942 * IDL [in] long preferredmaximumlength,
4943 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4944 * IDL );
4945 */
4946 static int
4947 netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
4948 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4949 {
4950 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4951 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4952
4953 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4954 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4955
4956 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4957 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4958 "AUTHENTICATOR: credential", -1);
4959
4960 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4961 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4962 "AUTHENTICATOR: return_authenticator", -1);
4963
4964 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4965 hf_netlogon_database_id, NULL);
4966
4967 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
4968 hf_netlogon_restart_state, NULL);
4969
4970 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4971 hf_netlogon_sync_context, NULL);
4972
4973 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4974 hf_netlogon_max_size, NULL);
4975
4976 return offset;
4977 }
4978
4979 static int
4980 netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
4981 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4982 {
4983 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4984 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4985 "AUTHENTICATOR: return_authenticator", -1);
4986
4987 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4988 hf_netlogon_sync_context, NULL);
4989
4990 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4991 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4992 "DELTA_ENUM_ARRAY: deltas", -1);
4993
4994 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4995 hf_netlogon_rc, NULL);
4996
4997 return offset;
4998 }
4999
5000
5001 /*
5002 * IDL long NetrDatabaseRedo(
5003 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
5004 * IDL [in][string][ref] wchar_t *computername,
5005 * IDL [in][ref] AUTHENTICATOR credential,
5006 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
5007 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
5008 * IDL [in] long change_log_entry_size,
5009 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
5010 * IDL );
5011 */
5012 static int
5013 netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
5014 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
5015 {
5016 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5017 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
5018
5019 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5020 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5021
5022 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5023 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5024 "AUTHENTICATOR: credential", -1);
5025
5026 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5027 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5028 "AUTHENTICATOR: return_authenticator", -1);
5029
5030 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5031 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
5032 "Change log entry: ", -1);
5033
5034 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5035 hf_netlogon_max_log_size, NULL);
5036
5037 return offset;
5038 }
5039
5040 static int
5041 netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
5042 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
5043 {
5044 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5045 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5046 "AUTHENTICATOR: return_authenticator", -1);
5047
5048 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5049 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
5050 "DELTA_ENUM_ARRAY: deltas", -1);
5051
5052 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
5053 hf_netlogon_rc, NULL);
5054
5055 return offset;
5056 }
5057
5058
5059 /*
5060 * IDL long NetrLogonControl2Ex(
5061 * IDL [in][string][unique] wchar_t *logonserver,
5062 * IDL [in] long function_code,
5063 * IDL [in] long level,
5064 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
5065 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
5066 * IDL );
5067 */
5068 static int
5069 netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
5070 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
5071 {
5072 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5073 pinfo, tree, di, drep);
5074
5075 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5076 hf_netlogon_code, NULL);
5077
5078 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5079 hf_netlogon_level, NULL);
5080
5081 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5082 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
5083 "CONTROL_DATA_INFORMATION: ", -1);
5084
5085 return offset;
5086 }
5087 static int
5088 netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
5089 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
5090 {
5091 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5092 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
5093 "CONTROL_QUERY_INFORMATION:", -1);
5094
5095 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
5096 hf_netlogon_dos_rc, NULL);
5097
5098 return offset;
5099 }
5100
5101
5102
5103
5104 static const value_string trust_type_vals[] = {
5105 { 1, "NT4 Domain" },
5106 { 2, "AD Domain" },
5107 { 3, "MIT Kerberos realm" },
5108 { 4, "DCE realm" },
5109 { 0, NULL }
5110 };
5111
5112 #define DS_INET_ADDRESS 1
5113 #define DS_NETBIOS_ADDRESS 2
5114
5115 static const value_string dc_address_types[] = {
5116 { DS_INET_ADDRESS, "IP/DNS name" },
5117 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
5118 { 0, NULL}
5119 };
5120
5121
5122 #define RQ_ROOT_FOREST 0x0001
5123 #define RQ_DC_XFOREST 0x0002
5124 #define RQ_RODC_DIF_DOMAIN 0x0004
5125 #define RQ_NTLM_FROM_RODC 0x0008
5126
5127 #define DS_DOMAIN_IN_FOREST 0x0001
5128 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
5129 #define DS_DOMAIN_TREE_ROOT 0x0004
5130 #define DS_DOMAIN_PRIMARY 0x0008
5131 #define DS_DOMAIN_NATIVE_MODE 0x0010
5132 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
5133
5134 static const true_false_string trust_inbound = {
5135 "There is a DIRECT INBOUND trust for the servers domain",
5136 "There is NO direct inbound trust for the servers domain"
5137 };
5138 static const true_false_string trust_outbound = {
5139 "There is a DIRECT OUTBOUND trust for this domain",
5140 "There is NO direct outbound trust for this domain"
5141 };
5142 static const true_false_string trust_in_forest = {
5143 "The domain is a member IN the same FOREST as the queried server",
5144 "The domain is NOT a member of the queried servers domain"
5145 };
5146 static const true_false_string trust_native_mode = {
5147 "The primary domain is a NATIVE MODE w2k domain",
5148 "The primary is NOT a native mode w2k domain"
5149 };
5150 static const true_false_string trust_primary = {
5151 "The domain is the PRIMARY domain of the queried server",
5152 "The domain is NOT the primary domain of the queried server"
5153 };
5154 static const true_false_string trust_tree_root = {
5155 "The domain is the ROOT of a domain TREE",
5156 "The domain is NOT a root of a domain tree"
5157 };
5158
5159
5160 static int
5161 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
5162 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
5163 {
5164 guint32 mask;
5165 proto_item *item = NULL;
5166 proto_tree *tree = NULL;
5167
5168 if(di->conformant_run){
5169 /*just a run to handle conformant arrays, nothing to dissect */
5170 return offset;
5171 }
5172
5173 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
5174 hf_netlogon_trust_flags, &mask);
5175
5176 if(parent_tree){
5177 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
5178 tvb, offset-4, 4, mask);
5179 tree = proto_item_add_subtree(item, ett_trust_flags);
5180 }
5181
5182 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
5183 tvb, offset-4, 4, mask);
5184 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
5185 tvb, offset-4, 4, mask);
5186 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
5187 tvb, offset-4, 4, mask);
5188 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
5189 tvb, offset-4, 4, mask);
5190 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
5191 tvb, offset-4, 4, mask);
5192 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
5193 tvb, offset-4, 4, mask);
5194
5195 return offset;
5196 }
5197
5198
5199
5200 static const true_false_string trust_attribs_non_transitive = {
5201 "This is a NON TRANSITIVE trust relation",
5202 "This is a normal trust"
5203 };
5204 static const true_false_string trust_attribs_uplevel_only = {
5205 "This is an UPLEVEL ONLY trust relation",
5206 "This is a normal trust"
5207 };
5208 static const true_false_string trust_attribs_quarantined_domain = {
5209 "This is a QUARANTINED DOMAIN (so don't expect lookupsids to work)",
5210 "This is a normal trust"
5211 };
5212 static const true_false_string trust_attribs_forest_transitive = {
5213 "This is a FOREST TRANSITIVE trust",
5214 "This is a normal trust"
5215 };
5216 static const true_false_string trust_attribs_cross_organization = {
5217 "This is a CROSS ORGANIZATION trust",
5218 "This is a normal trust"
5219 };
5220 static const true_false_string trust_attribs_within_forest = {
5221 "This is a WITHIN FOREST trust",
5222 "This is a normal trust"
5223 };
5224 static const true_false_string trust_attribs_treat_as_external = {
5225 "TREAT this trust AS an EXTERNAL trust",
5226 "This is a normal trust"
5227 };
5228
5229 static int
5230 netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
5231 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
5232 {
5233 guint32 mask;
5234 proto_item *item = NULL;
5235 proto_tree *tree = NULL;
5236
5237 if(di->conformant_run){
5238 /*just a run to handle conformant arrays, nothing to dissect */
5239 return offset;
5240 }
5241
5242 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
5243 hf_netlogon_trust_attribs, &mask);
5244
5245 if(parent_tree){
5246 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_attribs,
5247 tvb, offset-4, 4, mask);
5248 tree = proto_item_add_subtree(item, ett_trust_attribs);
5249 }
5250
5251 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_treat_as_external,
5252 tvb, offset-4, 4, mask);
5253 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_within_forest,
5254 tvb, offset-4, 4, mask);
5255 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_cross_organization,
5256 tvb, offset-4, 4, mask);
5257 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_forest_transitive,
5258 tvb, offset-4, 4, mask);
5259 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_quarantined_domain,
5260 tvb, offset-4, 4, mask);
5261 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_uplevel_only,
5262 tvb, offset-4, 4, mask);
5263 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_non_transitive,
5264 tvb, offset-4, 4, mask);
5265
5266
5267 return offset;
5268 }
5269
5270
5271 #define DS_FORCE_REDISCOVERY 0x00000001
5272 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
5273 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
5274 #define DS_GC_SERVER_REQUIRED 0x00000040
5275 #define DS_PDC_REQUIRED 0x00000080
5276 #define DS_BACKGROUND_ONLY 0x00000100
5277 #define DS_IP_REQUIRED 0x00000200
5278 #define DS_KDC_REQUIRED 0x00000400
5279 #define DS_TIMESERV_REQUIRED 0x00000800
5280 #define DS_WRITABLE_REQUIRED 0x00001000
5281 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
5282 #define DS_AVOID_SELF 0x00004000
5283 #define DS_ONLY_LDAP_NEEDED 0x00008000
5284 #define DS_IS_FLAT_NAME 0x00010000
5285 #define DS_IS_DNS_NAME 0x00020000
5286 #define DS_RETURN_DNS_NAME 0x40000000
5287 #define DS_RETURN_FLAT_NAME 0x80000000
5288
5289 static const true_false_string get_dcname_request_flags_force_rediscovery = {
5290 "FORCE REDISCOVERY of any cached data",
5291 "You may return cached data"
5292 };
5293 static const true_false_string get_dcname_request_flags_directory_service_required = {
5294 "DIRECTORY SERVICE is REQUIRED on the server",
5295 "We do NOT require directory service servers"
5296 };
5297 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
5298 "DIRECTORY SERVICE servers are PREFERRED",
5299 "We do NOT have a preference for directory service servers"
5300 };
5301 static const true_false_string get_dcname_request_flags_gc_server_required = {
5302 "GC SERVER is REQUIRED",
5303 "gc server is NOT required"
5304 };
5305 static const true_false_string get_dcname_request_flags_pdc_required = {
5306 "PDC SERVER is REQUIRED",
5307 "pdc server is NOT required"
5308 };
5309 static const true_false_string get_dcname_request_flags_background_only = {
5310 "Only return cached data, even if it has expired",
5311 "Return cached data unless it has expired"
5312 };
5313 static const true_false_string get_dcname_request_flags_ip_required = {
5314 "IP address is REQUIRED",
5315 "ip address is NOT required"
5316 };
5317 static const true_false_string get_dcname_request_flags_kdc_required = {
5318 "KDC server is REQUIRED",
5319 "kdc server is NOT required"
5320 };
5321 static const true_false_string get_dcname_request_flags_timeserv_required = {
5322 "TIMESERV service is REQUIRED",
5323 "timeserv service is NOT required"
5324 };
5325 static const true_false_string get_dcname_request_flags_writable_required = {
5326 "the returned dc MUST be WRITEABLE",
5327 "a read-only dc may be returned"
5328 };
5329 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
5330 "GOOD TIMESERV servers are PREFERRED",
5331 "we do NOT have a preference for good timeserv servers"
5332 };
5333 static const true_false_string get_dcname_request_flags_avoid_self = {
5334 "do NOT return self as dc; return someone else",
5335 "you may return yourSELF as the dc"
5336 };
5337 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
5338 "we ONLY NEED LDAP; you don't have to return a dc",
5339 "we need a normal dc; an ldap only server will not do"
5340 };
5341 static const true_false_string get_dcname_request_flags_is_flat_name = {
5342 "the name we specify is a NetBIOS name",
5343 "the name we specify is NOT a NetBIOS name"
5344 };
5345 static const true_false_string get_dcname_request_flags_is_dns_name = {
5346 "the name we specify is a DNS name",
5347 "the name we specify is NOT a dns name"
5348 };
5349 static const true_false_string get_dcname_request_flags_return_dns_name = {
5350 "return a DNS name",
5351 "you may return a NON-dns name"
5352 };
5353 static const true_false_string get_dcname_request_flags_return_flat_name = {
5354 "return a NetBIOS name",
5355 "you may return a NON-NetBIOS name"
5356 };
5357 static int
5358 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
5359 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
5360 {
5361 guint32 mask;
5362 proto_item *item = NULL;
5363 proto_tree *tree = NULL;
5364
5365 if(di->conformant_run){
5366 /*just a run to handle conformant arrays, nothing to dissect */
5367 return offset;
5368 }
5369
5370 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
5371 hf_netlogon_get_dcname_request_flags, &mask);
5372
5373 if(parent_tree){
5374 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
5375 tvb, offset-4, 4, mask);
5376 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
5377 }
5378
5379 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
5380 tvb, offset-4, 4, mask);
5381 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
5382 tvb, offset-4, 4, mask);
5383 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
5384 tvb, offset-4, 4, mask);
5385 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
5386 tvb, offset-4, 4, mask);
5387 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
5388 tvb, offset-4, 4, mask);
5389 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
5390 tvb, offset-4, 4, mask);
5391 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
5392 tvb, offset-4, 4, mask);
5393 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
5394 tvb, offset-4, 4, mask);
5395 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
5396 tvb, offset-4, 4, mask);
5397 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
5398 tvb, offset-4, 4, mask);
5399 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
5400 tvb, offset-4, 4, mask);
5401 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
5402 tvb, offset-4, 4, mask);
5403 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
5404 tvb, offset-4, 4, mask);
5405 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
5406 tvb, offset-4, 4, mask);
5407 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
5408 tvb, offset-4, 4, mask);
5409 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
5410 tvb, offset-4, 4, mask);
5411 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
5412 tvb, offset-4, 4, mask);
5413
5414 return offset;
5415 }
5416
5417
5418
5419 #define DS_PDC_FLAG 0x00000001
5420 #define DS_GC_FLAG 0x00000004
5421 #define DS_LDAP_FLAG 0x00000008
5422 #define DS_DS_FLAG 0x00000010
5423 #define DS_KDC_FLAG 0x00000020
5424 #define DS_TIMESERV_FLAG 0x00000040
5425 #define DS_CLOSEST_FLAG 0x00000080
5426 #define DS_WRITABLE_FLAG 0x00000100
5427 #define DS_GOOD_TIMESERV_FLAG 0x00000200
5428 #define DS_NDNC_FLAG 0x00000400
5429 #define DS_DNS_CONTROLLER_FLAG 0x20000000
5430 #define DS_DNS_DOMAIN_FLAG 0x40000000
5431 #define DS_DNS_FOREST_FLAG 0x80000000
5432
5433 static const true_false_string dc_flags_pdc_flag = {
5434 "this is the PDC of the domain",
5435 "this is NOT the pdc of the domain"
5436 };
5437 static const true_false_string dc_flags_gc_flag = {
5438 "this is the GC of the forest",
5439 "this is NOT the gc of the forest"
5440 };
5441 static const true_false_string dc_flags_ldap_flag = {
5442 "this is an LDAP server",
5443 "this is NOT an ldap server"
5444 };
5445 static const true_false_string dc_flags_ds_flag = {
5446 "this is a DS server",
5447 "this is NOT a ds server"
5448 };
5449 static const true_false_string dc_flags_kdc_flag = {
5450 "this is a KDC server",
5451 "this is NOT a kdc server"
5452 };
5453 static const true_false_string dc_flags_timeserv_flag = {
5454 "this is a TIMESERV server",
5455 "this is NOT a timeserv server"
5456 };
5457 static const true_false_string dc_flags_closest_flag = {
5458 "this is the CLOSEST server",
5459 "this is NOT the closest server"
5460 };
5461 static const true_false_string dc_flags_writable_flag = {
5462 "this server has a WRITABLE ds database",
5463 "this server has a READ-ONLY ds database"
5464 };
5465 static const true_false_string dc_flags_good_timeserv_flag = {
5466 "this server is a GOOD TIMESERV server",
5467 "this is NOT a good timeserv server"
5468 };
5469 static const true_false_string dc_flags_ndnc_flag = {
5470 "NDNC is set",
5471 "ndnc is NOT set"
5472 };
5473 static const true_false_string dc_flags_dns_controller_flag = {
5474 "DomainControllerName is a DNS name",
5475 "DomainControllerName is NOT a dns name"
5476 };
5477 static const true_false_string dc_flags_dns_domain_flag = {
5478 "DomainName is a DNS name",
5479 "DomainName is NOT a dns name"
5480 };
5481 static const true_false_string dc_flags_dns_forest_flag = {
5482 "DnsForestName is a DNS name",
5483 "DnsForestName is NOT a dns name"
5484 };
5485 static int
5486 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
5487 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
5488 {
5489 guint32 mask;
5490 proto_item *item = NULL;
5491 proto_tree *tree = NULL;
5492
5493 if(di->conformant_run){
5494 /*just a run to handle conformant arrays, nothing to dissect */
5495 return offset;
5496 }
5497
5498 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
5499 hf_netlogon_dc_flags, &mask);
5500
5501 if(parent_tree){
5502 item = proto_tree_add_uint_format_value(parent_tree, hf_netlogon_dc_flags,
5503 tvb, offset-4, 4, mask, "0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
