winbindd version 3.0.4-2.3E started.
Copyright The Samba Team 2000-2004
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = AD
doing parameter netbios name = STAGE1
handle_netbios_name: set global_myname to: STAGE1
doing parameter interfaces = 10.32.1.90
doing parameter realm = AD.COLORCON.COM
doing parameter security = ADS
doing parameter encrypt passwords = Yes
doing parameter update encrypted = Yes
doing parameter min protocol = NT1
doing parameter local master = No
doing parameter wins server = 10.32.2.63 10.32.2.64
doing parameter printing = cups
doing parameter winbind uid = 10000-20000
doing parameter winbind gid = 10000-20000
doing parameter winbind use default domain = yes
doing parameter password server = *
pm_process() returned Yes
lp_servicenumber: couldn't find homes
adding IPC service
adding IPC service
set_server_role: role = ROLE_DOMAIN_MEMBER
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
ms_fnmatch(10.32.1.90,eth0) -> -1
ms_fnmatch(10.32.1.90,lo) -> -1
added interface ip=10.32.1.90 bcast=10.32.31.255 nmask=255.255.224.0
Netbios name list:-
my_netbios_names[0]="STAGE1"
ms_fnmatch(10.32.1.90,eth0) -> -1
ms_fnmatch(10.32.1.90,lo) -> -1
added interface ip=10.32.1.90 bcast=10.32.31.255 nmask=255.255.224.0
Opening cache file at /var/cache/samba/gencache.tdb
namecache_enable: enabling netbios namecache, timeout 660 seconds
smb_register_idmap: Successfully added idmap backend 'ldap'
smb_register_idmap: Successfully added idmap backend 'tdb'
db_idmap_init: Opening tdbfile /var/cache/samba/winbindd_idmap.tdb
fcntl_lock 10 13 0 1 1
fcntl_lock: Lock call successful
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
add_trusted_domain: AD is an NT4 domain
Added domain AD AD.COLORCON.COM S-0-0
ads_dc_name: domain=AD
ads_find_dc: looking for realm 'AD.COLORCON.COM'
get_sorted_dc_list: attempting lookup using [ads]
internal_resolve_name: looking up AD.COLORCON.COM#1c
Returning valid cache entry: key = NBT/AD.COLORCON.COM#1C, value = 10.64.2.61:389,10.64.2.62:389,10.32.2.61:389, timeout = Tue May 18 10:49:24 2004
name AD.COLORCON.COM#1C found.
Adding 3 DC's from auto lookup remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 3 ip addresses in an unordered list get_dc_list: 10.64.2.61:389 10.64.2.62:389 10.32.2.61:389 ads_try_connect: trying ldap server '10.32.2.61' port 389 Connected to LDAP server 10.32.2.61 got ldap server name wep-ad-dc1@AD.COLORCON.COM, using bind path: dc=AD,dc=COLORCON,dc=COM time offset is 173 seconds ads_dc_name: using server='WEP-AD-DC1' IP=10.32.2.61 IPC$ connections done anonymously secrets_named_mutex: got mutex for WEP-AD-DC1 Connecting to host=WEP-AD-DC1 Connecting to 10.32.2.61 at port 445 socket option SO_KEEPALIVE = 0 socket option SO_REUSEADDR = 0 socket option SO_BROADCAST = 0 socket option TCP_NODELAY = 1 socket option IPTOS_LOWDELAY = 0 socket option IPTOS_THROUGHPUT = 0 socket option SO_SNDBUF = 16384 socket option SO_RCVBUF = 87380 socket option SO_SNDLOWAT = 1 socket option SO_RCVLOWAT = 1 socket option SO_SNDTIMEO = 0 socket option SO_RCVTIMEO = 0 write_socket(13,183) write_socket(13,183) wrote 183 got smb length of 184 size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]= 5248 (0x1480) smb_vwv[12]=35306 (0x89EA) smb_vwv[13]=59292 (0xE79C) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]= 5248 (0x1480) smb_vwv[12]=35306 (0x89EA) smb_vwv[13]=59292 (0xE79C) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM Serverzone is 14400 connecting to WEP-AD-DC1 from STAGE1 with kerberos principal [STAGE1$@AD.COLORCON.COM] Doing spnego session setup (blob length=115) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=wep-ad-dc1$@AD.COLORCON.COM Doing kerberos session setup Advancing clock by 173 seconds to cope with clock skew Ticket in ccache[MEMORY:cliconnect] expiration Tue, 18 May 2004 20:48:40 GMT Ticket (wep-ad-dc1$@AD.COLORCON.COM) in ccache (MEMORY:cliconnect) is valid until: (Tue, 18 May 2004 20:48:40 GMT - 1084927720) Got KRB5 session key of length 8 SMB signing enabled! cli_simple_set_signing: user_session_key [000] E6 A1 EF 46 92 A1 2C D0 ...F..,. 
cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] 8C 00 2B 1C BF 28 35 FC ..+..(5. store_sequence_for_reply: stored seq = 1 mid = 2 write_socket(13,1220) write_socket(13,1220) wrote 1220 got smb length of 143 size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=4099 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] 6B 3E 20 8C C0 A7 17 84 k> ..... size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=4099 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. 
simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] 86 41 64 77 C4 1D 78 3C .Adw..x< store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(13,88) write_socket(13,88) wrote 88 got smb length of 48 size=48 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=3 smt_wct=3 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 1 (0x1) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 3E 4B DF 75 A9 8C 82 19 >K.u.... cli_init_creds: user domain secrets_named_mutex: released mutex for WEP-AD-DC1 simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] 9E EA AD 49 A8 0B 6D 5B ...I..m[ store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(13,104) write_socket(13,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 768 (0x300) smb_vwv[ 3]= 256 (0x100) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 5 mid = 4 
simple_packet_signature: sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] 1D 35 DE 85 83 BB 86 82 .5...... Bind RPC Pipe[3]: \PIPE\lsarpc Bind Abstract Syntax: [000] 6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 j(.9.... ....O... [010] 00 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000001 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 3919286a 0024 data : b10c 0026 data : 11d0 0028 data : 9b a8 002a data : 00 c0 4f d9 2e f5 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:3 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 3 (0x3) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A ........ .......j [030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9..... ...O.... 
[040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] 63 96 59 7D FA 60 13 BA c.Y}.`.. store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(13,158) write_socket(13,158) wrote 158 cli_signing_trans_start: storing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 ........ .D...... [010] 00 B8 10 B8 10 17 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] D8 22 0F E9 F7 4C 3E 5F ."...L>_ size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 ........ .D...... [010] 00 B8 10 B8 10 17 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
cli_signing_trans_stop: freeing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 rpc_check_hdr: rdata->data_size = 68 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000001 rpc_api_pipe: len left: 0 smbtrans read: 68 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00062817 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! 000000 ds_io_q_getprimdominfo 0000 level: 0001 create_rpc_request: opnum: 0x0 data_len: 0x1a create_rpc_request: data_len: 1a auth_len: 0 alloc_hint: a 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 001a 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000000a 0014 context_id: 0000 0016 opnum : 0000 rpc_api_pipe: fnum:3 size=108 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 26 (0x1A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 26 (0x1A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 3 (0x3) smb_bcc=41 [000] 
00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 1A 00 00 00 02 00 00 00 0A ........ ........ [020] 00 00 00 00 00 00 00 01 00 ........ . simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] 7A A9 08 02 60 26 EE A6 z...`&.. store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(13,112) write_socket(13,112) wrote 112 cli_signing_trans_start: storing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 got smb length of 236 size=236 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 180 (0xB4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 180 (0xB4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=181 [000] 00 05 00 02 03 10 00 00 00 B4 00 00 00 02 00 00 ........ ........ [010] 00 9C 00 00 00 00 00 00 00 E8 6C 4F 0D 01 00 00 ........ ..lO.... [020] 00 04 00 00 00 01 00 00 01 28 B9 49 0D 18 FA 16 ........ .(.I.... [030] 00 B8 53 16 00 CE FA 73 7F 7A 2E 02 4B 8E B7 1D ..S....s .z..K... [040] 41 DF 58 72 1E 03 00 00 00 00 00 00 00 03 00 00 A.Xr.... ........ [050] 00 41 00 44 00 00 00 00 00 10 00 00 00 00 00 00 .A.D.... ........ [060] 00 10 00 00 00 61 00 64 00 2E 00 63 00 6F 00 6C .....a.d ...c.o.l [070] 00 6F 00 72 00 63 00 6F 00 6E 00 2E 00 63 00 6F .o.r.c.o .n...c.o [080] 00 6D 00 00 00 10 00 00 00 00 00 00 00 10 00 00 .m...... ........ [090] 00 61 00 64 00 2E 00 63 00 6F 00 6C 00 6F 00 72 .a.d...c .o.l.o.r [0A0] 00 63 00 6F 00 6E 00 2E 00 63 00 6F 00 6D 00 00 .c.o.n.. .c.o.m.. [0B0] 00 00 00 00 00 ..... simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] B9 A2 48 5E 53 A2 EB F7 ..H^S... 
