[2007/12/14 15:52:56, 5] lib/debug.c:debug_dump_status(392)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2007/12/14 15:52:56, 3] param/loadparm.c:lp_load(5656)
  lp_load: refreshing parameters
[2007/12/14 15:52:56, 3] param/loadparm.c:init_globals(1457)
  Initialising global parameters
[2007/12/14 15:52:56, 3] param/params.c:pm_process(569)
  params.c:pm_process() - Processing configuration file "/usr/local/samba/lib/smb.conf"
[2007/12/14 15:52:56, 3] param/loadparm.c:do_section(4349)
  Processing section "[global]"
doing parameter workgroup = MM
doing parameter security = domain
doing parameter max log size = 0
doing parameter log file = /var/log/samba/log.%I
doing parameter log level = 10
doing parameter debug pid = yes
doing parameter debug hires timestamp = yes
[2007/12/14 15:52:56.360275, 4, pid=6050] param/loadparm.c:lp_load(5688)
  pm_process() returned Yes
[2007/12/14 15:52:56.360341, 7, pid=6050] param/loadparm.c:lp_servicenumber(5829)
  lp_servicenumber: couldn't find homes
[2007/12/14 15:52:56.360413, 10, pid=6050] param/loadparm.c:set_server_role(4893)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2007/12/14 15:52:56.360965, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset UCS-2LE
[2007/12/14 15:52:56.361081, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset UCS-2LE
[2007/12/14 15:52:56.361115, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset UTF-16LE
[2007/12/14 15:52:56.361160, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset UTF-16LE
[2007/12/14 15:52:56.361193, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset UCS-2BE
[2007/12/14 15:52:56.361225, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset UCS-2BE
[2007/12/14 15:52:56.361256, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset UTF-16BE
[2007/12/14 15:52:56.361288, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset UTF-16BE
[2007/12/14 15:52:56.361319, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset UTF8
[2007/12/14 15:52:56.361917, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset UTF8
[2007/12/14 15:52:56.362085, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset UTF-8
[2007/12/14 15:52:56.362243, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset UTF-8
[2007/12/14 15:52:56.362277, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset ASCII
[2007/12/14 15:52:56.362308, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset ASCII
[2007/12/14 15:52:56.362923, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset 646
[2007/12/14 15:52:56.362956, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset 646
[2007/12/14 15:52:56.363085, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset ISO-8859-1
[2007/12/14 15:52:56.363119, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset ISO-8859-1
[2007/12/14 15:52:56.363150, 5, pid=6050] lib/iconv.c:smb_register_charset(104)
  Attempting to register new charset UCS2-HEX
[2007/12/14 15:52:56.363262, 5, pid=6050] lib/iconv.c:smb_register_charset(112)
  Registered charset UCS2-HEX
[2007/12/14 15:52:56.363983, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.365100, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.365201, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.365248, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.365351, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.365962, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.366077, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.366169, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.366217, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.366302, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.367065, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.367152, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.367238, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.367286, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.367333, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.367955, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.368074, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.368149, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.368197, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.368240, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.368282, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.368328, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.368965, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.369078, 5, pid=6050] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2007/12/14 15:52:56.426182, 5, pid=6050] lib/util.c:init_names(273)
  Netbios name list:-
  my_netbios_names[0]="SARGE26"
[2007/12/14 15:52:56.428213, 2, pid=6050] lib/interface.c:add_interface(334)
  added interface eth0 ip=fe80::20c:29ff:fe06:ad6d%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
[2007/12/14 15:52:56.429067, 2, pid=6050] lib/interface.c:add_interface(334)
  added interface eth1 ip=fe80::20c:29ff:fe06:ad77%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
[2007/12/14 15:52:56.429140, 2, pid=6050] lib/interface.c:add_interface(334)
  added interface eth1 ip=192.168.42.248 bcast=192.168.42.255 netmask=255.255.255.0
[2007/12/14 15:52:56.429180, 2, pid=6050] lib/interface.c:add_interface(334)
  added interface eth0 ip=10.0.27.2 bcast=10.255.255.255 netmask=255.0.0.0
[2007/12/14 15:52:56.429308, 10, pid=6050] libsmb/namequery.c:internal_resolve_name(1443)
  internal_resolve_name: looking up MM#1b (sitename (null))
[2007/12/14 15:52:56.429975, 5, pid=6050] lib/gencache.c:gencache_init(62)
  Opening cache file at /usr/local/samba/var/locks/gencache.tdb
[2007/12/14 15:52:56.430922, 10, pid=6050] lib/gencache.c:gencache_get(219)
  Returning valid cache entry: key = NBT/MM#1B, value = 10.0.27.1:0, timeout = Fri Dec 14 16:01:05 2007
[2007/12/14 15:52:56.431082, 5, pid=6050] libsmb/namecache.c:namecache_fetch(233)
  name MM#1B found.
[2007/12/14 15:52:56.431246, 10, pid=6050] libsmb/namequery.c:name_status_find(319) name_status_find: looking up MM#1b at 10.0.27.1 [2007/12/14 15:52:56.431304, 10, pid=6050] lib/gencache.c:gencache_get(219) Returning valid cache entry: key = NBT/MM#1B.20.10.0.27.1, value = WIN2008, timeout = Fri Dec 14 16:01:05 2007 [2007/12/14 15:52:56.431931, 5, pid=6050] libsmb/namecache.c:namecache_status_fetch(387) namecache_status_fetch: key NBT/MM#1B.20.10.0.27.1 -> WIN2008 [2007/12/14 15:52:56.432961, 3, pid=6050] libsmb/cliconnect.c:cli_start_connection(1560) Connecting to host=WIN2008 [2007/12/14 15:52:56.433156, 3, pid=6050] lib/util_sock.c:open_socket_out(1457) Connecting to 10.0.27.1 at port 445 [2007/12/14 15:52:56.446962, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_KEEPALIVE = 0 [2007/12/14 15:52:56.447109, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_REUSEADDR = 0 [2007/12/14 15:52:56.447146, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_BROADCAST = 0 [2007/12/14 15:52:56.447186, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option TCP_NODELAY = 1 [2007/12/14 15:52:56.447219, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option TCP_KEEPCNT = 9 [2007/12/14 15:52:56.447253, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option TCP_KEEPIDLE = 7200 [2007/12/14 15:52:56.447318, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option TCP_KEEPINTVL = 75 [2007/12/14 15:52:56.447358, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option IPTOS_LOWDELAY = 0 [2007/12/14 15:52:56.447934, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option IPTOS_THROUGHPUT = 0 [2007/12/14 15:52:56.448072, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_SNDBUF = 16384 [2007/12/14 15:52:56.448107, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_RCVBUF = 87380 [2007/12/14 
15:52:56.448140, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_SNDLOWAT = 1 [2007/12/14 15:52:56.448173, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_RCVLOWAT = 1 [2007/12/14 15:52:56.448205, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_SNDTIMEO = 0 [2007/12/14 15:52:56.448241, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_RCVTIMEO = 0 [2007/12/14 15:52:56.448313, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,194) [2007/12/14 15:52:56.448937, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,194) wrote 194 [2007/12/14 15:52:56.450172, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 193 [2007/12/14 15:52:56.450254, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.450280, 5, pid=6050] lib/util.c:show_msg(582) size=193 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=6050 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=28288 (0x6E80) smb_vwv[12]=50515 (0xC553) smb_vwv[13]=24822 (0x60F6) smb_vwv[14]=51262 (0xC83E) smb_vwv[15]=50177 (0xC401) smb_vwv[16]= 255 (0xFF) smb_bcc=124 [2007/12/14 15:52:56.451168, 10, pid=6050] lib/util.c:dump_data(2192) [000] 9C 85 79 AD 09 86 14 47 93 C3 B9 DD FE A9 CB EE ..y­...G .ùÝþ©Ëî [010] 60 6A 06 06 2B 06 01 05 05 02 A0 60 30 5E A0 30 `j..+... .. `0^ 0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. ÷......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H.÷.... ..*.H.÷. [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 2A 30 28 A0 26 1B 24 6E 6F 74 5F 64 65 66 69 £*0( &.$ not_defi [060] 6E 65 64 5F 69 6E 5F 52 46 43 34 31 37 38 40 70 ned_in_R FC4178@p [070] 6C 65 61 73 65 5F 69 67 6E 6F 72 65 lease_ig nore [2007/12/14 15:52:56.452089, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.452116, 5, pid=6050] lib/util.c:show_msg(582) size=193 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=6050 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=28288 (0x6E80) smb_vwv[12]=50515 (0xC553) smb_vwv[13]=24822 (0x60F6) smb_vwv[14]=51262 (0xC83E) smb_vwv[15]=50177 (0xC401) smb_vwv[16]= 255 (0xFF) smb_bcc=124 [2007/12/14 15:52:56.452905, 10, pid=6050] lib/util.c:dump_data(2192) [000] 9C 85 79 AD 09 86 14 47 93 C3 B9 DD FE A9 CB EE ..y­...G .ùÝþ©Ëî [010] 60 6A 06 06 2B 06 01 05 05 02 A0 60 30 5E A0 30 `j..+... .. `0^ 0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. ÷......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H.÷.... ..*.H.÷. [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 2A 30 28 A0 26 1B 24 6E 6F 74 5F 64 65 66 69 £*0( &.$ not_defi [060] 6E 65 64 5F 69 6E 5F 52 46 43 34 31 37 38 40 70 ned_in_R FC4178@p [070] 6C 65 61 73 65 5F 69 67 6E 6F 72 65 lease_ig nore [2007/12/14 15:52:56.453977, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,92) [2007/12/14 15:52:56.454074, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,92) wrote 92 [2007/12/14 15:52:56.455098, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 241 [2007/12/14 15:52:56.455154, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.455179, 5, pid=6050] lib/util.c:show_msg(582) size=241 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=6050 smb_uid=6144 smb_mid=2 smt_wct=3 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 241 (0xF1) smb_vwv[ 2]= 0 (0x0) smb_bcc=200 [2007/12/14 15:52:56.455310, 10, pid=6050] lib/util.c:dump_data(2192) [000] 11 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 .W.i.n.d .o.w.s. [010] 00 53 00 65 00 72 00 76 00 65 00 72 00 20 00 28 .S.e.r.v .e.r. .( [020] 00 52 00 29 00 20 00 32 00 30 00 30 00 38 00 20 .R.). .2 .0.0.8. [030] 00 53 00 74 00 61 00 6E 00 64 00 61 00 72 00 64 .S.t.a.n .d.a.r.d [040] 00 20 00 36 00 30 00 30 00 31 00 20 00 53 00 65 . .6.0.0 .1. .S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 2C 00 20 00 76 00 2E .c.k. .1 .,. .v.. [070] 00 36 00 36 00 37 00 00 00 57 00 69 00 6E 00 64 .6.6.7.. .W.i.n.d [080] 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 00 76 .o.w.s. .S.e.r.v [090] 00 65 00 72 00 20 00 28 00 52 00 29 00 20 00 32 .e.r. .( .R.). .2 [0A0] 00 30 00 30 00 38 00 20 00 53 00 74 00 61 00 6E .0.0.8. .S.t.a.n [0B0] 00 64 00 61 00 72 00 64 00 20 00 36 00 2E 00 30 .d.a.r.d . .6...0 [0C0] 00 00 00 4D 00 4D 00 00 ...M.M.. 
[2007/12/14 15:52:56.456283, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.456310, 5, pid=6050] lib/util.c:show_msg(582) size=241 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=6050 smb_uid=6144 smb_mid=2 smt_wct=3 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 241 (0xF1) smb_vwv[ 2]= 0 (0x0) smb_bcc=200 [2007/12/14 15:52:56.456441, 10, pid=6050] lib/util.c:dump_data(2192) [000] 11 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 .W.i.n.d .o.w.s. [010] 00 53 00 65 00 72 00 76 00 65 00 72 00 20 00 28 .S.e.r.v .e.r. .( [020] 00 52 00 29 00 20 00 32 00 30 00 30 00 38 00 20 .R.). .2 .0.0.8. [030] 00 53 00 74 00 61 00 6E 00 64 00 61 00 72 00 64 .S.t.a.n .d.a.r.d [040] 00 20 00 36 00 30 00 30 00 31 00 20 00 53 00 65 . .6.0.0 .1. .S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 2C 00 20 00 76 00 2E .c.k. .1 .,. .v.. [070] 00 36 00 36 00 37 00 00 00 57 00 69 00 6E 00 64 .6.6.7.. .W.i.n.d [080] 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 00 76 .o.w.s. .S.e.r.v [090] 00 65 00 72 00 20 00 28 00 52 00 29 00 20 00 32 .e.r. .( .R.). .2 [0A0] 00 30 00 30 00 38 00 20 00 53 00 74 00 61 00 6E .0.0.8. .S.t.a.n [0B0] 00 64 00 61 00 72 00 64 00 20 00 36 00 2E 00 30 .d.a.r.d . .6...0 [0C0] 00 00 00 4D 00 4D 00 00 ...M.M.. 
[2007/12/14 15:52:56.457512, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,82) [2007/12/14 15:52:56.457600, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,82) wrote 82 [2007/12/14 15:52:56.459075, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 56 [2007/12/14 15:52:56.459130, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.459154, 5, pid=6050] lib/util.c:show_msg(582) size=56 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=3 smt_wct=7 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 1 (0x1) smb_vwv[ 3]=65535 (0xFFFF) smb_vwv[ 4]= 31 (0x1F) smb_vwv[ 5]=65535 (0xFFFF) smb_vwv[ 6]= 31 (0x1F) smb_bcc=7 [2007/12/14 15:52:56.459940, 10, pid=6050] lib/util.c:dump_data(2192) [000] 49 50 43 00 00 00 00 IPC.... [2007/12/14 15:52:56.460079, 10, pid=6050] libsmb/clientgen.c:cli_init_creds(415) cli_init_creds: user domain [2007/12/14 15:52:56.460132, 10, pid=6050] libsmb/namequery.c:saf_store(75) saf_store: domain = [MM], server = [WIN2008], expire = [1197644876] [2007/12/14 15:52:56.460179, 10, pid=6050] lib/gencache.c:gencache_set(138) Adding cache entry with key = SAF/DOMAIN/MM; value = WIN2008 and timeout = Fri Dec 14 16:07:56 2007 (900 seconds ahead) [2007/12/14 15:52:56.460901, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,104) [2007/12/14 15:52:56.461069, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,104) wrote 104 [2007/12/14 15:52:56.462111, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 103 [2007/12/14 15:52:56.462176, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.462201, 5, pid=6050] lib/util.c:show_msg(582) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1024 
(0x400) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2007/12/14 15:52:56.463108, 5, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2045) Bind RPC Pipe[8004]: \lsarpc auth_type 0, auth_level 0 [2007/12/14 15:52:56.463158, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1648) Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4.Í« ï..#Eg.« [010] 00 00 00 00 .... [2007/12/14 15:52:56.463285, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1651) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... 
[2007/12/14 15:52:56.463918, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:52:56.464159, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.464196, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.464228, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0b [2007/12/14 15:52:56.464260, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.464292, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.464324, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.464894, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.464927, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.465059, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0048 [2007/12/14 15:52:56.465094, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.465126, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000001 [2007/12/14 15:52:56.465159, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_rb [2007/12/14 15:52:56.465223, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:52:56.465255, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:52:56.465287, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:52:56.465319, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 00000000 [2007/12/14 15:52:56.465914, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0018 num_contexts: 01 [2007/12/14 15:52:56.466050, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 001c context_id : 0000 [2007/12/14 15:52:56.466084, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 001e 
num_transfer_syntaxes: 01 [2007/12/14 15:52:56.466117, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 00001f smb_io_rpc_iface [2007/12/14 15:52:56.466157, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000020 smb_io_uuid uuid [2007/12/14 15:52:56.466191, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 data : 12345778 [2007/12/14 15:52:56.466223, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0024 data : 1234 [2007/12/14 15:52:56.466255, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0026 data : abcd [2007/12/14 15:52:56.466287, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0028 data : ef 00 [2007/12/14 15:52:56.466930, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 002a data : 01 23 45 67 89 ab [2007/12/14 15:52:56.467053, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 version: 00000000 [2007/12/14 15:52:56.467087, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_rpc_iface [2007/12/14 15:52:56.467118, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_uuid uuid [2007/12/14 15:52:56.467150, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0034 data : 8a885d04 [2007/12/14 15:52:56.467181, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0038 data : 1ceb [2007/12/14 15:52:56.467213, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 003a data : 11c9 [2007/12/14 15:52:56.467245, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003c data : 9f e8 [2007/12/14 15:52:56.467278, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003e data : 08 00 2b 10 48 60 [2007/12/14 15:52:56.467898, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0044 version: 00000002 [2007/12/14 15:52:56.468048, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8004 [2007/12/14 15:52:56.468138, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.468167, 5, pid=6050] lib/util.c:show_msg(582) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 
smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32772 (0x8004) smb_bcc=87 [2007/12/14 15:52:56.468979, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 .¸...... .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.Í«ï ..#Eg.«. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... [2007/12/14 15:52:56.469269, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,158) [2007/12/14 15:52:56.469370, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,158) wrote 158 [2007/12/14 15:52:56.470930, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 124 [2007/12/14 15:52:56.471108, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.471136, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:52:56.471323, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 ........ .D...... [010] 00 B8 10 B8 10 5D 98 00 00 0C 00 5C 70 69 70 65 .¸.¸.].. 
...\pipe [020] 5C 6C 73 61 73 73 00 00 C0 01 00 00 00 00 00 00 \lsass.. À....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... [2007/12/14 15:52:56.472123, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.472150, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:52:56.472335, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 ........ .D...... [010] 00 B8 10 B8 10 5D 98 00 00 0C 00 5C 70 69 70 65 .¸.¸.].. ...\pipe [020] 5C 6C 73 61 73 73 00 00 C0 01 00 00 00 00 00 00 \lsass.. À....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2007/12/14 15:52:56.473094, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:52:56.473148, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.473182, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.473214, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:52:56.473246, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.473278, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.473310, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.473922, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.474060, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.474094, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:52:56.474126, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.474186, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000001 [2007/12/14 15:52:56.474243, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 68 at offset 0 [2007/12/14 15:52:56.474279, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8004 returned 68 bytes. [2007/12/14 15:52:56.474904, 3, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2082) rpc_pipe_bind: Remote machine WIN2008 pipe \lsarpc fnum 0x8004 bind request returned ok. 
[2007/12/14 15:52:56.475046, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:52:56.475081, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.475114, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.475146, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:52:56.475177, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.475210, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.475241, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.475274, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.475914, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.476047, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:52:56.476081, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.476113, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000001 [2007/12/14 15:52:56.476146, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_ba [2007/12/14 15:52:56.476179, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:52:56.476211, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:52:56.476243, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:52:56.476275, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 0000985d [2007/12/14 15:52:56.476308, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000018 smb_io_rpc_addr_str [2007/12/14 15:52:56.477127, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0018 len: 000c [2007/12/14 15:52:56.477170, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 001a str: 
\pipe\lsass. [2007/12/14 15:52:56.477252, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000026 smb_io_rpc_results [2007/12/14 15:52:56.477287, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0028 num_results: 01 [2007/12/14 15:52:56.477319, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002c result : 0000 [2007/12/14 15:52:56.477361, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002e reason : 0000 [2007/12/14 15:52:56.477920, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_rpc_iface [2007/12/14 15:52:56.478047, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_uuid uuid [2007/12/14 15:52:56.478082, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 data : 8a885d04 [2007/12/14 15:52:56.478114, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0034 data : 1ceb [2007/12/14 15:52:56.478146, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0036 data : 11c9 [2007/12/14 15:52:56.478210, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0038 data : 9f e8 [2007/12/14 15:52:56.478249, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003a data : 08 00 2b 10 48 60 [2007/12/14 15:52:56.478286, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0040 version: 00000002 [2007/12/14 15:52:56.478899, 5, pid=6050] rpc_client/cli_pipe.c:check_bind_response(1702) check_bind_response: accepted! [2007/12/14 15:52:56.478933, 10, pid=6050] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2278) cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine WIN2008 and bound anonymously. 