5504 tree = proto_item_add_subtree(item, ett_dc_flags);
5505 }
5506
5507 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
5508 tvb, offset-4, 4, mask);
5509 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
5510 tvb, offset-4, 4, mask);
5511 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
5512 tvb, offset-4, 4, mask);
5513 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
5514 tvb, offset-4, 4, mask);
5515 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
5516 tvb, offset-4, 4, mask);
5517 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
5518 tvb, offset-4, 4, mask);
5519 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
5520 tvb, offset-4, 4, mask);
5521 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
5522 tvb, offset-4, 4, mask);
5523 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
5524 tvb, offset-4, 4, mask);
5525 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
5526 tvb, offset-4, 4, mask);
5527 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
5528 tvb, offset-4, 4, mask);
5529 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
5530 tvb, offset-4, 4, mask);
5531 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
5532 tvb, offset-4, 4, mask);
5533
5534 return offset;
5535 }
5536
5537
5538
5539 static int
5540 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
5541 packet_info *pinfo, proto_tree *tree,
5542 dcerpc_info *di, guint8 *drep)
5543 {
5544 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
5545 di->hf_index, NULL);
5546 return offset;
5547 }
5548
5549 #if 0
5550 static int
5551 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
5552 packet_info *pinfo, proto_tree *tree,
5553 dcerpc_info *di, guint8 *drep)
5554 {
5555 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
5556 di->hf_index, NULL);
5557 return offset;
5558 }
5559 #endif
5560
5561 static int
5562 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
5563 packet_info *pinfo, proto_tree *tree,
5564 dcerpc_info *di, guint8 *drep)
5565 {
5566 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
5567 hf_netlogon_unknown_char, NULL);
5568
5569 return offset;
5570 }
5571
5572 static int
5573 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
5574 packet_info *pinfo, proto_tree *tree,
5575 dcerpc_info *di, guint8 *drep)
5576 {
5577 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
5578 netlogon_dissect_UNICODE_MULTI_byte);
5579
5580 return offset;
5581 }
5582
5583 static int
5584 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
5585 packet_info *pinfo, proto_tree *parent_tree,
5586 dcerpc_info *di, guint8 *drep)
5587 {
5588 proto_item *item=NULL;
5589 proto_tree *tree=NULL;
5590 int old_offset=offset;
5591
5592 if(parent_tree){
5593 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5594 "UNICODE_MULTI:");
5595 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
5596 }
5597
5598 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5599 hf_netlogon_len, NULL);
5600
5601 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5602 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
5603 "unknown", hf_netlogon_unknown_string);
5604
5605 proto_item_set_len(item, offset-old_offset);
5606 return offset;
5607 }
5608
5609 static int
5610 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
5611 packet_info *pinfo, proto_tree *parent_tree,
5612 dcerpc_info *di, guint8 *drep)
5613 {
5614 proto_item *item=NULL;
5615 proto_tree *tree=NULL;
5616 int old_offset=offset;
5617
5618 if(parent_tree){
5619 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5620 "DOMAIN_CONTROLLER_INFO:");
5621 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
5622 }
5623
5624 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5625 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
5626
5627 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5628 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
5629
5630 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5631 hf_netlogon_dc_address_type, NULL);
5632
5633 offset = dissect_nt_GUID(tvb, offset,
5634 pinfo, tree, di, drep);
5635
5636 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5637 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
5638
5639 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5640 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
5641
5642 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, di, drep);
5643
5644 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5645 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
5646
5647 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5648 NDR_POINTER_UNIQUE, "Client Site",
5649 hf_netlogon_client_site_name, 0);
5650
5651 proto_item_set_len(item, offset-old_offset);
5652 return offset;
5653 }
5654
5655
5656
5657 static int
5658 dissect_ndr_trust_extension(tvbuff_t *tvb, int offset,
5659 packet_info *pinfo, proto_tree *tree,
5660 dcerpc_info *di, guint8 *drep)
5661 {
5662 guint32 len,max;
5663
5664 if(di->conformant_run){
5665 return offset;
5666 }
5667 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5668 hf_netlogon_trust_max, &max);
5669
5670 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5671 hf_netlogon_trust_offset, NULL);
5672
5673 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5674 hf_netlogon_trust_len, &len);
5675
5676 if( max * 2 == 16 ) {
5677 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
5678
5679 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5680 hf_netlogon_trust_parent_index, NULL);
5681
5682 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5683 hf_netlogon_trust_type, NULL);
5684
5685 offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);
5686 }
5687 /* else do something scream shout .... */
5688
5689 return offset;
5690 }
5691
5692 static int
5693 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
5694 packet_info *pinfo, proto_tree *tree,
5695 dcerpc_info *di, guint8 *drep)
5696 {
5697 guint32 len;
5698
5699 if(di->conformant_run){
5700 return offset;
5701 }
5702
5703 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5704 hf_netlogon_blob_size, &len);
5705
5706 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
5707 ENC_NA);
5708 offset += len;
5709
5710 return offset;
5711 }
5712
5713 static int
5714 dissect_ndr_ulongs_as_counted_string(tvbuff_t *tvb, int offset,
5715 packet_info *pinfo, proto_tree *tree,
5716 dcerpc_info *di, guint8 *drep, int hf_index)
5717 {
5718 guint16 len, size;
5719 gboolean add_subtree = TRUE; /* Manage room for evolution*/
5720 proto_item *item;
5721 proto_tree *subtree = tree;
5722
5723 if (add_subtree) {
5724
5725 item = proto_tree_add_text(
5726 tree, tvb, offset, 0, "%s",
5727 proto_registrar_get_name(hf_index));
5728
5729 subtree = proto_item_add_subtree(item, ett_nt_counted_longs_as_string);
5730 }
5731 /* Structure starts with short, but is aligned for longs */
5732 ALIGN_TO_4_BYTES;
5733
5734 if (di->conformant_run)
5735 return offset;
5736
5737 /*
5738 struct {
5739 short len;
5740 short size;
5741 [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
5742 } UNICODE_STRING;
5743
5744 */
5745
5746 offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
5747 hf_nt_cs_len, &len);
5748 offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
5749 hf_nt_cs_size, &size);
5750 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, subtree, di, drep,
5751 dissect_ndr_trust_extension, NDR_POINTER_UNIQUE,
5752 "Buffer", hf_index,NULL,NULL);
5753 return offset;
5754 }
5755
5756 extern int
5757 lsarpc_dissect_struct_dom_sid2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info *di, guint8 *drep _U_, int unused1 _U_, int unused2 _U_);
5758
5759 static int
5760 DomainInfo_sid_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info *di, guint8 *drep _U_)
5761 {
5762 offset = lsarpc_dissect_struct_dom_sid2(tvb,offset,pinfo,tree,di,drep,DomainInfo_sid,0);
5763
5764 return offset;
5765 }
5766 static int
5767 dissect_element_lsa_DnsDomainInfo_sid(tvbuff_t *tvb , int offset , packet_info *pinfo , proto_tree *tree , dcerpc_info *di, guint8 *drep )
5768 {
5769 offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, DomainInfo_sid_, NDR_POINTER_UNIQUE, "Pointer to Sid (dom_sid2)",DnsDomainInfo_sid);
5770
5771 return offset;
5772 }
5773 static int
5774 dissect_element_lsa_DnsDomainInfo_domain_guid(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info *di, guint8 *drep )
5775 {
5776 offset = dissect_ndr_uuid_t(tvb, offset, pinfo, tree, di, drep, DnsDomainInfo_domain_guid, NULL);
5777
5778 return offset;
5779 }
5780
5781
5782 static int dissect_part_DnsDomainInfo(tvbuff_t *tvb , int offset, packet_info *pinfo, proto_tree *tree , dcerpc_info *di, guint8 *drep, int hf_index _U_, guint32 param _U_)
5783 {
5784
5785 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset,pinfo,tree,di,drep,DnsDomainInfo_name,0);
5786
5787 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset,pinfo,tree,di,drep,DnsDomainInfo_dns_domain,0);
5788
5789 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset,pinfo,tree,di,drep,DnsDomainInfo_dns_forest,0);
5790
5791 offset = dissect_element_lsa_DnsDomainInfo_domain_guid(tvb, offset, pinfo, tree, di, drep);
5792
5793 offset = dissect_element_lsa_DnsDomainInfo_sid(tvb, offset, pinfo, tree, di, drep);
5794
5795
5796 return offset;
5797 }
5798
5799
5800 static int
5801 netlogon_dissect_ONE_DOMAIN_INFO(tvbuff_t *tvb, int offset,
5802 packet_info *pinfo, proto_tree *parent_tree,
5803 dcerpc_info *di, guint8 *drep)
5804 {
5805 proto_item *item=NULL;
5806 proto_tree *tree=NULL;
5807 int old_offset=offset;
5808
5809 if(parent_tree){
5810 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5811 "ONE_DOMAIN_INFO");
5812 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
5813 }
5814 /*hf_netlogon_dnsdomaininfo*/
5815 offset = dissect_part_DnsDomainInfo(tvb, offset, pinfo, tree, di, drep, 0, 0);
5816
5817
5818 /* It is structed as a string but it's not ... it's 4 ulong */
5819 offset = dissect_ndr_ulongs_as_counted_string(tvb, offset, pinfo, tree, di, drep,
5820 hf_netlogon_trust_extention);
5821
5822 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5823 hf_netlogon_dummy_string2, 0);
5824
5825 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5826 hf_netlogon_dummy_string3, 0);
5827
5828 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5829 hf_netlogon_dummy_string4, 0);
5830
5831 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5832 hf_netlogon_dummy1_long, NULL);
5833
5834 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5835 hf_netlogon_dummy2_long, NULL);
5836
5837 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5838 hf_netlogon_dummy3_long, NULL);
5839
5840 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5841 hf_netlogon_dummy4_long, NULL);
5842
5843 proto_item_set_len(item, offset-old_offset);
5844 return offset;
5845 }
5846
5847 static int
5848 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
5849 packet_info *pinfo, proto_tree *tree,
5850 dcerpc_info *di, guint8 *drep)
5851 {
5852 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
5853 netlogon_dissect_ONE_DOMAIN_INFO);
5854
5855 return offset;
5856 }
5857
5858
5859 static int
5860 netlogon_dissect_LSA_POLICY_INFO(tvbuff_t *tvb _U_, int offset,
5861 packet_info *pinfo _U_, proto_tree *tree _U_,
5862 dcerpc_info *di, guint8 *drep _U_ )
5863 {
5864 proto_item *item=NULL;
5865 proto_tree *subtree=NULL;
5866 guint32 len;
5867
5868 if(di->conformant_run){
5869 return offset;
5870 }
5871
5872 if(tree){
5873 item = proto_tree_add_text(tree, tvb, offset, 0,
5874 "LSA Policy");
5875 subtree = proto_item_add_subtree(item, ett_LSA_POLICY_INFO);
5876 }
5877 offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
5878 hf_netlogon_lsapolicy_len, &len);
5879
5880 offset = dissect_ndr_pointer(tvb, offset, pinfo, subtree, di, drep,
5881 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
5882 "Pointer:", -1);
5883
5884 return offset;
5885 }
5886
5887
5888
5889
5890 static int
5891 netlogon_dissect_WORKSTATION_INFO(tvbuff_t *tvb , int offset ,
5892 packet_info *pinfo , proto_tree *tree ,
5893 dcerpc_info *di, guint8 *drep )
5894 {
5895 /* This is not the good way to do it ... it stinks ...
5896 * but after half of a day fighting against wireshark and ndr ...
5897 * I decided to keep this hack ...
5898 * At least data are correctly displayed without invented ints ...
5899 */
5900 offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset,
5901 pinfo, tree, di, drep);
5902
5903 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5904 NDR_POINTER_UNIQUE, "Workstation FQDN",
5905 hf_netlogon_workstation_fqdn, 0);
5906
5907 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5908 NDR_POINTER_UNIQUE, "Workstation Site",
5909 hf_netlogon_workstation_site_name, 0);
5910
5911 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5912 NDR_POINTER_UNIQUE, "Dummy 1", hf_netlogon_dummy_string, 0);
5913
5914 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5915 NDR_POINTER_UNIQUE, "Dummy 2", hf_netlogon_dummy_string2, 0);
5916
5917 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5918 NDR_POINTER_UNIQUE, "Dummy 3", hf_netlogon_dummy_string3, 0);
5919
5920 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5921 NDR_POINTER_UNIQUE, "Dummy 4", hf_netlogon_dummy_string4, 0);
5922
5923 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5924 hf_netlogon_os_version, 0);
5925
5926 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5927 hf_netlogon_workstation_os, 0);
5928
5929 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5930 hf_netlogon_dummy_string3, 0);
5931
5932 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5933 hf_netlogon_dummy_string4, 0);
5934
5935 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5936 hf_netlogon_workstation_flags, NULL);
5937
5938 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5939 hf_netlogon_dummy2_long, NULL);
5940
5941 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5942 hf_netlogon_dummy3_long, NULL);
5943
5944 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5945 hf_netlogon_dummy4_long, NULL);
5946 return offset;
5947 }
5948
5949 static int
5950 netlogon_dissect_WORKSTATION_INFORMATION(tvbuff_t *tvb , int offset ,
5951 packet_info *pinfo , proto_tree *tree ,
5952 dcerpc_info *di, guint8 *drep ) {
5953
5954 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5955 netlogon_dissect_WORKSTATION_INFO, NDR_POINTER_UNIQUE,
5956 "WORKSTATION INFO", -1);
5957 return offset;
5958 }
5959
5960 static int
5961 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
5962 packet_info *pinfo, proto_tree *tree,
5963 dcerpc_info *di, guint8 *drep)
5964 {
5965 offset = netlogon_dissect_ONE_DOMAIN_INFO(tvb, offset, pinfo, tree, di, drep);
5966
5967 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5968 hf_netlogon_num_trusts, NULL);
5969
5970 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5971 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
5972 "DOMAIN_TRUST_ARRAY: Trusted domains", -1);
5973
5974 offset = netlogon_dissect_LSA_POLICY_INFO(tvb,offset,pinfo, tree,di,drep);
5975
5976 /* offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5977 hf_netlogon_num_trusts, NULL);
5978
5979 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5980 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
5981 "LSA Policy", -1);
5982 */
5983 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5984 hf_netlogon_ad_client_dns_name, 0);
5985
5986 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5987 hf_netlogon_dummy_string2, 0);
5988
5989 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5990 hf_netlogon_dummy_string3, 0);
5991
5992 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5993 hf_netlogon_dummy_string4, 0);
5994
5995 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5996 hf_netlogon_workstation_flags, NULL);
5997
5998 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5999 hf_netlogon_supportedenctypes, NULL);
6000
6001 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6002 hf_netlogon_dummy3_long, NULL);
6003
6004 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6005 hf_netlogon_dummy4_long, NULL);
6006
6007 return offset;
6008 }
6009
6010
6011 static int
6012 netlogon_dissect_DOMAIN_INFORMATION(tvbuff_t *tvb, int offset,
6013 packet_info *pinfo, proto_tree *tree,
6014 dcerpc_info *di, guint8 *drep)
6015 {
6016 guint32 level = 0;
6017
6018 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6019 hf_netlogon_level, &level);
6020
6021 ALIGN_TO_4_BYTES;
6022 switch(level){
6023 case 1:
6024 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6025 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
6026 "DOMAIN_INFO", -1);
6027 break;
6028 }
6029
6030 return offset;
6031 }
6032
6033 static int
6034 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
6035 packet_info *pinfo, proto_tree *parent_tree,
6036 dcerpc_info *di, guint8 *drep)
6037 {
6038 proto_item *item=NULL;
6039 proto_tree *tree=NULL;
6040 int old_offset=offset;
6041 int i;
6042
6043 if(parent_tree){
6044 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6045 "UNICODE_STRING_512:");
6046 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
6047 }
6048
6049 for(i=0;i<512;i++){
6050 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
6051 hf_netlogon_unknown_short, NULL);
6052 }
6053
6054 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6055 hf_netlogon_unknown_long, NULL);
6056
6057 proto_item_set_len(item, offset-old_offset);
6058 return offset;
6059 }
6060
6061 static int
6062 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
6063 packet_info *pinfo, proto_tree *tree,
6064 dcerpc_info *di, guint8 *drep)
6065 {
6066 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6067 hf_netlogon_unknown_char, NULL);
6068
6069 return offset;
6070 }
6071
6072 static int
6073 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
6074 packet_info *pinfo, proto_tree *tree,
6075 dcerpc_info *di, guint8 *drep)
6076 {
6077 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6078 netlogon_dissect_element_844_byte);
6079
6080 return offset;
6081 }
6082
6083 static int
6084 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
6085 packet_info *pinfo, proto_tree *parent_tree,
6086 dcerpc_info *di, guint8 *drep)
6087 {
6088 proto_item *item=NULL;
6089 proto_tree *tree=NULL;
6090 int old_offset=offset;
6091
6092 if(parent_tree){
6093 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6094 "TYPE_50:");
6095 tree = proto_item_add_subtree(item, ett_TYPE_50);
6096 }
6097
6098 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6099 hf_netlogon_unknown_long, NULL);
6100
6101 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6102 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
6103 "unknown", hf_netlogon_unknown_string);
6104
6105 proto_item_set_len(item, offset-old_offset);
6106 return offset;
6107 }
6108
6109 static int
6110 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
6111 packet_info *pinfo, proto_tree *tree,
6112 dcerpc_info *di, guint8 *drep)
6113 {
6114 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6115 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
6116 "TYPE_50 pointer: unknown_TYPE_50", -1);
6117
6118 return offset;
6119 }
6120
6121 static int
6122 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
6123 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
6124 {
6125 guint32 tmp;
6126 proto_item *item=NULL;
6127 proto_tree *tree=NULL;
6128 int old_offset=offset;
6129
6130 if(parent_tree){
6131 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6132 "DS_DOMAIN_TRUSTS");
6133 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
6134 }
6135
6136 /* name */
6137 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6138 NDR_POINTER_UNIQUE, "NetBIOS Name",
6139 hf_netlogon_downlevel_domain_name, 0);
6140
6141 /* domain */
6142 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6143 NDR_POINTER_UNIQUE, "DNS Domain Name",
6144 hf_netlogon_dns_domain_name, 0);
6145
6146 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
6147