size=236 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 180 (0xB4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 180 (0xB4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=181 [000] 00 05 00 02 03 10 00 00 00 B4 00 00 00 02 00 00 ........ ........ [010] 00 9C 00 00 00 00 00 00 00 E8 6C 4F 0D 01 00 00 ........ ..lO.... [020] 00 04 00 00 00 01 00 00 01 28 B9 49 0D 18 FA 16 ........ .(.I.... [030] 00 B8 53 16 00 CE FA 73 7F 7A 2E 02 4B 8E B7 1D ..S....s .z..K... [040] 41 DF 58 72 1E 03 00 00 00 00 00 00 00 03 00 00 A.Xr.... ........ [050] 00 41 00 44 00 00 00 00 00 10 00 00 00 00 00 00 .A.D.... ........ [060] 00 10 00 00 00 61 00 64 00 2E 00 63 00 6F 00 6C .....a.d ...c.o.l [070] 00 6F 00 72 00 63 00 6F 00 6E 00 2E 00 63 00 6F .o.r.c.o .n...c.o [080] 00 6D 00 00 00 10 00 00 00 00 00 00 00 10 00 00 .m...... ........ [090] 00 61 00 64 00 2E 00 63 00 6F 00 6C 00 6F 00 72 .a.d...c .o.l.o.r [0A0] 00 63 00 6F 00 6E 00 2E 00 63 00 6F 00 6D 00 00 .c.o.n.. .c.o.m.. [0B0] 00 00 00 00 00 ..... 
cli_signing_trans_stop: freeing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 rpc_check_hdr: rdata->data_size = 180 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00b4 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000009c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 180 rpc_api_pipe: fragment first and last both set 000018 ds_io_r_getprimdominfo 0018 ptr: 0d4f6ce8 001c level: 0001 001e unknown0: 0000 0020 machine_role: 0004 0022 unknown: 0000 0024 flags: 01000001 0028 netbios_ptr: 0d49b928 002c dnsname_ptr: 0016fa18 0030 forestname_ptr: 001653b8 000034 smb_io_uuid domain_guid 0034 data : 7f73face 0038 data : 2e7a 003a data : 4b02 003c data : 8e b7 003e data : 1d 41 df 58 72 1e 000044 smb_io_unistr2 netbios_domain 0044 uni_max_len: 00000003 0048 offset : 00000000 004c uni_str_len: 00000003 0050 buffer : A.D... 000058 smb_io_unistr2 dns_domain 0058 uni_max_len: 00000010 005c offset : 00000000 0060 uni_str_len: 00000010 0064 buffer : a.d...c.o.l.o.r.c.o.n...c.o.m... 000084 smb_io_unistr2 forest_domain 0084 uni_max_len: 00000010 0088 offset : 00000000 008c uni_str_len: 00000010 0090 buffer : a.d...c.o.l.o.r.c.o.n...c.o.m... 00b0 status: NT_STATUS_OK simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] 04 85 68 ED AF 2C 2E 04 ..h..,.. 
store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(13,45) write_socket(13,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=7 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 11 mid = 7 simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] 76 35 DB E6 1F 46 04 61 v5...F.a simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] E8 DD 32 E5 22 17 8D 50 ..2."..P store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(13,104) write_socket(13,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1024 (0x400) smb_vwv[ 3]= 256 (0x100) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] D7 05 95 55 9F FB 5A 34 ...U..Z4 Bind RPC Pipe[4]: \PIPE\lsarpc Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4... ...#Eg.. [010] 00 00 00 00 .... 
Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000003 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345778 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 89 ab 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:4 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 4 (0x4) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] 29 9E 51 3A 6E A3 1E FB ).Q:n... 
store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(13,158) write_socket(13,158) wrote 158 cli_signing_trans_start: storing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 ........ .D...... [010] 00 B8 10 B8 10 18 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] E5 C9 90 EF 21 B5 0A F0 ....!... size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 ........ .D...... [010] 00 B8 10 B8 10 18 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
cli_signing_trans_stop: freeing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 rpc_check_hdr: rdata->data_size = 68 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000003 rpc_api_pipe: len left: 0 smbtrans read: 68 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00062818 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! init_lsa_sec_qos init_q_open_pol2: attr:0 da:33554432 init_lsa_obj_attr 000000 lsa_io_q_open_pol2 0000 ptr : 00000001 000004 smb_io_unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 
00002a lsa_io_obj_attr 002c len : 00000018 0030 ptr_root_dir: 00000000 0034 ptr_obj_name: 00000000 0038 attributes : 00000000 003c ptr_sec_desc: 00000000 0040 ptr_sec_qos : 00000001 000044 lsa_io_obj_qos sec_qos 0044 len : 0000000c 0048 sec_imp_level : 0002 004a sec_ctxt_mode : 01 004b effective_only: 00 lsa_io_sec_qos: length c does not match size 8 004c des_access: 02000000 create_rpc_request: opnum: 0x2c data_len: 0x68 create_rpc_request: data_len: 68 auth_len: 0 alloc_hint: 58 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0068 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000058 0014 context_id: 0000 0016 opnum : 002c rpc_api_pipe: fnum:4 size=186 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 104 (0x68) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 104 (0x68) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 4 (0x4) smb_bcc=119 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 68 00 00 00 04 00 00 00 58 .......h .......X [020] 00 00 00 00 00 2C 00 01 00 00 00 0D 00 00 00 00 .....,.. ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [060] 00 00 00 00 00 00 00 01 00 00 00 0C 00 00 00 02 ........ ........ [070] 00 01 00 00 00 00 02 ....... 
simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] E0 95 15 93 52 15 1C C3 ....R... store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(13,190) write_socket(13,190) wrote 190 cli_signing_trans_start: storing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 got smb length of 104 size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 5F 1D 40 ........ ....._.@ [020] 31 65 22 9F 4D AD C3 F3 3C E2 F4 28 5A 00 00 00 1e".M... <..(Z... [030] 00 . simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] F5 E1 7C 2D E1 0F 50 08 ..|-..P. size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 5F 1D 40 ........ ....._.@ [020] 31 65 22 9F 4D AD C3 F3 3C E2 F4 28 5A 00 00 00 1e".M... <..(Z... [030] 00 . 
cli_signing_trans_stop: freeing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 rpc_check_hdr: rdata->data_size = 48 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0030 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000018 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 48 rpc_api_pipe: fragment first and last both set 000018 lsa_io_r_open_pol2 000018 smb_io_pol_hnd 0018 data1: 00000000 001c data2: 31401d5f 0020 data3: 2265 0022 data4: 4d9f 0024 data5: ad c3 f3 3c e2 f4 28 5a 002c status: NT_STATUS_OK init_q_query2 000000 lsa_io_q_query_info2 000000 smb_io_pol_hnd pol 0000 data1: 00000000 0004 data2: 31401d5f 0008 data3: 2265 000a data4: 4d9f 000c data5: ad c3 f3 3c e2 f4 28 5a 0014 info_class: 000c create_rpc_request: opnum: 0x2e data_len: 0x2e create_rpc_request: data_len: 2e auth_len: 0 alloc_hint: 1e 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 002e 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000001e 0014 context_id: 0000 0016 opnum : 002e rpc_api_pipe: fnum:4 size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 4 (0x4) smb_bcc=61 [000] 00 5C 00 50 00 49 00 50 00 45 00 
5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 05 00 00 00 1E ........ ........ [020] 00 00 00 00 00 2E 00 00 00 00 00 5F 1D 40 31 65 ........ ..._.@1e [030] 22 9F 4D AD C3 F3 3C E2 F4 28 5A 0C 00 ".M...<. .(Z.. simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] AD F7 01 F7 70 2E D0 F8 ....p... store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(13,132) write_socket(13,132) wrote 132 cli_signing_trans_start: storing mid = 11, reply_seq_num = 19, send_seq_num = 18 data->send_seq_num = 20 got smb length of 268 size=268 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 212 (0xD4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 212 (0xD4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=213 [000] 00 05 00 02 03 10 00 00 00 D4 00 00 00 05 00 00 ........ ........ [010] 00 BC 00 00 00 00 00 00 00 60 0F 10 00 0C 00 00 ........ .`...... [020] 00 04 00 06 00 28 B9 49 0D 1E 00 20 00 B8 53 16 .....(.I ... ..S. [030] 00 1E 00 20 00 88 0C 13 00 CE FA 73 7F 7A 2E 02 ... .... ...s.z.. [040] 4B 8E B7 1D 41 DF 58 72 1E 80 5C 13 00 03 00 00 K...A.Xr ..\..... [050] 00 00 00 00 00 02 00 00 00 41 00 44 00 10 00 00 ........ .A.D.... [060] 00 00 00 00 00 0F 00 00 00 61 00 64 00 2E 00 63 ........ .a.d...c [070] 00 6F 00 6C 00 6F 00 72 00 63 00 6F 00 6E 00 2E .o.l.o.r .c.o.n.. [080] 00 63 00 6F 00 6D 00 00 00 10 00 00 00 00 00 00 .c.o.m.. ........ [090] 00 0F 00 00 00 61 00 64 00 2E 00 63 00 6F 00 6C .....a.d ...c.o.l [0A0] 00 6F 00 72 00 63 00 6F 00 6E 00 2E 00 63 00 6F .o.r.c.o .n...c.o [0B0] 00 6D 00 00 00 04 00 00 00 01 04 00 00 00 00 00 .m...... ........ [0C0] 05 15 00 00 00 FD 37 42 40 4F 75 88 21 43 17 0A ......7B @Ou.!C.. [0D0] 32 00 00 00 00 2.... 
simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] EB D8 4D 24 7F 38 D5 09 ..M$.8.. size=268 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 212 (0xD4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 212 (0xD4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=213 [000] 00 05 00 02 03 10 00 00 00 D4 00 00 00 05 00 00 ........ ........ [010] 00 BC 00 00 00 00 00 00 00 60 0F 10 00 0C 00 00 ........ .`...... [020] 00 04 00 06 00 28 B9 49 0D 1E 00 20 00 B8 53 16 .....(.I ... ..S. [030] 00 1E 00 20 00 88 0C 13 00 CE FA 73 7F 7A 2E 02 ... .... ...s.z.. [040] 4B 8E B7 1D 41 DF 58 72 1E 80 5C 13 00 03 00 00 K...A.Xr ..\..... [050] 00 00 00 00 00 02 00 00 00 41 00 44 00 10 00 00 ........ .A.D.... [060] 00 00 00 00 00 0F 00 00 00 61 00 64 00 2E 00 63 ........ .a.d...c [070] 00 6F 00 6C 00 6F 00 72 00 63 00 6F 00 6E 00 2E .o.l.o.r .c.o.n.. [080] 00 63 00 6F 00 6D 00 00 00 10 00 00 00 00 00 00 .c.o.m.. ........ [090] 00 0F 00 00 00 61 00 64 00 2E 00 63 00 6F 00 6C .....a.d ...c.o.l [0A0] 00 6F 00 72 00 63 00 6F 00 6E 00 2E 00 63 00 6F .o.r.c.o .n...c.o [0B0] 00 6D 00 00 00 04 00 00 00 01 04 00 00 00 00 00 .m...... ........ [0C0] 05 15 00 00 00 FD 37 42 40 4F 75 88 21 43 17 0A ......7B @Ou.!C.. [0D0] 32 00 00 00 00 2.... 
cli_signing_trans_stop: freeing mid = 11, reply_seq_num = 19, send_seq_num = 18 data->send_seq_num = 20 rpc_check_hdr: rdata->data_size = 212 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00d4 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000bc 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 212 rpc_api_pipe: fragment first and last both set 000018 lsa_io_r_query_info2 0018 ptr: 00100f60 001c info_class: 000c 00001e lsa_io_dns_dom_info info12 000020 smb_io_unihdr nb_name 0020 uni_str_len: 0004 0022 uni_max_len: 0006 0024 buffer : 0d49b928 000028 smb_io_unihdr dns_name 0028 uni_str_len: 001e 002a uni_max_len: 0020 002c buffer : 001653b8 000030 smb_io_unihdr forest 0030 uni_str_len: 001e 0032 uni_max_len: 0020 0034 buffer : 00130c88 000038 smb_io_uuid dom_guid 0038 data : 7f73face 003c data : 2e7a 003e data : 4b02 0040 data : 8e b7 0042 data : 1d 41 df 58 72 1e 0048 dom_sid: 00135c80 00004c smb_io_unistr2 nb_name 004c uni_max_len: 00000003 0050 offset : 00000000 0054 uni_str_len: 00000002 0058 buffer : A.D. 00005c smb_io_unistr2 dns_name 005c uni_max_len: 00000010 0060 offset : 00000000 0064 uni_str_len: 0000000f 0068 buffer : a.d...c.o.l.o.r.c.o.n...c.o.m. 000086 smb_io_unistr2 forest 0088 uni_max_len: 00000010 008c offset : 00000000 0090 uni_str_len: 0000000f 0094 buffer : a.d...c.o.l.o.r.c.o.n...c.o.m. 
0000b2 smb_io_dom_sid2 dom_sid 00b4 num_auths: 00000004 0000b8 smb_io_dom_sid sid 00b8 sid_rev_num: 01 00b9 num_auths : 04 00ba id_auth[0] : 00 00bb id_auth[1] : 00 00bc id_auth[2] : 00 00bd id_auth[3] : 00 00be id_auth[4] : 00 00bf id_auth[5] : 05 00c0 sub_auths : 00000015 404237fd 2188754f 320a1743 00d0 status: NT_STATUS_OK simple_packet_signature: sequence number 20 client_sign_outgoing_message: sent SMB signature of [000] 06 BC BA A0 63 35 C2 3D ....c5.= store_sequence_for_reply: stored seq = 21 mid = 12 write_socket(13,45) write_socket(13,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=12 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 21 mid = 12 simple_packet_signature: sequence number 21 client_check_incoming_message: seq 21: got good SMB signature of [000] 0B 28 B2 35 B9 E1 0E EC .(.5.... simple_packet_signature: sequence number 22 client_sign_outgoing_message: sent SMB signature of [000] A3 6B F4 22 01 5C 85 D2 .k.".\.. store_sequence_for_reply: stored seq = 23 mid = 13 write_socket(13,39) write_socket(13,39) wrote 39 got smb length of 35 size=35 smb_com=0x71 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=30721 smb_pid=2230 smb_uid=4099 smb_mid=13 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 23 mid = 13 simple_packet_signature: sequence number 23 client_check_incoming_message: seq 23: got good SMB signature of [000] 2E C4 18 9C 81 F6 7A 41 ......zA alternate_name: [Cached] - doing backend query for info for domain AD ads: alternate_name ads_find_dc: looking for realm 'ad.colorcon.com' get_sorted_dc_list: attempting lookup using [ads] internal_resolve_name: looking up ad.colorcon.com#1c Returning valid cache entry: key = NBT/AD.COLORCON.COM#1C, value = 10.64.2.61:389,10.64.2.62:389,10.32.2.61:389, timeout = Tue May 18 10:49:24 2004 name ad.colorcon.com#1C found. 
Adding 3 DC's from auto lookup remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 3 ip addresses in an unordered list get_dc_list: 10.64.2.61:389 10.64.2.62:389 10.32.2.61:389 ads_try_connect: trying ldap server '10.32.2.61' port 389 Connected to LDAP server 10.32.2.61 got ldap server name wep-ad-dc1@AD.COLORCON.COM, using bind path: dc=AD,dc=COLORCON,dc=COM time offset is 173 seconds Found SASL mechanism GSS-SPNEGO got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=wep-ad-dc1$@AD.COLORCON.COM krb5_cc_get_principal failed (No credentials cache found) Advancing clock by 173 seconds to cope with clock skew Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 18 May 2004 20:51:33 GMT Ticket (wep-ad-dc1$@AD.COLORCON.COM) in ccache (MEMORY:winbind_ccache) is valid until: (Tue, 18 May 2004 20:51:33 GMT - 1084927893) Got KRB5 session key of length 8 Found alternate name 'AD' for realm 'AD.COLORCON.COM' scanning trusted domain list trusted_domains: [Cached] - doing backend query for info for domain AD ads: trusted_domains ads_dc_name: domain=AD ads_find_dc: looking for realm 'AD.COLORCON.COM' get_sorted_dc_list: attempting lookup using [ads] internal_resolve_name: looking up AD.COLORCON.COM#1c Returning valid cache entry: key = NBT/AD.COLORCON.COM#1C, value = 10.64.2.61:389,10.64.2.62:389,10.32.2.61:389, timeout = Tue May 18 10:49:24 2004 name AD.COLORCON.COM#1C found. 
Adding 3 DC's from auto lookup remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 3 ip addresses in an unordered list get_dc_list: 10.64.2.61:389 10.64.2.62:389 10.32.2.61:389 ads_try_connect: trying ldap server '10.32.2.61' port 389 Connected to LDAP server 10.32.2.61 got ldap server name wep-ad-dc1@AD.COLORCON.COM, using bind path: dc=AD,dc=COLORCON,dc=COM time offset is 173 seconds ads_dc_name: using server='WEP-AD-DC1' IP=10.32.2.61 IPC$ connections done anonymously secrets_named_mutex: got mutex for WEP-AD-DC1 Connecting to host=WEP-AD-DC1 Connecting to 10.32.2.61 at port 445 socket option SO_KEEPALIVE = 0 socket option SO_REUSEADDR = 0 socket option SO_BROADCAST = 0 socket option TCP_NODELAY = 1 socket option IPTOS_LOWDELAY = 0 socket option IPTOS_THROUGHPUT = 0 socket option SO_SNDBUF = 16384 socket option SO_RCVBUF = 87380 socket option SO_SNDLOWAT = 1 socket option SO_RCVLOWAT = 1 socket option SO_SNDTIMEO = 0 socket option SO_RCVTIMEO = 0 write_socket(16,183) write_socket(16,183) wrote 183 got smb length of 184 size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]=61056 (0xEE80) smb_vwv[12]= 9442 (0x24E2) smb_vwv[13]=59293 (0xE79D) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]=61056 (0xEE80) smb_vwv[12]= 9442 (0x24E2) smb_vwv[13]=59293 (0xE79D) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM connecting to WEP-AD-DC1 from STAGE1 with kerberos principal [STAGE1$@AD.COLORCON.COM] Doing spnego session setup (blob length=115) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=wep-ad-dc1$@AD.COLORCON.COM Doing kerberos session setup Advancing clock by 173 seconds to cope with clock skew Ticket in ccache[MEMORY:cliconnect] expiration Tue, 18 May 2004 20:48:41 GMT Ticket (wep-ad-dc1$@AD.COLORCON.COM) in ccache (MEMORY:cliconnect) is valid until: (Tue, 18 May 2004 20:48:41 GMT - 1084927721) Got KRB5 session key of length 8 SMB signing enabled! 