[2007/12/14 15:52:56.479089, 5, pid=6050] rpc_parse/parse_lsa.c:init_q_open_pol(303) init_open_pol: attr:0 da:33554432 [2007/12/14 15:52:56.479123, 5, pid=6050] rpc_parse/parse_lsa.c:init_lsa_obj_attr(235) init_lsa_obj_attr [2007/12/14 15:52:56.479183, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 lsa_io_q_open_pol [2007/12/14 15:52:56.479251, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 ptr : 00000001 [2007/12/14 15:52:56.479285, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0004 system_name: 005c [2007/12/14 15:52:56.479916, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000008 lsa_io_obj_attr [2007/12/14 15:52:56.480046, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0008 len : 00000018 [2007/12/14 15:52:56.480080, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c ptr_root_dir: 00000000 [2007/12/14 15:52:56.480112, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 ptr_obj_name: 00000000 [2007/12/14 15:52:56.480145, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 attributes : 00000000 [2007/12/14 15:52:56.480177, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0018 ptr_sec_desc: 00000000 [2007/12/14 15:52:56.480209, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 001c ptr_sec_qos : 00000000 [2007/12/14 15:52:56.480242, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 des_access: 02000000 [2007/12/14 15:52:56.480907, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:52:56.481046, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.481080, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.481144, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:52:56.481178, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.481211, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.481242, 5, 
pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.481274, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.481306, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.481917, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 003c [2007/12/14 15:52:56.482045, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.482114, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000002 [2007/12/14 15:52:56.482150, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:52:56.482183, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000024 [2007/12/14 15:52:56.482215, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.482278, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0006 [2007/12/14 15:52:56.482902, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8004 [2007/12/14 15:52:56.483046, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.483071, 5, pid=6050] lib/util.c:show_msg(582) size=142 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 60 (0x3C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 60 (0x3C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32772 (0x8004) smb_bcc=75 [2007/12/14 15:52:56.483302, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... 
[010] 00 00 03 10 00 00 00 3C 00 00 00 02 00 00 00 24 .......< .......$ [020] 00 00 00 00 00 06 00 01 00 00 00 5C 00 00 00 18 ........ ...\.... [030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [040] 00 00 00 00 00 00 00 00 00 00 02 ........ ... [2007/12/14 15:52:56.484134, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,146) [2007/12/14 15:52:56.484186, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,146) wrote 146 [2007/12/14 15:52:56.485163, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 104 [2007/12/14 15:52:56.485234, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.485259, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:52:56.486046, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 02 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 FB D7 17 ........ .....û×. [020] ED 7E 3D 6D 41 94 E4 C8 62 12 C2 D4 D3 00 00 00 í~=mA.äÈ b.ÂÔÓ... [030] 00 . 
[2007/12/14 15:52:56.486251, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.486277, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:52:56.486965, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 02 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 FB D7 17 ........ .....û×. [020] ED 7E 3D 6D 41 94 E4 C8 62 12 C2 D4 D3 00 00 00 í~=mA.äÈ b.ÂÔÓ... [030] 00 . [2007/12/14 15:52:56.487177, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:52:56.487245, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.487279, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.487311, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:52:56.487342, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.487374, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.487897, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.487930, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.488070, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.488104, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0030 [2007/12/14 15:52:56.488192, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.488226, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000002 
[2007/12/14 15:52:56.488260, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:52:56.488325, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000018 [2007/12/14 15:52:56.488921, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.489046, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:52:56.489079, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:52:56.489111, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 [2007/12/14 15:52:56.489156, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 48 at offset 0 [2007/12/14 15:52:56.489192, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8004 returned 48 bytes. [2007/12/14 15:52:56.489232, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 lsa_io_r_open_pol [2007/12/14 15:52:56.489267, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd [2007/12/14 15:52:56.489300, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:52:56.489910, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:52:56.490042, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : ed17d7fb [2007/12/14 15:52:56.490106, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 3d7e [2007/12/14 15:52:56.490138, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 416d [2007/12/14 15:52:56.490170, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : 94 e4 [2007/12/14 15:52:56.490205, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : c8 62 12 c2 d4 d3 [2007/12/14 15:52:56.490242, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0014 status: 
NT_STATUS_OK [2007/12/14 15:52:56.490292, 5, pid=6050] rpc_parse/parse_lsa.c:init_q_query(487) init_q_query [2007/12/14 15:52:56.490914, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 lsa_io_q_query [2007/12/14 15:52:56.491044, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd [2007/12/14 15:52:56.491079, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:52:56.491110, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:52:56.491142, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : ed17d7fb [2007/12/14 15:52:56.491223, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 3d7e [2007/12/14 15:52:56.491259, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 416d [2007/12/14 15:52:56.491292, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : 94 e4 [2007/12/14 15:52:56.491905, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : c8 62 12 c2 d4 d3 [2007/12/14 15:52:56.492045, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 info_class: 0005 [2007/12/14 15:52:56.492084, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:52:56.492117, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.492149, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.492181, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:52:56.492212, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.492244, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.492275, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.492307, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.492954, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 
pack_type3: 00 [2007/12/14 15:52:56.493064, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 002e [2007/12/14 15:52:56.493098, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.493130, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000003 [2007/12/14 15:52:56.493161, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:52:56.493193, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000016 [2007/12/14 15:52:56.493225, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.493257, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0007 [2007/12/14 15:52:56.493306, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8004 [2007/12/14 15:52:56.493912, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.493937, 5, pid=6050] lib/util.c:show_msg(582) size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=7 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32772 (0x8004) smb_bcc=61 [2007/12/14 15:52:56.494295, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 03 00 00 00 16 ........ ........ [020] 00 00 00 00 00 07 00 00 00 00 00 FB D7 17 ED 7E ........ ...û×.í~ [030] 3D 6D 41 94 E4 C8 62 12 C2 D4 D3 05 00 =mA.äÈb. ÂÔÓ.. 
[2007/12/14 15:52:56.494959, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,132) [2007/12/14 15:52:56.495905, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,132) wrote 132 [2007/12/14 15:52:56.496144, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 148 [2007/12/14 15:52:56.496195, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.496220, 5, pid=6050] lib/util.c:show_msg(582) size=148 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 92 (0x5C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 92 (0x5C) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=93 [2007/12/14 15:52:56.496985, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 5C 00 00 00 03 00 00 ........ .\...... [010] 00 44 00 00 00 00 00 00 00 00 00 02 00 05 00 00 .D...... ........ [020] 00 04 00 06 00 04 00 02 00 08 00 02 00 03 00 00 ........ ........ [030] 00 00 00 00 00 02 00 00 00 4D 00 4D 00 04 00 00 ........ .M.M.... [040] 00 01 04 00 00 00 00 00 05 15 00 00 00 D0 C2 54 ........ .....ÐÂT [050] 8B 0C F8 91 62 2F 75 AA ED 00 00 00 00 ..ø.b/uª í.... [2007/12/14 15:52:56.497238, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.497263, 5, pid=6050] lib/util.c:show_msg(582) size=148 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 92 (0x5C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 92 (0x5C) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=93 [2007/12/14 15:52:56.497925, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 5C 00 00 00 03 00 00 ........ .\...... 
[010] 00 44 00 00 00 00 00 00 00 00 00 02 00 05 00 00 .D...... ........ [020] 00 04 00 06 00 04 00 02 00 08 00 02 00 03 00 00 ........ ........ [030] 00 00 00 00 00 02 00 00 00 4D 00 4D 00 04 00 00 ........ .M.M.... [040] 00 01 04 00 00 00 00 00 05 15 00 00 00 D0 C2 54 ........ .....ÐÂT [050] 8B 0C F8 91 62 2F 75 AA ED 00 00 00 00 ..ø.b/uª í.... [2007/12/14 15:52:56.498218, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:52:56.498253, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.498285, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.498316, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:52:56.498380, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.498414, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.498903, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.499040, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.499074, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.499105, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 005c [2007/12/14 15:52:56.499137, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.499168, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000003 [2007/12/14 15:52:56.499201, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:52:56.499233, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000044 [2007/12/14 15:52:56.499264, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.499296, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:52:56.499980, 5, 
pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:52:56.500073, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 92, data_len 68, ss_len 0 [2007/12/14 15:52:56.500108, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 92 at offset 0 [2007/12/14 15:52:56.500179, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8004 returned 136 bytes. [2007/12/14 15:52:56.500246, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 lsa_io_r_query [2007/12/14 15:52:56.500285, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 dom_ptr: 00020000 [2007/12/14 15:52:56.500317, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 lsa_io_query_info_ctr [2007/12/14 15:52:56.500908, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0004 info_class: 0005 [2007/12/14 15:52:56.501041, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000008 lsa_io_dom_query_3 [2007/12/14 15:52:56.501075, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 uni_dom_max_len: 0004 [2007/12/14 15:52:56.501139, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a uni_dom_str_len: 0006 [2007/12/14 15:52:56.501174, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c buffer_dom_name: 00020004 [2007/12/14 15:52:56.501206, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 buffer_dom_sid : 00020008 [2007/12/14 15:52:56.501238, 8, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000014 smb_io_unistr2 unistr2 [2007/12/14 15:52:56.501270, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 uni_max_len: 00000003 [2007/12/14 15:52:56.501302, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0018 offset : 00000000 [2007/12/14 15:52:56.501912, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 001c uni_str_len: 00000002 [2007/12/14 15:52:56.502043, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0020 buffer 
: M.M. [2007/12/14 15:52:56.502090, 8, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000024 smb_io_dom_sid2 [2007/12/14 15:52:56.502124, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0024 num_auths: 00000004 [2007/12/14 15:52:56.502156, 9, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000028 smb_io_dom_sid sid [2007/12/14 15:52:56.502264, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0028 sid_rev_num: 01 [2007/12/14 15:52:56.502304, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0029 num_auths : 04 [2007/12/14 15:52:56.502916, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002a id_auth[0] : 00 [2007/12/14 15:52:56.503043, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002b id_auth[1] : 00 [2007/12/14 15:52:56.503078, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002c id_auth[2] : 00 [2007/12/14 15:52:56.503111, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002d id_auth[3] : 00 [2007/12/14 15:52:56.503144, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002e id_auth[4] : 00 [2007/12/14 15:52:56.503177, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002f id_auth[5] : 05 [2007/12/14 15:52:56.503209, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32s(1005) 0030 sub_auths : 00000015 8b54c2d0 6291f80c edaa752f [2007/12/14 15:52:56.503247, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0040 status: NT_STATUS_OK lsa_Close: struct lsa_Close in: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : ed17d7fb-3d7e-416d-94e4-c86212c2d4d3 [2007/12/14 15:52:56.504269, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:52:56.504327, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.504909, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.505087, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:52:56.505123, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 
flags : 03 [2007/12/14 15:52:56.505186, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.505218, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.505250, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.505282, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.505314, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 002c [2007/12/14 15:52:56.505895, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.505929, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000004 [2007/12/14 15:52:56.506065, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:52:56.506100, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000014 [2007/12/14 15:52:56.506132, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.506164, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0000 [2007/12/14 15:52:56.506197, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8004 [2007/12/14 15:52:56.506236, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.506309, 5, pid=6050] lib/util.c:show_msg(582) size=126 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=8 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 44 (0x2C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 44 (0x2C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32772 (0x8004) smb_bcc=59 [2007/12/14 15:52:56.506958, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 
00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2C 00 00 00 04 00 00 00 14 ......., ........ [020] 00 00 00 00 00 00 00 00 00 00 00 FB D7 17 ED 7E ........ ...û×.í~ [030] 3D 6D 41 94 E4 C8 62 12 C2 D4 D3 =mA.äÈb. ÂÔÓ [2007/12/14 15:52:56.507129, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,130) [2007/12/14 15:52:56.507219, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,130) wrote 130 [2007/12/14 15:52:56.508098, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 104 [2007/12/14 15:52:56.508159, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.508184, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=8 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:52:56.508372, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [030] 00 . 
[2007/12/14 15:52:56.508512, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.508662, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=8 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:52:56.508994, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [030] 00 . [2007/12/14 15:52:56.509220, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:52:56.509255, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.509287, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.509318, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:52:56.509350, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.509381, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.509413, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.509444, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.509475, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.509540, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0030 [2007/12/14 15:52:56.509574, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.509606, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000004 
[2007/12/14 15:52:56.509639, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:52:56.509671, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000018 [2007/12/14 15:52:56.509702, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.509734, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:52:56.509765, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:52:56.509797, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 [2007/12/14 15:52:56.509831, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 48 at offset 0 [2007/12/14 15:52:56.509865, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8004 returned 48 bytes. lsa_Close: struct lsa_Close out: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK [2007/12/14 15:52:56.510128, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,45) [2007/12/14 15:52:56.510682, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,45) wrote 45 [2007/12/14 15:52:56.510770, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 35 [2007/12/14 15:52:56.510820, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.510845, 5, pid=6050] lib/util.c:show_msg(582) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=9 smt_wct=0 smb_bcc=0 [2007/12/14 15:52:56.510955, 10, pid=6050] libsmb/clientgen.c:cli_rpc_pipe_close(553) cli_rpc_pipe_close: closed pipe \lsarpc to machine WIN2008 [2007/12/14 15:52:56.511012, 6, pid=6050] libsmb/clientgen.c:write_socket(255) 
write_socket(4,108) [2007/12/14 15:52:56.511069, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,108) wrote 108 [2007/12/14 15:52:56.511751, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 103 [2007/12/14 15:52:56.511810, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.511859, 5, pid=6050] lib/util.c:show_msg(582) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=10 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1280 (0x500) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2007/12/14 15:52:56.512303, 5, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2045) Bind RPC Pipe[8005]: \NETLOGON auth_type 0, auth_level 0 [2007/12/14 15:52:56.512440, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1648) Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4.Í« ï..#EgÏû [010] 01 00 00 00 .... [2007/12/14 15:52:56.512524, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1651) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... 
[2007/12/14 15:52:56.512606, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:52:56.512645, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.512677, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.512806, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0b [2007/12/14 15:52:56.512870, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.512908, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.512941, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.512974, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.513006, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.513054, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0048 [2007/12/14 15:52:56.513088, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.513120, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000005 [2007/12/14 15:52:56.513153, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_rb [2007/12/14 15:52:56.513186, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:52:56.513218, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:52:56.513250, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:52:56.513351, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 00000000 [2007/12/14 15:52:56.513393, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0018 num_contexts: 01 [2007/12/14 15:52:56.513426, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 001c context_id : 0000 [2007/12/14 15:52:56.513459, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 001e 
num_transfer_syntaxes: 01 [2007/12/14 15:52:56.513491, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 00001f smb_io_rpc_iface [2007/12/14 15:52:56.513523, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000020 smb_io_uuid uuid [2007/12/14 15:52:56.513555, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 data : 12345678 [2007/12/14 15:52:56.513587, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0024 data : 1234 [2007/12/14 15:52:56.513619, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0026 data : abcd [2007/12/14 15:52:56.513651, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0028 data : ef 00 [2007/12/14 15:52:56.513686, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 002a data : 01 23 45 67 cf fb [2007/12/14 15:52:56.513723, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 version: 00000001 [2007/12/14 15:52:56.513755, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_rpc_iface [2007/12/14 15:52:56.513816, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_uuid uuid [2007/12/14 15:52:56.513853, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0034 data : 8a885d04 [2007/12/14 15:52:56.513891, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0038 data : 1ceb [2007/12/14 15:52:56.513925, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 003a data : 11c9 [2007/12/14 15:52:56.513957, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003c data : 9f e8 [2007/12/14 15:52:56.513991, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003e data : 08 00 2b 10 48 60 [2007/12/14 15:52:56.514045, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0044 version: 00000002 [2007/12/14 15:52:56.514080, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8005 [2007/12/14 15:52:56.514115, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.514139, 5, pid=6050] lib/util.c:show_msg(582) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 
smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32773 (0x8005) smb_bcc=87 [2007/12/14 15:52:56.514400, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 05 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 .¸...... .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.Í«ï ..#EgÏû. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... [2007/12/14 15:52:56.514602, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,158) [2007/12/14 15:52:56.514989, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,158) wrote 158 [2007/12/14 15:52:56.515125, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 124 [2007/12/14 15:52:56.515213, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.515242, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:52:56.515425, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 05 00 00 ........ .D...... [010] 00 B8 10 B8 10 5E 98 00 00 0C 00 5C 70 69 70 65 .¸.¸.^.. 
...\pipe [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... [2007/12/14 15:52:56.515623, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.515649, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:52:56.515854, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 05 00 00 ........ .D...... [010] 00 B8 10 B8 10 5E 98 00 00 0C 00 5C 70 69 70 65 .¸.¸.^.. ...\pipe [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2007/12/14 15:52:56.515947, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:52:56.515982, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.516119, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.516152, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:52:56.516208, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.516240, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.516272, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.516303, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.516335, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.516367, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:52:56.516398, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.516430, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000005 [2007/12/14 15:52:56.516463, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 68 at offset 0 [2007/12/14 15:52:56.516614, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8005 returned 68 bytes. [2007/12/14 15:52:56.516647, 3, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2082) rpc_pipe_bind: Remote machine WIN2008 pipe \NETLOGON fnum 0x8005 bind request returned ok. 
[2007/12/14 15:52:56.516680, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:52:56.516712, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.516744, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.516813, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:52:56.516847, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.516884, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.516918, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.516950, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.517063, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.517098, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:52:56.517129, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.517161, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000005 [2007/12/14 15:52:56.517194, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_ba [2007/12/14 15:52:56.517226, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:52:56.517258, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:52:56.517290, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:52:56.517322, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 0000985e [2007/12/14 15:52:56.517354, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000018 smb_io_rpc_addr_str [2007/12/14 15:52:56.517386, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0018 len: 000c [2007/12/14 15:52:56.517418, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 001a str: 
\pipe\lsass. [2007/12/14 15:52:56.517491, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000026 smb_io_rpc_results [2007/12/14 15:52:56.517526, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0028 num_results: 01 [2007/12/14 15:52:56.517558, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002c result : 0000 [2007/12/14 15:52:56.517590, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002e reason : 0000 [2007/12/14 15:52:56.517622, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_rpc_iface [2007/12/14 15:52:56.517654, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_uuid uuid [2007/12/14 15:52:56.517686, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 data : 8a885d04 [2007/12/14 15:52:56.517718, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0034 data : 1ceb [2007/12/14 15:52:56.517750, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0036 data : 11c9 [2007/12/14 15:52:56.517782, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0038 data : 9f e8 [2007/12/14 15:52:56.517816, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003a data : 08 00 2b 10 48 60 [2007/12/14 15:52:56.517854, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0040 version: 00000002 [2007/12/14 15:52:56.517892, 5, pid=6050] rpc_client/cli_pipe.c:check_bind_response(1702) check_bind_response: accepted! [2007/12/14 15:52:56.517926, 10, pid=6050] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2278) cli_rpc_pipe_open_noauth: opened pipe \NETLOGON to machine WIN2008 and bound anonymously. 
[2007/12/14 15:52:56.518124, 4, pid=6050] rpc_client/cli_netlogon.c:rpccli_net_req_chal(45) cli_net_req_chal: LSA Request Challenge from SARGE26 to \\WIN2008 [2007/12/14 15:52:56.518171, 5, pid=6050] rpc_parse/parse_net.c:init_q_req_chal(762) init_q_req_chal: 762 [2007/12/14 15:52:56.518245, 5, pid=6050] rpc_parse/parse_net.c:init_q_req_chal(771) init_q_req_chal: 771 [2007/12/14 15:52:56.518332, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 net_io_q_req_chal [2007/12/14 15:52:56.518370, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 undoc_buffer: 00000001 [2007/12/14 15:52:56.518465, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_unistr2 [2007/12/14 15:52:56.518500, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 uni_max_len: 0000000a [2007/12/14 15:52:56.518532, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0008 offset : 00000000 [2007/12/14 15:52:56.518564, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c uni_str_len: 0000000a [2007/12/14 15:52:56.518596, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0010 buffer : \.\.W.I.N.2.0.0.8... [2007/12/14 15:52:56.518642, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000024 smb_io_unistr2 [2007/12/14 15:52:56.518674, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0024 uni_max_len: 00000008 [2007/12/14 15:52:56.518706, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0028 offset : 00000000 [2007/12/14 15:52:56.518738, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 002c uni_str_len: 00000008 [2007/12/14 15:52:56.518770, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0030 buffer : S.A.R.G.E.2.6... 
[2007/12/14 15:52:56.518820, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000040 smb_io_chal [2007/12/14 15:52:56.518854, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0040 data: 37 50 89 c9 79 af 7b 6f [2007/12/14 15:52:56.519069, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:52:56.519110, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.519142, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.519173, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:52:56.519205, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.519237, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.519268, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.519300, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.519332, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.519363, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0060 [2007/12/14 15:52:56.519395, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.519461, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000006 [2007/12/14 15:52:56.519494, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:52:56.519526, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000048 [2007/12/14 15:52:56.519558, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.519590, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0004 [2007/12/14 15:52:56.519622, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8005 [2007/12/14 15:52:56.519656, 5, 
pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.519680, 5, pid=6050] lib/util.c:show_msg(582) size=178 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=12 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 96 (0x60) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 96 (0x60) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32773 (0x8005) smb_bcc=111 [2007/12/14 15:52:56.520067, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 60 00 00 00 06 00 00 00 48 .......` .......H [020] 00 00 00 00 00 04 00 01 00 00 00 0A 00 00 00 00 ........ ........ [030] 00 00 00 0A 00 00 00 5C 00 5C 00 57 00 49 00 4E .......\ .\.W.I.N [040] 00 32 00 30 00 30 00 38 00 00 00 08 00 00 00 00 .2.0.0.8 ........ 