6148 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6149 hf_netlogon_trust_parent_index, &tmp);
6150
6151 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6152 hf_netlogon_trust_type, &tmp);
6153
6154 offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);
6155
6156 /* SID pointer */
6157 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
6158
6159 /* GUID */
6160 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, di, drep);
6161
6162 proto_item_set_len(item, offset-old_offset);
6163 return offset;
6164 }
6165
6166 static int
6167 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
6168 packet_info *pinfo, proto_tree *tree,
6169 dcerpc_info *di, guint8 *drep)
6170 {
6171 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6172 netlogon_dissect_DS_DOMAIN_TRUSTS);
6173
6174 return offset;
6175 }
6176
6177 static int
6178 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
6179 packet_info *pinfo, proto_tree *tree,
6180 dcerpc_info *di, guint8 *drep)
6181 {
6182 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6183 hf_netlogon_unknown_char, NULL);
6184
6185 return offset;
6186 }
6187
6188 static int
6189 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
6190 packet_info *pinfo, proto_tree *tree,
6191 dcerpc_info *di, guint8 *drep)
6192 {
6193 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6194 netlogon_dissect_element_865_byte);
6195
6196 return offset;
6197 }
6198
6199 static int
6200 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
6201 packet_info *pinfo, proto_tree *tree,
6202 dcerpc_info *di, guint8 *drep)
6203 {
6204 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6205 hf_netlogon_unknown_char, NULL);
6206
6207 return offset;
6208 }
6209
6210 static int
6211 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
6212 packet_info *pinfo, proto_tree *tree,
6213 dcerpc_info *di, guint8 *drep)
6214 {
6215 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6216 netlogon_dissect_element_866_byte);
6217
6218 return offset;
6219 }
6220
6221 static int
6222 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
6223 packet_info *pinfo, proto_tree *parent_tree,
6224 dcerpc_info *di, guint8 *drep)
6225 {
6226 proto_item *item=NULL;
6227 proto_tree *tree=NULL;
6228 int old_offset=offset;
6229
6230 if(parent_tree){
6231 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6232 "TYPE_52:");
6233 tree = proto_item_add_subtree(item, ett_TYPE_52);
6234 }
6235
6236 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6237 hf_netlogon_unknown_long, NULL);
6238
6239 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6240 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
6241 "unknown", hf_netlogon_unknown_string);
6242
6243 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6244 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
6245 "unknown", hf_netlogon_unknown_string);
6246
6247 proto_item_set_len(item, offset-old_offset);
6248 return offset;
6249 }
6250
6251 static int
6252 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
6253 packet_info *pinfo, proto_tree *tree,
6254 dcerpc_info *di, guint8 *drep)
6255 {
6256 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6257 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
6258 "TYPE_52 pointer: unknown_TYPE_52", -1);
6259 return offset;
6260 }
6261
6262
6263 static int
6264 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
6265 packet_info *pinfo, proto_tree *parent_tree,
6266 dcerpc_info *di, guint8 *drep)
6267 {
6268 proto_item *item=NULL;
6269 proto_tree *tree=NULL;
6270 int old_offset=offset;
6271 guint32 level = 0;
6272
6273 if(parent_tree){
6274 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6275 "TYPE_44:");
6276 tree = proto_item_add_subtree(item, ett_TYPE_44);
6277 }
6278
6279 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6280 hf_netlogon_level, &level);
6281
6282 ALIGN_TO_4_BYTES;
6283 switch(level){
6284 case 1:
6285 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6286 hf_netlogon_unknown_long, NULL);
6287 break;
6288 }
6289
6290 proto_item_set_len(item, offset-old_offset);
6291 return offset;
6292 }
6293
6294 static int
6295 netlogon_dissect_WORKSTATION_BUFFER(tvbuff_t *tvb, int offset,
6296 packet_info *pinfo, proto_tree *tree,
6297 dcerpc_info *di, guint8 *drep)
6298 {
6299 guint32 level;
6300
6301 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6302 hf_netlogon_level, &level);
6303 if (level == 2) {
6304 /* Specs are not very clear (as usual ...) it seems that the
6305 * structure in both case is a NETLOGON_WORKSTATION_INFO
6306 * but in this case only the LSA POLICY INFO will contain
6307 * something
6308 */
6309 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6310 netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
6311 "LSA POLICY INFO", -1);
6312 }
6313 else {
6314 if (level == 1) {
6315 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6316 netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
6317 "WORKSTATION INFORMATION", -1);}
6318 }
6319 return offset;
6320 }
6321
6322 static int
6323 netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
6324 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6325 {
6326 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6327 pinfo, tree, di, drep);
6328
6329 return offset;
6330 }
6331
6332
6333 static int
6334 netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
6335 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6336 {
6337 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6338 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
6339 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
6340
6341 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6342 hf_netlogon_dos_rc, NULL);
6343
6344 return offset;
6345 }
6346
6347 static int
6348 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
6349 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6350 {
6351 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6352 pinfo, tree, di, drep);
6353
6354 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6355 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6356
6357 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6358 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6359 "GUID pointer: domain_guid", -1);
6360
6361 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6362 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6363 "GUID pointer: site_guid", -1);
6364
6365 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6366 hf_netlogon_flags, NULL);
6367
6368 return offset;
6369 }
6370
6371
6372 static int
6373 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
6374 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6375 {
6376 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6377 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
6378 "DOMAIN_CONTROLLER_INFO:", -1);
6379
6380 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6381 hf_netlogon_dos_rc, NULL);
6382
6383 return offset;
6384 }
6385
6386 static int
6387 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
6388 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6389 {
6390 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6391 pinfo, tree, di, drep);
6392
6393 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6394 NDR_POINTER_UNIQUE, "unknown string",
6395 hf_netlogon_unknown_string, 0);
6396
6397 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6398 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6399 "AUTHENTICATOR: credential", -1);
6400
6401 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6402 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6403 "AUTHENTICATOR: return_authenticator", -1);
6404
6405 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6406 hf_netlogon_unknown_long, NULL);
6407
6408 return offset;
6409 }
6410
6411
6412 static int
6413 netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
6414 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6415 {
6416 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6417 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6418 "AUTHENTICATOR: return_authenticator", -1);
6419
6420 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6421 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
6422 "TYPE_44 pointer: unknown_TYPE_44", -1);
6423
6424 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6425 hf_netlogon_rc, NULL);
6426
6427 return offset;
6428 }
6429
6430 static int
6431 netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
6432 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6433 {
6434 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6435 pinfo, tree, di, drep);
6436
6437 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6438 hf_netlogon_unknown_long, NULL);
6439
6440 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6441 hf_netlogon_unknown_long, NULL);
6442
6443 return offset;
6444 }
6445
6446
6447 static int
6448 netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
6449 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6450 {
6451 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6452 hf_netlogon_rc, NULL);
6453
6454 return offset;
6455 }
6456
6457
6458 static int
6459 netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
6460 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6461 {
6462 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6463 pinfo, tree, di, drep);
6464
6465 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6466 NDR_POINTER_UNIQUE, "unknown string",
6467 hf_netlogon_unknown_string, 0);
6468
6469 return offset;
6470 }
6471
6472
6473 static int
6474 netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
6475 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6476 {
6477 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6478 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6479 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6480
6481 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6482 hf_netlogon_rc, NULL);
6483
6484 return offset;
6485 }
6486
6487
6488 static int
6489 netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
6490 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6491 {
6492 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6493 pinfo, tree, di, drep);
6494
6495 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6496 hf_netlogon_unknown_long, NULL);
6497
6498 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6499 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6500 "BYTE pointer: unknown_BYTE", -1);
6501
6502 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6503 hf_netlogon_unknown_long, NULL);
6504
6505 return offset;
6506 }
6507
6508 static int
6509 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
6510 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6511 {
6512 int i;
6513
6514 for(i=0;i<16;i++){
6515 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6516 hf_netlogon_unknown_char, NULL);
6517 }
6518
6519 return offset;
6520 }
6521
6522 static int
6523 netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
6524 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6525 {
6526 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6527 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
6528 "BYTE pointer: unknown_BYTE", -1);
6529
6530 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6531 hf_netlogon_rc, NULL);
6532
6533 return offset;
6534 }
6535
6536 static int
6537 netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
6538 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6539 {
6540 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6541 pinfo, tree, di, drep);
6542
6543 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6544 NDR_POINTER_UNIQUE, "unknown string",
6545 hf_netlogon_unknown_string, 0);
6546
6547 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6548 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6549 "BYTE pointer: unknown_BYTE", -1);
6550
6551 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6552 hf_netlogon_unknown_long, NULL);
6553
6554 return offset;
6555 }
6556
6557
6558 static int
6559 netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
6560 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6561 {
6562 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6563 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
6564 "BYTE pointer: unknown_BYTE", -1);
6565
6566 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6567 hf_netlogon_rc, NULL);
6568
6569 return offset;
6570 }
6571 static int netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,guint32 flags,int offset)
6572 {
6573 if (tree) {
6574 proto_tree *negotiate_flags_tree = NULL;
6575 proto_item *tf = NULL;
6576 tf = proto_tree_add_uint (tree,
6577 hf_netlogon_neg_flags,
6578 tvb, offset, 4,flags);
6579 negotiate_flags_tree = proto_item_add_subtree (tf,ett_authenticate_flags);
6580
6581 #if 0
6582 proto_tree_add_boolean (negotiate_flags_tree,
6583 hf_netlogon_neg_flags_80000000,
6584 tvb, offset, 4, flags);
6585 #endif
6586 proto_tree_add_boolean (negotiate_flags_tree,
6587 hf_netlogon_neg_flags_40000000,
6588 tvb, offset, 4, flags);
6589 proto_tree_add_boolean (negotiate_flags_tree,
6590 hf_netlogon_neg_flags_20000000,
6591 tvb, offset, 4, flags);
6592 #if 0
6593 proto_tree_add_boolean (negotiate_flags_tree,
6594 hf_netlogon_neg_flags_10000000,
6595 tvb, offset, 4, flags);
6596 proto_tree_add_boolean (negotiate_flags_tree,
6597 hf_netlogon_neg_flags_8000000,
6598 tvb, offset, 4, flags);
6599 proto_tree_add_boolean (negotiate_flags_tree,
6600 hf_netlogon_neg_flags_4000000,
6601 tvb, offset, 4, flags);
6602 proto_tree_add_boolean (negotiate_flags_tree,
6603 hf_netlogon_neg_flags_2000000,
6604 tvb, offset, 4, flags);
6605 proto_tree_add_boolean (negotiate_flags_tree,
6606 hf_netlogon_neg_flags_800000,
6607 tvb, offset, 4, flags);
6608 #endif
6609 proto_tree_add_boolean (negotiate_flags_tree,
6610 hf_netlogon_neg_flags_1000000,
6611 tvb, offset, 4, flags);
6612 proto_tree_add_boolean (negotiate_flags_tree,
6613 hf_netlogon_neg_flags_400000,
6614 tvb, offset, 4, flags);
6615 proto_tree_add_boolean (negotiate_flags_tree,
6616 hf_netlogon_neg_flags_200000,
6617 tvb, offset, 4, flags);
6618 proto_tree_add_boolean (negotiate_flags_tree,
6619 hf_netlogon_neg_flags_100000,
6620 tvb, offset, 4, flags);
6621 proto_tree_add_boolean (negotiate_flags_tree,
6622 hf_netlogon_neg_flags_80000,
6623 tvb, offset, 4, flags);
6624 proto_tree_add_boolean (negotiate_flags_tree,
6625 hf_netlogon_neg_flags_40000,
6626 tvb, offset, 4, flags);
6627 proto_tree_add_boolean (negotiate_flags_tree,
6628 hf_netlogon_neg_flags_20000,
6629 tvb, offset, 4, flags);
6630 proto_tree_add_boolean (negotiate_flags_tree,
6631 hf_netlogon_neg_flags_10000,
6632 tvb, offset, 4, flags);
6633 proto_tree_add_boolean (negotiate_flags_tree,
6634 hf_netlogon_neg_flags_8000,
6635 tvb, offset, 4, flags);
6636 proto_tree_add_boolean (negotiate_flags_tree,
6637 hf_netlogon_neg_flags_4000,
6638 tvb, offset, 4, flags);
6639 proto_tree_add_boolean (negotiate_flags_tree,
6640 hf_netlogon_neg_flags_2000,
6641 tvb, offset, 4, flags);
6642 proto_tree_add_boolean (negotiate_flags_tree,
6643 hf_netlogon_neg_flags_1000,
6644 tvb, offset, 4, flags);
6645 proto_tree_add_boolean (negotiate_flags_tree,
6646 hf_netlogon_neg_flags_800,
6647 tvb, offset, 4, flags);
6648 proto_tree_add_boolean (negotiate_flags_tree,
6649 hf_netlogon_neg_flags_400,
6650 tvb, offset, 4, flags);
6651 proto_tree_add_boolean (negotiate_flags_tree,
6652 hf_netlogon_neg_flags_200,
6653 tvb, offset, 4, flags);
6654 proto_tree_add_boolean (negotiate_flags_tree,
6655 hf_netlogon_neg_flags_100,
6656 tvb, offset, 4, flags);
6657 proto_tree_add_boolean (negotiate_flags_tree,
6658 hf_netlogon_neg_flags_80,
6659 tvb, offset, 4, flags);
6660 proto_tree_add_boolean (negotiate_flags_tree,
6661 hf_netlogon_neg_flags_40,
6662 tvb, offset, 4, flags);
6663 proto_tree_add_boolean (negotiate_flags_tree,
6664 hf_netlogon_neg_flags_20,
6665 tvb, offset, 4, flags);
6666 proto_tree_add_boolean (negotiate_flags_tree,
6667 hf_netlogon_neg_flags_10,
6668 tvb, offset, 4, flags);
6669 proto_tree_add_boolean (negotiate_flags_tree,
6670 hf_netlogon_neg_flags_8,
6671 tvb, offset, 4, flags);
6672 proto_tree_add_boolean (negotiate_flags_tree,
6673 hf_netlogon_neg_flags_4,
6674 tvb, offset, 4, flags);
6675 proto_tree_add_boolean (negotiate_flags_tree,
6676 hf_netlogon_neg_flags_2,
6677 tvb, offset, 4, flags);
6678 proto_tree_add_boolean (negotiate_flags_tree,
6679 hf_netlogon_neg_flags_1,
6680 tvb, offset, 4, flags);
6681 }
6682 return 0;
6683 }
6684
6685 static int
6686 netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
6687 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6688 {
6689 guint32 flags;
6690 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6691 pinfo, tree, di, drep);
6692 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6693 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
6694
6695 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
6696 pinfo, tree, di, drep);
6697
6698 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6699 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
6700
6701 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
6702 hf_client_credential, NULL);
6703 #if 0
6704 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6705 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
6706 "Client Challenge", -1);
6707 #endif
6708
6709 #if 0
6710 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6711 hf_netlogon_neg_flags, NULL);
6712 #endif
6713 ALIGN_TO_4_BYTES;
6714
6715 flags = tvb_get_letohl (tvb, offset);
6716 netlogon_dissect_neg_options(tvb,tree,flags,offset);
6717 seen.isseen = FALSE;
6718 seen.num = 0;
6719 offset +=4;
6720 return offset;
6721 }
6722
6723 /*
6724 * IDL long NetrServerAuthenticate2(
6725 * IDL [in][string][unique] wchar_t *logonserver,
6726 * IDL [in][ref][string] wchar_t *username,
6727 * IDL [in] short secure_channel_type,
6728 * IDL [in][ref][string] wchar_t *computername,
6729 * IDL [in][ref] CREDENTIAL *client_chal,
6730 * IDL [out][ref] CREDENTIAL *server_chal,
6731 * IDL [in][out][ref] long *negotiate_flags,
6732 * IDL );
6733 */
6734 static int
6735 netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
6736 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6737 {
6738 return netlogon_dissect_netrserverauthenticate3_rqst(tvb,offset,pinfo,tree,di,drep);
6739 }
6740
6741 #ifdef HAVE_KERBEROS
6742 static void str_to_unicode(const char *nt_password, char *nt_password_unicode)
6743 {
6744 size_t password_len = 0;
6745 size_t i;
6746
6747 password_len = strlen(nt_password);
6748 if(nt_password_unicode != NULL)
6749 {
6750 for(i=0;i<(password_len);i++)
6751 {
6752 nt_password_unicode[i*2]=nt_password[i];
6753 nt_password_unicode[i*2+1]=0;
6754 }
6755 nt_password_unicode[2*password_len]='\0';
6756 }
6757 }
6758 #endif
6759
6760 static guint32 get_keytab_as_list(md4_pass **p_pass_list,const char* ntlm_pass _U_)
6761 {
6762 #ifdef HAVE_KERBEROS
6763 enc_key_t *ek;
6764 md4_pass* pass_list;
6765 md4_pass ntlm_pass_hash;
6766 int i = 0;
6767 guint32 nb_pass = 0;
6768 char ntlm_pass_unicode[258];
6769 int add_ntlm = 0;
6770 int password_len;
6771
6772 if(!krb_decrypt){
6773 *p_pass_list=NULL;
6774 return 0;
6775 }
6776 read_keytab_file_from_preferences();
6777 memset(ntlm_pass_hash.md4,0,sizeof(md4_pass));
6778
6779 for(ek=enc_key_list;ek;ek=ek->next){
6780 if( ek->keylength == 16 ) {
6781 nb_pass++;
6782 }
6783 }
6784
6785 if (ntlm_pass[0] != '\0' && ( strlen(ntlm_pass) < 129 )) {
6786 nb_pass++;
6787 debugprintf("Password: %s\n",ntlm_pass);
6788 password_len = (int)strlen(ntlm_pass);
6789 str_to_unicode(ntlm_pass,ntlm_pass_unicode);
6790 crypt_md4(ntlm_pass_hash.md4,ntlm_pass_unicode,password_len*2);
6791 printnbyte(ntlm_pass_hash.md4,16,"Hash of the NT pass: ","\n");
6792 add_ntlm = 1;
6793 }
6794
6795 *p_pass_list = (md4_pass *)wmem_alloc(wmem_packet_scope(), nb_pass*sizeof(md4_pass));
6796 pass_list=*p_pass_list;
6797 if(add_ntlm) {