cli_simple_set_signing: user_session_key [000] 70 5E D0 2C 2F A1 5B 34 p^.,/.[4 cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] 4E ED F1 E3 7E C7 F7 EA N...~... store_sequence_for_reply: stored seq = 1 mid = 2 write_socket(16,1220) write_socket(16,1220) wrote 1220 got smb length of 143 size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=53249 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] 1A A2 41 1A 6B CA 20 60 ..A.k. ` size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=53249 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. 
simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] 37 1C 04 9C 98 3F 90 38 7....?.8 store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(16,88) write_socket(16,88) wrote 88 got smb length of 48 size=48 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=3 smt_wct=3 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 1 (0x1) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 50 A4 53 0C B5 84 90 D9 P.S..... cli_init_creds: user domain secrets_named_mutex: released mutex for WEP-AD-DC1 Using cleartext machine password simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] BE 42 09 BE 67 3B C2 A8 .B..g;.. store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(16,108) write_socket(16,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1024 (0x400) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq 
= 5 mid = 4 simple_packet_signature: sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] B3 CC 41 A6 D1 56 B7 EF ..A..V.. Bind RPC Pipe[8004]: \PIPE\NETLOGON Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000006 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:8004 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32772 (0x8004) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 06 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ 
.......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] F3 33 E2 73 A4 0A FB 72 .3.s...r store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(16,158) write_socket(16,158) wrote 158 cli_signing_trans_start: storing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 ........ .D...... [010] 00 B8 10 B8 10 19 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 49 0D 01 00 00 00 00 00 00 \lsass.I ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] 69 A6 34 49 F7 ED 4F 10 i.4I..O. size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 ........ .D...... [010] 00 B8 10 B8 10 19 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 49 0D 01 00 00 00 00 00 00 \lsass.I ........ 
[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... cli_signing_trans_stop: freeing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 rpc_check_hdr: rdata->data_size = 68 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000006 rpc_api_pipe: len left: 0 smbtrans read: 68 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00062819 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! cli_net_req_chal: LSA Request Challenge from STAGE1 to WEP-AD-DC1: F8FBD7DD330B7ADC init_q_req_chal: 621 init_q_req_chal: 630 000000 net_io_q_req_chal 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 00002a smb_io_unistr2 002c uni_max_len: 00000007 0030 offset : 00000000 0034 uni_str_len: 00000007 0038 buffer : S.T.A.G.E.1... 
000046 smb_io_chal 0046 data: f8 fb d7 dd 33 0b 7a dc create_rpc_request: opnum: 0x4 data_len: 0x66 create_rpc_request: data_len: 66 auth_len: 0 alloc_hint: 56 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0066 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000056 0014 context_id: 0000 0016 opnum : 0004 rpc_api_pipe: fnum:8004 size=184 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 102 (0x66) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 102 (0x66) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32772 (0x8004) smb_bcc=117 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 66 00 00 00 07 00 00 00 56 .......f .......V [020] 00 00 00 00 00 04 00 01 00 00 00 0D 00 00 00 00 ........ ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 00 00 F8 FB D7 .T.A.G.E .1...... [070] DD 33 0B 7A DC .3.z. simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] 16 CA 09 93 15 79 0C E5 .....y.. 
store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(16,188) write_socket(16,188) wrote 188 cli_signing_trans_start: storing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 got smb length of 92 size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 E6 87 AC DD F5 EE 37 ........ .......7 [020] 6D 00 00 00 00 m.... simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] 65 93 8B B7 15 4E FC A8 e....N.. size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 E6 87 AC DD F5 EE 37 ........ .......7 [020] 6D 00 00 00 00 m.... 
cli_signing_trans_stop: freeing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 rpc_check_hdr: rdata->data_size = 36 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0024 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000000c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 36 rpc_api_pipe: fragment first and last both set 000018 net_io_r_req_chal 000018 smb_io_chal 0018 data: e6 87 ac dd f5 ee 37 6d 0020 status: NT_STATUS_OK cred_session_key clnt_chal: F8FBD7DD330B7ADC srv_chal : E687ACDDF5EE376D clnt+srv : DE8384BB28FAB149 sess_key : 78591449649F06CC cred_create sess_key : 78591449649F06CC stor_cred: F8FBD7DD330B7ADC timestamp: 0 timecred : F8FBD7DD330B7ADC calc_cred: B97B7E3A55DA32B7 cli_net_auth2: srv:\\WEP-AD-DC1 acct:STAGE1$ sc:2 mc: STAGE1 chal B97B7E3A55DA32B7 neg: 400701ff init_q_auth_2: 742 make_log_info 1336 init_q_auth_2: 748 000000 net_io_q_auth_2 000000 smb_io_log_info 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 00002a smb_io_unistr2 unistr2 002c uni_max_len: 00000008 0030 offset : 00000000 0034 uni_str_len: 00000008 0038 buffer : S.T.A.G.E.1.$... 0048 sec_chan: 0002 00004a smb_io_unistr2 unistr2 004c uni_max_len: 00000007 0050 offset : 00000000 0054 uni_str_len: 00000007 0058 buffer : S.T.A.G.E.1... 
000066 smb_io_chal 0066 data: b9 7b 7e 3a 55 da 32 b7 00006e net_io_neg_flags 0070 neg_flags: 400701ff create_rpc_request: opnum: 0xf data_len: 0x8c create_rpc_request: data_len: 8c auth_len: 0 alloc_hint: 7c 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 008c 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000007c 0014 context_id: 0000 0016 opnum : 000f rpc_api_pipe: fnum:8004 size=222 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=7 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 140 (0x8C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 140 (0x8C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32772 (0x8004) smb_bcc=155 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 8C 00 00 00 08 00 00 00 7C ........ .......| [020] 00 00 00 00 00 0F 00 01 00 00 00 0D 00 00 00 00 ........ ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 24 00 00 00 02 .T.A.G.E .1.$.... [070] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [080] 00 54 00 41 00 47 00 45 00 31 00 00 00 B9 7B 7E .T.A.G.E .1....{~ [090] 3A 55 DA 32 B7 00 00 FF 01 07 40 :U.2.... ..@ simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] DD 91 B6 13 36 4E 27 EA ....6N'. 
store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(16,226) write_socket(16,226) wrote 226 cli_signing_trans_start: storing mid = 7, reply_seq_num = 11, send_seq_num = 10 data->send_seq_num = 12 got smb length of 96 size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 C8 7D C8 81 17 42 BE ........ ..}...B. [020] F7 FF 01 07 40 00 00 00 00 ....@... . simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] 52 4B D8 D9 91 51 DD 1A RK...Q.. size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 C8 7D C8 81 17 42 BE ........ ..}...B. [020] F7 FF 01 07 40 00 00 00 00 ....@... . 
cli_signing_trans_stop: freeing mid = 7, reply_seq_num = 11, send_seq_num = 10 data->send_seq_num = 12 rpc_check_hdr: rdata->data_size = 40 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0028 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000010 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 40 rpc_api_pipe: fragment first and last both set 000018 net_io_r_auth_2 000018 smb_io_chal 0018 data: c8 7d c8 81 17 42 be f7 000020 net_io_neg_flags 0020 neg_flags: 400701ff 0024 status: NT_STATUS_OK cred_create sess_key : 78591449649F06CC stor_cred: E687ACDDF5EE376D timestamp: 0 timecred : E687ACDDF5EE376D calc_cred: C87DC8811742BEF7 cred_assert challenge : C87DC8811742BEF7 calculated: C87DC8811742BEF7 credentials check ok simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] 37 3B 00 AE 5D 84 71 46 7;..].qF store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(16,108) write_socket(16,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 768 (0x300) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) 
smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] 3B 23 D0 66 83 EF 35 39 ;#.f..59 Bind RPC Pipe[8003]: \PIPE\NETLOGON Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr_auth hdr_auth 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_neg netsec_neg 0008 type1: 00000000 000c type2: 00000003 [000] 41 44 AD [000] 53 54 41 47 45 31 STAGE1 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0062 000a auth_len : 0012 000c call_id : 00000009 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:8003 size=180 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 98 (0x62) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 
(0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 98 (0x62) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32771 (0x8003) smb_bcc=113 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 62 00 12 00 09 00 00 00 B8 .......b ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 44 05 00 00 01 00 00 00 00 .H`....D ........ [060] 00 00 00 03 00 00 00 41 44 00 53 54 41 47 45 31 .......A D.STAGE1 [070] 00 . simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] 0D A3 AE D7 4F 9A 30 09 ....O.0. store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(16,184) write_socket(16,184) wrote 184 cli_signing_trans_start: storing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 got smb length of 144 size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 ........ .X...... [010] 00 B8 10 B8 10 1A 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 FF 59 01 00 00 00 00 00 00 \lsass.. Y....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 05 00 00 01 00 00 00 01 00 00 `....D.. ........ 