[050] 00 00 00 08 00 00 00 53 00 41 00 52 00 47 00 45 .......S .A.R.G.E [060] 00 32 00 36 00 00 00 37 50 89 C9 79 AF 7B 6F .2.6...7 P.Éy¯{o [2007/12/14 15:52:56.520308, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,182) [2007/12/14 15:52:56.520351, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,182) wrote 182 [2007/12/14 15:52:56.521071, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 92 [2007/12/14 15:52:56.521170, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.521200, 5, pid=6050] lib/util.c:show_msg(582) size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=12 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [2007/12/14 15:52:56.521387, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 06 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 AB 68 2A 95 44 4C 51 ........ .«h*.DLQ [020] 3A 00 00 00 00 :.... [2007/12/14 15:52:56.521516, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.521540, 5, pid=6050] lib/util.c:show_msg(582) size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=12 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [2007/12/14 15:52:56.521756, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 06 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 AB 68 2A 95 44 4C 51 ........ .«h*.DLQ [020] 3A 00 00 00 00 :.... 
[2007/12/14 15:52:56.521875, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:52:56.521911, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.521943, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.521975, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:52:56.522041, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.522074, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.522106, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.522169, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.522203, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.522235, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0024 [2007/12/14 15:52:56.522267, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.522299, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000006 [2007/12/14 15:52:56.522332, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:52:56.522404, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 0000000c [2007/12/14 15:52:56.522440, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.522472, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:52:56.522504, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:52:56.522536, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 36, data_len 12, ss_len 0 [2007/12/14 15:52:56.522570, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 36 
at offset 0 [2007/12/14 15:52:56.522604, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8005 returned 24 bytes. [2007/12/14 15:52:56.522665, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 net_io_r_req_chal [2007/12/14 15:52:56.522700, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_chal [2007/12/14 15:52:56.522733, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0000 data: ab 68 2a 95 44 4c 51 3a [2007/12/14 15:52:56.522772, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0008 status: NT_STATUS_OK [2007/12/14 15:52:56.522823, 10, pid=6050] libsmb/credentials.c:creds_client_init(289) creds_client_init: neg_flags : 701ff [2007/12/14 15:52:56.522920, 10, pid=6050] libsmb/credentials.c:creds_client_init(290) creds_client_init: client chal : 375089C979AF7B6F [2007/12/14 15:52:56.522993, 10, pid=6050] libsmb/credentials.c:creds_client_init(291) creds_client_init: server chal : AB682A95444C513A [2007/12/14 15:52:56.523202, 5, pid=6050] libsmb/credentials.c:creds_init_64(120) creds_init_64 [2007/12/14 15:52:56.523239, 5, pid=6050] libsmb/credentials.c:creds_init_64(121) clnt_chal_in: 375089C979AF7B6F [2007/12/14 15:52:56.523275, 5, pid=6050] libsmb/credentials.c:creds_init_64(122) srv_chal_in : AB682A95444C513A [2007/12/14 15:52:56.523310, 5, pid=6050] libsmb/credentials.c:creds_init_64(123) clnt+srv : E2B8B35EBDFBCCA9 [2007/12/14 15:52:56.523345, 5, pid=6050] libsmb/credentials.c:creds_init_64(124) sess_key_out : 01156ABC6EEC1BEA [2007/12/14 15:52:56.523670, 10, pid=6050] libsmb/credentials.c:creds_client_init(309) creds_client_init: clnt : 024C0A4733B61802 [2007/12/14 15:52:56.523713, 10, pid=6050] libsmb/credentials.c:creds_client_init(310) creds_client_init: server : F94BC5D49E3A14F2 [2007/12/14 15:52:56.523748, 10, pid=6050] libsmb/credentials.c:creds_client_init(311) creds_client_init: seed : 024C0A4733B61802 [2007/12/14 15:52:56.523784, 4, pid=6050] 
rpc_client/cli_netlogon.c:rpccli_net_auth2(169) cli_net_auth2: srv:\\WIN2008 acct:SARGE26$ sc:2 mc: SARGE26 neg: 701ff [2007/12/14 15:52:56.523825, 5, pid=6050] rpc_parse/parse_net.c:init_q_auth_2(883) init_q_auth_2: 883 [2007/12/14 15:52:56.523858, 5, pid=6050] rpc_parse/parse_misc.c:init_log_info(1383) make_log_info 1383 [2007/12/14 15:52:56.523898, 5, pid=6050] rpc_parse/parse_net.c:init_q_auth_2(889) init_q_auth_2: 889 [2007/12/14 15:52:56.523942, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 net_io_q_auth_2 [2007/12/14 15:52:56.523975, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_log_info [2007/12/14 15:52:56.524008, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 undoc_buffer: 00000001 [2007/12/14 15:52:56.524056, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_unistr2 unistr2 [2007/12/14 15:52:56.524653, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 uni_max_len: 0000000a [2007/12/14 15:52:56.524690, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0008 offset : 00000000 [2007/12/14 15:52:56.524722, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c uni_str_len: 0000000a [2007/12/14 15:52:56.524754, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0010 buffer : \.\.W.I.N.2.0.0.8... [2007/12/14 15:52:56.524839, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000024 smb_io_unistr2 unistr2 [2007/12/14 15:52:56.524873, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0024 uni_max_len: 00000009 [2007/12/14 15:52:56.524913, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0028 offset : 00000000 [2007/12/14 15:52:56.524946, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 002c uni_str_len: 00000009 [2007/12/14 15:52:56.524978, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0030 buffer : S.A.R.G.E.2.6.$... 
[2007/12/14 15:52:56.525040, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0042 sec_chan: 0002 [2007/12/14 15:52:56.525106, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000044 smb_io_unistr2 unistr2 [2007/12/14 15:52:56.525140, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0044 uni_max_len: 00000008 [2007/12/14 15:52:56.525172, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0048 offset : 00000000 [2007/12/14 15:52:56.525204, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 004c uni_str_len: 00000008 [2007/12/14 15:52:56.525236, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0050 buffer : S.A.R.G.E.2.6... [2007/12/14 15:52:56.525279, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000060 smb_io_chal [2007/12/14 15:52:56.525312, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0060 data: 02 4c 0a 47 33 b6 18 02 [2007/12/14 15:52:56.525361, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000068 net_io_neg_flags [2007/12/14 15:52:56.525394, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0068 neg_flags: 000701ff [2007/12/14 15:52:56.525476, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:52:56.525514, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.525577, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.525612, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:52:56.525644, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.525675, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.525707, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.525738, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.525770, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.525801, 5, pid=6050] 
rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0084 [2007/12/14 15:52:56.525833, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.525867, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000007 [2007/12/14 15:52:56.525906, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:52:56.525939, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 0000006c [2007/12/14 15:52:56.525972, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.526004, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 000f [2007/12/14 15:52:56.526078, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8005 [2007/12/14 15:52:56.526156, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.526182, 5, pid=6050] lib/util.c:show_msg(582) size=214 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=13 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 132 (0x84) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 132 (0x84) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32773 (0x8005) smb_bcc=147 [2007/12/14 15:52:56.526453, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 84 00 00 00 07 00 00 00 6C ........ .......l [020] 00 00 00 00 00 0F 00 01 00 00 00 0A 00 00 00 00 ........ ........ [030] 00 00 00 0A 00 00 00 5C 00 5C 00 57 00 49 00 4E .......\ .\.W.I.N [040] 00 32 00 30 00 30 00 38 00 00 00 09 00 00 00 00 .2.0.0.8 ........ 
[050] 00 00 00 09 00 00 00 53 00 41 00 52 00 47 00 45 .......S .A.R.G.E [060] 00 32 00 36 00 24 00 00 00 02 00 08 00 00 00 00 .2.6.$.. ........ [070] 00 00 00 08 00 00 00 53 00 41 00 52 00 47 00 45 .......S .A.R.G.E [080] 00 32 00 36 00 00 00 02 4C 0A 47 33 B6 18 02 FF .2.6.... L.G3¶..ÿ [090] 01 07 00 ... [2007/12/14 15:52:56.526814, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,218) [2007/12/14 15:52:56.527000, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,218) wrote 218 [2007/12/14 15:52:56.527139, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 96 [2007/12/14 15:52:56.527191, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.527216, 5, pid=6050] lib/util.c:show_msg(582) size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=13 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [2007/12/14 15:52:56.527403, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 07 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 FF 01 07 00 88 03 00 C0 .ÿ...... 
À [2007/12/14 15:52:56.527512, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.527535, 5, pid=6050] lib/util.c:show_msg(582) size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=13 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [2007/12/14 15:52:56.527814, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 07 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 FF 01 07 00 88 03 00 C0 .ÿ...... À [2007/12/14 15:52:56.528170, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:52:56.528208, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:52:56.528240, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:52:56.528272, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:52:56.528304, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:52:56.528337, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:52:56.528369, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:52:56.528401, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:52:56.528445, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:52:56.528478, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0028 [2007/12/14 15:52:56.528510, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:52:56.528542, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000007 [2007/12/14 15:52:56.528650, 5, pid=6050] 
rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:52:56.528685, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000010 [2007/12/14 15:52:56.528718, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:52:56.528750, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:52:56.528782, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:52:56.528814, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 40, data_len 16, ss_len 0 [2007/12/14 15:52:56.528849, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 40 at offset 0 [2007/12/14 15:52:56.528888, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8005 returned 32 bytes. [2007/12/14 15:52:56.528924, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 net_io_r_auth_2 [2007/12/14 15:52:56.528957, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_chal [2007/12/14 15:52:56.528989, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0000 data: 00 00 00 00 00 00 00 00 [2007/12/14 15:52:56.529073, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000008 net_io_neg_flags [2007/12/14 15:52:56.529114, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0008 neg_flags: 000701ff [2007/12/14 15:52:56.529146, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 000c status: NT_STATUS_DOWNGRADE_DETECTED [2007/12/14 15:52:56.529226, 3, pid=6050] libsmb/trusts_util.c:just_change_the_password(56) just_change_the_password: unable to setup creds (NT_STATUS_DOWNGRADE_DETECTED)! [2007/12/14 15:52:56.531128, 1, pid=6050] utils/net_rpc.c:run_rpc_command(176) rpc command function failed! 
(NT_STATUS_DOWNGRADE_DETECTED) [2007/12/14 15:52:56.531214, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,45) [2007/12/14 15:52:56.531302, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,45) wrote 45 [2007/12/14 15:52:56.532049, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 35 [2007/12/14 15:52:56.532117, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.532142, 5, pid=6050] lib/util.c:show_msg(582) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=14 smt_wct=0 smb_bcc=0 [2007/12/14 15:52:56.532312, 10, pid=6050] libsmb/clientgen.c:cli_rpc_pipe_close(553) cli_rpc_pipe_close: closed pipe \NETLOGON to machine WIN2008 [2007/12/14 15:52:56.532356, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,39) [2007/12/14 15:52:56.532656, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,39) wrote 39 [2007/12/14 15:52:56.532710, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 35 [2007/12/14 15:52:56.532789, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:52:56.532816, 5, pid=6050] lib/util.c:show_msg(582) size=35 smb_com=0x71 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=4096 smb_pid=6050 smb_uid=6144 smb_mid=15 smt_wct=0 smb_bcc=0 [2007/12/14 15:52:56.533041, 10, pid=6050] libsmb/namequery.c:internal_resolve_name(1443) internal_resolve_name: looking up MM#1b (sitename (null)) [2007/12/14 15:52:56.533121, 10, pid=6050] lib/gencache.c:gencache_get(219) Returning valid cache entry: key = NBT/MM#1B, value = 10.0.27.1:0, timeout = Fri Dec 14 16:01:05 2007 [2007/12/14 15:52:56.533178, 5, pid=6050] libsmb/namecache.c:namecache_fetch(233) name MM#1B found. 
[2007/12/14 15:52:56.533454, 10, pid=6050] libsmb/namequery.c:name_status_find(319) name_status_find: looking up MM#1b at 10.0.27.1 [2007/12/14 15:52:56.533508, 10, pid=6050] lib/gencache.c:gencache_get(219) Returning valid cache entry: key = NBT/MM#1B.20.10.0.27.1, value = WIN2008, timeout = Fri Dec 14 16:01:05 2007 [2007/12/14 15:52:56.533561, 5, pid=6050] libsmb/namecache.c:namecache_status_fetch(387) namecache_status_fetch: key NBT/MM#1B.20.10.0.27.1 -> WIN2008 [2007/12/14 15:53:05.450306, 3, pid=6050] libsmb/cliconnect.c:cli_start_connection(1560) Connecting to host=WIN2008 [2007/12/14 15:53:05.450421, 3, pid=6050] lib/util_sock.c:open_socket_out(1457) Connecting to 10.0.27.1 at port 445 [2007/12/14 15:53:05.462809, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_KEEPALIVE = 0 [2007/12/14 15:53:05.462876, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_REUSEADDR = 0 [2007/12/14 15:53:05.462911, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_BROADCAST = 0 [2007/12/14 15:53:05.462945, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option TCP_NODELAY = 1 [2007/12/14 15:53:05.462979, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option TCP_KEEPCNT = 9 [2007/12/14 15:53:05.463012, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option TCP_KEEPIDLE = 7200 [2007/12/14 15:53:05.463046, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option TCP_KEEPINTVL = 75 [2007/12/14 15:53:05.463081, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option IPTOS_LOWDELAY = 0 [2007/12/14 15:53:05.463115, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option IPTOS_THROUGHPUT = 0 [2007/12/14 15:53:05.463178, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_SNDBUF = 16384 [2007/12/14 15:53:05.463213, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_RCVBUF = 87380 [2007/12/14 
15:53:05.463247, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_SNDLOWAT = 1 [2007/12/14 15:53:05.463280, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_RCVLOWAT = 1 [2007/12/14 15:53:05.463314, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_SNDTIMEO = 0 [2007/12/14 15:53:05.463346, 5, pid=6050] lib/util_sock.c:print_socket_options(776) socket option SO_RCVTIMEO = 0 [2007/12/14 15:53:05.463403, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,194) [2007/12/14 15:53:05.463497, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,194) wrote 194 [2007/12/14 15:53:05.463834, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 193 [2007/12/14 15:53:05.463906, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.463932, 5, pid=6050] lib/util.c:show_msg(582) size=193 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=6050 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=57472 (0xE080) smb_vwv[12]= 7030 (0x1B76) smb_vwv[13]=24828 (0x60FC) smb_vwv[14]=51262 (0xC83E) smb_vwv[15]=50177 (0xC401) smb_vwv[16]= 255 (0xFF) smb_bcc=124 [2007/12/14 15:53:05.464199, 10, pid=6050] lib/util.c:dump_data(2192) [000] 9C 85 79 AD 09 86 14 47 93 C3 B9 DD FE A9 CB EE ..y­...G .ùÝþ©Ëî [010] 60 6A 06 06 2B 06 01 05 05 02 A0 60 30 5E A0 30 `j..+... .. `0^ 0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. ÷......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H.÷.... ..*.H.÷. [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 2A 30 28 A0 26 1B 24 6E 6F 74 5F 64 65 66 69 £*0( &.$ not_defi [060] 6E 65 64 5F 69 6E 5F 52 46 43 34 31 37 38 40 70 ned_in_R FC4178@p [070] 6C 65 61 73 65 5F 69 67 6E 6F 72 65 lease_ig nore [2007/12/14 15:53:05.464680, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.464708, 5, pid=6050] lib/util.c:show_msg(582) size=193 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=6050 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=57472 (0xE080) smb_vwv[12]= 7030 (0x1B76) smb_vwv[13]=24828 (0x60FC) smb_vwv[14]=51262 (0xC83E) smb_vwv[15]=50177 (0xC401) smb_vwv[16]= 255 (0xFF) smb_bcc=124 [2007/12/14 15:53:05.464986, 10, pid=6050] lib/util.c:dump_data(2192) [000] 9C 85 79 AD 09 86 14 47 93 C3 B9 DD FE A9 CB EE ..y­...G .ùÝþ©Ëî [010] 60 6A 06 06 2B 06 01 05 05 02 A0 60 30 5E A0 30 `j..+... .. `0^ 0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. ÷......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H.÷.... ..*.H.÷. [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 2A 30 28 A0 26 1B 24 6E 6F 74 5F 64 65 66 69 £*0( &.$ not_defi [060] 6E 65 64 5F 69 6E 5F 52 46 43 34 31 37 38 40 70 ned_in_R FC4178@p [070] 6C 65 61 73 65 5F 69 67 6E 6F 72 65 lease_ig nore [2007/12/14 15:53:05.465368, 3, pid=6050] libsmb/cliconnect.c:cli_session_setup_spnego(790) Doing spnego session setup (blob length=124) [2007/12/14 15:53:05.465480, 3, pid=6050] libsmb/cliconnect.c:cli_session_setup_spnego(815) got OID=1 2 840 48018 1 2 2 [2007/12/14 15:53:05.465514, 3, pid=6050] libsmb/cliconnect.c:cli_session_setup_spnego(815) got OID=1 2 840 113554 1 2 2 [2007/12/14 15:53:05.465545, 3, pid=6050] libsmb/cliconnect.c:cli_session_setup_spnego(815) got OID=1 2 840 113554 1 2 2 3 [2007/12/14 15:53:05.465576, 3, pid=6050] libsmb/cliconnect.c:cli_session_setup_spnego(815) got OID=1 3 6 1 4 1 311 2 2 10 [2007/12/14 15:53:05.465607, 3, pid=6050] libsmb/cliconnect.c:cli_session_setup_spnego(823) got principal=not_defined_in_RFC4178@please_ignore [2007/12/14 15:53:05.465811, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,160) [2007/12/14 15:53:05.465900, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,160) wrote 160 [2007/12/14 15:53:05.466787, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 458 [2007/12/14 15:53:05.466852, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.466878, 5, pid=6050] lib/util.c:show_msg(582) size=458 smb_com=0x73 smb_rcls=22 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=6050 smb_uid=6144 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 458 (0x1CA) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 221 (0xDD) smb_bcc=415 [2007/12/14 15:53:05.467017, 10, pid=6050] lib/util.c:dump_data(2192) [000] A1 81 DA 30 81 D7 A0 03 0A 01 01 A1 0C 06 0A 2B ¡.Ú0.× . ...¡...+ [010] 06 01 04 01 82 37 02 02 0A A2 81 C1 04 81 BE 4E .....7.. .¢.Á..¾N [020] 54 4C 4D 53 53 50 00 02 00 00 00 04 00 04 00 38 TLMSSP.. 
.......8 [030] 00 00 00 15 82 89 62 D4 90 68 8A B4 D7 A3 83 00 ......bÔ .h.´×£.. [040] 00 00 00 00 00 00 00 82 00 82 00 3C 00 00 00 06 ........ ...<.... [050] 00 71 17 00 00 00 0F 4D 00 4D 00 02 00 04 00 4D .q.....M .M.....M [060] 00 4D 00 01 00 0E 00 57 00 49 00 4E 00 32 00 30 .M.....W .I.N.2.0 [070] 00 30 00 38 00 04 00 14 00 6D 00 6D 00 2E 00 70 .0.8.... .m.m...p [080] 00 72 00 69 00 76 00 61 00 74 00 65 00 03 00 24 .r.i.v.a .t.e...$ [090] 00 77 00 69 00 6E 00 32 00 30 00 30 00 38 00 2E .w.i.n.2 .0.0.8.. [0A0] 00 6D 00 6D 00 2E 00 70 00 72 00 69 00 76 00 61 .m.m...p .r.i.v.a [0B0] 00 74 00 65 00 05 00 14 00 6D 00 6D 00 2E 00 70 .t.e.... .m.m...p [0C0] 00 72 00 69 00 76 00 61 00 74 00 65 00 07 00 08 .r.i.v.a .t.e.... [0D0] 00 E0 76 1B FC 60 3E C8 01 00 00 00 00 57 00 69 .àv.ü`>È .....W.i [0E0] 00 6E 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 .n.d.o.w .s. .S.e [0F0] 00 72 00 76 00 65 00 72 00 20 00 28 00 52 00 29 .r.v.e.r . .(.R.) [100] 00 20 00 32 00 30 00 30 00 38 00 20 00 53 00 74 . .2.0.0 .8. .S.t [110] 00 61 00 6E 00 64 00 61 00 72 00 64 00 20 00 36 .a.n.d.a .r.d. .6 [120] 00 30 00 30 00 31 00 20 00 53 00 65 00 72 00 76 .0.0.1. .S.e.r.v [130] 00 69 00 63 00 65 00 20 00 50 00 61 00 63 00 6B .i.c.e. .P.a.c.k [140] 00 20 00 31 00 2C 00 20 00 76 00 2E 00 36 00 36 . .1.,. .v...6.6 [150] 00 37 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 .7...W.i .n.d.o.w [160] 00 73 00 20 00 53 00 65 00 72 00 76 00 65 00 72 .s. .S.e .r.v.e.r [170] 00 20 00 28 00 52 00 29 00 20 00 32 00 30 00 30 . .(.R.) . .2.0.0 [180] 00 38 00 20 00 53 00 74 00 61 00 6E 00 64 00 61 .8. .S.t .a.n.d.a [190] 00 72 00 64 00 20 00 36 00 2E 00 30 00 00 00 .r.d. .6 ...0... 