6798 memcpy(pass_list[0].md4,&(ntlm_pass_hash.md4),sizeof(md4_pass));
6799 i++;
6800 }
6801
6802 for(ek=enc_key_list;ek;ek=ek->next){
6803 if( ek->keylength == 16 ) {
6804 memcpy(pass_list[i].md4,ek->keyvalue,16);
6805 i++;
6806 }
6807 }
6808 return nb_pass;
6809 #else
6810 *p_pass_list = NULL;
6811 return 0;
6812 #endif
6813 }
6814
6815 static int
6816 netlogon_dissect_netrserverauthenticate23_reply(tvbuff_t *tvb, int offset,
6817 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int version3)
6818 {
6819 guint32 flags;
6820 netlogon_auth_vars *vars;
6821 netlogon_auth_key key;
6822 guint64 server_cred;
6823
6824 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
6825 hf_server_credential, &server_cred);
6826
6827 flags = tvb_get_letohl (tvb, offset);
6828 netlogon_dissect_neg_options(tvb,tree,flags,offset);
6829 offset +=4;
6830
6831 ALIGN_TO_4_BYTES;
6832 if(version3) {
6833 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
6834 hf_server_rid, NULL);
6835 }
6836 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6837 hf_netlogon_rc, NULL);
6838
6839 generate_hash_key(pinfo, 1 , &key, NULL);
6840
6841 vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths, &key);
6842 if(vars != NULL) {
6843 debugprintf("Found some vars (ie. server/client challenges), let's see if I can get a session key\n");
6844 debugprintf("Context Id = %d \n", pinfo->dcectxid);
6845 while(vars != NULL && vars->next_start != -1 && vars->next_start < (int) pinfo->fd->num ) {
6846 debugprintf("looping auth reply...\n");
6847 vars = vars->next;
6848 }
6849 if(vars == NULL ) {
6850 debugprintf("Something strange happened while searching for authenticate_reply\n");
6851 }
6852 else {
6853 md4_pass *pass_list=NULL;
6854 guint32 list_size = 0;
6855 guint8 session_key[16];
6856 md4_pass password;
6857 int found = 0;
6858 unsigned int i = 0;
6859
6860 vars->flags = flags;
6861 vars->can_decrypt = FALSE;
6862 list_size = get_keytab_as_list(&pass_list,gbl_nt_password);
6863 debugprintf("Found %d passwords \n",list_size);
6864 if( flags & NETLOGON_FLAG_STRONGKEY ) {
6865 guint8 zeros[4];
6866 guint8 md5[16];
6867 md5_state_t md5state;
6868 guint8 buf[8];
6869 guint64 calculated_cred;
6870
6871
6872 memset(zeros,0,4);
6873 md5_init(&md5state);
6874 md5_append(&md5state,zeros,4);
6875 md5_append(&md5state,(unsigned char*)&vars->client_challenge,8);
6876 md5_append(&md5state,(unsigned char*)&vars->server_challenge,8);
6877 md5_finish(&md5state,md5);
6878 printnbyte(md5,8,"MD5:","\n");
6879 printnbyte((guint8*)&vars->client_challenge,8,"Client challenge:","\n");
6880 printnbyte((guint8*)&vars->server_challenge,8,"Server challenge:","\n");
6881 printnbyte((guint8*)&server_cred,8,"Server creds:","\n");
6882 for(i=0;i<list_size;i++)
6883 {
6884 password = pass_list[i];
6885 md5_hmac(md5,16,(guint8*) &password,16,session_key);
6886 crypt_des_ecb(buf,(unsigned char*)&vars->server_challenge,session_key,1);
6887 crypt_des_ecb((unsigned char*)&calculated_cred,buf,session_key+7,1);
6888 #if 0
6889 printnbyte((guint8*)&calculated_cred,8,"Calculated creds:","\n");
6890 #endif
6891 if(calculated_cred==server_cred) {
6892 found = 1;
6893 break;
6894 }
6895 }
6896 }
6897 else if( flags&NETLOGON_FLAG_USEAES)
6898 {
6899 /*Not implemented*/
6900 debugprintf("AES not supported yet\n");
6901 memset(session_key,0,16);
6902 }
6903 else
6904 {
6905 /*Not implemented*/
6906 debugprintf("Else case not implemented\n");
6907 memset(session_key,0,16);
6908 }
6909 if(found) {
6910 memcpy(&vars->session_key,session_key,16);
6911 debugprintf("Found the good session key !\n");
6912 }
6913 else {
6914 debugprintf("Session key not found !\n");
6915 memset(&vars->session_key,0,16);
6916 }
6917 }
6918 } else {
6919 printnbyte((guint8*)&vars->session_key, 16, "Session key:","\n");
6920 }
6921
6922 return offset;
6923 }
6924
6925 static int
6926 netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
6927 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6928 {
6929 return netlogon_dissect_netrserverauthenticate23_reply(tvb,offset,pinfo,tree,di,drep,1);
6930 }
6931
6932 static int
6933 netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
6934 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6935 {
6936 return netlogon_dissect_netrserverauthenticate23_reply(tvb,offset,pinfo,tree,di,drep,0);
6937 }
6938
6939
6940 static int
6941 netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
6942 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6943 {
6944 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6945 pinfo, tree, di, drep);
6946
6947 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6948 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6949
6950 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6951 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6952 "GUID pointer: domain_guid", -1);
6953
6954 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6955 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
6956
6957 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, di, drep);
6958
6959 return offset;
6960 }
6961
6962
6963 static int
6964 netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
6965 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6966 {
6967 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6968 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
6969 "DOMAIN_CONTROLLER_INFO:", -1);
6970
6971 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6972 hf_netlogon_rc, NULL);
6973
6974 return offset;
6975 }
6976
6977 static int
6978 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
6979 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6980 {
6981 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6982 pinfo, tree, di, drep);
6983
6984 return offset;
6985 }
6986
6987
6988 static int
6989 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
6990 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6991 {
6992
6993 /* XXX hmmm this does not really look like a UNIQUE pointer but
6994 will do for now. I think it is really a 32bit integer followed by
6995 a REF pointer to a unicode string */
6996 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
6997 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name",
6998 hf_netlogon_site_name, cb_wstr_postprocess,
6999 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
7000
7001 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7002 hf_netlogon_dos_rc, NULL);
7003
7004 return offset;
7005 }
7006
7007 static int
7008 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
7009 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7010 {
7011 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
7012 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7013 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
7014 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7015 NDR_POINTER_UNIQUE, "Computer Name",
7016 hf_netlogon_computer_name, 0);
7017
7018 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7019 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7020 "AUTHENTICATOR: client", -1);
7021
7022 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7023 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7024 "AUTHENTICATOR: return_authenticator", -1);
7025 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7026 netlogon_dissect_WORKSTATION_BUFFER, NDR_POINTER_REF,
7027 "WORKSTATION_BUFFER", -1);
7028 return offset;
7029 }
7030
7031
7032 static int
7033 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
7034 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7035 {
7036 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7037 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7038 "AUTHENTICATOR: return_authenticator", -1);
7039
7040 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7041 netlogon_dissect_DOMAIN_INFORMATION, NDR_POINTER_REF,
7042 "DOMAIN_INFORMATION", -1);
7043
7044 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7045 hf_netlogon_rc, NULL);
7046
7047 return offset;
7048 }
7049
7050 static int
7051 netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
7052 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7053 {
7054 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7055 pinfo, tree, di, drep);
7056
7057 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7058 NDR_POINTER_UNIQUE, "unknown string",
7059 hf_netlogon_unknown_string, 0);
7060
7061 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7062 hf_netlogon_unknown_short, NULL);
7063
7064 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7065 NDR_POINTER_UNIQUE, "unknown string",
7066 hf_netlogon_unknown_string, 0);
7067
7068 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7069 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7070 "AUTHENTICATOR: credential", -1);
7071
7072 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
7073 pinfo, tree, di, drep);
7074
7075 return offset;
7076 }
7077
7078
7079 static int
7080 netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
7081 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7082 {
7083 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7084 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
7085 "AUTHENTICATOR: return_authenticator", -1);
7086
7087 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7088 hf_netlogon_rc, NULL);
7089
7090 return offset;
7091 }
7092
7093 static int
7094 netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
7095 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7096 {
7097 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7098 pinfo, tree, di, drep);
7099
7100 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7101 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
7102
7103 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
7104 pinfo, tree, di, drep);
7105
7106 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7107 NDR_POINTER_UNIQUE, "Computer Name",
7108 hf_netlogon_computer_name, 0);
7109
7110 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7111 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7112 "AUTHENTICATOR: credential", -1);
7113
7114 return offset;
7115 }
7116
7117
7118 static int
7119 netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
7120 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7121 {
7122 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7123 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7124 "AUTHENTICATOR: return_authenticator", -1);
7125
7126 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7127 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
7128 "LM_OWF_PASSWORD pointer: server_pwd", -1);
7129
7130 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7131 hf_netlogon_rc, NULL);
7132
7133 return offset;
7134 }
7135
7136 static int
7137 netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
7138 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7139 {
7140 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7141 pinfo, tree, di, drep);
7142
7143 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7144 NDR_POINTER_UNIQUE, "unknown string",
7145 hf_netlogon_unknown_string, 0);
7146
7147 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7148 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7149 "AUTHENTICATOR: credential", -1);
7150
7151 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7152 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
7153 "BYTE pointer: unknown_BYTE", -1);
7154
7155 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7156 hf_netlogon_unknown_long, NULL);
7157
7158 return offset;
7159 }
7160
7161
7162 static int
7163 netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
7164 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7165 {
7166 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7167 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
7168 "AUTHENTICATOR: return_authenticator", -1);
7169
7170 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7171 hf_netlogon_rc, NULL);
7172
7173 return offset;
7174 }
7175
7176 static int
7177 netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
7178 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7179 {
7180 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7181 pinfo, tree, di, drep);
7182
7183 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7184 hf_netlogon_unknown_long, NULL);
7185
7186 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7187 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
7188 "BYTE pointer: unknown_BYTE", -1);
7189
7190 return offset;
7191 }
7192
7193
7194 static int
7195 netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
7196 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7197 {
7198 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7199 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
7200 "TYPE_50** pointer: unknown_TYPE_50", -1);
7201
7202 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7203 hf_netlogon_rc, NULL);
7204
7205 return offset;
7206 }
7207
7208 static int
7209 netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
7210 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7211 {
7212 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7213 pinfo, tree, di, drep);
7214
7215 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7216 NDR_POINTER_UNIQUE, "Client Account",
7217 hf_netlogon_acct_name, 0);
7218
7219 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7220 hf_netlogon_unknown_long, NULL);
7221
7222 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7223 NDR_POINTER_UNIQUE, "Client Account",
7224 hf_netlogon_logon_dom, 0);
7225
7226 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7227 dissect_nt_GUID, NDR_POINTER_UNIQUE,
7228 "Domain GUID:", -1);
7229
7230 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7231 NDR_POINTER_UNIQUE, "Client Site",
7232 hf_netlogon_site_name, 0);
7233
7234 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7235 hf_netlogon_unknown_long, NULL);
7236
7237 return offset;
7238 }
7239
7240
7241 static int
7242 netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
7243 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7244 {
7245 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7246 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
7247 "DOMAIN_CONTROLLER_INFO:", -1);
7248
7249 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7250 hf_netlogon_dos_rc, NULL);
7251
7252 return offset;
7253 }
7254
7255 static int
7256 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
7257 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7258 {
7259 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7260 pinfo, tree, di, drep);
7261
7262 return offset;
7263 }
7264
7265
7266 static int
7267 netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
7268 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7269 {
7270 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7271 NDR_POINTER_UNIQUE, "unknown string",
7272 hf_netlogon_unknown_string, 0);
7273
7274 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7275 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
7276 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
7277
7278 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7279 hf_netlogon_rc, NULL);
7280
7281 return offset;
7282 }
7283
7284 static int
7285 netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
7286 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7287 {
7288 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7289 pinfo, tree, di, drep);
7290
7291 return offset;
7292 }
7293
7294 static int
7295 netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
7296 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7297 {
7298 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7299 hf_netlogon_entries, NULL);
7300
7301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7302 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
7303 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
7304
7305 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7306 hf_netlogon_rc, NULL);
7307
7308 return offset;
7309 }
7310
7311 static int
7312 netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
7313 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7314 {
7315 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7316 pinfo, tree, di, drep);
7317
7318 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7319 hf_netlogon_unknown_long, NULL);
7320
7321 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7322 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
7323 "BYTE pointer: unknown_BYTE", -1);
7324
7325 return offset;
7326 }
7327
7328
7329 static int
7330 netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
7331 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7332 {
7333 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7334 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
7335 "TYPE_52 pointer: unknown_TYPE_52", -1);
7336
7337 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7338 hf_netlogon_rc, NULL);
7339
7340 return offset;
7341 }
7342
7343
7344 static int
7345 netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
7346 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7347 {
7348 offset = dissect_ndr_counted_string_cb(
7349 tvb, offset, pinfo, tree, di, drep, hf_netlogon_site_name,
7350 cb_wstr_postprocess,
7351 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
7352
7353 return offset;
7354 }
7355 static int
7356 netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
7357 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7358 {
7359 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
7360 netlogon_dissect_site_name_item);
7361
7362 return offset;
7363 }
7364
7365 static int
7366 netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
7367 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7368 {
7369 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7370 hf_netlogon_count, NULL);
7371
7372 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7373 netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
7374 "Site name array", -1);
7375
7376 return offset;
7377 }
7378
7379 static int
7380 netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
7381 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7382 {
7383 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7384 pinfo, tree, di, drep);
7385
7386 return offset;
7387 }
7388
7389
7390 static int
7391 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
7392 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7393 {
7394 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7395 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
7396 "Site names", -1);
7397
7398 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7399 hf_netlogon_rc, NULL);
7400
7401 return offset;
7402 }
7403
7404 static int
7405 netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
7406 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7407 {
7408
7409 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7410 NDR_POINTER_UNIQUE, "LogonServer",
7411 hf_netlogon_computer_name, 0);
7412 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7413 NDR_POINTER_UNIQUE, "Computer Name",
7414 hf_netlogon_computer_name, 0);
7415 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7416 hf_netlogon_level16, NULL);
7417 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7418 netlogon_dissect_LEVEL, NDR_POINTER_REF,
7419 "LEVEL: LogonLevel", -1);
7420
7421 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7422 hf_netlogon_validation_level, NULL);
7423
7424 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
7425
7426 #if 0
7427 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7428 NDR_POINTER_UNIQUE, "unknown string",
7429 hf_netlogon_unknown_string, 0);
7430
7431 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7432 NDR_POINTER_UNIQUE, "unknown string",
7433 hf_netlogon_unknown_string, 0);
7434
7435 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7436 hf_netlogon_unknown_short, NULL);
7437