[050] 00 00 00 00 00 00 A9 3D 6C .......= l simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] 3B E2 4D 1A FE 32 52 EE ;.M..2R. size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 ........ .X...... [010] 00 B8 10 B8 10 1A 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 FF 59 01 00 00 00 00 00 00 \lsass.. Y....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 05 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 A9 3D 6C .......= l cli_signing_trans_stop: freeing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 rpc_check_hdr: rdata->data_size = 88 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 00000009 rpc_api_pipe: len left: 0 smbtrans read: 88 rpc_auth_pipe: pkt_type: 12 len: 88 auth_len: 12 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0006281a 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 
000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! 000000 ds_io_q_enum_domain_trusts 0000 server_ptr: 00000001 000004 smb_io_unistr2 server 0004 uni_max_len: 0000000b 0008 offset : 00000000 000c uni_str_len: 0000000b 0010 buffer : W.E.P.-.A.D.-.D.C.1... 0028 flags: 00000003 000030 smb_io_rpc_hdr_auth hdr_auth 0030 auth_type : 44 0031 auth_level : 05 0032 padding : 04 0033 reserved : 00 0034 auth_context : 00000001 SCHANNEL seq_num=0 SCHANNEL: netsec_encode seq_num=0 data_len=48 000038 smb_io_rpc_auth_netsec_chk 0038 sig : 77 00 ff ff ff ff 00 00 0040 seq_num: d4 fd 49 d6 a9 dd e6 1b 0048 packet_digest: 8e 43 b7 c8 83 05 48 60 0050 confounder: de 13 93 62 cd 08 7e b3 create_rpc_request: opnum: 0x28 data_len: 0x70 create_rpc_request: data_len: 70 auth_len: 20 alloc_hint: 38 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0070 000a auth_len : 0020 000c call_id : 0000000a 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000038 0014 context_id: 0000 0016 opnum : 0028 rpc_api_pipe: fnum:8003 size=194 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 112 (0x70) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 112 (0x70) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32771 (0x8003) smb_bcc=127 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... 
[010] 00 00 03 10 00 00 00 70 00 20 00 0A 00 00 00 38 .......p . .....8 [020] 00 00 00 00 00 28 00 01 00 00 00 0B 00 00 00 00 .....(.. ........ [030] 00 00 00 0B 00 00 00 57 00 45 00 50 00 2D 00 41 .......W .E.P.-.A [040] 00 44 00 2D 00 44 00 43 00 31 00 00 00 00 00 03 .D.-.D.C .1...... [050] 00 00 00 00 00 00 00 44 05 04 00 01 00 00 00 77 .......D .......w [060] 00 FF FF FF FF 00 00 D4 FD 49 D6 A9 DD E6 1B 8E ........ .I...... [070] 43 B7 C8 83 05 48 60 DE 13 93 62 CD 08 7E B3 C....H`. ..b..~. simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] 69 51 85 97 D6 26 71 FC iQ...&q. store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(16,198) write_socket(16,198) wrote 198 cli_signing_trans_start: storing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 got smb length of 808 size=808 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 752 (0x2F0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 752 (0x2F0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=753 simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] 6B 53 4E 80 99 0C 55 0C kSN...U. 
size=808 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 752 (0x2F0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 752 (0x2F0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=753 
cli_signing_trans_stop: freeing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 rpc_check_hdr: rdata->data_size = 752 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 02f0 000a auth_len : 0020 000c call_id : 0000000a 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000002b0 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 752 rpc_auth_pipe: pkt_type: 2 len: 752 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 ff ff ff ff 00 00 0010 seq_num: 78 1b e2 64 9f dd 65 ae 0018 packet_digest: fb 3c ce 39 7d 08 33 be 0020 confounder: 00 00 00 00 00 00 00 00 SCHANNEL: netsec_encode seq_num=1 data_len=688 SCHANNEL: netsec_decode seq_num=1 data_len=688 rpc_api_pipe: fragment first and last both set 000018 ds_io_r_enum_domain_trusts 0018 num_domains: 00000005 00001c ds_io_dom_trusts_ctr domains 001c ptr: 
0d50ebf8 0020 max_count: 00000005 000024 ds_io_dom_trusts_ctr domain_trusts 0024 netbios_ptr: 0d50ecec 0028 dns_ptr: 0d50ecf6 002c flags: 00000023 0030 parent_index: 00000004 0034 trust_type: 00000002 0038 trust_attributes: 00000000 003c sid_ptr: 0d50ecd4 000040 smb_io_uuid guid 0040 data : 45ce5ea8 0044 data : 5e03 0046 data : 49ad 0048 data : af 23 004a data : 14 ea 4f 11 43 13 000050 ds_io_dom_trusts_ctr domain_trusts 0050 netbios_ptr: 0d50ed38 0054 dns_ptr: 0d50ed3e 0058 flags: 00000023 005c parent_index: 00000004 0060 trust_type: 00000002 0064 trust_attributes: 00000000 0068 sid_ptr: 0d50ed20 00006c smb_io_uuid guid 006c data : c80fe922 0070 data : 15aa 0072 data : 4f50 0074 data : 9b 3f 0076 data : 3d 75 43 90 cd 94 00007c ds_io_dom_trusts_ctr domain_trusts 007c netbios_ptr: 0d50ed7c 0080 dns_ptr: 0d50ed82 0084 flags: 00000023 0088 parent_index: 00000004 008c trust_type: 00000002 0090 trust_attributes: 00000000 0094 sid_ptr: 0d50ed64 000098 smb_io_uuid guid 0098 data : 7c58b94d 009c data : 8e17 009e data : 485a 00a0 data : 8c 2a 00a2 data : 72 87 47 25 fd 4d 0000a8 ds_io_dom_trusts_ctr domain_trusts 00a8 netbios_ptr: 0d50edc0 00ac dns_ptr: 00000000 00b0 flags: 00000022 00b4 parent_index: 00000000 00b8 trust_type: 00000001 00bc trust_attributes: 01000004 00c0 sid_ptr: 0d50eda8 0000c4 smb_io_uuid guid 00c4 data : 00000000 00c8 data : 0000 00ca data : 0000 00cc data : 00 00 00ce data : 00 00 00 00 00 00 0000d4 ds_io_dom_trusts_ctr domain_trusts 00d4 netbios_ptr: 0d50ede4 00d8 dns_ptr: 0d50edea 00dc flags: 0000001d 00e0 parent_index: 00000000 00e4 trust_type: 00000002 00e8 trust_attributes: 00000000 00ec sid_ptr: 0d50edcc 0000f0 smb_io_uuid guid 00f0 data : 7f73face 00f4 data : 2e7a 00f6 data : 4b02 00f8 data : 8e b7 00fa data : 1d 41 df 58 72 1e 000100 smb_io_unistr2 netbios_domain 0100 uni_max_len: 00000005 0104 offset : 00000000 0108 uni_str_len: 00000005 010c buffer : E.M.E.A... 
000118 smb_io_unistr2 dns_domain 0118 uni_max_len: 00000015 011c offset : 00000000 0120 uni_str_len: 00000015 0124 buffer : e.m.e.a...a.d...c.o.l.o.r.c.o.n...c.o.m... 000150 smb_io_dom_sid2 sid 0150 num_auths: 00000004 000154 smb_io_dom_sid sid 0154 sid_rev_num: 01 0155 num_auths : 04 0156 id_auth[0] : 00 0157 id_auth[1] : 00 0158 id_auth[2] : 00 0159 id_auth[3] : 00 015a id_auth[4] : 00 015b id_auth[5] : 05 015c sub_auths : 00000015 65d637a8 320a1743 2ea1b328 00016c smb_io_unistr2 netbios_domain 016c uni_max_len: 00000003 0170 offset : 00000000 0174 uni_str_len: 00000003 0178 buffer : A.P... 000180 smb_io_unistr2 dns_domain 0180 uni_max_len: 00000013 0184 offset : 00000000 0188 uni_str_len: 00000013 018c buffer : a.p...a.d...c.o.l.o.r.c.o.n...c.o.m... 0001b4 smb_io_dom_sid2 sid 01b4 num_auths: 00000004 0001b8 smb_io_dom_sid sid 01b8 sid_rev_num: 01 01b9 num_auths : 04 01ba id_auth[0] : 00 01bb id_auth[1] : 00 01bc id_auth[2] : 00 01bd id_auth[3] : 00 01be id_auth[4] : 00 01bf id_auth[5] : 05 01c0 sub_auths : 00000015 66417ccd 494536f5 320a1743 0001d0 smb_io_unistr2 netbios_domain 01d0 uni_max_len: 00000003 01d4 offset : 00000000 01d8 uni_str_len: 00000003 01dc buffer : N.A... 0001e4 smb_io_unistr2 dns_domain 01e4 uni_max_len: 00000013 01e8 offset : 00000000 01ec uni_str_len: 00000013 01f0 buffer : n.a...a.d...c.o.l.o.r.c.o.n...c.o.m... 000218 smb_io_dom_sid2 sid 0218 num_auths: 00000004 00021c smb_io_dom_sid sid 021c sid_rev_num: 01 021d num_auths : 04 021e id_auth[0] : 00 021f id_auth[1] : 00 0220 id_auth[2] : 00 0221 id_auth[3] : 00 0222 id_auth[4] : 00 0223 id_auth[5] : 05 0224 sub_auths : 00000015 74d97781 773ce092 6b635f23 000234 smb_io_unistr2 netbios_domain 0234 uni_max_len: 00000005 0238 offset : 00000000 023c uni_str_len: 00000005 0240 buffer : C.C.U.S... 