[2007/12/14 15:53:05.467706, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.467759, 5, pid=6050] lib/util.c:show_msg(582) size=458 smb_com=0x73 smb_rcls=22 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=6050 smb_uid=6144 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 458 (0x1CA) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 221 (0xDD) smb_bcc=415 [2007/12/14 15:53:05.467930, 10, pid=6050] lib/util.c:dump_data(2192) [000] A1 81 DA 30 81 D7 A0 03 0A 01 01 A1 0C 06 0A 2B ¡.Ú0.× . ...¡...+ [010] 06 01 04 01 82 37 02 02 0A A2 81 C1 04 81 BE 4E .....7.. .¢.Á..¾N [020] 54 4C 4D 53 53 50 00 02 00 00 00 04 00 04 00 38 TLMSSP.. .......8 [030] 00 00 00 15 82 89 62 D4 90 68 8A B4 D7 A3 83 00 ......bÔ .h.´×£.. [040] 00 00 00 00 00 00 00 82 00 82 00 3C 00 00 00 06 ........ ...<.... [050] 00 71 17 00 00 00 0F 4D 00 4D 00 02 00 04 00 4D .q.....M .M.....M [060] 00 4D 00 01 00 0E 00 57 00 49 00 4E 00 32 00 30 .M.....W .I.N.2.0 [070] 00 30 00 38 00 04 00 14 00 6D 00 6D 00 2E 00 70 .0.8.... .m.m...p [080] 00 72 00 69 00 76 00 61 00 74 00 65 00 03 00 24 .r.i.v.a .t.e...$ [090] 00 77 00 69 00 6E 00 32 00 30 00 30 00 38 00 2E .w.i.n.2 .0.0.8.. [0A0] 00 6D 00 6D 00 2E 00 70 00 72 00 69 00 76 00 61 .m.m...p .r.i.v.a [0B0] 00 74 00 65 00 05 00 14 00 6D 00 6D 00 2E 00 70 .t.e.... .m.m...p [0C0] 00 72 00 69 00 76 00 61 00 74 00 65 00 07 00 08 .r.i.v.a .t.e.... [0D0] 00 E0 76 1B FC 60 3E C8 01 00 00 00 00 57 00 69 .àv.ü`>È .....W.i [0E0] 00 6E 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 .n.d.o.w .s. .S.e [0F0] 00 72 00 76 00 65 00 72 00 20 00 28 00 52 00 29 .r.v.e.r . .(.R.) [100] 00 20 00 32 00 30 00 30 00 38 00 20 00 53 00 74 . .2.0.0 .8. .S.t [110] 00 61 00 6E 00 64 00 61 00 72 00 64 00 20 00 36 .a.n.d.a .r.d. .6 [120] 00 30 00 30 00 31 00 20 00 53 00 65 00 72 00 76 .0.0.1. .S.e.r.v [130] 00 69 00 63 00 65 00 20 00 50 00 61 00 63 00 6B .i.c.e. .P.a.c.k [140] 00 20 00 31 00 2C 00 20 00 76 00 2E 00 36 00 36 . .1.,. 
.v...6.6 [150] 00 37 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 .7...W.i .n.d.o.w [160] 00 73 00 20 00 53 00 65 00 72 00 76 00 65 00 72 .s. .S.e .r.v.e.r [170] 00 20 00 28 00 52 00 29 00 20 00 32 00 30 00 30 . .(.R.) . .2.0.0 [180] 00 38 00 20 00 53 00 74 00 61 00 6E 00 64 00 61 .8. .S.t .a.n.d.a [190] 00 72 00 64 00 20 00 36 00 2E 00 30 00 00 00 .r.d. .6 ...0... [2007/12/14 15:53:05.468929, 3, pid=6050] libsmb/ntlmssp.c:ntlmssp_client_challenge(1021) Got challenge flags: [2007/12/14 15:53:05.468966, 3, pid=6050] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x62898215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_CHAL_TARGET_INFO NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2007/12/14 15:53:05.469105, 3, pid=6050] libsmb/ntlmssp.c:ntlmssp_client_challenge(1043) NTLMSSP: Set final flags: [2007/12/14 15:53:05.469138, 3, pid=6050] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2007/12/14 15:53:05.469313, 5, pid=6050] libsmb/ntlmssp.c:ntlmssp_client_challenge(1115) NTLMSSP challenge set by NTLM2 [2007/12/14 15:53:05.469348, 5, pid=6050] libsmb/ntlmssp.c:ntlmssp_client_challenge(1116) challenge is: [2007/12/14 15:53:05.469380, 5, pid=6050] lib/util.c:dump_data(2192) [000] 32 AA 49 57 10 3A 32 14 2ªIW.:2. 
[2007/12/14 15:53:05.469720, 3, pid=6050] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337) NTLMSSP Sign/Seal - Initialising with flags: [2007/12/14 15:53:05.469760, 3, pid=6050] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2007/12/14 15:53:05.469888, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,270) [2007/12/14 15:53:05.469975, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,270) wrote 270 [2007/12/14 15:53:05.471850, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 246 [2007/12/14 15:53:05.471967, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.472030, 5, pid=6050] lib/util.c:show_msg(582) size=246 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=6050 smb_uid=6144 smb_mid=3 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 246 (0xF6) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 9 (0x9) smb_bcc=203 [2007/12/14 15:53:05.472173, 10, pid=6050] lib/util.c:dump_data(2192) [000] A1 07 30 05 A0 03 0A 01 00 57 00 69 00 6E 00 64 ¡.0. ... .W.i.n.d [010] 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 00 76 .o.w.s. .S.e.r.v [020] 00 65 00 72 00 20 00 28 00 52 00 29 00 20 00 32 .e.r. .( .R.). .2 [030] 00 30 00 30 00 38 00 20 00 53 00 74 00 61 00 6E .0.0.8. .S.t.a.n [040] 00 64 00 61 00 72 00 64 00 20 00 36 00 30 00 30 .d.a.r.d . .6.0.0 [050] 00 31 00 20 00 53 00 65 00 72 00 76 00 69 00 63 .1. .S.e .r.v.i.c [060] 00 65 00 20 00 50 00 61 00 63 00 6B 00 20 00 31 .e. .P.a .c.k. .1 [070] 00 2C 00 20 00 76 00 2E 00 36 00 36 00 37 00 00 .,. .v.. .6.6.7.. [080] 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 .W.i.n.d .o.w.s. [090] 00 53 00 65 00 72 00 76 00 65 00 72 00 20 00 28 .S.e.r.v .e.r. .( [0A0] 00 52 00 29 00 20 00 32 00 30 00 30 00 38 00 20 .R.). 
.2 .0.0.8. [0B0] 00 53 00 74 00 61 00 6E 00 64 00 61 00 72 00 64 .S.t.a.n .d.a.r.d [0C0] 00 20 00 36 00 2E 00 30 00 00 00 . .6...0 ... [2007/12/14 15:53:05.472641, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.472685, 5, pid=6050] lib/util.c:show_msg(582) size=246 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=6050 smb_uid=6144 smb_mid=3 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 246 (0xF6) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 9 (0x9) smb_bcc=203 [2007/12/14 15:53:05.472836, 10, pid=6050] lib/util.c:dump_data(2192) [000] A1 07 30 05 A0 03 0A 01 00 57 00 69 00 6E 00 64 ¡.0. ... .W.i.n.d [010] 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 00 76 .o.w.s. .S.e.r.v [020] 00 65 00 72 00 20 00 28 00 52 00 29 00 20 00 32 .e.r. .( .R.). .2 [030] 00 30 00 30 00 38 00 20 00 53 00 74 00 61 00 6E .0.0.8. .S.t.a.n [040] 00 64 00 61 00 72 00 64 00 20 00 36 00 30 00 30 .d.a.r.d . .6.0.0 [050] 00 31 00 20 00 53 00 65 00 72 00 76 00 69 00 63 .1. .S.e .r.v.i.c [060] 00 65 00 20 00 50 00 61 00 63 00 6B 00 20 00 31 .e. .P.a .c.k. .1 [070] 00 2C 00 20 00 76 00 2E 00 36 00 36 00 37 00 00 .,. .v.. .6.6.7.. [080] 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 .W.i.n.d .o.w.s. [090] 00 53 00 65 00 72 00 76 00 65 00 72 00 20 00 28 .S.e.r.v .e.r. .( [0A0] 00 52 00 29 00 20 00 32 00 30 00 30 00 38 00 20 .R.). .2 .0.0.8. [0B0] 00 53 00 74 00 61 00 6E 00 64 00 61 00 72 00 64 .S.t.a.n .d.a.r.d [0C0] 00 20 00 36 00 2E 00 30 00 00 00 . .6...0 ... [2007/12/14 15:53:05.473380, 5, pid=6050] libsmb/smb_signing.c:set_smb_signing_real_common(125) Mandatory SMB signing enabled! [2007/12/14 15:53:05.473418, 5, pid=6050] libsmb/smb_signing.c:set_smb_signing_real_common(129) SMB signing enabled! 
[2007/12/14 15:53:05.473481, 10, pid=6050] libsmb/smb_signing.c:cli_simple_set_signing(479) cli_simple_set_signing: user_session_key [2007/12/14 15:53:05.473515, 10, pid=6050] lib/util.c:dump_data(2192) [000] F7 75 29 F2 F1 09 A4 E3 FF 7A 49 85 DC 90 F3 39 ÷u)òñ.¤ã ÿzI.Ü.ó9 [2007/12/14 15:53:05.473570, 10, pid=6050] libsmb/smb_signing.c:cli_simple_set_signing(487) cli_simple_set_signing: NULL response_data [2007/12/14 15:53:05.473602, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 0 [2007/12/14 15:53:05.473641, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.473692, 10, pid=6050] lib/util.c:dump_data(2192) [000] 42 39 F0 E9 14 ED 04 EC B9ðé.í.ì [2007/12/14 15:53:05.473751, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 1 mid = 3 [2007/12/14 15:53:05.473785, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 1 mid = 3 [2007/12/14 15:53:05.473817, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 1 [2007/12/14 15:53:05.473852, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 1: got good SMB signature of [2007/12/14 15:53:05.473883, 10, pid=6050] lib/util.c:dump_data(2192) [000] B8 30 DF 78 8D 58 5D C4 ¸0ßx.X]Ä [2007/12/14 15:53:05.473979, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 2 [2007/12/14 15:53:05.474017, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.474048, 10, pid=6050] lib/util.c:dump_data(2192) [000] 86 15 81 66 1B F6 E2 47 ...f.öâG [2007/12/14 15:53:05.474098, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) 
store_sequence_for_reply: stored seq = 3 mid = 4 [2007/12/14 15:53:05.474129, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,82) [2007/12/14 15:53:05.474227, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,82) wrote 82 [2007/12/14 15:53:05.474961, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 56 [2007/12/14 15:53:05.475056, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.475083, 5, pid=6050] lib/util.c:show_msg(582) size=56 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=4 smt_wct=7 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 1 (0x1) smb_vwv[ 3]=65535 (0xFFFF) smb_vwv[ 4]= 31 (0x1F) smb_vwv[ 5]=65535 (0xFFFF) smb_vwv[ 6]= 31 (0x1F) smb_bcc=7 [2007/12/14 15:53:05.475245, 10, pid=6050] lib/util.c:dump_data(2192) [000] 49 50 43 00 00 00 00 IPC.... [2007/12/14 15:53:05.475309, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 3 mid = 4 [2007/12/14 15:53:05.475342, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 3 [2007/12/14 15:53:05.475376, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 3: got good SMB signature of [2007/12/14 15:53:05.475408, 10, pid=6050] lib/util.c:dump_data(2192) [000] 69 65 34 36 B6 E5 D9 3C ie46¶åÙ< [2007/12/14 15:53:05.475460, 10, pid=6050] libsmb/clientgen.c:cli_init_creds(415) cli_init_creds: user Administrator domain MM [2007/12/14 15:53:05.475531, 10, pid=6050] libsmb/namequery.c:saf_store(75) saf_store: domain = [MM], server = [WIN2008], expire = [1197644885] [2007/12/14 15:53:05.475577, 10, pid=6050] lib/gencache.c:gencache_set(138) Adding cache entry with key = SAF/DOMAIN/MM; value = WIN2008 and timeout = Fri Dec 14 16:08:05 2007 (900 seconds ahead) [2007/12/14 15:53:05.475693, 10, pid=6050] 
libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 4 [2007/12/14 15:53:05.475736, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.475769, 10, pid=6050] lib/util.c:dump_data(2192) [000] 3E 30 17 75 91 E8 34 6A >0.u.è4j [2007/12/14 15:53:05.475819, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 5 mid = 5 [2007/12/14 15:53:05.475851, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,104) [2007/12/14 15:53:05.475935, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,104) wrote 104 [2007/12/14 15:53:05.476773, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 103 [2007/12/14 15:53:05.476842, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.476867, 5, pid=6050] lib/util.c:show_msg(582) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=5 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2007/12/14 15:53:05.477279, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 5 mid = 5 [2007/12/14 
15:53:05.477314, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 5 [2007/12/14 15:53:05.477350, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 5: got good SMB signature of [2007/12/14 15:53:05.477409, 10, pid=6050] lib/util.c:dump_data(2192) [000] 6D 3D C8 4E 49 B3 E7 31 m=ÈNI³ç1 [2007/12/14 15:53:05.477462, 5, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2045) Bind RPC Pipe[8000]: \lsarpc auth_type 0, auth_level 0 [2007/12/14 15:53:05.477495, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1648) Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4.Í« ï..#Eg.« [010] 00 00 00 00 .... [2007/12/14 15:53:05.477622, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1651) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... [2007/12/14 15:53:05.477765, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.477840, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.477879, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.477911, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0b [2007/12/14 15:53:05.477965, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.477999, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.478031, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.478063, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.478096, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.478159, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0048 [2007/12/14 15:53:05.478195, 5, pid=6050] 
rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.478227, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000008 [2007/12/14 15:53:05.478289, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_rb [2007/12/14 15:53:05.478324, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:53:05.478357, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:53:05.478389, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:53:05.478421, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 00000000 [2007/12/14 15:53:05.478454, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0018 num_contexts: 01 [2007/12/14 15:53:05.478487, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 001c context_id : 0000 [2007/12/14 15:53:05.478519, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 001e num_transfer_syntaxes: 01 [2007/12/14 15:53:05.478551, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 00001f smb_io_rpc_iface [2007/12/14 15:53:05.478584, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000020 smb_io_uuid uuid [2007/12/14 15:53:05.478644, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 data : 12345778 [2007/12/14 15:53:05.478697, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0024 data : 1234 [2007/12/14 15:53:05.478736, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0026 data : abcd [2007/12/14 15:53:05.478770, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0028 data : ef 00 [2007/12/14 15:53:05.478806, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 002a data : 01 23 45 67 89 ab [2007/12/14 15:53:05.478844, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 version: 00000000 [2007/12/14 15:53:05.478877, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_rpc_iface [2007/12/14 15:53:05.478909, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_uuid 
uuid [2007/12/14 15:53:05.478941, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0034 data : 8a885d04 [2007/12/14 15:53:05.478973, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0038 data : 1ceb [2007/12/14 15:53:05.479005, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 003a data : 11c9 [2007/12/14 15:53:05.479037, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003c data : 9f e8 [2007/12/14 15:53:05.479139, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003e data : 08 00 2b 10 48 60 [2007/12/14 15:53:05.479181, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0044 version: 00000002 [2007/12/14 15:53:05.479214, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8000 [2007/12/14 15:53:05.479251, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.479274, 5, pid=6050] lib/util.c:show_msg(582) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32768 (0x8000) smb_bcc=87 [2007/12/14 15:53:05.479546, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 08 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 .¸...... .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.Í«ï ..#Eg.«. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... 
[2007/12/14 15:53:05.479700, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 6 [2007/12/14 15:53:05.479743, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.479775, 10, pid=6050] lib/util.c:dump_data(2192) [000] C7 29 2D 3A 28 7C 5B 89 Ç)-:(|[. [2007/12/14 15:53:05.479824, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 7 mid = 6 [2007/12/14 15:53:05.479855, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,158) [2007/12/14 15:53:05.479941, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,158) wrote 158 [2007/12/14 15:53:05.480767, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 124 [2007/12/14 15:53:05.480857, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.480885, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:53:05.481071, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 08 00 00 ........ .D...... [010] 00 B8 10 B8 10 5F 98 00 00 0C 00 5C 70 69 70 65 .¸.¸._.. ...\pipe [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2007/12/14 15:53:05.481236, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 7 mid = 6 [2007/12/14 15:53:05.481269, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 7 [2007/12/14 15:53:05.481332, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 7: got good SMB signature of [2007/12/14 15:53:05.481371, 10, pid=6050] lib/util.c:dump_data(2192) [000] FC 4F 69 7C 04 C5 26 35 üOi|.Å&5 [2007/12/14 15:53:05.481433, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.481456, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:53:05.481647, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 08 00 00 ........ .D...... [010] 00 B8 10 B8 10 5F 98 00 00 0C 00 5C 70 69 70 65 .¸.¸._.. ...\pipe [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2007/12/14 15:53:05.481871, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.481907, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.481939, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.481971, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:53:05.482139, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.482170, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.482202, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.482233, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.482298, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.482330, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:53:05.482362, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.482394, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000008 [2007/12/14 15:53:05.482427, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 68 at offset 0 [2007/12/14 15:53:05.482461, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8000 returned 68 bytes. [2007/12/14 15:53:05.482494, 3, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2082) rpc_pipe_bind: Remote machine WIN2008 pipe \lsarpc fnum 0x8000 bind request returned ok. 
[2007/12/14 15:53:05.482527, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.482558, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.482590, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.482621, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:53:05.482678, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.482712, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.482787, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.482823, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.482854, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.482886, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:53:05.482917, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.482949, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000008 [2007/12/14 15:53:05.483025, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_ba [2007/12/14 15:53:05.483059, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:53:05.483090, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:53:05.483122, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:53:05.483154, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 0000985f [2007/12/14 15:53:05.483185, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000018 smb_io_rpc_addr_str [2007/12/14 15:53:05.483217, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0018 len: 000c [2007/12/14 15:53:05.483282, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 001a str: 
\pipe\lsass. [2007/12/14 15:53:05.483324, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000026 smb_io_rpc_results [2007/12/14 15:53:05.483356, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0028 num_results: 01 [2007/12/14 15:53:05.483388, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002c result : 0000 [2007/12/14 15:53:05.483420, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002e reason : 0000 [2007/12/14 15:53:05.483452, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_rpc_iface [2007/12/14 15:53:05.483484, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_uuid uuid [2007/12/14 15:53:05.483516, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 data : 8a885d04 [2007/12/14 15:53:05.483547, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0034 data : 1ceb [2007/12/14 15:53:05.483579, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0036 data : 11c9 [2007/12/14 15:53:05.483611, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0038 data : 9f e8 [2007/12/14 15:53:05.483644, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003a data : 08 00 2b 10 48 60 [2007/12/14 15:53:05.483699, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0040 version: 00000002 [2007/12/14 15:53:05.483767, 5, pid=6050] rpc_client/cli_pipe.c:check_bind_response(1702) check_bind_response: accepted! [2007/12/14 15:53:05.483801, 10, pid=6050] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2278) cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine WIN2008 and bound anonymously. 