7438 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7439 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
7440 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
7441
7442 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7443 hf_netlogon_unknown_short, NULL);
7444
7445 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7446 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
7447 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
7448 #endif
7449 return offset;
7450 }
7451
7452
7453 static int
7454 netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
7455 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7456 {
7457 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7458 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
7459 "VALIDATION:", -1);
7460
7461 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
7462 hf_netlogon_authoritative, NULL);
7463
7464 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
7465
7466 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7467 hf_netlogon_rc, NULL);
7468 #if 0
7469 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7470 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
7471 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
7472
7473 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7474 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
7475 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
7476
7477 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7478 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
7479 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
7480
7481 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7482 hf_netlogon_rc, NULL);
7483 #endif
7484 return offset;
7485 }
7486
7487
7488 static int
7489 netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
7490 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7491 {
7492 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7493 pinfo, tree, di, drep);
7494
7495 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
7496
7497 return offset;
7498 }
7499
7500
7501 static int
7502 netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
7503 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7504 {
7505 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7506 hf_netlogon_entries, NULL);
7507
7508 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7509 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
7510 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
7511
7512 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7513 hf_netlogon_dos_rc, NULL);
7514
7515 return offset;
7516 }
7517
7518 static int
7519 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
7520 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7521 {
7522 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7523 pinfo, tree, di, drep);
7524
7525 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7526 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
7527
7528 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7529 dissect_nt_GUID, NDR_POINTER_UNIQUE,
7530 "GUID pointer: domain_guid", -1);
7531
7532 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7533 dissect_nt_GUID, NDR_POINTER_UNIQUE,
7534 "GUID pointer: dsa_guid", -1);
7535
7536 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7537 NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
7538
7539 return offset;
7540 }
7541
7542
7543 static int
7544 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
7545 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7546 {
7547 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7548 hf_netlogon_rc, NULL);
7549
7550 return offset;
7551 }
7552
7553 /* Dissect secure channel stuff */
7554
7555 static int hf_netlogon_secchan_nl_message_type = -1;
7556 static int hf_netlogon_secchan_nl_message_flags = -1;
7557 static int hf_netlogon_secchan_nl_message_flags_nb_domain = -1;
7558 static int hf_netlogon_secchan_nl_message_flags_nb_host = -1;
7559 static int hf_netlogon_secchan_nl_message_flags_dns_domain = -1;
7560 static int hf_netlogon_secchan_nl_message_flags_dns_host = -1;
7561 static int hf_netlogon_secchan_nl_message_flags_nb_host_utf8 = -1;
7562 static int hf_netlogon_secchan_nl_nb_domain = -1;
7563 static int hf_netlogon_secchan_nl_nb_host = -1;
7564 static int hf_netlogon_secchan_nl_dns_domain = -1;
7565 static int hf_netlogon_secchan_nl_dns_host = -1;
7566 static int hf_netlogon_secchan_nl_nb_host_utf8 = -1;
7567
7568 static gint ett_secchan_verf = -1;
7569 static gint ett_secchan_nl_auth_message = -1;
7570 static gint ett_secchan_nl_auth_message_flags = -1;
7571
7572 static const value_string nl_auth_types[] = {
7573 { 0x00000000, "Request"},
7574 { 0x00000001, "Response"},
7575 { 0, NULL }
7576 };
7577
7578
7579 /* MS-NRPC : 2.2.1.3.1 NL_AUTH_MESSAGE */
7580 static int dissect_secchan_nl_auth_message(tvbuff_t *tvb, int offset,
7581 packet_info *pinfo,
7582 proto_tree *tree, dcerpc_info *di _U_, guint8 *drep)
7583 {
7584 proto_item *item = NULL;
7585 proto_tree *subtree = NULL;
7586 guint32 messagetype, messageflags;
7587 static const int *flag_fields[] = {
7588 &hf_netlogon_secchan_nl_message_flags_nb_domain,
7589 &hf_netlogon_secchan_nl_message_flags_nb_host,
7590 &hf_netlogon_secchan_nl_message_flags_dns_domain,
7591 &hf_netlogon_secchan_nl_message_flags_dns_host,
7592 &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
7593 NULL
7594 };
7595 int len;
7596
7597 if (tree) {
7598 item = proto_tree_add_text(
7599 tree, tvb, offset, -1,
7600 "Secure Channel NL_AUTH_MESSAGE");
7601 subtree = proto_item_add_subtree(
7602 item, ett_secchan_nl_auth_message);
7603 }
7604
7605 /* We can't use the NDR routines as the DCERPC call data hasn't
7606 been initialised since we haven't made a DCERPC call yet, just
7607 a bind request. */
7608
7609 /* Type */
7610 offset = dissect_dcerpc_uint32(
7611 tvb, offset, pinfo, subtree, drep,
7612 hf_netlogon_secchan_nl_message_type, &messagetype);
7613
7614 /* Flags */
7615 proto_tree_add_bitmask(subtree, tvb, offset, hf_netlogon_secchan_nl_message_flags, ett_secchan_nl_auth_message_flags, flag_fields, (drep[0] & DREP_LITTLE_ENDIAN));
7616 messageflags = ((drep[0] & DREP_LITTLE_ENDIAN)
7617 ? tvb_get_letohl (tvb, offset)
7618 : tvb_get_ntohl (tvb, offset));
7619 offset += 4;
7620
7621
7622 /* Buffer */
7623 /* netbios domain name */
7624 if (messageflags&0x00000001) {
7625 len = tvb_strsize(tvb, offset);
7626 proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_domain, tvb, offset, len, ENC_ASCII|ENC_NA);
7627 offset += len;
7628 }
7629
7630 /* netbios host name */
7631 if (messageflags&0x00000002) {
7632 len = tvb_strsize(tvb, offset);
7633 proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_host, tvb, offset, len, ENC_ASCII|ENC_NA);
7634 offset += len;
7635 }
7636
7637 /* DNS domain name */
7638 if (messageflags&0x00000004) {
7639 int old_offset=offset;
7640 char str[256];
7641
7642 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
7643 proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_domain, tvb, old_offset, offset-old_offset, str);
7644 }
7645
7646 /* DNS host name */
7647 if (messageflags&0x00000008) {
7648 int old_offset=offset;
7649 char str[256];
7650
7651 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
7652 proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_host, tvb, old_offset, offset-old_offset, str);
7653 }
7654
7655 /* NetBios host name (UTF8) */
7656 if (messageflags&0x00000010) {
7657 int old_offset=offset;
7658 char str[256];
7659
7660 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
7661 proto_tree_add_string(subtree, hf_netlogon_secchan_nl_nb_host_utf8, tvb, old_offset, offset-old_offset, str);
7662 }
7663
7664
7665 return offset;
7666 }
7667
7668 /* Subdissectors */
7669
7670 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
7671 { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
7672 netlogon_dissect_netrlogonuaslogon_rqst,
7673 netlogon_dissect_netrlogonuaslogon_reply },
7674 { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
7675 netlogon_dissect_netrlogonuaslogoff_rqst,
7676 netlogon_dissect_netrlogonuaslogoff_reply },
7677 { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
7678 netlogon_dissect_netrlogonsamlogon_rqst,
7679 netlogon_dissect_netrlogonsamlogon_reply },
7680 { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
7681 netlogon_dissect_netrlogonsamlogoff_rqst,
7682 netlogon_dissect_netrlogonsamlogoff_reply },
7683 { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
7684 netlogon_dissect_netrserverreqchallenge_rqst,
7685 netlogon_dissect_netrserverreqchallenge_reply },
7686 { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
7687 netlogon_dissect_netrserverauthenticate_rqst,
7688 netlogon_dissect_netrserverauthenticate_reply },
7689 { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
7690 netlogon_dissect_netrserverpasswordset_rqst,
7691 netlogon_dissect_netrserverpasswordset_reply },
7692 { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
7693 netlogon_dissect_netrdatabasedeltas_rqst,
7694 netlogon_dissect_netrdatabasedeltas_reply },
7695 { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
7696 netlogon_dissect_netrdatabasesync_rqst,
7697 netlogon_dissect_netrdatabasesync_reply },
7698 { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
7699 netlogon_dissect_netraccountdeltas_rqst,
7700 netlogon_dissect_netraccountdeltas_reply },
7701 { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
7702 netlogon_dissect_netraccountsync_rqst,
7703 netlogon_dissect_netraccountsync_reply },
7704 { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
7705 netlogon_dissect_netrgetdcname_rqst,
7706 netlogon_dissect_netrgetdcname_reply },
7707 { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
7708 netlogon_dissect_netrlogoncontrol_rqst,
7709 netlogon_dissect_netrlogoncontrol_reply },
7710 { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
7711 netlogon_dissect_netrgetanydcname_rqst,
7712 netlogon_dissect_netrgetanydcname_reply },
7713 { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
7714 netlogon_dissect_netrlogoncontrol2_rqst,
7715 netlogon_dissect_netrlogoncontrol2_reply },
7716 { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
7717 netlogon_dissect_netrserverauthenticate2_rqst,
7718 netlogon_dissect_netrserverauthenticate2_reply },
7719 { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
7720 netlogon_dissect_netrdatabasesync2_rqst,
7721 netlogon_dissect_netrdatabasesync2_reply },
7722 { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
7723 netlogon_dissect_netrdatabaseredo_rqst,
7724 netlogon_dissect_netrdatabaseredo_reply },
7725 { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
7726 netlogon_dissect_netrlogoncontrol2ex_rqst,
7727 netlogon_dissect_netrlogoncontrol2ex_reply },
7728 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
7729 netlogon_dissect_netrenumeratetrusteddomains_rqst,
7730 netlogon_dissect_netrenumeratetrusteddomains_reply },
7731 { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
7732 netlogon_dissect_dsrgetdcname_rqst,
7733 netlogon_dissect_dsrgetdcname_reply },
7734 { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
7735 netlogon_dissect_netrlogondummyroutine1_rqst,
7736 netlogon_dissect_netrlogondummyroutine1_reply },
7737 { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
7738 netlogon_dissect_netrlogonsetservicebits_rqst,
7739 netlogon_dissect_netrlogonsetservicebits_reply },
7740 { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
7741 netlogon_dissect_netrlogongettrustrid_rqst,
7742 netlogon_dissect_netrlogongettrustrid_reply },
7743 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
7744 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
7745 netlogon_dissect_netrlogoncomputeserverdigest_reply },
7746 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
7747 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
7748 netlogon_dissect_netrlogoncomputeclientdigest_reply },
7749 { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
7750 netlogon_dissect_netrserverauthenticate3_rqst,
7751 netlogon_dissect_netrserverauthenticate3_reply },
7752 { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
7753 netlogon_dissect_dsrgetdcnameex_rqst,
7754 netlogon_dissect_dsrgetdcnameex_reply },
7755 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
7756 netlogon_dissect_dsrgetsitename_rqst,
7757 netlogon_dissect_dsrgetsitename_reply },
7758 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
7759 netlogon_dissect_netrlogongetdomaininfo_rqst,
7760 netlogon_dissect_netrlogongetdomaininfo_reply },
7761 { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
7762 netlogon_dissect_netrserverpasswordset2_rqst,
7763 netlogon_dissect_netrserverpasswordset2_reply },
7764 { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
7765 netlogon_dissect_netrserverpasswordget_rqst,
7766 netlogon_dissect_netrserverpasswordget_reply },
7767 { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
7768 netlogon_dissect_netrlogonsendtosam_rqst,
7769 netlogon_dissect_netrlogonsendtosam_reply },
7770 { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
7771 netlogon_dissect_dsraddresstositenamesw_rqst,
7772 netlogon_dissect_dsraddresstositenamesw_reply },
7773 { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
7774 netlogon_dissect_dsrgetdcnameex2_rqst,
7775 netlogon_dissect_dsrgetdcnameex2_reply },
7776 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
7777 "NetrLogonGetTimeServiceParentDomain",
7778 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
7779 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
7780 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
7781 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
7782 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
7783 { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
7784 netlogon_dissect_dsraddresstositenamesexw_rqst,
7785 netlogon_dissect_dsraddresstositenamesexw_reply },
7786 { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
7787 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
7788 netlogon_dissect_dsrgetdcsitecoveragew_reply },
7789 { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
7790 netlogon_dissect_netrlogonsamlogonex_rqst,
7791 netlogon_dissect_netrlogonsamlogonex_reply },
7792 { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
7793 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
7794 netlogon_dissect_dsrenumeratedomaintrusts_reply },
7795 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
7796 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
7797 netlogon_dissect_dsrderegisterdnshostrecords_reply },
7798 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
7799 NULL, NULL },
7800 { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
7801 NULL, NULL },
7802 { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
7803 NULL, NULL },
7804 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
7805 netlogon_dissect_netrlogonsamlogonflags_rqst,
7806 netlogon_dissect_netrlogonsamlogonflags_reply },
7807 { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
7808 NULL, NULL },
7809 {0, NULL, NULL, NULL }
7810 };
7811
7812 static int hf_netlogon_secchan_verf = -1;
7813 static int hf_netlogon_secchan_verf_signalg = -1;
7814 static int hf_netlogon_secchan_verf_sealalg = -1;
7815 static int hf_netlogon_secchan_verf_flag = -1;
7816 static int hf_netlogon_secchan_verf_digest = -1;
7817 static int hf_netlogon_secchan_verf_seq = -1;
7818 static int hf_netlogon_secchan_verf_nonce = -1;
7819
7820 static const value_string sign_algs[] = {
7821 { 0x0077, "HMAC-MD5"},
7822 { 0, NULL}
7823 };
7824
7825 static const value_string seal_algs[] = {
7826 { 0xFFFF, "Not Encrypted"},
7827 { 0x007A, "RC4"},
7828 { 0, NULL}
7829 };
7830
7831 static int get_seal_key(const guint8 *session_key,int key_len,guint64 sequence,guint8* seal_key)
7832 {
7833 guint8 zeros[4];
7834 guint8 *buf = (guint8 *)wmem_alloc(wmem_packet_scope(), key_len);
7835 guint8 buf2[16];
7836 guint8 zero_sk[16];
7837 int i = 0;
7838 memset(zero_sk,0,16);
7839 memset(seal_key,0,16);
7840 if(memcmp(session_key,zero_sk,16)) {
7841 memset(zeros,0,4);
7842 for(i=0;i<key_len;i++) {
7843 buf[i] = session_key[i] ^ 0xF0;
7844 }
7845 md5_hmac(zeros,4,buf,key_len,buf2);
7846 md5_hmac((guint8*)&sequence,8,buf2,16,seal_key);
7847 return 1;
7848 }
7849 else {
7850 return 0;
7851 }
7852
7853 }
7854
7855 static guint64 uncrypt_sequence(guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
7856 {
7857 guint8 zeros[4];
7858 guint8 buf[16];
7859 guint8 key[16];
7860 rc4_state_struct rc4state;
7861 guint8 *p_seq = (guint8*) &enc_seq;
7862 /*guint32 temp;*/
7863
7864 memset(zeros,0,4);
7865 md5_hmac(zeros,4,session_key,16,buf);
7866 md5_hmac((guint8*)&checksum,8,buf,16,key);
7867
7868 crypt_rc4_init(&rc4state,key,16);
7869 crypt_rc4(&rc4state,p_seq,8);
7870 /*temp = *((guint32*)p_seq);
7871 *((guint32*)p_seq) = *((guint32*)p_seq+1);
7872 *((guint32*)p_seq+1) = temp;
7873
7874 if(!is_server) {
7875 *p_seq = *p_seq & 0x7F;
7876 }
7877 */
7878 return enc_seq;
7879 }
7880
7881 static tvbuff_t *
7882 dissect_packet_data(tvbuff_t *tvb ,tvbuff_t *auth_tvb _U_,
7883 int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info _U_,unsigned char is_server)
7884 {
7885
7886 tvbuff_t *buf = NULL;
7887 guint8* decrypted;
7888 netlogon_auth_vars *vars;
7889 netlogon_auth_key key;
7890 /*debugprintf("Dissection of request data offset %d len=%d on packet %d\n",offset,tvb_length_remaining(tvb,offset),pinfo->fd->num);*/
7891
7892 generate_hash_key(pinfo,is_server,&key,NULL);
7893 vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths, &key);
7894
7895 if(vars != NULL ) {
7896 while(vars != NULL && vars->next_start != -1 && vars->next_start < (int) pinfo->fd->num ) {
7897 vars = vars->next;
7898 }
7899 if(vars == NULL ) {
7900 debugprintf("Vars not found %d (packet_data)\n",g_hash_table_size(netlogon_auths));
7901 return(buf);
7902 }
7903 else {
7904 if(vars->can_decrypt == TRUE) {
7905 rc4_state_struct rc4state;
7906 int data_len;
7907 guint64 copyconfounder = vars->confounder;
7908
7909 data_len = tvb_length_remaining(tvb,offset);
7910 if (data_len < 0) {
7911 return NULL;
7912 }
7913 crypt_rc4_init(&rc4state,vars->encryption_key,16);
7914 crypt_rc4(&rc4state,(guint8*)&copyconfounder,8);
7915 decrypted = (guint8*)tvb_memdup(NULL, tvb, offset,data_len);
7916 crypt_rc4_init(&rc4state,vars->encryption_key,16);
7917 crypt_rc4(&rc4state,decrypted,data_len);
7918 buf = tvb_new_child_real_data(tvb, decrypted, data_len, data_len);
7919 tvb_set_free_cb(buf, g_free);
7920 /* Note: caller does add_new_data_source(...) */
7921 }
7922 else {
7923 debugprintf("Session key not found can't decrypt ...\n");
7924 }
7925 }
7926 } else {
7927 debugprintf("Vars not found %d (packet_data)\n",g_hash_table_size(netlogon_auths));
7928 return(buf);
7929 }
7930
7931 return(buf);
7932 }
7933
7934 static tvbuff_t* dissect_request_data( tvbuff_t *tvb ,tvbuff_t *auth_tvb ,
7935 int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info )
7936 {
7937 return dissect_packet_data(tvb,auth_tvb,offset,pinfo,auth_info,0);
7938 }
7939 static tvbuff_t* dissect_response_data( tvbuff_t *tvb ,tvbuff_t *auth_tvb ,
7940 int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info )
7941 {
7942 return dissect_packet_data(tvb,auth_tvb,offset,pinfo,auth_info,1);
7943 }
7944
7945 /* MS-NRPC 2.2.1.3.2 */
7946 static int
7947 dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
7948 proto_tree *tree, guint8 *drep _U_, unsigned char is_server)
7949 {
7950 netlogon_auth_vars *vars;
7951 netlogon_auth_key key;
7952 proto_item *vf = NULL;
7953 proto_tree *subtree = NULL;
7954 guint64 encrypted_seq;
7955 guint64 digest;
7956 guint64 confounder = 0;
7957 int update_vars = 0;
7958
7959 generate_hash_key(pinfo,is_server,&key,NULL);
7960 vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths,(gconstpointer*) &key);
7961 if( ! (seen.isseen && seen.num == pinfo->fd->num) ) {
7962 /*
7963 * Create a new tree, and split into x components ...