[2007/12/14 15:53:05.483835, 5, pid=6050] rpc_parse/parse_lsa.c:init_lsa_sec_qos(184) init_lsa_sec_qos [2007/12/14 15:53:05.483866, 5, pid=6050] rpc_parse/parse_lsa.c:init_q_open_pol(303) init_open_pol: attr:0 da:33554432 [2007/12/14 15:53:05.483898, 5, pid=6050] rpc_parse/parse_lsa.c:init_lsa_obj_attr(235) init_lsa_obj_attr [2007/12/14 15:53:05.483978, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 lsa_io_q_open_pol [2007/12/14 15:53:05.484016, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 ptr : 00000001 [2007/12/14 15:53:05.484049, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0004 system_name: 005c [2007/12/14 15:53:05.484081, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000008 lsa_io_obj_attr [2007/12/14 15:53:05.484114, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0008 len : 00000018 [2007/12/14 15:53:05.484145, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c ptr_root_dir: 00000000 [2007/12/14 15:53:05.484180, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 ptr_obj_name: 00000000 [2007/12/14 15:53:05.484244, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 attributes : 00000000 [2007/12/14 15:53:05.484279, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0018 ptr_sec_desc: 00000000 [2007/12/14 15:53:05.484312, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 001c ptr_sec_qos : 00000001 [2007/12/14 15:53:05.484380, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000020 lsa_io_obj_qos sec_qos [2007/12/14 15:53:05.484414, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 len : 0000000c [2007/12/14 15:53:05.484447, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0024 sec_imp_level : 0002 [2007/12/14 15:53:05.484479, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0026 sec_ctxt_mode : 01 [2007/12/14 15:53:05.484512, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0027 effective_only: 00 [2007/12/14 15:53:05.484544, 3, pid=6050] rpc_parse/parse_lsa.c:lsa_io_sec_qos(223) lsa_io_sec_qos: length 
c does not match size 8 [2007/12/14 15:53:05.484576, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0028 des_access: 02000000 [2007/12/14 15:53:05.484722, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.484764, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.484836, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.484871, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.484903, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.484935, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.484967, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.484999, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.485031, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.485063, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:53:05.485095, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.485127, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000009 [2007/12/14 15:53:05.485160, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.485225, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 0000002c [2007/12/14 15:53:05.485260, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.485292, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0006 [2007/12/14 15:53:05.485325, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8000 [2007/12/14 15:53:05.485361, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.485384, 5, pid=6050] 
lib/util.c:show_msg(582) size=150 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=7 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 68 (0x44) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32768 (0x8000) smb_bcc=83 [2007/12/14 15:53:05.485614, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 44 00 00 00 09 00 00 00 2C .......D ......., [020] 00 00 00 00 00 06 00 01 00 00 00 5C 00 00 00 18 ........ ...\.... [030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [040] 00 00 00 01 00 00 00 0C 00 00 00 02 00 01 00 00 ........ ........ [050] 00 00 02 ... [2007/12/14 15:53:05.485874, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 8 [2007/12/14 15:53:05.485950, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.486070, 10, pid=6050] lib/util.c:dump_data(2192) [000] F1 DB DE 65 18 50 1A 49 ñÛÞe.P.I [2007/12/14 15:53:05.486126, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 9 mid = 7 [2007/12/14 15:53:05.486185, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,154) [2007/12/14 15:53:05.486277, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,154) wrote 154 [2007/12/14 15:53:05.486791, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 104 [2007/12/14 15:53:05.486894, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.486923, 5, pid=6050] lib/util.c:show_msg(582) size=104 
smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.487108, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 09 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 D0 7F 9B ........ .....Ð.. [020] C8 CF 7F EF 4D B5 E4 55 61 F0 91 F0 68 00 00 00 ÈÏ.ïMµäU að.ðh... [030] 00 . [2007/12/14 15:53:05.487241, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 9 mid = 7 [2007/12/14 15:53:05.487273, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 9 [2007/12/14 15:53:05.487309, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 9: got good SMB signature of [2007/12/14 15:53:05.487371, 10, pid=6050] lib/util.c:dump_data(2192) [000] D7 CE 26 B0 DB 47 04 46 ×Î&°ÛG.F [2007/12/14 15:53:05.487426, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.487449, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.487638, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 09 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 D0 7F 9B ........ .....Ð.. [020] C8 CF 7F EF 4D B5 E4 55 61 F0 91 F0 68 00 00 00 ÈÏ.ïMµäU að.ðh... 
[030] 00 . [2007/12/14 15:53:05.487702, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.487833, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.487868, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.487900, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.487932, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.487963, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.487995, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.488027, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.488073, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.488105, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0030 [2007/12/14 15:53:05.488137, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.488169, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000009 [2007/12/14 15:53:05.488264, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.488299, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000018 [2007/12/14 15:53:05.488331, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.488363, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.488394, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.488427, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 [2007/12/14 15:53:05.488461, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got 
PDU len of 48 at offset 0 [2007/12/14 15:53:05.488495, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8000 returned 48 bytes. [2007/12/14 15:53:05.488529, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 lsa_io_r_open_pol [2007/12/14 15:53:05.488562, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd [2007/12/14 15:53:05.488594, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.488626, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.488680, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : c89b7fd0 [2007/12/14 15:53:05.488755, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 7fcf [2007/12/14 15:53:05.488790, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 4def [2007/12/14 15:53:05.488845, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : b5 e4 [2007/12/14 15:53:05.488881, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 55 61 f0 91 f0 68 [2007/12/14 15:53:05.488919, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0014 status: NT_STATUS_OK [2007/12/14 15:53:05.488953, 5, pid=6050] rpc_parse/parse_lsa.c:init_q_query(487) init_q_query [2007/12/14 15:53:05.488990, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 lsa_io_q_query [2007/12/14 15:53:05.489022, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd [2007/12/14 15:53:05.489055, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.489087, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.489723, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : c89b7fd0 [2007/12/14 15:53:05.489763, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 7fcf [2007/12/14 15:53:05.489795, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a 
data : 4def [2007/12/14 15:53:05.489827, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : b5 e4 [2007/12/14 15:53:05.489861, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 55 61 f0 91 f0 68 [2007/12/14 15:53:05.489898, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 info_class: 0005 [2007/12/14 15:53:05.490006, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.490045, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.490115, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.490149, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.490181, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.490212, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.490244, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.490276, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.490307, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.490339, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 002e [2007/12/14 15:53:05.490371, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.490435, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000a [2007/12/14 15:53:05.490469, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.490501, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000016 [2007/12/14 15:53:05.490533, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.490565, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0007 [2007/12/14 15:53:05.490597, 5, pid=6050] 
rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8000 [2007/12/14 15:53:05.490634, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.490677, 5, pid=6050] lib/util.c:show_msg(582) size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=8 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32768 (0x8000) smb_bcc=61 [2007/12/14 15:53:05.490946, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 0A 00 00 00 16 ........ ........ [020] 00 00 00 00 00 07 00 00 00 00 00 D0 7F 9B C8 CF ........ ...Ð..ÈÏ [030] 7F EF 4D B5 E4 55 61 F0 91 F0 68 05 00 .ïMµäUað .ðh.. 
[2007/12/14 15:53:05.491096, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 10 [2007/12/14 15:53:05.491131, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.491162, 10, pid=6050] lib/util.c:dump_data(2192) [000] DA 88 14 57 EE B1 39 BF Ú..Wî±9¿ [2007/12/14 15:53:05.491213, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 11 mid = 8 [2007/12/14 15:53:05.491245, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,132) [2007/12/14 15:53:05.491344, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,132) wrote 132 [2007/12/14 15:53:05.491817, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 148 [2007/12/14 15:53:05.491898, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.491924, 5, pid=6050] lib/util.c:show_msg(582) size=148 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=8 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 92 (0x5C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 92 (0x5C) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=93 [2007/12/14 15:53:05.492253, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 5C 00 00 00 0A 00 00 ........ .\...... [010] 00 44 00 00 00 00 00 00 00 00 00 02 00 05 00 00 .D...... ........ [020] 00 04 00 06 00 04 00 02 00 08 00 02 00 03 00 00 ........ ........ [030] 00 00 00 00 00 02 00 00 00 4D 00 4D 00 04 00 00 ........ .M.M.... [040] 00 01 04 00 00 00 00 00 05 15 00 00 00 D0 C2 54 ........ .....ÐÂT [050] 8B 0C F8 91 62 2F 75 AA ED 00 00 00 00 ..ø.b/uª í.... 
[2007/12/14 15:53:05.492459, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 11 mid = 8 [2007/12/14 15:53:05.492492, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 11 [2007/12/14 15:53:05.492561, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 11: got good SMB signature of [2007/12/14 15:53:05.492597, 10, pid=6050] lib/util.c:dump_data(2192) [000] D4 EA 50 3F 6E 6C DE D9 ÔêP?nlÞÙ [2007/12/14 15:53:05.492647, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.492689, 5, pid=6050] lib/util.c:show_msg(582) size=148 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=8 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 92 (0x5C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 92 (0x5C) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=93 [2007/12/14 15:53:05.492886, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 5C 00 00 00 0A 00 00 ........ .\...... [010] 00 44 00 00 00 00 00 00 00 00 00 02 00 05 00 00 .D...... ........ [020] 00 04 00 06 00 04 00 02 00 08 00 02 00 03 00 00 ........ ........ [030] 00 00 00 00 00 02 00 00 00 4D 00 4D 00 04 00 00 ........ .M.M.... [040] 00 01 04 00 00 00 00 00 05 15 00 00 00 D0 C2 54 ........ .....ÐÂT [050] 8B 0C F8 91 62 2F 75 AA ED 00 00 00 00 ..ø.b/uª í.... 
[2007/12/14 15:53:05.493148, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.493185, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.493217, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.493249, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.493281, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.493313, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.493345, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.493377, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.493409, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.493441, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 005c [2007/12/14 15:53:05.493473, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.493537, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000a [2007/12/14 15:53:05.493573, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.493606, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000044 [2007/12/14 15:53:05.493638, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.493688, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.493773, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.493809, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 92, data_len 68, ss_len 0 [2007/12/14 15:53:05.493844, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 92 
at offset 0 [2007/12/14 15:53:05.493928, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8000 returned 136 bytes. [2007/12/14 15:53:05.493965, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 lsa_io_r_query [2007/12/14 15:53:05.494032, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 dom_ptr: 00020000 [2007/12/14 15:53:05.494066, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 lsa_io_query_info_ctr [2007/12/14 15:53:05.494098, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0004 info_class: 0005 [2007/12/14 15:53:05.494131, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000008 lsa_io_dom_query_3 [2007/12/14 15:53:05.494163, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 uni_dom_max_len: 0004 [2007/12/14 15:53:05.494195, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a uni_dom_str_len: 0006 [2007/12/14 15:53:05.494227, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c buffer_dom_name: 00020004 [2007/12/14 15:53:05.494259, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 buffer_dom_sid : 00020008 [2007/12/14 15:53:05.494291, 8, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000014 smb_io_unistr2 unistr2 [2007/12/14 15:53:05.494324, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 uni_max_len: 00000003 [2007/12/14 15:53:05.494356, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0018 offset : 00000000 [2007/12/14 15:53:05.494387, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 001c uni_str_len: 00000002 [2007/12/14 15:53:05.494421, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0020 buffer : M.M. 
[2007/12/14 15:53:05.494458, 8, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000024 smb_io_dom_sid2 [2007/12/14 15:53:05.494522, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0024 num_auths: 00000004 [2007/12/14 15:53:05.494555, 9, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000028 smb_io_dom_sid sid [2007/12/14 15:53:05.494587, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0028 sid_rev_num: 01 [2007/12/14 15:53:05.494620, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0029 num_auths : 04 [2007/12/14 15:53:05.494674, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002a id_auth[0] : 00 [2007/12/14 15:53:05.494709, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002b id_auth[1] : 00 [2007/12/14 15:53:05.494748, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002c id_auth[2] : 00 [2007/12/14 15:53:05.494780, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002d id_auth[3] : 00 [2007/12/14 15:53:05.494813, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002e id_auth[4] : 00 [2007/12/14 15:53:05.494845, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 002f id_auth[5] : 05 [2007/12/14 15:53:05.494877, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32s(1005) 0030 sub_auths : 00000015 8b54c2d0 6291f80c edaa752f [2007/12/14 15:53:05.494915, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0040 status: NT_STATUS_OK lsa_Close: struct lsa_Close in: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : c89b7fd0-7fcf-4def-b5e4-5561f091f068 [2007/12/14 15:53:05.495126, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.495163, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.495195, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.495227, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.495259, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 
03 [2007/12/14 15:53:05.495291, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.495323, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.495354, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.495386, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.495418, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 002c [2007/12/14 15:53:05.495481, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.495517, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000b [2007/12/14 15:53:05.495549, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.495623, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000014 [2007/12/14 15:53:05.495676, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.495710, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0000 [2007/12/14 15:53:05.495773, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8000 [2007/12/14 15:53:05.495811, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.495834, 5, pid=6050] lib/util.c:show_msg(582) size=126 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 44 (0x2C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 44 (0x2C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32768 (0x8000) smb_bcc=59 [2007/12/14 15:53:05.496228, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 
49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2C 00 00 00 0B 00 00 00 14 ......., ........ [020] 00 00 00 00 00 00 00 00 00 00 00 D0 7F 9B C8 CF ........ ...Ð..ÈÏ [030] 7F EF 4D B5 E4 55 61 F0 91 F0 68 .ïMµäUað .ðh [2007/12/14 15:53:05.496376, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 12 [2007/12/14 15:53:05.496412, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.496472, 10, pid=6050] lib/util.c:dump_data(2192) [000] EB 60 4B 6E B5 1C F2 F4 ë`Knµ.òô [2007/12/14 15:53:05.496523, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 13 mid = 9 [2007/12/14 15:53:05.496554, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,130) [2007/12/14 15:53:05.496673, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,130) wrote 130 [2007/12/14 15:53:05.497485, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 104 [2007/12/14 15:53:05.497548, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.497707, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.497938, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 0B 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [030] 00 . 
[2007/12/14 15:53:05.498074, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 13 mid = 9 [2007/12/14 15:53:05.498106, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 13 [2007/12/14 15:53:05.498142, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 13: got good SMB signature of [2007/12/14 15:53:05.498174, 10, pid=6050] lib/util.c:dump_data(2192) [000] FA 27 7D 90 B3 3F CA 38 ú'}.³?Ê8 [2007/12/14 15:53:05.498224, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.498247, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.498468, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 0B 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [030] 00 . 
[2007/12/14 15:53:05.498618, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.498652, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.498703, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.498742, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.498776, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.498807, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.498840, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.498903, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.498938, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.498969, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0030 [2007/12/14 15:53:05.499002, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.499034, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000b [2007/12/14 15:53:05.499067, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.499100, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000018 [2007/12/14 15:53:05.499132, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.499164, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.499233, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.499267, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 [2007/12/14 15:53:05.499301, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 48 
at offset 0 [2007/12/14 15:53:05.499335, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \lsarpc fnum 0x8000 returned 48 bytes. lsa_Close: struct lsa_Close out: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK [2007/12/14 15:53:05.499500, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 14 [2007/12/14 15:53:05.499536, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.499568, 10, pid=6050] lib/util.c:dump_data(2192) [000] AC D2 8A 5C 3C 30 82 DE ¬Ò.\<0.Þ [2007/12/14 15:53:05.499618, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 15 mid = 10 [2007/12/14 15:53:05.499650, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,45) [2007/12/14 15:53:05.499740, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,45) wrote 45 [2007/12/14 15:53:05.500482, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 35 [2007/12/14 15:53:05.500542, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.500567, 5, pid=6050] lib/util.c:show_msg(582) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=10 smt_wct=0 smb_bcc=0 [2007/12/14 15:53:05.500693, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 15 mid = 10 [2007/12/14 15:53:05.500732, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 15 [2007/12/14 15:53:05.500768, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 15: got good SMB signature of [2007/12/14 15:53:05.500834, 10, pid=6050] 
lib/util.c:dump_data(2192) [000] 44 22 E1 3B CA 7E FC 6F D"á;Ê~üo [2007/12/14 15:53:05.500888, 10, pid=6050] libsmb/clientgen.c:cli_rpc_pipe_close(553) cli_rpc_pipe_close: closed pipe \lsarpc to machine WIN2008 [2007/12/14 15:53:05.500931, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 16 [2007/12/14 15:53:05.500965, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.500997, 10, pid=6050] lib/util.c:dump_data(2192) [000] 38 2A 06 58 8F 4D 73 61 8*.X.Msa [2007/12/14 15:53:05.501046, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 17 mid = 11 [2007/12/14 15:53:05.501079, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,100) [2007/12/14 15:53:05.501159, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,100) wrote 100 [2007/12/14 15:53:05.501774, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 103 [2007/12/14 15:53:05.501838, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.501863, 5, pid=6050] lib/util.c:show_msg(582) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=11 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 
(0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2007/12/14 15:53:05.502296, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 17 mid = 11 [2007/12/14 15:53:05.502331, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 17 [2007/12/14 15:53:05.502365, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 17: got good SMB signature of [2007/12/14 15:53:05.502397, 10, pid=6050] lib/util.c:dump_data(2192) [000] 2E D2 C2 F7 7E 46 1F 3E .ÒÂ÷~F.> [2007/12/14 15:53:05.502483, 5, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2045) Bind RPC Pipe[8001]: \samr auth_type 0, auth_level 0 [2007/12/14 15:53:05.502516, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1648) Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AC xW4.4.Í« ï..#Eg.¬ [010] 01 00 00 00 .... [2007/12/14 15:53:05.502593, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1651) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... 
[2007/12/14 15:53:05.502692, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.502871, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.502941, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.502975, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0b [2007/12/14 15:53:05.503007, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.503038, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.503070, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.503102, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.503134, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.503166, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0048 [2007/12/14 15:53:05.503198, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.503230, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000c [2007/12/14 15:53:05.503262, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_rb [2007/12/14 15:53:05.503295, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:53:05.503326, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:53:05.503359, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:53:05.503428, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 00000000 [2007/12/14 15:53:05.503460, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0018 num_contexts: 01 [2007/12/14 15:53:05.503529, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 001c context_id : 0000 [2007/12/14 15:53:05.503563, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 001e 
num_transfer_syntaxes: 01 [2007/12/14 15:53:05.503595, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 00001f smb_io_rpc_iface [2007/12/14 15:53:05.503627, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000020 smb_io_uuid uuid [2007/12/14 15:53:05.503677, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 data : 12345778 [2007/12/14 15:53:05.503816, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0024 data : 1234 [2007/12/14 15:53:05.503849, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0026 data : abcd [2007/12/14 15:53:05.503914, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0028 data : ef 00 [2007/12/14 15:53:05.503951, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 002a data : 01 23 45 67 89 ac [2007/12/14 15:53:05.503988, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 version: 00000001 [2007/12/14 15:53:05.504020, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_rpc_iface [2007/12/14 15:53:05.504052, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_uuid uuid [2007/12/14 15:53:05.504085, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0034 data : 8a885d04 [2007/12/14 15:53:05.504117, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0038 data : 1ceb [2007/12/14 15:53:05.504149, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 003a data : 11c9 [2007/12/14 15:53:05.504181, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003c data : 9f e8 [2007/12/14 15:53:05.504215, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003e data : 08 00 2b 10 48 60 [2007/12/14 15:53:05.504253, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0044 version: 00000002 [2007/12/14 15:53:05.504287, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 [2007/12/14 15:53:05.504323, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.504346, 5, pid=6050] lib/util.c:show_msg(582) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 
smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=12 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32769 (0x8001) smb_bcc=87 [2007/12/14 15:53:05.504609, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 0C 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 .¸...... .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AC 01 W4.4.Í«ï ..#Eg.¬. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... [2007/12/14 15:53:05.504726, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 18 [2007/12/14 15:53:05.504768, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.504800, 10, pid=6050] lib/util.c:dump_data(2192) [000] 70 B0 D6 FA CB 15 07 11 p°ÖúË... 
[2007/12/14 15:53:05.504854, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 19 mid = 12 [2007/12/14 15:53:05.504921, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,158) [2007/12/14 15:53:05.505012, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,158) wrote 158 [2007/12/14 15:53:05.505803, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 124 [2007/12/14 15:53:05.505888, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.505950, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=12 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:53:05.506138, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 0C 00 00 ........ .D...... [010] 00 B8 10 B8 10 60 98 00 00 0C 00 5C 70 69 70 65 .¸.¸.`.. ...\pipe [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2007/12/14 15:53:05.506313, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 19 mid = 12 [2007/12/14 15:53:05.506346, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 19 [2007/12/14 15:53:05.506384, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 19: got good SMB signature of [2007/12/14 15:53:05.506446, 10, pid=6050] lib/util.c:dump_data(2192) [000] 8E AB EB 3C 17 21 EF 60 .«ë<.!ï` [2007/12/14 15:53:05.506519, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.506544, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=12 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:53:05.506693, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 0C 00 00 ........ .D...... [010] 00 B8 10 B8 10 60 98 00 00 0C 00 5C 70 69 70 65 .¸.¸.`.. ...\pipe [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2007/12/14 15:53:05.506997, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.507034, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.507068, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.507100, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:53:05.507132, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.507164, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.507196, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.507229, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.507260, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.507293, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:53:05.507353, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.507412, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000c [2007/12/14 15:53:05.507446, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 68 at offset 0 [2007/12/14 15:53:05.507481, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 returned 68 bytes. [2007/12/14 15:53:05.507514, 3, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2082) rpc_pipe_bind: Remote machine WIN2008 pipe \samr fnum 0x8001 bind request returned ok. 