7964 */
7965 vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
7966 offset, -1, ENC_NA);
7967 subtree = proto_item_add_subtree(vf, ett_secchan_verf);
7968
7969 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_signalg, tvb,
7970 offset, 2, ENC_LITTLE_ENDIAN);
7971 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sealalg, tvb,
7972 offset+2, 2, ENC_LITTLE_ENDIAN);
7973 /* 2 pad bytes */
7974 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_flag, tvb,
7975 offset+6, 2, ENC_NA);
7976 offset += 8;
7977
7978 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
7979 hf_netlogon_secchan_verf_seq, &encrypted_seq);
7980
7981 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
7982 hf_netlogon_secchan_verf_digest, &digest);
7983
7984 /* In some cases the nonce if the data/signture are encrypted ("integrity/seal in MS language")*/
7985
7986 if (tvb_bytes_exist(tvb, offset, 8)) {
7987 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
7988 hf_netlogon_secchan_verf_nonce, &confounder);
7989 }
7990 update_vars = 1;
7991 }
7992 if( vars != NULL ) {
7993 while(vars != NULL && vars->next_start != -1 && vars->next_start < (int)pinfo->fd->num ) {
7994 vars = vars->next;
7995 }
7996 if(vars == NULL ) {
7997 debugprintf("Vars not found %d (packet_data)\n",g_hash_table_size(netlogon_auths));
7998 return(offset);
7999 }
8000 else {
8001 if(update_vars) {
8002 vars->confounder = confounder;
8003 vars->seq = uncrypt_sequence(vars->session_key,digest,encrypted_seq,is_server);
8004 }
8005
8006 if(get_seal_key(vars->session_key,16,vars->seq,vars->encryption_key))
8007 {
8008 vars->can_decrypt = TRUE;
8009 }
8010 else
8011 {
8012 debugprintf("get seal key returned 0\n");
8013 }
8014 }
8015 }
8016 else
8017 {
8018 debugprintf("Vars not found (is null %d) %d (dissect_verf)\n",vars==NULL,g_hash_table_size(netlogon_auths));
8019 }
8020 /*debugprintf("Setting isseen to true, old packet %d new %d\n",seen.num,pinfo->fd->num);*/
8021 seen.isseen = TRUE;
8022 seen.num = pinfo->fd->num;
8023
8024 return offset;
8025 }
8026 static int
8027 dissect_request_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
8028 proto_tree *tree, dcerpc_info *di _U_, guint8 *drep )
8029 {
8030 return dissect_secchan_verf(tvb,offset,pinfo,tree,drep,0);
8031 }
8032 static int
8033 dissect_response_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
8034 proto_tree *tree, dcerpc_info *di _U_, guint8 *drep )
8035 {
8036 return dissect_secchan_verf(tvb,offset,pinfo,tree,drep,1);
8037 }
8038
8039 /* Secure channel types */
8040
8041 static const value_string sec_chan_type_vals[] = {
8042 { SEC_CHAN_WKSTA, "Workstation" },
8043 { SEC_CHAN_DOMAIN, "Domain trust" },
8044 { SEC_CHAN_BDC, "Backup domain controller" },
8045 { 0, NULL }
8046 };
8047 static void
8048 netlogon_reassemble_init(void)
8049 {
8050 if (netlogon_auths){
8051 g_hash_table_destroy (netlogon_auths);
8052 }
8053 netlogon_auths = g_hash_table_new (netlogon_auth_hash, netlogon_auth_equal);
8054 if (schannel_auths){
8055 g_hash_table_destroy (schannel_auths);
8056 }
8057 schannel_auths = g_hash_table_new (netlogon_auth_hash, netlogon_auth_equal);
8058
8059 }
8060
8061 void
8062 proto_register_dcerpc_netlogon(void)
8063 {
8064
8065 static hf_register_info hf[] = {
8066 { &hf_netlogon_opnum,
8067 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
8068 NULL, 0x0, NULL, HFILL }},
8069
8070 { &hf_netlogon_rc, {
8071 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
8072 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
8073
8074 { &hf_netlogon_dos_rc,
8075 { "DOS error code", "netlogon.dos.rc", FT_UINT32,
8076 BASE_HEX, VALS(DOS_errors), 0x0, NULL, HFILL}},
8077
8078 { &hf_netlogon_werr_rc,
8079 { "WERR error code", "netlogon.werr.rc", FT_UINT32,
8080 BASE_HEX, VALS(WERR_errors), 0x0, NULL, HFILL}},
8081
8082 { &hf_netlogon_param_ctrl, {
8083 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
8084 NULL, 0x0, NULL, HFILL }},
8085
8086 { &hf_netlogon_logon_id, {
8087 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
8088 NULL, 0x0, NULL, HFILL }},
8089
8090 { &hf_netlogon_modify_count, {
8091 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
8092 NULL, 0x0, "How many times the object has been modified", HFILL }},
8093
8094 { &hf_netlogon_security_information, {
8095 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
8096 NULL, 0x0, NULL, HFILL }},
8097
8098 { &hf_netlogon_count, {
8099 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
8100 NULL, 0x0, NULL, HFILL }},
8101
8102 { &hf_netlogon_entries, {
8103 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
8104 NULL, 0x0, NULL, HFILL }},
8105
8106 { &hf_netlogon_credential, {
8107 "Credential", "netlogon.credential", FT_BYTES, BASE_NONE,
8108 NULL, 0x0, "Netlogon Credential", HFILL }},
8109
8110 { &hf_netlogon_challenge, {
8111 "Challenge", "netlogon.challenge", FT_BYTES, BASE_NONE,
8112 NULL, 0x0, "Netlogon challenge", HFILL }},
8113
8114 { &hf_netlogon_lm_owf_password, {
8115 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_NONE,
8116 NULL, 0x0, "LanManager OWF Password", HFILL }},
8117
8118 { &hf_netlogon_user_session_key, {
8119 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_NONE,
8120 NULL, 0x0, NULL, HFILL }},
8121
8122 { &hf_netlogon_encrypted_lm_owf_password, {
8123 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_NONE,
8124 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
8125
8126 { &hf_netlogon_nt_owf_password, {
8127 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_NONE,
8128 NULL, 0x0, "NT OWF Password", HFILL }},
8129
8130 { &hf_netlogon_blob, {
8131 "BLOB", "netlogon.blob", FT_BYTES, BASE_NONE,
8132 NULL, 0x0, NULL, HFILL }},
8133
8134 { &hf_netlogon_len, {
8135 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
8136 NULL, 0, "Length", HFILL }},
8137
8138 { &hf_netlogon_priv, {
8139 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
8140 NULL, 0, NULL, HFILL }},
8141
8142 { &hf_netlogon_privilege_entries, {
8143 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
8144 NULL, 0, NULL, HFILL }},
8145
8146 { &hf_netlogon_privilege_control, {
8147 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
8148 NULL, 0, NULL, HFILL }},
8149
8150 { &hf_netlogon_privilege_name, {
8151 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_NONE,
8152 NULL, 0, NULL, HFILL }},
8153
8154 { &hf_netlogon_pdc_connection_status, {
8155 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
8156 NULL, 0, NULL, HFILL }},
8157
8158 { &hf_netlogon_tc_connection_status, {
8159 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
8160 NULL, 0, NULL, HFILL }},
8161
8162 { &hf_netlogon_attrs, {
8163 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
8164 NULL, 0, NULL, HFILL }},
8165
8166 #if 0
8167 { &hf_netlogon_lsapolicy_referentid,
8168 { "Referent ID", "netlogon.lsapolicy.referentID", FT_UINT32, BASE_HEX,
8169 NULL, 0x0, NULL, HFILL }},
8170 #endif
8171
8172 { &hf_netlogon_lsapolicy_len,
8173 { "Length", "netlogon.lsapolicy.length", FT_UINT32, BASE_DEC,
8174 NULL, 0x0, "Length of the policy buffer", HFILL }},
8175
8176 #if 0
8177 { &hf_netlogon_lsapolicy_pointer,
8178 { "Pointer", "netlogon.lsapolicy.pointer", FT_BYTES, BASE_NONE,
8179 NULL, 0x0, "Pointer to LSA POLICY", HFILL }},
8180 #endif
8181
8182 { &hf_netlogon_unknown_string,
8183 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
8184 NULL, 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL }},
8185
8186 { &hf_netlogon_TrustedDomainName_string,
8187 { "TrustedDomainName", "netlogon.TrustedDomainName", FT_STRING, BASE_NONE,
8188 NULL, 0, "TrustedDomainName string.", HFILL }},
8189
8190 { &hf_netlogon_UserName_string,
8191 { "UserName", "netlogon.UserName", FT_STRING, BASE_NONE,
8192 NULL, 0, "UserName string.", HFILL }},
8193
8194 { &hf_netlogon_dummy_string,
8195 { "Dummy String", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8196 NULL, 0, "Dummy String. Used is reserved for next evolutions.", HFILL }},
8197
8198 { &hf_netlogon_trust_extention,
8199 { "Trust extension", "netlogon.trust.extention", FT_STRING, BASE_NONE,
8200 NULL, 0, "Trusts extension.", HFILL }},
8201
8202 { &hf_netlogon_trust_offset,
8203 { "Offset", "netlogon.trust.extention_offset", FT_UINT32, BASE_DEC,
8204 NULL, 0, "Trusts extension.", HFILL }},
8205
8206 { &hf_netlogon_trust_len,
8207 { "Length", "netlogon.trust.extention_length", FT_UINT32, BASE_DEC,
8208 NULL, 0, NULL, HFILL }},
8209
8210 { &hf_netlogon_trust_max,
8211 { "Max Count", "netlogon.trust.extention.maxcount", FT_UINT32, BASE_DEC,
8212 NULL, 0, NULL, HFILL }},
8213
8214 { &hf_netlogon_dummy_string2,
8215 { "Dummy String2", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8216 NULL, 0, "Dummy String 2. Used is reserved for next evolutions.", HFILL }},
8217
8218 { &hf_netlogon_dummy_string3,
8219 { "Dummy String3", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8220 NULL, 0, "Dummy String 3. Used is reserved for next evolutions.", HFILL }},
8221
8222 { &hf_netlogon_dummy_string4,
8223 { "Dummy String4", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8224 NULL, 0, "Dummy String 4. Used is reserved for next evolutions.", HFILL }},
8225
8226 { &hf_netlogon_dummy_string5,
8227 { "Dummy String5", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8228 NULL, 0, "Dummy String 5. Used is reserved for next evolutions.", HFILL }},
8229
8230 { &hf_netlogon_dummy_string6,
8231 { "Dummy String6", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8232 NULL, 0, "Dummy String 6. Used is reserved for next evolutions.", HFILL }},
8233
8234 { &hf_netlogon_dummy_string7,
8235 { "Dummy String7", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8236 NULL, 0, "Dummy String 7. Used is reserved for next evolutions.", HFILL }},
8237
8238 { &hf_netlogon_dummy_string8,
8239 { "Dummy String8", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8240 NULL, 0, "Dummy String 8. Used is reserved for next evolutions.", HFILL }},
8241
8242 { &hf_netlogon_dummy_string9,
8243 { "Dummy String9", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8244 NULL, 0, "Dummy String 9. Used is reserved for next evolutions.", HFILL }},
8245
8246 { &hf_netlogon_dummy_string10,
8247 { "Dummy String10", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8248 NULL, 0, "Dummy String 10. Used is reserved for next evolutions.", HFILL }},
8249
8250 { &hf_netlogon_unknown_long,
8251 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
8252 NULL, 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL }},
8253
8254 { &hf_netlogon_dummy1_long,
8255 { "Dummy1 Long", "netlogon.dummy.long1", FT_UINT32, BASE_HEX,
8256 NULL, 0x0, "Dummy long 1. Used is reserved for next evolutions.", HFILL }},
8257
8258 { &hf_netlogon_dummy2_long,
8259 { "Dummy2 Long", "netlogon.dummy.long2", FT_UINT32, BASE_HEX,
8260 NULL, 0x0, "Dummy long 2. Used is reserved for next evolutions.", HFILL }},
8261
8262 { &hf_netlogon_dummy3_long,
8263 { "Dummy3 Long", "netlogon.dummy.long3", FT_UINT32, BASE_HEX,
8264 NULL, 0x0, "Dummy long 3. Used is reserved for next evolutions.", HFILL }},
8265
8266 { &hf_netlogon_dummy4_long,
8267 { "Dummy4 Long", "netlogon.dummy.long4", FT_UINT32, BASE_HEX,
8268 NULL, 0x0, "Dummy long 4. Used is reserved for next evolutions.", HFILL }},
8269
8270 { &hf_netlogon_dummy5_long,
8271 { "Dummy5 Long", "netlogon.dummy.long5", FT_UINT32, BASE_HEX,
8272 NULL, 0x0, "Dummy long 5. Used is reserved for next evolutions.", HFILL }},
8273
8274 { &hf_netlogon_dummy6_long,
8275 { "Dummy6 Long", "netlogon.dummy.long6", FT_UINT32, BASE_HEX,
8276 NULL, 0x0, "Dummy long 6. Used is reserved for next evolutions.", HFILL }},
8277
8278 { &hf_netlogon_dummy7_long,
8279 { "Dummy7 Long", "netlogon.dummy.long7", FT_UINT32, BASE_HEX,
8280 NULL, 0x0, "Dummy long 7. Used is reserved for next evolutions.", HFILL }},
8281
8282 { &hf_netlogon_dummy8_long,
8283 { "Dummy8 Long", "netlogon.dummy.long8", FT_UINT32, BASE_HEX,
8284 NULL, 0x0, "Dummy long 8. Used is reserved for next evolutions.", HFILL }},
8285
8286 { &hf_netlogon_dummy9_long,
8287 { "Dummy9 Long", "netlogon.dummy.long9", FT_UINT32, BASE_HEX,
8288 NULL, 0x0, "Dummy long 9. Used is reserved for next evolutions.", HFILL }},
8289
8290 { &hf_netlogon_dummy10_long,
8291 { "Dummy10 Long", "netlogon.dummy.long10", FT_UINT32, BASE_HEX,
8292 NULL, 0x0, "Dummy long 10. Used is reserved for next evolutions.", HFILL }},
8293
8294
8295 { &hf_netlogon_supportedenctypes,
8296 { "Supported Encryption Types", "netlogon.encryption.types", FT_UINT32, BASE_HEX,
8297 NULL, 0x0, "Encryption types", HFILL }},
8298
8299 { &hf_netlogon_workstation_flags,
8300 { "Workstation Flags", "netlogon.workstation.flags", FT_UINT32, BASE_HEX,
8301 NULL, 0x0, "Flags", HFILL }},
8302
8303 { &hf_netlogon_reserved,
8304 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
8305 NULL, 0x0, NULL, HFILL }},
8306 { &hf_netlogon_unknown_short,
8307 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
8308 NULL, 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL }},
8309
8310 { &hf_netlogon_unknown_char,
8311 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
8312 NULL, 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL }},
8313
8314 { &hf_netlogon_acct_expiry_time,
8315 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8316 NULL, 0x0, "When this account will expire", HFILL }},
8317
8318 { &hf_netlogon_nt_pwd_present,
8319 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
8320 NULL, 0x0, "Is NT password present for this account?", HFILL }},
8321
8322 { &hf_netlogon_lm_pwd_present,
8323 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
8324 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
8325
8326 { &hf_netlogon_pwd_expired,
8327 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
8328 NULL, 0x0, "Whether this password has expired or not", HFILL }},
8329
8330 { &hf_netlogon_authoritative,
8331 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
8332 NULL, 0x0, NULL, HFILL }},
8333
8334 { &hf_netlogon_sensitive_data_flag,
8335 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
8336 NULL, 0x0, "Sensitive data flag", HFILL }},
8337
8338 { &hf_netlogon_auditing_mode,
8339 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
8340 NULL, 0x0, NULL, HFILL }},
8341
8342 { &hf_netlogon_max_audit_event_count,
8343 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
8344 NULL, 0x0, NULL, HFILL }},
8345
8346 { &hf_netlogon_event_audit_option,
8347 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
8348 NULL, 0x0, NULL, HFILL }},
8349
8350 { &hf_netlogon_sensitive_data_len,
8351 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
8352 NULL, 0x0, "Length of sensitive data", HFILL }},
8353
8354 #if 0
8355 { &hf_netlogon_nt_chal_resp,
8356 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_NONE,
8357 NULL, 0, "Challenge response for NT authentication", HFILL }},
8358 #endif
8359
8360 { &hf_netlogon_lm_chal_resp,
8361 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_NONE,
8362 NULL, 0, "Challenge response for LM authentication", HFILL }},
8363
8364 { &hf_netlogon_cipher_len,
8365 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
8366 NULL, 0, NULL, HFILL }},
8367
8368 { &hf_netlogon_cipher_maxlen,
8369 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
8370 NULL, 0, NULL, HFILL }},
8371
8372 #if 0
8373 { &hf_netlogon_pac_data,
8374 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_NONE,
8375 NULL, 0, NULL, HFILL }},
8376 #endif
8377
8378 { &hf_netlogon_sensitive_data,
8379 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_NONE,
8380 NULL, 0, "Sensitive Data", HFILL }},
8381
8382 #if 0
8383 { &hf_netlogon_auth_data,
8384 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_NONE,
8385 NULL, 0, NULL, HFILL }},
8386 #endif
8387
8388 { &hf_netlogon_cipher_current_data,
8389 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_NONE,
8390 NULL, 0, NULL, HFILL }},
8391
8392 { &hf_netlogon_cipher_old_data,
8393 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_NONE,
8394 NULL, 0, NULL, HFILL }},
8395
8396 { &hf_netlogon_acct_name,
8397 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
8398 NULL, 0, "Account Name", HFILL }},
8399
8400 { &hf_netlogon_acct_desc,
8401 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
8402 NULL, 0, "Account Description", HFILL }},
8403
8404 { &hf_netlogon_group_desc,
8405 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
8406 NULL, 0, "Group Description", HFILL }},
8407
8408 { &hf_netlogon_full_name,
8409 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
8410 NULL, 0, NULL, HFILL }},
8411
8412 { &hf_netlogon_comment,
8413 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
8414 NULL, 0, NULL, HFILL }},
8415
8416 { &hf_netlogon_parameters,
8417 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
8418 NULL, 0, NULL, HFILL }},
8419
8420 { &hf_netlogon_logon_script,
8421 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
8422 NULL, 0, NULL, HFILL }},
8423
8424 { &hf_netlogon_profile_path,
8425 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
8426 NULL, 0, NULL, HFILL }},
8427
8428 { &hf_netlogon_home_dir,
8429 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
8430 NULL, 0, "Home Directory", HFILL }},
8431
8432 { &hf_netlogon_dir_drive,
8433 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
8434 NULL, 0, "Drive letter for home directory", HFILL }},
8435
8436 { &hf_netlogon_logon_srv,
8437 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
8438 NULL, 0, NULL, HFILL }},
8439
8440 #if 0
8441 { &hf_netlogon_principal,
8442 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
8443 NULL, 0, NULL, HFILL }},
8444 #endif
8445
8446 { &hf_netlogon_logon_dom,
8447 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
8448 NULL, 0, NULL, HFILL }},
8449
8450 { &hf_netlogon_resourcegroupcount,
8451 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
8452 NULL, 0, "Number of Resource Groups", HFILL }},
8453
8454 { &hf_netlogon_computer_name,
8455 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
8456 NULL, 0, NULL, HFILL }},
8457
8458 { &hf_netlogon_site_name,
8459 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
8460 NULL, 0, NULL, HFILL }},
8461
8462 { &hf_netlogon_dc_name,
8463 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
8464 NULL, 0, NULL, HFILL }},
8465
8466 { &hf_netlogon_dc_site_name,
8467 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
8468 NULL, 0, NULL, HFILL }},
8469
8470 { &hf_netlogon_dns_forest_name,
8471 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
8472 NULL, 0, NULL, HFILL }},
8473
8474 { &hf_netlogon_dc_address,
8475 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
8476 NULL, 0, NULL, HFILL }},
8477
8478 { &hf_netlogon_dc_address_type,
8479 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
8480 VALS(dc_address_types), 0, NULL, HFILL }},
8481
8482 { &hf_netlogon_client_site_name,
8483 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
8484 NULL, 0, NULL, HFILL }},
8485
8486 { &hf_netlogon_workstation_site_name,
8487 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
8488 NULL, 0, "Workstation Site Name", HFILL }},
8489
8490 { &hf_netlogon_workstation,
8491 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
8492 NULL, 0, "Workstation Name", HFILL }},
8493
8494 { &hf_netlogon_os_version,
8495 { "OS version", "netlogon.os.version", FT_STRING, BASE_NONE,
8496 NULL, 0, NULL, HFILL }},
8497
8498 { &hf_netlogon_workstation_os,
8499 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
8500 NULL, 0, "Workstation OS", HFILL }},
8501
8502 { &hf_netlogon_workstations,
8503 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
8504 NULL, 0, NULL, HFILL }},
8505
8506 { &hf_netlogon_workstation_fqdn,
8507 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
8508 NULL, 0, "Workstation FQDN", HFILL }},
8509
8510 { &hf_netlogon_group_name,
8511 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
8512 NULL, 0, NULL, HFILL }},
8513
8514 { &hf_netlogon_alias_name,
8515 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
8516 NULL, 0, NULL, HFILL }},
8517
8518 { &hf_netlogon_dns_host,
8519 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
8520 NULL, 0, NULL, HFILL }},
8521
8522 { &hf_netlogon_downlevel_domain_name,
8523 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
8524 NULL, 0, "Downlevel Domain Name", HFILL }},
8525
8526 { &hf_netlogon_dns_domain_name,
8527 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