[2007/12/14 15:53:05.507547, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.507580, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.507612, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.507643, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:53:05.507693, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.507731, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.507764, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.507826, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.507862, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.507893, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:53:05.507925, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.507957, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000c [2007/12/14 15:53:05.507990, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_ba [2007/12/14 15:53:05.508022, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:53:05.508054, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:53:05.508086, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:53:05.508118, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 00009860 [2007/12/14 15:53:05.508150, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000018 smb_io_rpc_addr_str [2007/12/14 15:53:05.508182, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0018 len: 000c [2007/12/14 15:53:05.508215, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 001a str: 
\pipe\lsass. [2007/12/14 15:53:05.508256, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000026 smb_io_rpc_results [2007/12/14 15:53:05.508320, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0028 num_results: 01 [2007/12/14 15:53:05.508354, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002c result : 0000 [2007/12/14 15:53:05.508386, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002e reason : 0000 [2007/12/14 15:53:05.508418, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_rpc_iface [2007/12/14 15:53:05.508451, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_uuid uuid [2007/12/14 15:53:05.508483, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 data : 8a885d04 [2007/12/14 15:53:05.508515, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0034 data : 1ceb [2007/12/14 15:53:05.508547, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0036 data : 11c9 [2007/12/14 15:53:05.508579, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0038 data : 9f e8 [2007/12/14 15:53:05.508613, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003a data : 08 00 2b 10 48 60 [2007/12/14 15:53:05.508674, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0040 version: 00000002 [2007/12/14 15:53:05.508763, 5, pid=6050] rpc_client/cli_pipe.c:check_bind_response(1702) check_bind_response: accepted! [2007/12/14 15:53:05.508831, 10, pid=6050] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2278) cli_rpc_pipe_open_noauth: opened pipe \samr to machine WIN2008 and bound anonymously. 
[2007/12/14 15:53:05.508907, 10, pid=6050] rpc_client/cli_samr.c:rpccli_samr_connect(35) cli_samr_connect to WIN2008 [2007/12/14 15:53:05.509000, 5, pid=6050] rpc_parse/parse_samr.c:init_samr_q_connect(7029) init_samr_q_connect [2007/12/14 15:53:05.509204, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_q_connect [2007/12/14 15:53:05.509243, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 ptr_srv_name: 00000001 [2007/12/14 15:53:05.509308, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_unistr2 [2007/12/14 15:53:05.509342, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 uni_max_len: 00000008 [2007/12/14 15:53:05.509375, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0008 offset : 00000000 [2007/12/14 15:53:05.509407, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c uni_str_len: 00000008 [2007/12/14 15:53:05.509442, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0010 buffer : W.I.N.2.0.0.8... [2007/12/14 15:53:05.509486, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 access_mask: 02000000 [2007/12/14 15:53:05.509563, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.509601, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.509633, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.509684, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.509722, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.509795, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.509831, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.509863, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.509896, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.509928, 5, 
pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 003c [2007/12/14 15:53:05.509960, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.509992, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000d [2007/12/14 15:53:05.510025, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.510058, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000024 [2007/12/14 15:53:05.510090, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.510123, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0039 [2007/12/14 15:53:05.510156, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 [2007/12/14 15:53:05.510192, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.510216, 5, pid=6050] lib/util.c:show_msg(582) size=142 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=13 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 60 (0x3C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 60 (0x3C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32769 (0x8001) smb_bcc=75 [2007/12/14 15:53:05.510529, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 3C 00 00 00 0D 00 00 00 24 .......< .......$ [020] 00 00 00 00 00 39 00 01 00 00 00 08 00 00 00 00 .....9.. ........ [030] 00 00 00 08 00 00 00 57 00 49 00 4E 00 32 00 30 .......W .I.N.2.0 [040] 00 30 00 38 00 00 00 00 00 00 02 .0.8.... ... 
[2007/12/14 15:53:05.510767, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 20 [2007/12/14 15:53:05.510810, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.510842, 10, pid=6050] lib/util.c:dump_data(2192) [000] E8 EC 96 C1 30 B1 FD CC èì.Á0±ýÌ [2007/12/14 15:53:05.510932, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 21 mid = 13 [2007/12/14 15:53:05.510966, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,146) [2007/12/14 15:53:05.511060, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,146) wrote 146 [2007/12/14 15:53:05.511799, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 104 [2007/12/14 15:53:05.511876, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.511902, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=13 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.512122, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 0D 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 F6 22 84 ........ .....ö". [020] 21 D7 08 AB 41 AB BE 75 BF 4C 18 BF C5 00 00 00 !×.«A«¾u ¿L.¿Å... [030] 00 . 
[2007/12/14 15:53:05.512260, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 21 mid = 13 [2007/12/14 15:53:05.512293, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 21 [2007/12/14 15:53:05.512329, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 21: got good SMB signature of [2007/12/14 15:53:05.512362, 10, pid=6050] lib/util.c:dump_data(2192) [000] 1F 80 7D 7A B6 16 7F E7 ..}z¶..ç [2007/12/14 15:53:05.512412, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.512435, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=13 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.512675, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 0D 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 F6 22 84 ........ .....ö". [020] 21 D7 08 AB 41 AB BE 75 BF 4C 18 BF C5 00 00 00 !×.«A«¾u ¿L.¿Å... [030] 00 . 
[2007/12/14 15:53:05.512834, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.512869, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.512917, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.512950, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.512982, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.513014, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.513046, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.513111, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.513143, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.513175, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0030 [2007/12/14 15:53:05.513207, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.513240, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000d [2007/12/14 15:53:05.513273, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.513306, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000018 [2007/12/14 15:53:05.513361, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.513395, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.513427, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.513459, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 [2007/12/14 15:53:05.513494, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 48 
at offset 0 [2007/12/14 15:53:05.513528, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 returned 48 bytes. [2007/12/14 15:53:05.513700, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_r_connect [2007/12/14 15:53:05.513748, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd connect_pol [2007/12/14 15:53:05.513781, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.513813, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.513845, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : 218422f6 [2007/12/14 15:53:05.513877, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 08d7 [2007/12/14 15:53:05.513909, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 41ab [2007/12/14 15:53:05.513941, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : ab be [2007/12/14 15:53:05.514001, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 75 bf 4c 18 bf c5 [2007/12/14 15:53:05.514044, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0014 status: NT_STATUS_OK [2007/12/14 15:53:05.514109, 10, pid=6050] rpc_client/cli_samr.c:rpccli_samr_open_domain(148) cli_samr_open_domain with sid S-1-5-21-2337587920-1653733388-3987371311 [2007/12/14 15:53:05.514180, 5, pid=6050] rpc_parse/parse_samr.c:init_samr_q_open_domain(247) samr_init_samr_q_open_domain [2007/12/14 15:53:05.514255, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_q_open_domain [2007/12/14 15:53:05.514290, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd pol [2007/12/14 15:53:05.514354, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.514388, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.514420, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 
0004 data : 218422f6 [2007/12/14 15:53:05.514507, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 08d7 [2007/12/14 15:53:05.514541, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 41ab [2007/12/14 15:53:05.514573, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : ab be [2007/12/14 15:53:05.514608, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 75 bf 4c 18 bf c5 [2007/12/14 15:53:05.514646, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 flags: 02000000 [2007/12/14 15:53:05.514691, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000018 smb_io_dom_sid2 sid [2007/12/14 15:53:05.514733, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0018 num_auths: 00000004 [2007/12/14 15:53:05.514766, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 00001c smb_io_dom_sid sid [2007/12/14 15:53:05.514799, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 001c sid_rev_num: 01 [2007/12/14 15:53:05.514831, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 001d num_auths : 04 [2007/12/14 15:53:05.514863, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 001e id_auth[0] : 00 [2007/12/14 15:53:05.514896, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 001f id_auth[1] : 00 [2007/12/14 15:53:05.514961, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0020 id_auth[2] : 00 [2007/12/14 15:53:05.514995, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0021 id_auth[3] : 00 [2007/12/14 15:53:05.515028, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0022 id_auth[4] : 00 [2007/12/14 15:53:05.515060, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0023 id_auth[5] : 05 [2007/12/14 15:53:05.515092, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32s(1005) 0024 sub_auths : 00000015 8b54c2d0 6291f80c edaa752f [2007/12/14 15:53:05.515173, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.515210, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.515243, 
5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.515274, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.515306, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.515338, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.515370, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.515429, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.515467, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.515500, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 004c [2007/12/14 15:53:05.515531, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.515563, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000e [2007/12/14 15:53:05.515595, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.515627, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000034 [2007/12/14 15:53:05.515676, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.515714, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0007 [2007/12/14 15:53:05.515748, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 [2007/12/14 15:53:05.515824, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.515849, 5, pid=6050] lib/util.c:show_msg(582) size=158 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=14 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 76 (0x4C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 
9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 76 (0x4C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32769 (0x8001) smb_bcc=91 [2007/12/14 15:53:05.516139, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 4C 00 00 00 0E 00 00 00 34 .......L .......4 [020] 00 00 00 00 00 07 00 00 00 00 00 F6 22 84 21 D7 ........ ...ö".!× [030] 08 AB 41 AB BE 75 BF 4C 18 BF C5 00 00 00 02 04 .«A«¾u¿L .¿Å..... [040] 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 D0 ........ .......Ð [050] C2 54 8B 0C F8 91 62 2F 75 AA ED ÂT..ø.b/ uªí [2007/12/14 15:53:05.516346, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 22 [2007/12/14 15:53:05.516408, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.516445, 10, pid=6050] lib/util.c:dump_data(2192) [000] 47 C0 C0 DA 7A 2F 47 9E GÀÀÚz/G. 
[2007/12/14 15:53:05.516493, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 23 mid = 14 [2007/12/14 15:53:05.516525, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,162) [2007/12/14 15:53:05.516614, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,162) wrote 162 [2007/12/14 15:53:05.517842, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 104 [2007/12/14 15:53:05.517942, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.517968, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.518190, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 0E 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 9A 3D 01 ........ ......=. [020] 67 18 BE E6 42 A7 86 17 63 7D EE 70 6C 00 00 00 g.¾æB§.. c}îpl... [030] 00 . 
[2007/12/14 15:53:05.518330, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 23 mid = 14 [2007/12/14 15:53:05.518362, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 23 [2007/12/14 15:53:05.518400, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 23: got good SMB signature of [2007/12/14 15:53:05.518431, 10, pid=6050] lib/util.c:dump_data(2192) [000] 3C 98 80 F2 D3 EF 4B D7 <..òÓïK× [2007/12/14 15:53:05.518480, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.518502, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.518693, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 0E 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 9A 3D 01 ........ ......=. [020] 67 18 BE E6 42 A7 86 17 63 7D EE 70 6C 00 00 00 g.¾æB§.. c}îpl... [030] 00 . 
[2007/12/14 15:53:05.518892, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.518930, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.518993, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.519027, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.519058, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.519090, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.519121, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.519152, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.519183, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.519215, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0030 [2007/12/14 15:53:05.519247, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.519279, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000e [2007/12/14 15:53:05.519311, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.519343, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000018 [2007/12/14 15:53:05.519374, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.519406, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.519458, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.519497, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 [2007/12/14 15:53:05.519532, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 48 
at offset 0 [2007/12/14 15:53:05.519566, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 returned 48 bytes. [2007/12/14 15:53:05.519600, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_r_open_domain [2007/12/14 15:53:05.519634, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd domain_pol [2007/12/14 15:53:05.519683, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.519721, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.519755, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : 67013d9a [2007/12/14 15:53:05.519787, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : be18 [2007/12/14 15:53:05.519819, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 42e6 [2007/12/14 15:53:05.519851, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : a7 86 [2007/12/14 15:53:05.519886, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 17 63 7d ee 70 6c [2007/12/14 15:53:05.519974, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0014 status: NT_STATUS_OK [2007/12/14 15:53:05.520050, 10, pid=6050] rpc_client/cli_samr.c:rpccli_samr_create_dom_user(1653) cli_samr_create_dom_user sarge26$ [2007/12/14 15:53:05.520088, 5, pid=6050] rpc_parse/parse_samr.c:init_samr_q_create_user(5177) samr_init_samr_q_create_user [2007/12/14 15:53:05.520133, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_q_create_user [2007/12/14 15:53:05.520206, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd domain_pol [2007/12/14 15:53:05.520266, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.520299, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.520331, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : 67013d9a 
[2007/12/14 15:53:05.520363, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : be18 [2007/12/14 15:53:05.520395, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 42e6 [2007/12/14 15:53:05.520455, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : a7 86 [2007/12/14 15:53:05.520491, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 17 63 7d ee 70 6c [2007/12/14 15:53:05.520529, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000014 smb_io_unihdr hdr_name [2007/12/14 15:53:05.520561, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 uni_str_len: 0010 [2007/12/14 15:53:05.520594, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 uni_max_len: 0010 [2007/12/14 15:53:05.520627, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0018 buffer : 00000001 [2007/12/14 15:53:05.520677, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 00001c smb_io_unistr2 uni_name [2007/12/14 15:53:05.520716, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 001c uni_max_len: 00000008 [2007/12/14 15:53:05.520749, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 offset : 00000000 [2007/12/14 15:53:05.520782, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0024 uni_str_len: 00000008 [2007/12/14 15:53:05.520815, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0028 buffer : s.a.r.g.e.2.6.$. 
[2007/12/14 15:53:05.520858, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0038 acb_info : 00000080 [2007/12/14 15:53:05.520891, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 003c access_mask: e005000b [2007/12/14 15:53:05.521040, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.521079, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.521112, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.521144, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.521176, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.521208, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.521240, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.521272, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.521304, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.521337, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0058 [2007/12/14 15:53:05.521369, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.521433, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000f [2007/12/14 15:53:05.521468, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.521500, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000040 [2007/12/14 15:53:05.521533, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.521565, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0032 [2007/12/14 15:53:05.521598, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 [2007/12/14 15:53:05.521690, 5, 
pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.521721, 5, pid=6050] lib/util.c:show_msg(582) size=170 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=15 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 88 (0x58) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32769 (0x8001) smb_bcc=103 [2007/12/14 15:53:05.521987, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 58 00 00 00 0F 00 00 00 40 .......X .......@ [020] 00 00 00 00 00 32 00 00 00 00 00 9A 3D 01 67 18 .....2.. ....=.g. [030] BE E6 42 A7 86 17 63 7D EE 70 6C 10 00 10 00 01 ¾æB§..c} îpl..... [040] 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 73 ........ .......s [050] 00 61 00 72 00 67 00 65 00 32 00 36 00 24 00 80 .a.r.g.e .2.6.$.. 
[060] 00 00 00 0B 00 05 E0 ......à [2007/12/14 15:53:05.522231, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 24 [2007/12/14 15:53:05.522266, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.522299, 10, pid=6050] lib/util.c:dump_data(2192) [000] DC FF CA 09 27 9C DA AD ÜÿÊ.'.Ú­ [2007/12/14 15:53:05.522348, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 25 mid = 15 [2007/12/14 15:53:05.522410, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,174) [2007/12/14 15:53:05.522504, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,174) wrote 174 [2007/12/14 15:53:05.522842, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 112 [2007/12/14 15:53:05.522930, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.522956, 5, pid=6050] lib/util.c:show_msg(582) size=112 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 56 (0x38) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=57 [2007/12/14 15:53:05.523140, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 38 00 00 00 0F 00 00 ........ .8...... [010] 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . ...... ........ [020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [030] 00 00 00 00 00 63 00 00 C0 .....c.. 
À [2007/12/14 15:53:05.523347, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 25 mid = 15 [2007/12/14 15:53:05.523382, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 25 [2007/12/14 15:53:05.523419, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 25: got good SMB signature of [2007/12/14 15:53:05.523451, 10, pid=6050] lib/util.c:dump_data(2192) [000] B6 6A 0A AA 94 AE B8 5B ¶j.ª.®¸[ [2007/12/14 15:53:05.523499, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.523521, 5, pid=6050] lib/util.c:show_msg(582) size=112 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 56 (0x38) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=57 [2007/12/14 15:53:05.523718, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 38 00 00 00 0F 00 00 ........ .8...... [010] 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . ...... ........ [020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [030] 00 00 00 00 00 63 00 00 C0 .....c.. 
À [2007/12/14 15:53:05.523867, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.523901, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.523933, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.523964, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.523995, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.524026, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.524058, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.524089, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.524120, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.524184, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0038 [2007/12/14 15:53:05.524218, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.524249, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 0000000f [2007/12/14 15:53:05.524282, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.524315, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000020 [2007/12/14 15:53:05.524346, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.524377, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.524409, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.524440, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 56, data_len 32, ss_len 0 [2007/12/14 15:53:05.524474, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 
56 at offset 0 [2007/12/14 15:53:05.524508, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 returned 64 bytes. [2007/12/14 15:53:05.524581, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_r_create_user [2007/12/14 15:53:05.524616, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd user_pol [2007/12/14 15:53:05.524700, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.524734, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.524766, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : 00000000 [2007/12/14 15:53:05.524798, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 0000 [2007/12/14 15:53:05.524830, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 0000 [2007/12/14 15:53:05.524862, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : 00 00 [2007/12/14 15:53:05.524897, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 00 00 00 00 00 00 [2007/12/14 15:53:05.524970, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 access_granted: 00000000 [2007/12/14 15:53:05.525006, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0018 user_rid : 00000000 [2007/12/14 15:53:05.525038, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 001c status: NT_STATUS_USER_EXISTS [2007/12/14 15:53:05.525088, 10, pid=6050] rpc_client/cli_samr.c:rpccli_samr_lookup_names(1593) cli_samr_lookup_names [2007/12/14 15:53:05.525180, 5, pid=6050] rpc_parse/parse_samr.c:init_samr_q_lookup_names(4823) init_samr_q_lookup_names [2007/12/14 15:53:05.525235, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_q_lookup_names [2007/12/14 15:53:05.525269, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd pol [2007/12/14 15:53:05.525301, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 
[2007/12/14 15:53:05.525334, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.525365, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : 67013d9a [2007/12/14 15:53:05.525398, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : be18 [2007/12/14 15:53:05.525430, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 42e6 [2007/12/14 15:53:05.525462, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : a7 86 [2007/12/14 15:53:05.525496, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 17 63 7d ee 70 6c [2007/12/14 15:53:05.525533, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 num_names1: 00000001 [2007/12/14 15:53:05.525565, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0018 flags : 000003e8 [2007/12/14 15:53:05.525626, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 001c ptr : 00000000 [2007/12/14 15:53:05.525682, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 num_names2: 00000001 [2007/12/14 15:53:05.525720, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000024 smb_io_unihdr [2007/12/14 15:53:05.525754, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0024 uni_str_len: 0010 [2007/12/14 15:53:05.525806, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0026 uni_max_len: 0010 [2007/12/14 15:53:05.525838, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0028 buffer : 00000001 [2007/12/14 15:53:05.525870, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 00002c smb_io_unistr2 [2007/12/14 15:53:05.525902, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 002c uni_max_len: 00000008 [2007/12/14 15:53:05.525934, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 offset : 00000000 [2007/12/14 15:53:05.525966, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0034 uni_str_len: 00000008 [2007/12/14 15:53:05.525999, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0038 buffer : s.a.r.g.e.2.6.$. 
[2007/12/14 15:53:05.526048, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.526230, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.526266, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.526297, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.526329, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.526361, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.526393, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.526425, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.526457, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.526527, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0060 [2007/12/14 15:53:05.526563, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.526629, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000010 [2007/12/14 15:53:05.526681, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.526719, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000048 [2007/12/14 15:53:05.526753, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.526785, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0011 [2007/12/14 15:53:05.526818, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 [2007/12/14 15:53:05.526854, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.526877, 5, pid=6050] lib/util.c:show_msg(582) size=178 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 
smb_mid=16 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 96 (0x60) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 96 (0x60) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32769 (0x8001) smb_bcc=111 [2007/12/14 15:53:05.527144, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 60 00 00 00 10 00 00 00 48 .......` .......H [020] 00 00 00 00 00 11 00 00 00 00 00 9A 3D 01 67 18 ........ ....=.g. [030] BE E6 42 A7 86 17 63 7D EE 70 6C 01 00 00 00 E8 ¾æB§..c} îpl....è [040] 03 00 00 00 00 00 00 01 00 00 00 10 00 10 00 01 ........ ........ [050] 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 73 ........ .......s [060] 00 61 00 72 00 67 00 65 00 32 00 36 00 24 00 .a.r.g.e .2.6.$. [2007/12/14 15:53:05.527431, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 26 [2007/12/14 15:53:05.527468, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.527499, 10, pid=6050] lib/util.c:dump_data(2192) [000] 0D 9C 92 D1 5F A3 36 F8 ...Ñ_£6ø [2007/12/14 15:53:05.527570, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 27 mid = 16 [2007/12/14 15:53:05.527608, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,182) [2007/12/14 15:53:05.527714, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,182) wrote 182 [2007/12/14 15:53:05.528786, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 116 [2007/12/14 15:53:05.528897, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.528922, 5, pid=6050] lib/util.c:show_msg(582) size=116 smb_com=0x25 smb_rcls=0 
smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=16 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 60 (0x3C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 60 (0x3C) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=61 [2007/12/14 15:53:05.529105, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 3C 00 00 00 10 00 00 ........ .<...... [010] 00 24 00 00 00 00 00 00 00 01 00 00 00 00 00 02 .$...... ........ [020] 00 01 00 00 00 4F 04 00 00 01 00 00 00 04 00 02 .....O.. ........ [030] 00 01 00 00 00 01 00 00 00 00 00 00 00 ........ ..... [2007/12/14 15:53:05.529263, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 27 mid = 16 [2007/12/14 15:53:05.529328, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 27 [2007/12/14 15:53:05.529366, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 27: got good SMB signature of [2007/12/14 15:53:05.529398, 10, pid=6050] lib/util.c:dump_data(2192) [000] A9 DF D3 92 3C 6B 47 5E ©ßÓ. 
[2007/12/14 15:53:05.537736, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 021c pw_len: 18 [2007/12/14 15:53:05.537777, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.537810, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.537843, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.537911, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.537944, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.537976, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.538008, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.538039, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.538071, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.538102, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0235 [2007/12/14 15:53:05.538134, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.538196, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000012 [2007/12/14 15:53:05.538228, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.538260, 5, pid=6050]
rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 0000021d [2007/12/14 15:53:05.538291, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.538323, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 003a [2007/12/14 15:53:05.538397, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 [2007/12/14 15:53:05.538435, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.538458, 5, pid=6050] lib/util.c:show_msg(582) size=647 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=18 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 565 (0x235) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 565 (0x235) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32769 (0x8001) smb_bcc=580 [2007/12/14 15:53:05.538741, 10, pid=6050] lib/util.c:dump_data(2192)
[2007/12/14 15:53:05.539853, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 30 [2007/12/14 15:53:05.539933, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.539989, 10, pid=6050] lib/util.c:dump_data(2192) [000] 57 EF CD 57 5F 03 B1 A9 WïÍW_.±© [2007/12/14 15:53:05.540043, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 31 mid = 18 [2007/12/14 15:53:05.540075, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,651) [2007/12/14 15:53:05.540201, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,651) wrote 651 [2007/12/14 15:53:05.620834, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 84 [2007/12/14 15:53:05.620937, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.621688, 5, pid=6050] lib/util.c:show_msg(582) size=84 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 28 (0x1C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 28 (0x1C) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=29 [2007/12/14 15:53:05.621910, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 1C 00 00 00 12 00 00 ........ ........ [010] 00 04 00 00 00 00 00 00 00 00 00 00 00 ........ .....
[2007/12/14 15:53:05.622685, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 31 mid = 18 [2007/12/14 15:53:05.622737, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 31 [2007/12/14 15:53:05.622780, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 31: got good SMB signature of [2007/12/14 15:53:05.622812, 10, pid=6050] lib/util.c:dump_data(2192) [000] F3 BD 70 25 87 06 31 78 ó½p%..1x [2007/12/14 15:53:05.622861, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.622884, 5, pid=6050] lib/util.c:show_msg(582) size=84 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 28 (0x1C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 28 (0x1C) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=29 [2007/12/14 15:53:05.623811, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 1C 00 00 00 12 00 00 ........ ........ [010] 00 04 00 00 00 00 00 00 00 00 00 00 00 ........ ..... 
[2007/12/14 15:53:05.623904, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.623938, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.623970, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.624692, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.624726, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.624758, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.624789, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.624821, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.624884, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.624918, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 001c [2007/12/14 15:53:05.624950, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.624982, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000012 [2007/12/14 15:53:05.625691, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.625727, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000004 [2007/12/14 15:53:05.625758, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.625790, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.625821, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.625853, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 28, data_len 4, ss_len 0 [2007/12/14 15:53:05.625888, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 28 
at offset 0 [2007/12/14 15:53:05.625954, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 returned 8 bytes. [2007/12/14 15:53:05.626696, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_r_set_userinfo [2007/12/14 15:53:05.626736, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0000 status: NT_STATUS_OK [2007/12/14 15:53:05.626780, 5, pid=6050] rpc_parse/parse_samr.c:init_sam_user_info16(5446) init_sam_user_info16 [2007/12/14 15:53:05.626813, 10, pid=6050] rpc_client/cli_samr.c:rpccli_samr_set_userinfo2(1748) cli_samr_set_userinfo2 [2007/12/14 15:53:05.626845, 5, pid=6050] rpc_parse/parse_samr.c:init_samr_q_set_userinfo2(6943) init_samr_q_set_userinfo2 [2007/12/14 15:53:05.626892, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_q_set_userinfo2 [2007/12/14 15:53:05.626925, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd pol [2007/12/14 15:53:05.626959, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.626991, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.627691, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : b3529cb7 [2007/12/14 15:53:05.627755, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 4b2e [2007/12/14 15:53:05.627787, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 42fa [2007/12/14 15:53:05.627819, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : a1 98 [2007/12/14 15:53:05.627854, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 13 90 77 0c d3 f3 [2007/12/14 15:53:05.627892, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 switch_value: 0010 [2007/12/14 15:53:05.627924, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000016 samr_io_userinfo_ctr ctr [2007/12/14 15:53:05.627957, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 switch_value: 0010 [2007/12/14 
15:53:05.627990, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000018 samr_io_r_user_info16 [2007/12/14 15:53:05.628688, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0018 acb_info: 00000080 [2007/12/14 15:53:05.628769, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.628837, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.628872, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.628904, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.628936, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.628967, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.629682, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.629716, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.629748, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.629780, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0034 [2007/12/14 15:53:05.629812, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.629844, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000013 [2007/12/14 15:53:05.629876, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.629908, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 0000001c [2007/12/14 15:53:05.629962, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.630681, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0025 [2007/12/14 15:53:05.630716, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 [2007/12/14 15:53:05.630754, 5, pid=6050] 
lib/util.c:show_msg(572) [2007/12/14 15:53:05.630777, 5, pid=6050] lib/util.c:show_msg(582) size=134 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=19 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 52 (0x34) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 52 (0x34) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32769 (0x8001) smb_bcc=67 [2007/12/14 15:53:05.631682, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 34 00 00 00 13 00 00 00 1C .......4 ........ [020] 00 00 00 00 00 25 00 00 00 00 00 B7 9C 52 B3 2E .....%.. ...·.R³. [030] 4B FA 42 A1 98 13 90 77 0C D3 F3 10 00 10 00 80 KúB¡...w .Óó..... [040] 00 00 00 ... [2007/12/14 15:53:05.631891, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 32 [2007/12/14 15:53:05.631928, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.631960, 10, pid=6050] lib/util.c:dump_data(2192) [000] 7F 51 19 F3 52 40 21 83 .Q.óR@!. 
[2007/12/14 15:53:05.632683, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 33 mid = 19 [2007/12/14 15:53:05.632718, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,138) [2007/12/14 15:53:05.632787, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,138) wrote 138 [2007/12/14 15:53:05.633822, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 84 [2007/12/14 15:53:05.634698, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.634729, 5, pid=6050] lib/util.c:show_msg(582) size=84 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=19 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 28 (0x1C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 28 (0x1C) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=29 [2007/12/14 15:53:05.634916, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 1C 00 00 00 13 00 00 ........ ........ [010] 00 04 00 00 00 00 00 00 00 00 00 00 00 ........ ..... [2007/12/14 15:53:05.635679, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 33 mid = 19 [2007/12/14 15:53:05.635714, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 33 [2007/12/14 15:53:05.635752, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 33: got good SMB signature of [2007/12/14 15:53:05.635817, 10, pid=6050] lib/util.c:dump_data(2192) [000] 8F 4D 6C B2 3B D1 25 1C .Ml²;Ñ%. 
[2007/12/14 15:53:05.635871, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.635895, 5, pid=6050] lib/util.c:show_msg(582) size=84 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=19 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 28 (0x1C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 28 (0x1C) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=29 [2007/12/14 15:53:05.636679, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 1C 00 00 00 13 00 00 ........ ........ [010] 00 04 00 00 00 00 00 00 00 00 00 00 00 ........ ..... [2007/12/14 15:53:05.636771, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.636820, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.636890, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.636924, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.636955, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.637684, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.637718, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.637750, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.637782, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.637845, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 001c [2007/12/14 15:53:05.637877, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.637908, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000013 [2007/12/14 15:53:05.637941, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 
smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.637973, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000004 [2007/12/14 15:53:05.638709, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.638750, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.638781, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.638813, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 28, data_len 4, ss_len 0 [2007/12/14 15:53:05.638856, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 28 at offset 0 [2007/12/14 15:53:05.638891, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 returned 8 bytes. [2007/12/14 15:53:05.638925, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_r_set_userinfo2 [2007/12/14 15:53:05.638958, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0000 status: NT_STATUS_OK [2007/12/14 15:53:05.638992, 10, pid=6050] rpc_client/cli_samr.c:rpccli_samr_close(108) cli_samr_close [2007/12/14 15:53:05.639688, 5, pid=6050] rpc_parse/parse_samr.c:init_samr_q_close_hnd(37) init_samr_q_close_hnd [2007/12/14 15:53:05.639735, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_q_close_hnd [2007/12/14 15:53:05.639768, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd pol [2007/12/14 15:53:05.639800, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.639862, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.639894, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : b3529cb7 [2007/12/14 15:53:05.639926, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 4b2e [2007/12/14 15:53:05.639958, 5, pid=6050] 
rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 42fa [2007/12/14 15:53:05.639990, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : a1 98 [2007/12/14 15:53:05.640689, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 13 90 77 0c d3 f3 [2007/12/14 15:53:05.640735, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.640768, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.640800, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.640831, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.640863, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.640895, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.640927, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.641681, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.641715, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.641747, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 002c [2007/12/14 15:53:05.641779, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.641811, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000014 [2007/12/14 15:53:05.641843, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.641875, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000014 [2007/12/14 15:53:05.641906, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.641937, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0001 [2007/12/14 15:53:05.641970, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \samr 
fnum 0x8001 [2007/12/14 15:53:05.642683, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.642709, 5, pid=6050] lib/util.c:show_msg(582) size=126 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=20 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 44 (0x2C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 44 (0x2C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32769 (0x8001) smb_bcc=59 [2007/12/14 15:53:05.643684, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2C 00 00 00 14 00 00 00 14 ......., ........ [020] 00 00 00 00 00 01 00 00 00 00 00 B7 9C 52 B3 2E ........ ...·.R³. [030] 4B FA 42 A1 98 13 90 77 0C D3 F3 KúB¡...w .Óó [2007/12/14 15:53:05.643833, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 34 [2007/12/14 15:53:05.643867, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.643944, 10, pid=6050] lib/util.c:dump_data(2192) [000] B6 0B 3E 62 73 46 34 08 ¶.>bsF4. 
[2007/12/14 15:53:05.644687, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 35 mid = 20 [2007/12/14 15:53:05.644723, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,130) [2007/12/14 15:53:05.644816, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,130) wrote 130 [2007/12/14 15:53:05.645751, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 104 [2007/12/14 15:53:05.645810, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.645835, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.646686, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 14 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [030] 00 . 
[2007/12/14 15:53:05.646877, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 35 mid = 20 [2007/12/14 15:53:05.646910, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 35 [2007/12/14 15:53:05.646946, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 35: got good SMB signature of [2007/12/14 15:53:05.646977, 10, pid=6050] lib/util.c:dump_data(2192) [000] 7E 91 63 E0 E9 D4 63 B3 ~.càéÔc³ [2007/12/14 15:53:05.647688, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.647925, 5, pid=6050] lib/util.c:show_msg(582) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2007/12/14 15:53:05.648683, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 14 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [030] 00 . 
[2007/12/14 15:53:05.648836, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.648869, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.648930, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.648961, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.649680, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.649713, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.649744, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.649775, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.649806, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.649838, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0030 [2007/12/14 15:53:05.649869, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.649908, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000014 [2007/12/14 15:53:05.649941, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.649973, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000018 [2007/12/14 15:53:05.650709, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.650750, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.650782, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.650813, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 [2007/12/14 15:53:05.650848, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 48 
at offset 0 [2007/12/14 15:53:05.650881, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \samr fnum 0x8001 returned 48 bytes. [2007/12/14 15:53:05.650915, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 samr_io_r_close_hnd [2007/12/14 15:53:05.650948, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_pol_hnd pol [2007/12/14 15:53:05.650980, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 handle_type: 00000000 [2007/12/14 15:53:05.651684, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_uuid uuid [2007/12/14 15:53:05.651718, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 data : 00000000 [2007/12/14 15:53:05.651750, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 data : 0000 [2007/12/14 15:53:05.651782, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a data : 0000 [2007/12/14 15:53:05.651814, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000c data : 00 00 [2007/12/14 15:53:05.652724, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 000e data : 00 00 00 00 00 00 [2007/12/14 15:53:05.652766, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0014 status: NT_STATUS_OK [2007/12/14 15:53:05.652803, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 36 [2007/12/14 15:53:05.652837, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.652869, 10, pid=6050] lib/util.c:dump_data(2192) [000] D5 DD BC 27 72 B8 C5 C4 Õݼ'r¸ÅÄ [2007/12/14 15:53:05.652919, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 37 mid = 21 [2007/12/14 15:53:05.653689, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,45) [2007/12/14 15:53:05.653745, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,45) wrote 45 [2007/12/14 15:53:05.654752, 10, pid=6050] 
lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 35 [2007/12/14 15:53:05.654906, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.654935, 5, pid=6050] lib/util.c:show_msg(582) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=21 smt_wct=0 smb_bcc=0 [2007/12/14 15:53:05.655680, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 37 mid = 21 [2007/12/14 15:53:05.655716, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 37 [2007/12/14 15:53:05.655749, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 37: got good SMB signature of [2007/12/14 15:53:05.655781, 10, pid=6050] lib/util.c:dump_data(2192) [000] FF 61 3D C6 59 3A 16 CE ÿa=ÆY:.Î [2007/12/14 15:53:05.655833, 10, pid=6050] libsmb/clientgen.c:cli_rpc_pipe_close(553) cli_rpc_pipe_close: closed pipe \samr to machine WIN2008 [2007/12/14 15:53:05.656732, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 38 [2007/12/14 15:53:05.656768, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.656800, 10, pid=6050] lib/util.c:dump_data(2192) [000] 6A 3A 70 86 0B 71 B9 39 j:p..q¹9 [2007/12/14 15:53:05.656880, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 39 mid = 22 [2007/12/14 15:53:05.656915, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,108) [2007/12/14 15:53:05.657720, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,108) wrote 108 [2007/12/14 15:53:05.657786, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 103 [2007/12/14 15:53:05.657832, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 
15:53:05.657857, 5, pid=6050] lib/util.c:show_msg(582) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=22 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 512 (0x200) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2007/12/14 15:53:05.659678, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 39 mid = 22 [2007/12/14 15:53:05.659714, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 39 [2007/12/14 15:53:05.659783, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 39: got good SMB signature of [2007/12/14 15:53:05.659816, 10, pid=6050] lib/util.c:dump_data(2192) [000] 5E E7 4A 2A 8B D6 0B BB ^çJ*.Ö.» [2007/12/14 15:53:05.659894, 5, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2045) Bind RPC Pipe[8002]: \NETLOGON auth_type 0, auth_level 0 [2007/12/14 15:53:05.659929, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1648) Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4.Í« ï..#EgÏû [010] 01 00 00 00 .... 
[2007/12/14 15:53:05.660682, 5, pid=6050] rpc_client/cli_pipe.c:valid_pipe_name(1651) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... [2007/12/14 15:53:05.660764, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.660896, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.660936, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.660967, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0b [2007/12/14 15:53:05.661682, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.661716, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.661748, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.661779, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.661811, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.661843, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0048 [2007/12/14 15:53:05.661876, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.661908, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000015 [2007/12/14 15:53:05.661940, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_rb [2007/12/14 15:53:05.661972, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:53:05.662764, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:53:05.662806, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:53:05.662838, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 00000000 [2007/12/14 15:53:05.662870, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0018 
num_contexts: 01 [2007/12/14 15:53:05.662903, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 001c context_id : 0000 [2007/12/14 15:53:05.662935, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 001e num_transfer_syntaxes: 01 [2007/12/14 15:53:05.662967, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 00001f smb_io_rpc_iface [2007/12/14 15:53:05.662999, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000020 smb_io_uuid uuid [2007/12/14 15:53:05.663031, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0020 data : 12345678 [2007/12/14 15:53:05.663678, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0024 data : 1234 [2007/12/14 15:53:05.663712, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0026 data : abcd [2007/12/14 15:53:05.663745, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0028 data : ef 00 [2007/12/14 15:53:05.663814, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 002a data : 01 23 45 67 cf fb [2007/12/14 15:53:05.663852, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 version: 00000001 [2007/12/14 15:53:05.663884, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_rpc_iface [2007/12/14 15:53:05.663916, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000034 smb_io_uuid uuid [2007/12/14 15:53:05.663948, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0034 data : 8a885d04 [2007/12/14 15:53:05.664693, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0038 data : 1ceb [2007/12/14 15:53:05.664730, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 003a data : 11c9 [2007/12/14 15:53:05.664762, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003c data : 9f e8 [2007/12/14 15:53:05.664796, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003e data : 08 00 2b 10 48 60 [2007/12/14 15:53:05.664833, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0044 version: 00000002 [2007/12/14 15:53:05.664867, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8002 
[2007/12/14 15:53:05.664936, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.665701, 5, pid=6050] lib/util.c:show_msg(582) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=23 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32770 (0x8002) smb_bcc=87 [2007/12/14 15:53:05.665940, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 15 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 .¸...... .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.Í«ï ..#EgÏû. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... [2007/12/14 15:53:05.666830, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 40 [2007/12/14 15:53:05.666869, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.666900, 10, pid=6050] lib/util.c:dump_data(2192) [000] 7E C5 F6 D9 DB B8 D6 95 ~ÅöÙÛ¸Ö. 
[2007/12/14 15:53:05.666949, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 41 mid = 23 [2007/12/14 15:53:05.666981, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,158) [2007/12/14 15:53:05.667706, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,158) wrote 158 [2007/12/14 15:53:05.668736, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 124 [2007/12/14 15:53:05.668792, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.668817, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=23 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:53:05.669672, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 15 00 00 ........ .D...... [010] 00 B8 10 B8 10 61 98 00 00 0C 00 5C 70 69 70 65 .¸.¸.a.. ...\pipe [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2007/12/14 15:53:05.669932, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 41 mid = 23 [2007/12/14 15:53:05.669967, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 41 [2007/12/14 15:53:05.670677, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 41: got good SMB signature of [2007/12/14 15:53:05.670711, 10, pid=6050] lib/util.c:dump_data(2192) [000] 33 7D 25 38 6A 51 F4 63 3}%8jQôc [2007/12/14 15:53:05.670761, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.670784, 5, pid=6050] lib/util.c:show_msg(582) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=23 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2007/12/14 15:53:05.671671, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 15 00 00 ........ .D...... [010] 00 B8 10 B8 10 61 98 00 00 0C 00 5C 70 69 70 65 .¸.¸.a.. ...\pipe [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2007/12/14 15:53:05.671861, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.671895, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.671927, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.671959, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:53:05.672670, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.672736, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.672770, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.672802, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.672834, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.672865, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:53:05.672898, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.672930, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000015 [2007/12/14 15:53:05.672963, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 68 at offset 0 [2007/12/14 15:53:05.673670, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8002 returned 68 bytes. [2007/12/14 15:53:05.673706, 3, pid=6050] rpc_client/cli_pipe.c:rpc_pipe_bind(2082) rpc_pipe_bind: Remote machine WIN2008 pipe \NETLOGON fnum 0x8002 bind request returned ok. 
[2007/12/14 15:53:05.673739, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.673771, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.673802, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.673922, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 0c [2007/12/14 15:53:05.673960, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.674669, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.674702, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.674733, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.674765, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.674856, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0044 [2007/12/14 15:53:05.674890, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.674922, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000015 [2007/12/14 15:53:05.674954, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_ba [2007/12/14 15:53:05.675686, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_bba [2007/12/14 15:53:05.675720, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0010 max_tsize: 10b8 [2007/12/14 15:53:05.675752, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0012 max_rsize: 10b8 [2007/12/14 15:53:05.675885, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0014 assoc_gid: 00009861 [2007/12/14 15:53:05.675920, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000018 smb_io_rpc_addr_str [2007/12/14 15:53:05.675952, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0018 len: 000c [2007/12/14 15:53:05.676670, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 001a str: 
\pipe\lsass. [2007/12/14 15:53:05.676713, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000026 smb_io_rpc_results [2007/12/14 15:53:05.676745, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0028 num_results: 01 [2007/12/14 15:53:05.676778, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002c result : 0000 [2007/12/14 15:53:05.676839, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 002e reason : 0000 [2007/12/14 15:53:05.676871, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_rpc_iface [2007/12/14 15:53:05.676903, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000030 smb_io_uuid uuid [2007/12/14 15:53:05.676935, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0030 data : 8a885d04 [2007/12/14 15:53:05.676967, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0034 data : 1ceb [2007/12/14 15:53:05.677674, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0036 data : 11c9 [2007/12/14 15:53:05.677707, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0038 data : 9f e8 [2007/12/14 15:53:05.677741, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 003a data : 08 00 2b 10 48 60 [2007/12/14 15:53:05.677779, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0040 version: 00000002 [2007/12/14 15:53:05.677811, 5, pid=6050] rpc_client/cli_pipe.c:check_bind_response(1702) check_bind_response: accepted! [2007/12/14 15:53:05.677843, 10, pid=6050] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2278) cli_rpc_pipe_open_noauth: opened pipe \NETLOGON to machine WIN2008 and bound anonymously. 