8528 NULL, 0, "DNS Domain Name", HFILL }},
8529
8530 { &hf_netlogon_ad_client_dns_name,
8531 { "Client DNS Name", "netlogon.client_dns_name", FT_STRING, BASE_NONE,
8532 NULL, 0, NULL, HFILL }},
8533
8534 { &hf_netlogon_domain_name,
8535 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
8536 NULL, 0, "Domain Name", HFILL }},
8537
8538 { &hf_netlogon_oem_info,
8539 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
8540 NULL, 0, NULL, HFILL }},
8541
8542 { &hf_netlogon_trusted_dc_name,
8543 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
8544 NULL, 0, NULL, HFILL }},
8545
8546 { &hf_netlogon_logon_dnslogondomainname,
8547 { "DNS Logon Domain name", "netlogon.logon.dnslogondomainname", FT_STRING, BASE_NONE,
8548 NULL, 0, "DNS Name of the logon domain", HFILL }},
8549
8550 { &hf_netlogon_logon_upn,
8551 { "UPN", "netlogon.logon.upn", FT_STRING, BASE_NONE,
8552 NULL, 0, "User Principal Name", HFILL }},
8553
8554 { &hf_netlogon_logonsrv_handle,
8555 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
8556 NULL, 0, "Logon Srv Handle", HFILL }},
8557
8558 { &hf_netlogon_dummy,
8559 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
8560 NULL, 0, "Dummy string", HFILL }},
8561
8562 { &hf_netlogon_logon_count16,
8563 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
8564 NULL, 0x0, "Number of successful logins", HFILL }},
8565
8566 { &hf_netlogon_logon_count,
8567 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
8568 NULL, 0x0, "Number of successful logins", HFILL }},
8569
8570 { &hf_netlogon_bad_pw_count16,
8571 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
8572 NULL, 0x0, "Number of failed logins", HFILL }},
8573
8574 { &hf_netlogon_bad_pw_count,
8575 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
8576 NULL, 0x0, "Number of failed logins", HFILL }},
8577
8578 { &hf_netlogon_country,
8579 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
8580 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
8581
8582 { &hf_netlogon_codepage,
8583 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
8584 NULL, 0x0, "Codepage setting for this account", HFILL }},
8585
8586 { &hf_netlogon_level16,
8587 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
8588 NULL, 0x0, "Which option of the union is represented here", HFILL }},
8589
8590 { &hf_netlogon_validation_level,
8591 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
8592 NULL, 0x0, "Requested level of validation", HFILL }},
8593
8594 { &hf_netlogon_minpasswdlen,
8595 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
8596 NULL, 0x0, "Minimum length of password", HFILL }},
8597
8598 { &hf_netlogon_passwdhistorylen,
8599 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
8600 NULL, 0x0, "Length of password history", HFILL }},
8601
8602 { &hf_netlogon_secure_channel_type,
8603 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
8604 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
8605
8606 { &hf_netlogon_restart_state,
8607 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
8608 NULL, 0x0, NULL, HFILL }},
8609
8610 { &hf_netlogon_delta_type,
8611 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
8612 VALS(delta_type_vals), 0x0, NULL, HFILL }},
8613
8614 { &hf_netlogon_blob_size,
8615 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
8616 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
8617
8618 { &hf_netlogon_code,
8619 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
8620 NULL, 0x0, NULL, HFILL }},
8621
8622 { &hf_netlogon_level,
8623 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
8624 NULL, 0x0, "Which option of the union is represented here", HFILL }},
8625
8626 { &hf_netlogon_reference,
8627 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
8628 NULL, 0x0, NULL, HFILL }},
8629
8630 { &hf_netlogon_next_reference,
8631 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
8632 NULL, 0x0, NULL, HFILL }},
8633
8634 { &hf_netlogon_timestamp,
8635 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8636 NULL, 0, NULL, HFILL }},
8637
8638 { &hf_netlogon_user_rid,
8639 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
8640 NULL, 0x0, NULL, HFILL }},
8641
8642 { &hf_netlogon_alias_rid,
8643 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
8644 NULL, 0x0, NULL, HFILL }},
8645
8646 { &hf_netlogon_group_rid,
8647 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
8648 NULL, 0x0, NULL, HFILL }},
8649
8650 { &hf_netlogon_num_rids,
8651 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
8652 NULL, 0x0, "Number of RIDs", HFILL }},
8653
8654 { &hf_netlogon_num_controllers,
8655 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
8656 NULL, 0x0, "Number of domain controllers", HFILL }},
8657
8658 { &hf_netlogon_num_sid,
8659 { "Num Extra SID", "netlogon.num_sid", FT_UINT32, BASE_DEC,
8660 NULL, 0x0, NULL, HFILL }},
8661
8662 { &hf_netlogon_flags,
8663 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
8664 NULL, 0x0, NULL, HFILL }},
8665
8666 { &hf_netlogon_user_account_control,
8667 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
8668 NULL, 0x0, NULL, HFILL }},
8669
8670 { &hf_netlogon_user_flags,
8671 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
8672 NULL, 0x0, NULL, HFILL }},
8673
8674 { &hf_netlogon_auth_flags,
8675 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
8676 NULL, 0x0, NULL, HFILL }},
8677
8678 { &hf_netlogon_systemflags,
8679 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
8680 NULL, 0x0, NULL, HFILL }},
8681
8682 { &hf_netlogon_database_id,
8683 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
8684 NULL, 0x0, NULL, HFILL }},
8685
8686 { &hf_netlogon_sync_context,
8687 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
8688 NULL, 0x0, NULL, HFILL }},
8689
8690 { &hf_netlogon_max_size,
8691 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
8692 NULL, 0x0, "Max Size of database", HFILL }},
8693
8694 { &hf_netlogon_max_log_size,
8695 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
8696 NULL, 0x0, "Max Size of log", HFILL }},
8697
8698 #if 0
8699 { &hf_netlogon_pac_size,
8700 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
8701 NULL, 0x0, "Size of PacData in bytes", HFILL }},
8702 #endif
8703
8704 #if 0
8705 { &hf_netlogon_auth_size,
8706 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
8707 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
8708 #endif
8709
8710 { &hf_netlogon_num_deltas,
8711 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
8712 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
8713
8714 { &hf_netlogon_num_trusts,
8715 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
8716 NULL, 0x0, NULL, HFILL }},
8717
8718 { &hf_netlogon_logon_attempts,
8719 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
8720 NULL, 0x0, "Number of logon attempts", HFILL }},
8721
8722 { &hf_netlogon_pagefilelimit,
8723 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
8724 NULL, 0x0, NULL, HFILL }},
8725
8726 { &hf_netlogon_pagedpoollimit,
8727 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
8728 NULL, 0x0, NULL, HFILL }},
8729
8730 { &hf_netlogon_nonpagedpoollimit,
8731 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
8732 NULL, 0x0, NULL, HFILL }},
8733
8734 { &hf_netlogon_minworkingsetsize,
8735 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
8736 NULL, 0x0, NULL, HFILL }},
8737
8738 { &hf_netlogon_maxworkingsetsize,
8739 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
8740 NULL, 0x0, NULL, HFILL }},
8741
8742 { &hf_netlogon_serial_number,
8743 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
8744 NULL, 0x0, NULL, HFILL }},
8745
8746 { &hf_netlogon_neg_flags,
8747 { "Negotiation options", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
8748 NULL, 0x0, "Negotiation Flags", HFILL }},
8749
8750 #if 0
8751 { &hf_netlogon_neg_flags_80000000,
8752 { "Not used 80000000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000000, "Not used", HFILL }},
8753 #endif
8754
8755 { &hf_netlogon_neg_flags_40000000,
8756 { "Authenticated RPC supported", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000000, NULL, HFILL }},
8757
8758 { &hf_netlogon_neg_flags_20000000,
8759 { "Authenticated RPC via lsass supported", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000000, "rpc via lsass", HFILL }},
8760
8761 #if 0
8762 { &hf_netlogon_neg_flags_10000000,
8763 { "Not used 10000000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000000, "Not used", HFILL }},
8764 #endif
8765
8766 #if 0
8767 { &hf_netlogon_neg_flags_8000000,
8768 { "Not used 8000000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000000, "Not used", HFILL }},
8769 #endif
8770
8771 #if 0
8772 { &hf_netlogon_neg_flags_4000000,
8773 { "Not used 4000000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4000000, "Not used", HFILL }},
8774 #endif
8775
8776 #if 0
8777 { &hf_netlogon_neg_flags_2000000,
8778 { "Not used 2000000", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000000, "Not used", HFILL }},
8779 #endif
8780
8781 { &hf_netlogon_neg_flags_1000000,
8782 { "AES supported", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1000000, "AES", HFILL }},
8783
8784 #if 0
8785 { &hf_netlogon_neg_flags_800000,
8786 { "Not used 800000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800000, "Not used", HFILL }},
8787 #endif
8788
8789 { &hf_netlogon_neg_flags_400000,
8790 { "AES & SHA2 supported", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_USEAES, "AES&SHA2", HFILL }},
8791
8792 { &hf_netlogon_neg_flags_200000,
8793 { "RODC pass-through", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200000, "rodc pt", HFILL }},
8794
8795 { &hf_netlogon_neg_flags_100000,
8796 { "NO NT4 emulation", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100000, "No NT4 emu", HFILL }},
8797
8798 { &hf_netlogon_neg_flags_80000,
8799 { "Cross forest trust", "ntlmssp.neg_flags.na80000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000, NULL, HFILL }},
8800
8801 { &hf_netlogon_neg_flags_40000,
8802 { "GetDomainInfo supported", "ntlmssp.neg_flags.na40000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000, "GetDomainInfo", HFILL }},
8803
8804 { &hf_netlogon_neg_flags_20000,
8805 { "ServerPasswordSet2 supported", "ntlmssp.neg_flags.na20000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000, "PasswordSet2", HFILL }},
8806
8807 { &hf_netlogon_neg_flags_10000,
8808 { "DNS trusts supported", "ntlmssp.neg_flags.na10000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000, "DNS Trusts", HFILL }},
8809
8810 { &hf_netlogon_neg_flags_8000,
8811 { "Transitive trusts", "ntlmssp.neg_flags.na8000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000, "Transitive trust", HFILL }},
8812
8813 { &hf_netlogon_neg_flags_4000,
8814 { "Strong key", "ntlmssp.neg_flags.na4000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_STRONGKEY, NULL, HFILL }},
8815
8816 { &hf_netlogon_neg_flags_2000,
8817 { "Avoid replication Auth database", "ntlmssp.neg_flags.na2000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000, NULL, HFILL }},
8818
8819 { &hf_netlogon_neg_flags_1000,
8820 { "Avoid replication account database", "ntlmssp.neg_flags.na1000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1000, NULL, HFILL }},
8821
8822 { &hf_netlogon_neg_flags_800,
8823 { "Concurent RPC", "ntlmssp.neg_flags.na800", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800, NULL, HFILL }},
8824
8825 { &hf_netlogon_neg_flags_400,
8826 { "Generic pass-through", "ntlmssp.neg_flags.na400", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_400, NULL, HFILL }},
8827
8828 { &hf_netlogon_neg_flags_200,
8829 { "SendToSam", "ntlmssp.neg_flags.na200", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200, NULL, HFILL }},
8830
8831 { &hf_netlogon_neg_flags_100,
8832 { "Refusal of password change", "ntlmssp.neg_flags.na100", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100, "PWD change refusal", HFILL }},
8833
8834 { &hf_netlogon_neg_flags_80,
8835 { "DatabaseRedo call", "ntlmssp.neg_flags.na80", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80, NULL, HFILL }},
8836
8837 { &hf_netlogon_neg_flags_40,
8838 { "Handle multiple SIDs", "ntlmssp.neg_flags.na40", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40, NULL, HFILL }},
8839
8840 { &hf_netlogon_neg_flags_20,
8841 { "Restarting full DC sync", "ntlmssp.neg_flags.na20", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20, NULL, HFILL }},
8842
8843 { &hf_netlogon_neg_flags_10,
8844 { "BDC handling Changelogs", "ntlmssp.neg_flags.na10", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10, "BDC Changelog", HFILL }},
8845
8846 { &hf_netlogon_neg_flags_8,
8847 { "Promotion count(deprecated)", "ntlmssp.neg_flags.na8", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8, "Promotion count", HFILL }},
8848
8849 { &hf_netlogon_neg_flags_4,
8850 { "RC4 encryption", "ntlmssp.neg_flags.na4", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4, "RC4", HFILL }},
8851
8852 { &hf_netlogon_neg_flags_2,
8853 { "NT3.5 BDC continuous update", "ntlmssp.neg_flags.na2", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2, "NT3.5", HFILL }},
8854
8855 { &hf_netlogon_neg_flags_1,
8856 { "Account lockout", "ntlmssp.neg_flags.na1", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1, NULL, HFILL }},
8857
8858 { &hf_netlogon_dc_flags,
8859 { "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
8860 NULL, 0x0, NULL, HFILL }},
8861
8862 { &hf_netlogon_dc_flags_pdc_flag,
8863 { "PDC", "netlogon.dc.flags.pdc",
8864 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
8865 "If this server is a PDC", HFILL }},
8866
8867 { &hf_netlogon_dc_flags_gc_flag,
8868 { "GC", "netlogon.dc.flags.gc",
8869 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
8870 "If this server is a GC", HFILL }},
8871
8872 { &hf_netlogon_dc_flags_ldap_flag,
8873 { "LDAP", "netlogon.dc.flags.ldap",
8874 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
8875 "If this is an LDAP server", HFILL }},
8876
8877 { &hf_netlogon_dc_flags_ds_flag,
8878 { "DS", "netlogon.dc.flags.ds",
8879 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
8880 "If this server is a DS", HFILL }},
8881
8882 { &hf_netlogon_dc_flags_kdc_flag,
8883 { "KDC", "netlogon.dc.flags.kdc",
8884 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
8885 "If this is a KDC", HFILL }},
8886
8887 { &hf_netlogon_dc_flags_timeserv_flag,
8888 { "Timeserv", "netlogon.dc.flags.timeserv",
8889 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
8890 "If this server is a TimeServer", HFILL }},
8891
8892 { &hf_netlogon_dc_flags_closest_flag,
8893 { "Closest", "netlogon.dc.flags.closest",
8894 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
8895 "If this is the closest server", HFILL }},
8896
8897 { &hf_netlogon_dc_flags_writable_flag,
8898 { "Writable", "netlogon.dc.flags.writable",
8899 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
8900 "If this server can do updates to the database", HFILL }},
8901
8902 { &hf_netlogon_dc_flags_good_timeserv_flag,
8903 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
8904 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
8905 "If this is a Good TimeServer", HFILL }},
8906
8907 { &hf_netlogon_dc_flags_ndnc_flag,
8908 { "NDNC", "netlogon.dc.flags.ndnc",
8909 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
8910 "If this is an NDNC server", HFILL }},
8911
8912 { &hf_netlogon_dc_flags_dns_controller_flag,
8913 { "DNS Controller", "netlogon.dc.flags.dns_controller",
8914 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
8915 "If this server is a DNS Controller", HFILL }},
8916
8917 { &hf_netlogon_dc_flags_dns_domain_flag,
8918 { "DNS Domain", "netlogon.dc.flags.dns_domain",
8919 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
8920 NULL, HFILL }},
8921
8922 { &hf_netlogon_dc_flags_dns_forest_flag,
8923 { "DNS Forest", "netlogon.dc.flags.dns_forest",
8924 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
8925 NULL, HFILL }},
8926
8927 { &hf_netlogon_get_dcname_request_flags,
8928 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
8929 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
8930
8931 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
8932 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
8933 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
8934 "Whether to allow the server to returned cached information or not", HFILL }},
8935
8936 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
8937 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
8938 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
8939 "Whether we require that the returned DC supports w2k or not", HFILL }},
8940
8941 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
8942 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
8943 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
8944 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
8945
8946 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
8947 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
8948 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
8949 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
8950
8951 { &hf_netlogon_get_dcname_request_flags_pdc_required,
8952 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
8953 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
8954 "Whether we require the returned DC to be the PDC", HFILL }},
8955
8956 { &hf_netlogon_get_dcname_request_flags_background_only,
8957 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
8958 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
8959 "If we want cached data, even if it may have expired", HFILL }},
8960
8961 { &hf_netlogon_get_dcname_request_flags_ip_required,
8962 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
8963 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
8964 "If we require the IP of the DC in the reply", HFILL }},
8965
8966 { &hf_netlogon_get_dcname_request_flags_kdc_required,
8967 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
8968 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
8969 "If we require that the returned server is a KDC", HFILL }},
8970
8971 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
8972 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
8973 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
8974 "If we require the returned server to be a WindowsTimeServ server", HFILL }},
8975
8976 { &hf_netlogon_get_dcname_request_flags_writable_required,
8977 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
8978 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
8979 "If we require that the returned server is writable", HFILL }},
8980
8981 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
8982 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
8983 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
8984 "If we prefer Windows Time Servers", HFILL }},
8985
8986 { &hf_netlogon_get_dcname_request_flags_avoid_self,
8987 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
8988 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
8989 "Return another DC than the one we ask", HFILL }},
8990
8991 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
8992 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
8993 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
8994 "We just want an LDAP server, it does not have to be a DC", HFILL }},
8995
8996 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
8997 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
8998 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
8999 "If the specified domain name is a NetBIOS name", HFILL }},
9000
9001 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
9002 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
9003 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
9004 "If the specified domain name is a DNS name", HFILL }},
9005
9006 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
9007 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
9008 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
9009 "Only return a DNS name (or an error)", HFILL }},
9010
9011 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
9012 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
9013 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
9014 "Only return a NetBIOS name (or an error)", HFILL }},
9015
9016 { &hf_netlogon_trust_attribs,
9017 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
9018 NULL, 0x0, NULL, HFILL }},
9019
9020 { &hf_netlogon_trust_attribs_non_transitive,
9021 { "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN, 32,
9022 TFS(&trust_attribs_non_transitive), 0x00000001, NULL, HFILL }},
9023
9024 { &hf_netlogon_trust_attribs_uplevel_only,
9025 { "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN, 32,
9026 TFS(&trust_attribs_uplevel_only), 0x00000002, NULL, HFILL }},
9027
9028 { &hf_netlogon_trust_attribs_quarantined_domain,
9029 { "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN, 32,
9030 TFS(&trust_attribs_quarantined_domain), 0x00000004, NULL, HFILL }},
9031
9032 { &hf_netlogon_trust_attribs_forest_transitive,
9033 { "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN, 32,
9034 TFS(&trust_attribs_forest_transitive), 0x00000008, NULL, HFILL }},
9035
9036 { &hf_netlogon_trust_attribs_cross_organization,
9037 { "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN, 32,
9038 TFS(&trust_attribs_cross_organization), 0x00000010, NULL, HFILL }},
9039
9040 { &hf_netlogon_trust_attribs_within_forest,
9041 { "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN, 32,
9042 TFS(&trust_attribs_within_forest), 0x00000020, NULL, HFILL }},
9043
9044 { &hf_netlogon_trust_attribs_treat_as_external,
9045 { "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN, 32,
9046 TFS(&trust_attribs_treat_as_external), 0x00000040, NULL, HFILL }},
9047
9048 { &hf_netlogon_trust_type,
9049 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
9050 VALS(trust_type_vals), 0x0, NULL, HFILL }},
9051
9052 { &hf_netlogon_extraflags,
9053 { "Extra Flags", "netlogon.extra_flags", FT_UINT32, BASE_HEX,
9054 NULL, 0x0, NULL, HFILL }},
9055
9056 { &hf_netlogon_extra_flags_root_forest,
9057 { "Request passed to DC of root forest", "netlogon.extra.flags.rootdc",
9058 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_ROOT_FOREST,
9059 NULL, HFILL }},
9060
9061 { &hf_netlogon_trust_flags_dc_firsthop,
9062 { "DC at the end of the first hop of cross forest", "netlogon.extra.flags.dc_firsthop",
9063 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_DC_XFOREST,
9064 NULL, HFILL }},
9065
9066 { &hf_netlogon_trust_flags_rodc_to_dc,
9067 { "Request from a RODC to a DC from another domain", "netlogon.extra.flags.rodc_to_dc",
9068 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_RODC_DIF_DOMAIN,
9069 NULL, HFILL }},
9070
9071 { &hf_netlogon_trust_flags_rodc_ntlm,
9072 { "Request is a NTLM auth passed by a RODC", "netlogon.extra.flags.rodc_ntlm",
9073 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_NTLM_FROM_RODC,
9074 NULL, HFILL }},
9075
9076 { &hf_netlogon_trust_flags,
9077 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
9078 NULL, 0x0, NULL, HFILL }},
9079
9080 { &hf_netlogon_trust_flags_inbound,
9081 { "Inbound Trust", "netlogon.trust.flags.inbound",
9082 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
9083 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
9084
9085 { &hf_netlogon_trust_flags_outbound,
9086 { "Outbound Trust", "netlogon.trust.flags.outbound",
9087 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
9088 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
9089
9090 { &hf_netlogon_trust_flags_in_forest,
9091 { "In Forest", "netlogon.trust.flags.in_forest",
9092 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
9093 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
9094
9095 { &hf_netlogon_trust_flags_native_mode,
9096 { "Native Mode", "netlogon.trust.flags.native_mode",
9097 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
9098 "Whether the domain is a w2k native mode domain or not", HFILL }},
9099
9100 { &hf_netlogon_trust_flags_primary,
9101 { "Primary", "netlogon.trust.flags.primary",
9102 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
9103 "Whether the domain is the primary domain for the queried server or not", HFILL }},
9104
9105 { &hf_netlogon_trust_flags_tree_root,
9106 { "Tree Root", "netlogon.trust.flags.tree_root",
9107 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
9108 "Whether the domain is the root of the tree for the queried server", HFILL }},
9109
9110 { &hf_netlogon_trust_parent_index,
9111 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
9112 NULL, 0x0, NULL, HFILL }},
9113
9114 { &hf_netlogon_logon_time,
9115 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9116 NULL, 0, "Time for last time this user logged on", HFILL }},
9117
9118 { &hf_netlogon_kickoff_time,
9119 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9120 NULL, 0, "Time when this user will be kicked off", HFILL }},
9121
9122 { &hf_netlogon_logoff_time,
9123 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9124 NULL, 0, "Time for last time this user logged off", HFILL }},
9125
9126 { &hf_netlogon_last_logoff_time,
9127 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9128 NULL, 0, "Time for last time this user logged off", HFILL }},
9129
9130 { &hf_netlogon_pwd_last_set_time,
9131 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9132 NULL, 0, "Last time this users password was changed", HFILL }},
9133
9134 { &hf_netlogon_pwd_age,
9135 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
9136 NULL, 0, "Time since this users password was changed", HFILL }},
9137
9138 { &hf_netlogon_pwd_can_change_time,
9139 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9140 NULL, 0, "When this users password may be changed", HFILL }},
9141
9142 { &hf_netlogon_pwd_must_change_time,
9143 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9144 NULL, 0, "When this users password must be changed", HFILL }},
9145
9146 { &hf_netlogon_domain_create_time,
9147 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9148 NULL, 0, "Time when this domain was created", HFILL }},
9149
9150 { &hf_netlogon_domain_modify_time,
9151 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9152 NULL, 0, "Time when this domain was last modified", HFILL }},
9153
9154 { &hf_netlogon_db_modify_time,
9155 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9156 NULL, 0, "Time when last modified", HFILL }},
9157
9158 { &hf_netlogon_db_create_time,
9159 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9160 NULL, 0, "Time when created", HFILL }},
9161
9162 { &hf_netlogon_cipher_current_set_time,
9163 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9164 NULL, 0, "Time when current cipher was initiated", HFILL }},
9165
9166 { &hf_netlogon_cipher_old_set_time,
9167 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9168 NULL, 0, "Time when previous cipher was initiated", HFILL }},
9169
9170 { &hf_netlogon_audit_retention_period,
9171 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
9172 NULL, 0, NULL, HFILL }},
9173
9174 { &hf_netlogon_timelimit,
9175 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
9176 NULL, 0, NULL, HFILL }},
9177
9178
9179 { &hf_client_credential,
9180 { "Client Credential", "netlogon.clientcred", FT_BYTES, BASE_NONE,
9181 NULL, 0x0, NULL, HFILL }},
9182
9183 { &hf_server_credential,
9184 { "Server Credential", "netlogon.servercred", FT_BYTES, BASE_NONE,
9185 NULL, 0x0, NULL, HFILL }},
9186
9187 { &hf_server_rid,
9188 { "Account RID", "netlogon.serverrid", FT_UINT32, BASE_DEC,
9189 NULL, 0x0, NULL, HFILL }},
9190
9191 { &hf_client_challenge,
9192 { "Client Challenge", "netlogon.clientchallenge", FT_BYTES, BASE_NONE,
9193 NULL, 0x0, NULL, HFILL }},
9194
9195 { &hf_server_challenge,
9196 { "Server Challenge", "netlogon.serverchallenge", FT_BYTES, BASE_NONE,
9197 NULL, 0x0, NULL, HFILL }},
9198
9199 { &hf_netlogon_secchan_nl_message_type,
9200 { "Message Type", "netlogon.secchan.nl_auth_message.message_type", FT_UINT32, BASE_HEX,
9201 VALS(nl_auth_types), 0x0, NULL, HFILL }},
9202
9203 { &hf_netlogon_secchan_nl_message_flags,
9204 { "Message Flags", "netlogon.secchan.nl_auth_message.message_flags", FT_UINT32, BASE_HEX,
9205 NULL, 0x0, NULL, HFILL }},
9206
9207 { &hf_netlogon_secchan_nl_message_flags_nb_domain,
9208 { "NetBios Domain", "netlogon.secchan.nl_auth_message.message_flags.nb_domain", FT_BOOLEAN, 32,
9209 NULL, 0x00000001, NULL, HFILL }},
9210
9211 { &hf_netlogon_secchan_nl_message_flags_nb_host,
9212 { "NetBios Host", "netlogon.secchan.nl_auth_message.message_flags.nb_host", FT_BOOLEAN, 32,
9213 NULL, 0x00000002, NULL, HFILL }},
9214
9215 { &hf_netlogon_secchan_nl_message_flags_dns_domain,
9216 { "DNS Domain", "netlogon.secchan.nl_auth_message.message_flags.dns_domain", FT_BOOLEAN, 32,
9217 NULL, 0x00000004, NULL, HFILL }},
9218
9219 { &hf_netlogon_secchan_nl_message_flags_dns_host,
9220 { "DNS Host", "netlogon.secchan.nl_auth_message.message_flags.dns_host", FT_BOOLEAN, 32,
9221 NULL, 0x00000008, NULL, HFILL }},
9222
9223 { &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
9224 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.message_flags.nb_host_utf8", FT_BOOLEAN, 32,
9225 NULL, 0x00000010, NULL, HFILL }},
9226
9227 { &hf_netlogon_secchan_nl_nb_domain,
9228 { "NetBios Domain", "netlogon.secchan.nl_auth_message.nb_domain", FT_STRING, BASE_NONE,
9229 NULL, 0, NULL, HFILL }},
9230
9231 { &hf_netlogon_secchan_nl_nb_host,
9232 { "NetBios Host", "netlogon.secchan.nl_auth_message.nb_host", FT_STRING, BASE_NONE,
9233 NULL, 0, NULL, HFILL }},
9234
9235 { &hf_netlogon_secchan_nl_nb_host_utf8,
9236 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.nb_host_utf8", FT_STRING, BASE_NONE,
9237 NULL, 0, NULL, HFILL }},
9238
9239 { &hf_netlogon_secchan_nl_dns_domain,
9240 { "DNS Domain", "netlogon.secchan.nl_auth_message.dns_domain", FT_STRING, BASE_NONE,
9241 NULL, 0, NULL, HFILL }},
9242
9243 { &hf_netlogon_secchan_nl_dns_host,
9244 { "DNS Host", "netlogon.secchan.nl_auth_message.dns_host", FT_STRING, BASE_NONE,
9245 NULL, 0, NULL, HFILL }},
9246
9247 { &hf_netlogon_data_length,
9248 { "Length of Data", "netlogon.data.length", FT_UINT32, BASE_DEC,
9249 NULL, 0, NULL, HFILL }},
9250
9251 { &hf_netlogon_package_name,
9252 { "SSP Package Name", "netlogon.data.package_name", FT_STRING, BASE_NONE,
9253 NULL, 0, NULL, HFILL }},
9254
9255 { &hf_netlogon_secchan_verf,
9256 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
9257 NULL, 0x0, "Verifier", HFILL }},
9258
9259 { &hf_netlogon_secchan_verf_signalg,
9260 { "Sign algorithm", "netlogon.secchan.signalg", FT_UINT16, BASE_HEX,
9261 VALS(sign_algs), 0, NULL, HFILL }},
9262
9263 { &hf_netlogon_secchan_verf_sealalg,
9264 { "Seal algorithm", "netlogon.secchan.sealalg", FT_UINT16, BASE_HEX,
9265 VALS(seal_algs), 0, NULL, HFILL }},
9266
9267 { &hf_netlogon_secchan_verf_flag,
9268 { "Flags", "netlogon.secchan.flags", FT_BYTES, BASE_NONE, NULL,
9269 0x0, NULL, HFILL }},
9270
9271 { &hf_netlogon_secchan_verf_digest,
9272 { "Packet Digest", "netlogon.secchan.digest", FT_BYTES, BASE_NONE, NULL,
9273 0x0, NULL, HFILL }},
9274
9275 { &hf_netlogon_secchan_verf_seq,
9276 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_NONE, NULL,
9277 0x0, NULL, HFILL }},
9278
9279 { &hf_netlogon_secchan_verf_nonce,
9280 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_NONE, NULL,
9281 0x0, NULL, HFILL }},
9282
9283 { &hf_netlogon_group_attrs_mandatory,
9284 { "Mandatory", "netlogon.groups.attrs.mandatory",
9285 FT_BOOLEAN, 32, TFS(&group_attrs_mandatory), 0x00000001,
9286 "The group attributes MANDATORY flag", HFILL }},
9287
9288 { &hf_netlogon_group_attrs_enabled_by_default,
9289 { "Enabled By Default", "netlogon.groups.attrs.enabled_by_default",
9290 FT_BOOLEAN, 32, TFS(&group_attrs_enabled_by_default), 0x00000002,
9291 "The group attributes ENABLED_BY_DEFAULT flag", HFILL }},
9292
9293 { &hf_netlogon_group_attrs_enabled,
9294 { "Enabled", "netlogon.groups.attrs.enabled",
9295 FT_BOOLEAN, 32, TFS(&group_attrs_enabled), 0x00000004,
9296 "The group attributes ENABLED flag", HFILL }},
9297
9298 { &hf_netlogon_user_flags_extra_sids,
9299 { "Extra SIDs", "netlogon.user.flags.extra_sids",
9300 FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
9301 "The user flags EXTRA_SIDS", HFILL }},
9302
9303 { &hf_netlogon_user_flags_resource_groups,
9304 { "Resource Groups", "netlogon.user.flags.resource_groups",
9305 FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
9306 "The user flags RESOURCE_GROUPS", HFILL }},
9307
9308 { &hf_netlogon_user_account_control_dont_require_preauth,
9309 { "Don't Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
9310 FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
9311 "The user account control DONT_REQUIRE_PREAUTH flag", HFILL }},
9312
9313 { &hf_netlogon_user_account_control_use_des_key_only,
9314 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
9315 FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
9316 "The user account control use_des_key_only flag", HFILL }},
9317
9318 { &hf_netlogon_user_account_control_not_delegated,
9319 { "Not Delegated", "netlogon.user.account_control.not_delegated",
9320 FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
9321 "The user account control not_delegated flag", HFILL }},
9322
9323 { &hf_netlogon_user_account_control_trusted_for_delegation,
9324 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
9325 FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
9326 "The user account control trusted_for_delegation flag", HFILL }},
9327
9328 { &hf_netlogon_user_account_control_smartcard_required,
9329 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
9330 FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
9331 "The user account control smartcard_required flag", HFILL }},
9332
9333 { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
9334 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
9335 FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
9336 "The user account control encrypted_text_password_allowed flag", HFILL }},
9337
9338 { &hf_netlogon_user_account_control_account_auto_locked,
9339 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
9340 FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
9341 "The user account control account_auto_locked flag", HFILL }},
9342
9343 { &hf_netlogon_user_account_control_dont_expire_password,
9344 { "Don't Expire Password", "netlogon.user.account_control.dont_expire_password",
9345 FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
9346 "The user account control dont_expire_password flag", HFILL }},
9347
9348 { &hf_netlogon_user_account_control_server_trust_account,
9349 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
9350 FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
9351 "The user account control server_trust_account flag", HFILL }},
9352
9353 { &hf_netlogon_user_account_control_workstation_trust_account,
9354 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
9355 FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
9356 "The user account control workstation_trust_account flag", HFILL }},
9357
9358 { &hf_netlogon_user_account_control_interdomain_trust_account,
9359 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
9360 FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
9361 "The user account control interdomain_trust_account flag", HFILL }},
9362
9363 { &hf_netlogon_user_account_control_mns_logon_account,
9364 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
9365 FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
9366 "The user account control mns_logon_account flag", HFILL }},
9367
9368 { &hf_netlogon_user_account_control_normal_account,
9369 { "Normal Account", "netlogon.user.account_control.normal_account",
9370 FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
9371 "The user account control normal_account flag", HFILL }},
9372
9373 { &hf_netlogon_user_account_control_temp_duplicate_account,
9374 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
9375 FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
9376 "The user account control temp_duplicate_account flag", HFILL }},
9377
9378 { &hf_netlogon_user_account_control_password_not_required,
9379 { "Password Not Required", "netlogon.user.account_control.password_not_required",
9380 FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
9381 "The user account control password_not_required flag", HFILL }},
9382
9383 { &hf_netlogon_user_account_control_home_directory_required,
9384 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
9385 FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
9386 "The user account control home_directory_required flag", HFILL }},
9387
9388 { &hf_netlogon_user_account_control_account_disabled,
9389 { "Account Disabled", "netlogon.user.account_control.account_disabled",
9390 FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
9391 "The user account control account_disabled flag", HFILL }},
9392
9393 #if 0
9394 { &hf_netlogon_dnsdomaininfo,
9395 { "DnsDomainInfo", "netlogon.dnsdomaininfo", FT_NONE, BASE_NONE,
9396 NULL, 0x0, NULL, HFILL }},
9397 #endif
9398
9399 { &DnsDomainInfo_sid,
9400 { "Sid", "lsarpc.lsa_DnsDomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9401 { &DomainInfo_sid,
9402 { "Sid", "lsarpc.lsa_DomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9403 { &DnsDomainInfo_domain_guid,
9404 { "Domain Guid", "lsarpc.lsa_DnsDomainInfo.domain_guid", FT_GUID, BASE_NONE, NULL, 0, NULL, HFILL }},
9405 { &DnsDomainInfo_dns_forest,
9406 { "Dns Forest", "lsarpc.lsa_DnsDomainInfo.dns_forest", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9407 { &DnsDomainInfo_dns_domain,
9408 { "Dns Domain", "lsarpc.lsa_DnsDomainInfo.dns_domain", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9409 { &DnsDomainInfo_name,
9410 { "Name", "lsarpc.lsa_DnsDomainInfo.name", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9411 { &hf_netlogon_s4u2proxytarget,
9412 { "S4U2proxyTarget", "netlogon.s4u2proxytarget", FT_STRING, BASE_NONE,
9413 NULL, 0, "Target for constrained delegation using s4u2proxy", HFILL }},
9414 { &hf_netlogon_transitedlistsize,
9415 { "TransitedListSize", "netlogon.transited_list_size", FT_UINT32, BASE_HEX,
9416 NULL, 0x0, "Number of elements in the TransitedServices array.", HFILL }},
9417 { &hf_netlogon_transited_service,
9418 { "Transited Service", "netlogon.transited_service", FT_STRING, BASE_NONE,
9419 NULL, 0, "S4U2 Transited Service name", HFILL }},
9420 };
9421
9422 static gint *ett[] = {
9423 &ett_dcerpc_netlogon,
9424 &ett_authenticate_flags,
9425 &ett_CYPHER_VALUE,
9426 &ett_QUOTA_LIMITS,
9427 &ett_IDENTITY_INFO,
9428 &ett_DELTA_ENUM,
9429 &ett_UNICODE_MULTI,
9430 &ett_DOMAIN_CONTROLLER_INFO,
9431 &ett_UNICODE_STRING_512,
9432 &ett_TYPE_50,
9433 &ett_TYPE_52,
9434 &ett_DELTA_ID_UNION,
9435 &ett_TYPE_44,
9436 &ett_DELTA_UNION,
9437 &ett_LM_OWF_PASSWORD,
9438 &ett_NT_OWF_PASSWORD,
9439 &ett_GROUP_MEMBERSHIP,
9440 &ett_DS_DOMAIN_TRUSTS,
9441 &ett_BLOB,
9442 &ett_DOMAIN_TRUST_INFO,
9443 &ett_LSA_POLICY_INFO,
9444 &ett_trust_flags,
9445 &ett_trust_attribs,
9446 &ett_get_dcname_request_flags,
9447 &ett_dc_flags,
9448 &ett_secchan_nl_auth_message,
9449 &ett_secchan_nl_auth_message_flags,
9450 &ett_secchan_verf,
9451 &ett_group_attrs,
9452 &ett_user_flags,
9453 &ett_nt_counted_longs_as_string,
9454 &ett_user_account_control
9455 };
9456
9457 proto_dcerpc_netlogon = proto_register_protocol(
9458 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
9459
9460 proto_register_field_array(proto_dcerpc_netlogon, hf,
9461 array_length(hf));
9462 proto_register_subtree_array(ett, array_length(ett));
9463 register_init_routine(netlogon_reassemble_init);
9464
9465 }
9466
9467 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
9468 dissect_secchan_nl_auth_message, /* Bind */
9469 dissect_secchan_nl_auth_message, /* Bind ACK */
9470 NULL, /* AUTH3 */
9471 dissect_request_secchan_verf, /* Request verifier */
9472 dissect_response_secchan_verf, /* Response verifier */
9473 dissect_request_data, /* Request data */
9474 dissect_response_data /* Response data */
9475 };
9476
9477 void
9478 proto_reg_handoff_dcerpc_netlogon(void)
9479 {
9480 /* Register protocol as dcerpc */
9481 seen.isseen = FALSE;
9482 seen.num = 0;
9483 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
9484 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
9485 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
9486
9487
9488 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
9489 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
9490 &secchan_auth_fns);
9491 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
9492 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
9493 &secchan_auth_fns);
9494 }