[2007/12/14 15:53:05.677901, 4, pid=6050] rpc_client/cli_netlogon.c:rpccli_net_req_chal(45) cli_net_req_chal: LSA Request Challenge from SARGE26 to \\WIN2008 [2007/12/14 15:53:05.678699, 5, pid=6050] rpc_parse/parse_net.c:init_q_req_chal(762) init_q_req_chal: 762 [2007/12/14 15:53:05.678737, 5, pid=6050] rpc_parse/parse_net.c:init_q_req_chal(771) init_q_req_chal: 771 [2007/12/14 15:53:05.678813, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 net_io_q_req_chal [2007/12/14 15:53:05.678851, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 undoc_buffer: 00000001 [2007/12/14 15:53:05.678884, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_unistr2 [2007/12/14 15:53:05.678917, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 uni_max_len: 0000000a [2007/12/14 15:53:05.678949, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0008 offset : 00000000 [2007/12/14 15:53:05.679676, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c uni_str_len: 0000000a [2007/12/14 15:53:05.679711, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0010 buffer : \.\.W.I.N.2.0.0.8... [2007/12/14 15:53:05.679824, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000024 smb_io_unistr2 [2007/12/14 15:53:05.679859, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0024 uni_max_len: 00000008 [2007/12/14 15:53:05.679891, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0028 offset : 00000000 [2007/12/14 15:53:05.679923, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 002c uni_str_len: 00000008 [2007/12/14 15:53:05.679955, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0030 buffer : S.A.R.G.E.2.6... 
[2007/12/14 15:53:05.680678, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000040 smb_io_chal [2007/12/14 15:53:05.680712, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0040 data: c3 90 15 15 a9 6b 24 4c [2007/12/14 15:53:05.680793, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.680830, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.680862, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.680927, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.680961, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.681674, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.681707, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.681739, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.681771, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.681803, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0060 [2007/12/14 15:53:05.681836, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.681907, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000016 [2007/12/14 15:53:05.681942, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.681974, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000048 [2007/12/14 15:53:05.682760, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.682803, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 0004 [2007/12/14 15:53:05.682837, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8002 [2007/12/14 15:53:05.682871, 5, 
pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.682895, 5, pid=6050] lib/util.c:show_msg(582) size=178 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=24 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 96 (0x60) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 96 (0x60) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32770 (0x8002) smb_bcc=111 [2007/12/14 15:53:05.683677, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 60 00 00 00 16 00 00 00 48 .......` .......H [020] 00 00 00 00 00 04 00 01 00 00 00 0A 00 00 00 00 ........ ........ [030] 00 00 00 0A 00 00 00 5C 00 5C 00 57 00 49 00 4E .......\ .\.W.I.N [040] 00 32 00 30 00 30 00 38 00 00 00 08 00 00 00 00 .2.0.0.8 ........ 
[050] 00 00 00 08 00 00 00 53 00 41 00 52 00 47 00 45 .......S .A.R.G.E [060] 00 32 00 36 00 00 00 C3 90 15 15 A9 6B 24 4C .2.6...à ...©k$L [2007/12/14 15:53:05.684671, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 42 [2007/12/14 15:53:05.684713, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.684744, 10, pid=6050] lib/util.c:dump_data(2192) [000] 25 33 E7 10 FC D3 C5 33 %3ç.üÓÅ3 [2007/12/14 15:53:05.684794, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 43 mid = 24 [2007/12/14 15:53:05.684825, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,182) [2007/12/14 15:53:05.685804, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,182) wrote 182 [2007/12/14 15:53:05.685900, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 92 [2007/12/14 15:53:05.685951, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.686696, 5, pid=6050] lib/util.c:show_msg(582) size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=24 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [2007/12/14 15:53:05.686915, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 16 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 A9 60 3C 9A 8B 95 D2 ........ .©`<...Ò [020] AE 00 00 00 00 ®.... 
[2007/12/14 15:53:05.687671, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 43 mid = 24 [2007/12/14 15:53:05.687705, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 43 [2007/12/14 15:53:05.687740, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 43: got good SMB signature of [2007/12/14 15:53:05.687772, 10, pid=6050] lib/util.c:dump_data(2192) [000] E4 39 48 DC 6E 20 39 F0 ä9HÜn 9ð [2007/12/14 15:53:05.687822, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.687845, 5, pid=6050] lib/util.c:show_msg(582) size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=24 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [2007/12/14 15:53:05.688669, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 16 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 A9 60 3C 9A 8B 95 D2 ........ .©`<...Ò [020] AE 00 00 00 00 ®.... 
[2007/12/14 15:53:05.688790, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr [2007/12/14 15:53:05.688824, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.688856, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.688888, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02 [2007/12/14 15:53:05.688920, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.688952, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.689690, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.689726, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.689779, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.689812, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0024 [2007/12/14 15:53:05.689845, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.689877, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000016 [2007/12/14 15:53:05.690671, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2007/12/14 15:53:05.690707, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 0000000c [2007/12/14 15:53:05.690739, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.690771, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00 [2007/12/14 15:53:05.690804, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00 [2007/12/14 15:53:05.690836, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 36, data_len 12, ss_len 0 [2007/12/14 15:53:05.690870, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 36 
at offset 0 [2007/12/14 15:53:05.690905, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8002 returned 24 bytes. [2007/12/14 15:53:05.691671, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 net_io_r_req_chal [2007/12/14 15:53:05.691732, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_chal [2007/12/14 15:53:05.691771, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0000 data: a9 60 3c 9a 8b 95 d2 ae [2007/12/14 15:53:05.691811, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 0008 status: NT_STATUS_OK [2007/12/14 15:53:05.691850, 10, pid=6050] libsmb/credentials.c:creds_client_init(289) creds_client_init: neg_flags : 400701ff [2007/12/14 15:53:05.691888, 10, pid=6050] libsmb/credentials.c:creds_client_init(290) creds_client_init: client chal : C3901515A96B244C [2007/12/14 15:53:05.691925, 10, pid=6050] libsmb/credentials.c:creds_client_init(291) creds_client_init: server chal : A9603C9A8B95D2AE [2007/12/14 15:53:05.692676, 5, pid=6050] libsmb/credentials.c:creds_init_64(120) creds_init_64 [2007/12/14 15:53:05.692710, 5, pid=6050] libsmb/credentials.c:creds_init_64(121) clnt_chal_in: C3901515A96B244C [2007/12/14 15:53:05.692746, 5, pid=6050] libsmb/credentials.c:creds_init_64(122) srv_chal_in : A9603C9A8B95D2AE [2007/12/14 15:53:05.692813, 5, pid=6050] libsmb/credentials.c:creds_init_64(123) clnt+srv : 6CF151AF3401F7FA [2007/12/14 15:53:05.692851, 5, pid=6050] libsmb/credentials.c:creds_init_64(124) sess_key_out : E671BE17B8C7033E [2007/12/14 15:53:05.693673, 10, pid=6050] libsmb/credentials.c:creds_client_init(309) creds_client_init: clnt : 926D1E93CF5F1DE6 [2007/12/14 15:53:05.693711, 10, pid=6050] libsmb/credentials.c:creds_client_init(310) creds_client_init: server : D93E3E77131F181D [2007/12/14 15:53:05.693747, 10, pid=6050] libsmb/credentials.c:creds_client_init(311) creds_client_init: seed : 926D1E93CF5F1DE6 [2007/12/14 15:53:05.693782, 4, pid=6050] 
rpc_client/cli_netlogon.c:rpccli_net_auth2(169) cli_net_auth2: srv:\\WIN2008 acct:SARGE26$ sc:2 mc: SARGE26 neg: 400701ff [2007/12/14 15:53:05.693893, 5, pid=6050] rpc_parse/parse_net.c:init_q_auth_2(883) init_q_auth_2: 883 [2007/12/14 15:53:05.693926, 5, pid=6050] rpc_parse/parse_misc.c:init_log_info(1383) make_log_info 1383 [2007/12/14 15:53:05.693961, 5, pid=6050] rpc_parse/parse_net.c:init_q_auth_2(889) init_q_auth_2: 889 [2007/12/14 15:53:05.694672, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 net_io_q_auth_2 [2007/12/14 15:53:05.694706, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_log_info [2007/12/14 15:53:05.694739, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0000 undoc_buffer: 00000001 [2007/12/14 15:53:05.694808, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000004 smb_io_unistr2 unistr2 [2007/12/14 15:53:05.694844, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0004 uni_max_len: 0000000a [2007/12/14 15:53:05.694877, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0008 offset : 00000000 [2007/12/14 15:53:05.694909, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c uni_str_len: 0000000a [2007/12/14 15:53:05.695714, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0010 buffer : \.\.W.I.N.2.0.0.8... [2007/12/14 15:53:05.695764, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000024 smb_io_unistr2 unistr2 [2007/12/14 15:53:05.695796, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0024 uni_max_len: 00000009 [2007/12/14 15:53:05.695828, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0028 offset : 00000000 [2007/12/14 15:53:05.695860, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 002c uni_str_len: 00000009 [2007/12/14 15:53:05.695893, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0030 buffer : S.A.R.G.E.2.6.$... 
[2007/12/14 15:53:05.696691, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0042 sec_chan: 0002 [2007/12/14 15:53:05.696730, 7, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000044 smb_io_unistr2 unistr2 [2007/12/14 15:53:05.696763, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0044 uni_max_len: 00000008 [2007/12/14 15:53:05.696795, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0048 offset : 00000000 [2007/12/14 15:53:05.696827, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 004c uni_str_len: 00000008 [2007/12/14 15:53:05.696860, 5, pid=6050] rpc_parse/parse_prs.c:dbg_rw_punival(950) 0050 buffer : S.A.R.G.E.2.6... [2007/12/14 15:53:05.696905, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000060 smb_io_chal [2007/12/14 15:53:05.696938, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0060 data: 92 6d 1e 93 cf 5f 1d e6 [2007/12/14 15:53:05.697689, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000068 net_io_neg_flags [2007/12/14 15:53:05.697725, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0068 neg_flags: 400701ff [2007/12/14 15:53:05.697800, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr hdr [2007/12/14 15:53:05.697837, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05 [2007/12/14 15:53:05.697870, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00 [2007/12/14 15:53:05.697902, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 00 [2007/12/14 15:53:05.697934, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03 [2007/12/14 15:53:05.697966, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10 [2007/12/14 15:53:05.698667, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00 [2007/12/14 15:53:05.698701, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00 [2007/12/14 15:53:05.698811, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00 [2007/12/14 15:53:05.698847, 5, pid=6050] 
rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0084 [2007/12/14 15:53:05.698880, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000 [2007/12/14 15:53:05.698912, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000017 [2007/12/14 15:53:05.698944, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_req hdr_req [2007/12/14 15:53:05.699670, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 0000006c [2007/12/14 15:53:05.699704, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000 [2007/12/14 15:53:05.699737, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0016 opnum : 000f [2007/12/14 15:53:05.699809, 5, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(769) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8002 [2007/12/14 15:53:05.699847, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.699870, 5, pid=6050] lib/util.c:show_msg(582) size=214 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=25 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 132 (0x84) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 132 (0x84) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32770 (0x8002) smb_bcc=147 [2007/12/14 15:53:05.700675, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 84 00 00 00 17 00 00 00 6C ........ .......l [020] 00 00 00 00 00 0F 00 01 00 00 00 0A 00 00 00 00 ........ ........ [030] 00 00 00 0A 00 00 00 5C 00 5C 00 57 00 49 00 4E .......\ .\.W.I.N [040] 00 32 00 30 00 30 00 38 00 00 00 09 00 00 00 00 .2.0.0.8 ........ 
[050] 00 00 00 09 00 00 00 53 00 41 00 52 00 47 00 45 .......S .A.R.G.E [060] 00 32 00 36 00 24 00 00 00 02 00 08 00 00 00 00 .2.6.$.. ........ [070] 00 00 00 08 00 00 00 53 00 41 00 52 00 47 00 45 .......S .A.R.G.E [080] 00 32 00 36 00 00 00 92 6D 1E 93 CF 5F 1D E6 FF .2.6.... m..Ï_.æÿ [090] 01 07 40 ..@ [2007/12/14 15:53:05.701672, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 44 [2007/12/14 15:53:05.701713, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of [2007/12/14 15:53:05.701745, 10, pid=6050] lib/util.c:dump_data(2192) [000] E0 F0 53 F2 86 94 9C 55 àðSò...U [2007/12/14 15:53:05.701793, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 45 mid = 25 [2007/12/14 15:53:05.701825, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,218) [2007/12/14 15:53:05.701875, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,218) wrote 218 [2007/12/14 15:53:05.702822, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 96 [2007/12/14 15:53:05.702883, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.702907, 5, pid=6050] lib/util.c:show_msg(582) size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=25 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [2007/12/14 15:53:05.703672, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 17 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 FF 01 07 40 88 03 00 C0 .ÿ..@... 
À [2007/12/14 15:53:05.703871, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 45 mid = 25 [2007/12/14 15:53:05.703907, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 45 [2007/12/14 15:53:05.703942, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 45: got good SMB signature of [2007/12/14 15:53:05.703974, 10, pid=6050] lib/util.c:dump_data(2192) [000] 07 BE 39 E6 4C 39 35 3D .¾9æL95= [2007/12/14 15:53:05.704671, 5, pid=6050] lib/util.c:show_msg(572) [2007/12/14 15:53:05.704697, 5, pid=6050] lib/util.c:show_msg(582) size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=25 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [2007/12/14 15:53:05.705668, 10, pid=6050] lib/util.c:dump_data(2192) [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 17 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [020] 00 FF 01 07 40 88 03 00 C0 .ÿ..@... 
À
[2007/12/14 15:53:05.705794, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_rpc_hdr rpc_hdr
[2007/12/14 15:53:05.705828, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0000 major : 05
[2007/12/14 15:53:05.705860, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0001 minor : 00
[2007/12/14 15:53:05.705892, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0002 pkt_type : 02
[2007/12/14 15:53:05.705924, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0003 flags : 03
[2007/12/14 15:53:05.706665, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0004 pack_type0: 10
[2007/12/14 15:53:05.706752, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0005 pack_type1: 00
[2007/12/14 15:53:05.706785, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0006 pack_type2: 00
[2007/12/14 15:53:05.706817, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0007 pack_type3: 00
[2007/12/14 15:53:05.706849, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0008 frag_len : 0028
[2007/12/14 15:53:05.706881, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 000a auth_len : 0000
[2007/12/14 15:53:05.706913, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 000c call_id : 00000017
[2007/12/14 15:53:05.706946, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp
[2007/12/14 15:53:05.707666, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0010 alloc_hint: 00000010
[2007/12/14 15:53:05.707701, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint16(689) 0014 context_id: 0000
[2007/12/14 15:53:05.707733, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0016 cancel_ct : 00
[2007/12/14 15:53:05.707765, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8(624) 0017 reserved : 00
[2007/12/14 15:53:05.707874, 10, pid=6050] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(576) cli_pipe_validate_current_pdu: got pdu len 40, data_len 16, ss_len 0
[2007/12/14 15:53:05.707911, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(842) rpc_api_pipe: got PDU len of 40 at offset 0
[2007/12/14 15:53:05.707944, 10, pid=6050] rpc_client/cli_pipe.c:rpc_api_pipe(893) rpc_api_pipe: Remote machine WIN2008 pipe \NETLOGON fnum 0x8002 returned 32 bytes.
[2007/12/14 15:53:05.707979, 5, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 net_io_r_auth_2
[2007/12/14 15:53:05.708677, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000000 smb_io_chal
[2007/12/14 15:53:05.708711, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint8s(865) 0000 data: 00 00 00 00 00 00 00 00
[2007/12/14 15:53:05.708751, 6, pid=6050] rpc_parse/parse_prs.c:prs_debug(88) 000008 net_io_neg_flags
[2007/12/14 15:53:05.708783, 5, pid=6050] rpc_parse/parse_prs.c:prs_uint32(718) 0008 neg_flags: 400701ff
[2007/12/14 15:53:05.708815, 5, pid=6050] rpc_parse/parse_prs.c:prs_ntstatus(777) 000c status: NT_STATUS_DOWNGRADE_DETECTED
[2007/12/14 15:53:05.708852, 0, pid=6050] utils/net_rpc_join.c:net_rpc_join_newstyle(370) Error in domain join verification (credential setup failed): NT_STATUS_DOWNGRADE_DETECTED
Unable to join domain MM.
[2007/12/14 15:53:05.709673, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 46
[2007/12/14 15:53:05.709711, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of
[2007/12/14 15:53:05.709743, 10, pid=6050] lib/util.c:dump_data(2192) [000] 8A 6A AF 24 75 2E F9 EA .j¯$u.ùê
[2007/12/14 15:53:05.709793, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 47 mid = 26
[2007/12/14 15:53:05.709825, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,45)
[2007/12/14 15:53:05.710705, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,45) wrote 45
[2007/12/14 15:53:05.710792, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 35
[2007/12/14 15:53:05.710842, 5, pid=6050] lib/util.c:show_msg(572)
[2007/12/14 15:53:05.710899, 5, pid=6050] lib/util.c:show_msg(582) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=26 smt_wct=0 smb_bcc=0
[2007/12/14 15:53:05.711674, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 47 mid = 26
[2007/12/14 15:53:05.711709, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 47
[2007/12/14 15:53:05.711742, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 47: got good SMB signature of
[2007/12/14 15:53:05.711774, 10, pid=6050] lib/util.c:dump_data(2192) [000] 67 7F 13 F3 77 75 3C 18 g..ówu<.
[2007/12/14 15:53:05.711825, 10, pid=6050] libsmb/clientgen.c:cli_rpc_pipe_close(553) cli_rpc_pipe_close: closed pipe \NETLOGON to machine WIN2008
[2007/12/14 15:53:05.711861, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 48
[2007/12/14 15:53:05.711894, 10, pid=6050] libsmb/smb_signing.c:client_sign_outgoing_message(336) client_sign_outgoing_message: sent SMB signature of
[2007/12/14 15:53:05.711926, 10, pid=6050] lib/util.c:dump_data(2192) [000] 69 A2 02 51 06 84 3A F9 i¢.Q..:ù
[2007/12/14 15:53:05.711976, 10, pid=6050] libsmb/smb_signing.c:store_sequence_for_reply(67) store_sequence_for_reply: stored seq = 49 mid = 27
[2007/12/14 15:53:05.712693, 6, pid=6050] libsmb/clientgen.c:write_socket(255) write_socket(4,39)
[2007/12/14 15:53:05.712736, 6, pid=6050] libsmb/clientgen.c:write_socket(258) write_socket(4,39) wrote 39
[2007/12/14 15:53:05.713782, 10, pid=6050] lib/util_sock.c:read_smb_length_return_keepalive(1161) got smb length of 35
[2007/12/14 15:53:05.713835, 5, pid=6050] lib/util.c:show_msg(572)
[2007/12/14 15:53:05.713859, 5, pid=6050] lib/util.c:show_msg(582) size=35 smb_com=0x71 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2055 smb_pid=6050 smb_uid=6144 smb_mid=27 smt_wct=0 smb_bcc=0
[2007/12/14 15:53:05.714665, 10, pid=6050] libsmb/smb_signing.c:get_sequence_for_reply(80) get_sequence_for_reply: found seq = 49 mid = 27
[2007/12/14 15:53:05.714701, 10, pid=6050] libsmb/smb_signing.c:simple_packet_signature(270) simple_packet_signature: sequence number 49
[2007/12/14 15:53:05.714734, 10, pid=6050] libsmb/smb_signing.c:client_check_incoming_message(419) client_check_incoming_message: seq 49: got good SMB signature of
[2007/12/14 15:53:05.714766, 10, pid=6050] lib/util.c:dump_data(2192) [000] 4F 38 30 73 E5 CF DF 51 O80såÏßQ
[2007/12/14 15:53:05.715736, 2, pid=6050] utils/net.c:main(1124) return code = 1