00024c smb_io_unistr2 - NULL dns_domain 00024c smb_io_dom_sid2 sid 024c num_auths: 00000004 000250 smb_io_dom_sid sid 0250 sid_rev_num: 01 0251 num_auths : 04 0252 id_auth[0] : 00 0253 id_auth[1] : 00 0254 id_auth[2] : 00 0255 id_auth[3] : 00 0256 id_auth[4] : 00 0257 id_auth[5] : 05 0258 sub_auths : 00000015 21280f89 21c44c28 5baa187b 000268 smb_io_unistr2 netbios_domain 0268 uni_max_len: 00000003 026c offset : 00000000 0270 uni_str_len: 00000003 0274 buffer : A.D... 00027c smb_io_unistr2 dns_domain 027c uni_max_len: 00000010 0280 offset : 00000000 0284 uni_str_len: 00000010 0288 buffer : a.d...c.o.l.o.r.c.o.n...c.o.m... 0002a8 smb_io_dom_sid2 sid 02a8 num_auths: 00000004 0002ac smb_io_dom_sid sid 02ac sid_rev_num: 01 02ad num_auths : 04 02ae id_auth[0] : 00 02af id_auth[1] : 00 02b0 id_auth[2] : 00 02b1 id_auth[3] : 00 02b2 id_auth[4] : 00 02b3 id_auth[5] : 05 02b4 sub_auths : 00000015 404237fd 2188754f 320a1743 02c4 status: NT_STATUS_OK simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] 45 88 AB 41 4E 8C FD E3 E..AN... store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=11 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 19 mid = 11 simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] 78 F3 E0 31 68 47 8B 64 x..1hG.d simple_packet_signature: sequence number 20 client_sign_outgoing_message: sent SMB signature of [000] 15 3D 5E 3C BC A7 E3 E4 .=^<.... 
store_sequence_for_reply: stored seq = 21 mid = 12 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=12 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 21 mid = 12 simple_packet_signature: sequence number 21 client_check_incoming_message: seq 21: got good SMB signature of [000] 46 78 77 D4 C0 1E DC 38 Fxw....8 simple_packet_signature: sequence number 22 client_sign_outgoing_message: sent SMB signature of [000] 88 B4 80 DB A9 DF 1F 21 .......! store_sequence_for_reply: stored seq = 23 mid = 13 write_socket(16,39) write_socket(16,39) wrote 39 got smb length of 35 size=35 smb_com=0x71 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=47107 smb_pid=2230 smb_uid=53249 smb_mid=13 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 23 mid = 13 simple_packet_signature: sequence number 23 client_check_incoming_message: seq 23: got good SMB signature of [000] 81 2D 82 BA EA A3 9E 18 .-...... 
Found domain EMEA
add_trusted_domain: EMEA is an NT4 domain
Added domain EMEA emea.ad.colorcon.com S-1-5-21-1708537768-839522115-782349096
trustdom_store: storing SID S-1-5-21-1708537768-839522115-782349096 of domain EMEA
Adding cache entry with key = TDOM/EMEA.AD.COLORCON.COM; value = S-1-5-21-1708537768-839522115-782349096 and timeout = Tue May 18 10:53:41 2004 (300 seconds ahead)
Adding cache entry with key = TDOM/EMEA; value = S-1-5-21-1708537768-839522115-782349096 and timeout = Tue May 18 10:53:41 2004 (300 seconds ahead)
Found domain AP
add_trusted_domain: AP is an NT4 domain
Added domain AP ap.ad.colorcon.com S-1-5-21-1715567821-1229272821-839522115
trustdom_store: storing SID S-1-5-21-1715567821-1229272821-839522115 of domain AP
Adding cache entry with key = TDOM/AP.AD.COLORCON.COM; value = S-1-5-21-1715567821-1229272821-839522115 and timeout = Tue May 18 10:53:41 2004 (300 seconds ahead)
Adding cache entry with key = TDOM/AP; value = S-1-5-21-1715567821-1229272821-839522115 and timeout = Tue May 18 10:53:41 2004 (300 seconds ahead)
Found domain NA
add_trusted_domain: NA is an NT4 domain
Added domain NA na.ad.colorcon.com S-1-5-21-1960408961-2000478354-1801674531
trustdom_store: storing SID S-1-5-21-1960408961-2000478354-1801674531 of domain NA
Adding cache entry with key = TDOM/NA.AD.COLORCON.COM; value = S-1-5-21-1960408961-2000478354-1801674531 and timeout = Tue May 18 10:53:41 2004 (300 seconds ahead)
Adding cache entry with key = TDOM/NA; value = S-1-5-21-1960408961-2000478354-1801674531 and timeout = Tue May 18 10:53:41 2004 (300 seconds ahead)
Found domain CCUS
add_trusted_domain: CCUS is an NT4 domain
Added domain CCUS S-1-5-21-556273545-566512680-1537874043
trustdom_store: storing SID S-1-5-21-556273545-566512680-1537874043 of domain CCUS
Adding cache entry with key = TDOM/CCUS; value = S-1-5-21-556273545-566512680-1537874043 and timeout = Tue May 18 10:53:41 2004 (300 seconds ahead)
Found domain AD
trustdom_store: storing SID S-1-5-21-1078081533-562591055-839522115 of domain AD
Adding cache entry with key = TDOM/AD.COLORCON.COM; value = S-1-5-21-1078081533-562591055-839522115 and timeout = Tue May 18 10:53:41 2004 (300 seconds ahead)
Adding cache entry with key = TDOM/AD; value = S-1-5-21-1078081533-562591055-839522115 and timeout = Tue May 18 10:53:41 2004 (300 seconds ahead)
add_trusted_domain: BUILTIN is an NT4 domain
Added domain BUILTIN S-1-5-32
add_trusted_domain: STAGE1 is an NT4 domain
Added domain STAGE1 S-1-5-21-1517240271-3033396884-2545237836
scanning trusted domain list
trusted_domains: [Cached] - doing backend query for info for domain AD
ads: trusted_domains
ads_dc_name: domain=AD
ads_find_dc: looking for realm 'AD.COLORCON.COM'
get_sorted_dc_list: attempting lookup using [ads]
internal_resolve_name: looking up AD.COLORCON.COM#1c
Returning valid cache entry: key = NBT/AD.COLORCON.COM#1C, value = 10.64.2.61:389,10.64.2.62:389,10.32.2.61:389, timeout = Tue May 18 10:49:24 2004
name AD.COLORCON.COM#1C found.
Adding 3 DC's from auto lookup remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 3 ip addresses in an unordered list get_dc_list: 10.64.2.61:389 10.64.2.62:389 10.32.2.61:389 ads_try_connect: trying ldap server '10.32.2.61' port 389 Connected to LDAP server 10.32.2.61 got ldap server name wep-ad-dc1@AD.COLORCON.COM, using bind path: dc=AD,dc=COLORCON,dc=COM time offset is 173 seconds ads_dc_name: using server='WEP-AD-DC1' IP=10.32.2.61 IPC$ connections done anonymously secrets_named_mutex: got mutex for WEP-AD-DC1 Connecting to host=WEP-AD-DC1 Connecting to 10.32.2.61 at port 445 socket option SO_KEEPALIVE = 0 socket option SO_REUSEADDR = 0 socket option SO_BROADCAST = 0 socket option TCP_NODELAY = 1 socket option IPTOS_LOWDELAY = 0 socket option IPTOS_THROUGHPUT = 0 socket option SO_SNDBUF = 16384 socket option SO_RCVBUF = 87380 socket option SO_SNDLOWAT = 1 socket option SO_RCVLOWAT = 1 socket option SO_SNDTIMEO = 0 socket option SO_RCVTIMEO = 0 write_socket(16,183) write_socket(16,183) wrote 183 got smb length of 184 size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]=34944 (0x8880) smb_vwv[12]=29584 (0x7390) smb_vwv[13]=59293 (0xE79D) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]=34944 (0x8880) smb_vwv[12]=29584 (0x7390) smb_vwv[13]=59293 (0xE79D) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM connecting to WEP-AD-DC1 from STAGE1 with kerberos principal [STAGE1$@AD.COLORCON.COM] Doing spnego session setup (blob length=115) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=wep-ad-dc1$@AD.COLORCON.COM Doing kerberos session setup Advancing clock by 173 seconds to cope with clock skew Ticket in ccache[MEMORY:cliconnect] expiration Tue, 18 May 2004 20:48:41 GMT Ticket (wep-ad-dc1$@AD.COLORCON.COM) in ccache (MEMORY:cliconnect) is valid until: (Tue, 18 May 2004 20:48:41 GMT - 1084927721) Got KRB5 session key of length 8 SMB signing enabled! cli_simple_set_signing: user_session_key [000] E0 0B FB 79 8A 34 AE 15 ...y.4.. 
cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] 41 DF B6 01 85 C4 12 6E A......n store_sequence_for_reply: stored seq = 1 mid = 2 write_socket(16,1220) write_socket(16,1220) wrote 1220 got smb length of 143 size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=26627 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] 08 E6 53 17 B5 9D 82 FA ..S..... size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=26627 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. 
simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] 59 23 2B 63 DF 6B 1E EE Y#+c.k.. store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(16,88) write_socket(16,88) wrote 88 got smb length of 48 size=48 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=3 smt_wct=3 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 1 (0x1) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 63 D5 16 79 4C EE C5 49 c..yL..I cli_init_creds: user domain secrets_named_mutex: released mutex for WEP-AD-DC1 Using cleartext machine password simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] E3 62 B5 0F 28 53 5E 14 .b..(S^. store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(16,108) write_socket(16,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3072 (0xC00) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq 
= 5 mid = 4 simple_packet_signature: sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] 14 EF 2B FF 5E 53 18 23 ..+.^S.# Bind RPC Pipe[800c]: \PIPE\NETLOGON Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 0000000b 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:800c size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32780 (0x800C) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 0B 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ 
.......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] 72 EF BB 22 77 8B F2 18 r.."w... store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(16,158) write_socket(16,158) wrote 158 cli_signing_trans_start: storing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 0B 00 00 ........ .D...... [010] 00 B8 10 B8 10 1B 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] 3F BC 5B B0 C2 CC 24 8B ?.[...$. size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 0B 00 00 ........ .D...... [010] 00 B8 10 B8 10 1B 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ 
[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... cli_signing_trans_stop: freeing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 rpc_check_hdr: rdata->data_size = 68 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 0000000b rpc_api_pipe: len left: 0 smbtrans read: 68 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0006281b 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! cli_net_req_chal: LSA Request Challenge from STAGE1 to WEP-AD-DC1: E11E0898F89DB814 init_q_req_chal: 621 init_q_req_chal: 630 000000 net_io_q_req_chal 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 00002a smb_io_unistr2 002c uni_max_len: 00000007 0030 offset : 00000000 0034 uni_str_len: 00000007 0038 buffer : S.T.A.G.E.1... 
000046 smb_io_chal 0046 data: e1 1e 08 98 f8 9d b8 14 create_rpc_request: opnum: 0x4 data_len: 0x66 create_rpc_request: data_len: 66 auth_len: 0 alloc_hint: 56 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0066 000a auth_len : 0000 000c call_id : 0000000c 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000056 0014 context_id: 0000 0016 opnum : 0004 rpc_api_pipe: fnum:800c size=184 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 102 (0x66) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 102 (0x66) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32780 (0x800C) smb_bcc=117 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 66 00 00 00 0C 00 00 00 56 .......f .......V [020] 00 00 00 00 00 04 00 01 00 00 00 0D 00 00 00 00 ........ ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 00 00 E1 1E 08 .T.A.G.E .1...... [070] 98 F8 9D B8 14 ..... 
simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] 40 01 E8 7D 5D A9 FC 2A @..}]..* store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(16,188) write_socket(16,188) wrote 188 cli_signing_trans_start: storing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 got smb length of 92 size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 0C 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 43 9C DF C5 88 A6 04 ........ .C...... [020] 77 00 00 00 00 w.... simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] 21 66 A4 A1 85 36 C7 8C !f...6.. size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 0C 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 43 9C DF C5 88 A6 04 ........ .C...... [020] 77 00 00 00 00 w.... 
cli_signing_trans_stop: freeing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 rpc_check_hdr: rdata->data_size = 36 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0024 000a auth_len : 0000 000c call_id : 0000000c 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000000c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 36 rpc_api_pipe: fragment first and last both set 000018 net_io_r_req_chal 000018 smb_io_chal 0018 data: 43 9c df c5 88 a6 04 77 0020 status: NT_STATUS_OK cred_session_key clnt_chal: E11E0898F89DB814 srv_chal : 439CDFC588A60477 clnt+srv : 24BBE75D8044BD8B sess_key : 75A1A3CD4C7E8D2A cred_create sess_key : 75A1A3CD4C7E8D2A stor_cred: E11E0898F89DB814 timestamp: 0 timecred : E11E0898F89DB814 calc_cred: D5941004027CA323 cli_net_auth2: srv:\\WEP-AD-DC1 acct:STAGE1$ sc:2 mc: STAGE1 chal D5941004027CA323 neg: 400701ff init_q_auth_2: 742 make_log_info 1336 init_q_auth_2: 748 000000 net_io_q_auth_2 000000 smb_io_log_info 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 00002a smb_io_unistr2 unistr2 002c uni_max_len: 00000008 0030 offset : 00000000 0034 uni_str_len: 00000008 0038 buffer : S.T.A.G.E.1.$... 0048 sec_chan: 0002 00004a smb_io_unistr2 unistr2 004c uni_max_len: 00000007 0050 offset : 00000000 0054 uni_str_len: 00000007 0058 buffer : S.T.A.G.E.1... 
000066 smb_io_chal 0066 data: d5 94 10 04 02 7c a3 23 00006e net_io_neg_flags 0070 neg_flags: 400701ff create_rpc_request: opnum: 0xf data_len: 0x8c create_rpc_request: data_len: 8c auth_len: 0 alloc_hint: 7c 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 008c 000a auth_len : 0000 000c call_id : 0000000d 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000007c 0014 context_id: 0000 0016 opnum : 000f rpc_api_pipe: fnum:800c size=222 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=7 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 140 (0x8C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 140 (0x8C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32780 (0x800C) smb_bcc=155 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 8C 00 00 00 0D 00 00 00 7C ........ .......| [020] 00 00 00 00 00 0F 00 01 00 00 00 0D 00 00 00 00 ........ ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 24 00 00 00 02 .T.A.G.E .1.$.... [070] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [080] 00 54 00 41 00 47 00 45 00 31 00 00 00 D5 94 10 .T.A.G.E .1...... [090] 04 02 7C A3 23 00 00 FF 01 07 40 ..|.#... ..@ simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] 5B FF C6 EB A9 0F AD BC [....... 
store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(16,226) write_socket(16,226) wrote 226 cli_signing_trans_start: storing mid = 7, reply_seq_num = 11, send_seq_num = 10 data->send_seq_num = 12 got smb length of 96 size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 0D 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 2E 71 C4 D0 93 76 C7 ........ ..q...v. [020] 59 FF 01 07 40 00 00 00 00 Y...@... . simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] BD 67 D9 68 1F A0 FB C8 .g.h.... size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 0D 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 2E 71 C4 D0 93 76 C7 ........ ..q...v. [020] 59 FF 01 07 40 00 00 00 00 Y...@... . 
cli_signing_trans_stop: freeing mid = 7, reply_seq_num = 11, send_seq_num = 10 data->send_seq_num = 12 rpc_check_hdr: rdata->data_size = 40 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0028 000a auth_len : 0000 000c call_id : 0000000d 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000010 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 40 rpc_api_pipe: fragment first and last both set 000018 net_io_r_auth_2 000018 smb_io_chal 0018 data: 2e 71 c4 d0 93 76 c7 59 000020 net_io_neg_flags 0020 neg_flags: 400701ff 0024 status: NT_STATUS_OK cred_create sess_key : 75A1A3CD4C7E8D2A stor_cred: 439CDFC588A60477 timestamp: 0 timecred : 439CDFC588A60477 calc_cred: 2E71C4D09376C759 cred_assert challenge : 2E71C4D09376C759 calculated: 2E71C4D09376C759 credentials check ok simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] 5A 27 2E 39 D7 A4 98 75 Z'.9...u store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(16,108) write_socket(16,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 2560 (0xA00) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) 
smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] E7 B6 D3 FE 0C 11 CA 67 .......g Bind RPC Pipe[800a]: \PIPE\NETLOGON Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr_auth hdr_auth 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_neg netsec_neg 0008 type1: 00000000 000c type2: 00000003 [000] 41 44 AD [000] 53 54 41 47 45 31 STAGE1 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0062 000a auth_len : 0012 000c call_id : 0000000e 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:800a size=180 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 98 (0x62) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 
(0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 98 (0x62) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32778 (0x800A) smb_bcc=113 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 62 00 12 00 0E 00 00 00 B8 .......b ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 44 05 00 00 01 00 00 00 00 .H`....D ........ [060] 00 00 00 03 00 00 00 41 44 00 53 54 41 47 45 31 .......A D.STAGE1 [070] 00 . simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] BE DC AA 37 7A 71 6F 5F ...7zqo_ store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(16,184) write_socket(16,184) wrote 184 cli_signing_trans_start: storing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 got smb length of 144 size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 0E 00 00 ........ .X...... [010] 00 B8 10 B8 10 1C 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 50 0D 01 00 00 00 00 00 00 \lsass.P ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 05 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 ED 50 0D .......P . 
simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] 1F 25 53 E2 8E 0D 59 72 .%S...Yr size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 0E 00 00 ........ .X...... [010] 00 B8 10 B8 10 1C 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 50 0D 01 00 00 00 00 00 00 \lsass.P ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 05 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 ED 50 0D .......P . cli_signing_trans_stop: freeing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 rpc_check_hdr: rdata->data_size = 88 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 0000000e rpc_api_pipe: len left: 0 smbtrans read: 88 rpc_auth_pipe: pkt_type: 12 len: 88 auth_len: 12 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0006281c 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 
000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! 000000 ds_io_q_enum_domain_trusts 0000 server_ptr: 00000001 000004 smb_io_unistr2 server 0004 uni_max_len: 0000000b 0008 offset : 00000000 000c uni_str_len: 0000000b 0010 buffer : W.E.P.-.A.D.-.D.C.1... 0028 flags: 00000003 000030 smb_io_rpc_hdr_auth hdr_auth 0030 auth_type : 44 0031 auth_level : 05 0032 padding : 04 0033 reserved : 00 0034 auth_context : 00000001 SCHANNEL seq_num=0 SCHANNEL: netsec_encode seq_num=0 data_len=48 000038 smb_io_rpc_auth_netsec_chk 0038 sig : 77 00 ff ff ff ff 00 00 0040 seq_num: fa 6c 30 43 eb 9f 1a 3a 0048 packet_digest: 55 30 dc 71 e5 c8 c9 74 0050 confounder: 34 51 3d 9c f6 8b d7 83 create_rpc_request: opnum: 0x28 data_len: 0x70 create_rpc_request: data_len: 70 auth_len: 20 alloc_hint: 38 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0070 000a auth_len : 0020 000c call_id : 0000000f 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000038 0014 context_id: 0000 0016 opnum : 0028 rpc_api_pipe: fnum:800a size=194 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 112 (0x70) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 112 (0x70) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32778 (0x800A) smb_bcc=127 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... 
[010] 00 00 03 10 00 00 00 70 00 20 00 0F 00 00 00 38 .......p . .....8 [020] 00 00 00 00 00 28 00 01 00 00 00 0B 00 00 00 00 .....(.. ........ [030] 00 00 00 0B 00 00 00 57 00 45 00 50 00 2D 00 41 .......W .E.P.-.A [040] 00 44 00 2D 00 44 00 43 00 31 00 00 00 00 00 03 .D.-.D.C .1...... [050] 00 00 00 00 00 00 00 44 05 04 00 01 00 00 00 77 .......D .......w [060] 00 FF FF FF FF 00 00 FA 6C 30 43 EB 9F 1A 3A 55 ........ l0C...:U [070] 30 DC 71 E5 C8 C9 74 34 51 3D 9C F6 8B D7 83 0.q...t4 Q=..... simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] 67 7B A9 07 4F 45 AC 8E g{..OE.. store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(16,198) write_socket(16,198) wrote 198 cli_signing_trans_start: storing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 got smb length of 808 size=808 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 752 (0x2F0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 752 (0x2F0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=753
simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] 99 73 CC 8D 27 BA 4F 72 .s..'.Or size=808 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 752 (0x2F0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 752 (0x2F0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=753
cli_signing_trans_stop: freeing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 rpc_check_hdr: rdata->data_size = 752 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 02f0 000a auth_len : 0020 000c call_id : 0000000f 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000002b0 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 752 rpc_auth_pipe: pkt_type: 2 len: 752 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 ff ff ff ff 00 00 0010 seq_num: a6 d9 9e 2a a7 87 f7 bb 0018 packet_digest: 3b 0e 8f bf 80 87 fb 20 0020
confounder: 00 00 00 00 00 00 00 00 SCHANNEL: netsec_encode seq_num=1 data_len=688 SCHANNEL: netsec_decode seq_num=1 data_len=688 rpc_api_pipe: fragment first and last both set 000018 ds_io_r_enum_domain_trusts 0018 num_domains: 00000005 00001c ds_io_dom_trusts_ctr domains 001c ptr: 0d50ebf8 0020 max_count: 00000005 000024 ds_io_dom_trusts_ctr domain_trusts 0024 netbios_ptr: 0d50ecec 0028 dns_ptr: 0d50ecf6 002c flags: 00000023 0030 parent_index: 00000004 0034 trust_type: 00000002 0038 trust_attributes: 00000000 003c sid_ptr: 0d50ecd4 000040 smb_io_uuid guid 0040 data : 45ce5ea8 0044 data : 5e03 0046 data : 49ad 0048 data : af 23 004a data : 14 ea 4f 11 43 13 000050 ds_io_dom_trusts_ctr domain_trusts 0050 netbios_ptr: 0d50ed38 0054 dns_ptr: 0d50ed3e 0058 flags: 00000023 005c parent_index: 00000004 0060 trust_type: 00000002 0064 trust_attributes: 00000000 0068 sid_ptr: 0d50ed20 00006c smb_io_uuid guid 006c data : c80fe922 0070 data : 15aa 0072 data : 4f50 0074 data : 9b 3f 0076 data : 3d 75 43 90 cd 94 00007c ds_io_dom_trusts_ctr domain_trusts 007c netbios_ptr: 0d50ed7c 0080 dns_ptr: 0d50ed82 0084 flags: 00000023 0088 parent_index: 00000004 008c trust_type: 00000002 0090 trust_attributes: 00000000 0094 sid_ptr: 0d50ed64 000098 smb_io_uuid guid 0098 data : 7c58b94d 009c data : 8e17 009e data : 485a 00a0 data : 8c 2a 00a2 data : 72 87 47 25 fd 4d 0000a8 ds_io_dom_trusts_ctr domain_trusts 00a8 netbios_ptr: 0d50edc0 00ac dns_ptr: 00000000 00b0 flags: 00000022 00b4 parent_index: 00000000 00b8 trust_type: 00000001 00bc trust_attributes: 01000004 00c0 sid_ptr: 0d50eda8 0000c4 smb_io_uuid guid 00c4 data : 00000000 00c8 data : 0000 00ca data : 0000 00cc data : 00 00 00ce data : 00 00 00 00 00 00 0000d4 ds_io_dom_trusts_ctr domain_trusts 00d4 netbios_ptr: 0d50ede4 00d8 dns_ptr: 0d50edea 00dc flags: 0000001d 00e0 parent_index: 00000000 00e4 trust_type: 00000002 00e8 trust_attributes: 00000000 00ec sid_ptr: 0d50edcc 0000f0 smb_io_uuid guid 00f0 data : 7f73face 00f4 data : 2e7a 
00f6 data : 4b02 00f8 data : 8e b7 00fa data : 1d 41 df 58 72 1e 000100 smb_io_unistr2 netbios_domain 0100 uni_max_len: 00000005 0104 offset : 00000000 0108 uni_str_len: 00000005 010c buffer : E.M.E.A... 000118 smb_io_unistr2 dns_domain 0118 uni_max_len: 00000015 011c offset : 00000000 0120 uni_str_len: 00000015 0124 buffer : e.m.e.a...a.d...c.o.l.o.r.c.o.n...c.o.m... 000150 smb_io_dom_sid2 sid 0150 num_auths: 00000004 000154 smb_io_dom_sid sid 0154 sid_rev_num: 01 0155 num_auths : 04 0156 id_auth[0] : 00 0157 id_auth[1] : 00 0158 id_auth[2] : 00 0159 id_auth[3] : 00 015a id_auth[4] : 00 015b id_auth[5] : 05 015c sub_auths : 00000015 65d637a8 320a1743 2ea1b328 00016c smb_io_unistr2 netbios_domain 016c uni_max_len: 00000003 0170 offset : 00000000 0174 uni_str_len: 00000003 0178 buffer : A.P... 000180 smb_io_unistr2 dns_domain 0180 uni_max_len: 00000013 0184 offset : 00000000 0188 uni_str_len: 00000013 018c buffer : a.p...a.d...c.o.l.o.r.c.o.n...c.o.m... 0001b4 smb_io_dom_sid2 sid 01b4 num_auths: 00000004 0001b8 smb_io_dom_sid sid 01b8 sid_rev_num: 01 01b9 num_auths : 04 01ba id_auth[0] : 00 01bb id_auth[1] : 00 01bc id_auth[2] : 00 01bd id_auth[3] : 00 01be id_auth[4] : 00 01bf id_auth[5] : 05 01c0 sub_auths : 00000015 66417ccd 494536f5 320a1743 0001d0 smb_io_unistr2 netbios_domain 01d0 uni_max_len: 00000003 01d4 offset : 00000000 01d8 uni_str_len: 00000003 01dc buffer : N.A... 0001e4 smb_io_unistr2 dns_domain 01e4 uni_max_len: 00000013 01e8 offset : 00000000 01ec uni_str_len: 00000013 01f0 buffer : n.a...a.d...c.o.l.o.r.c.o.n...c.o.m... 000218 smb_io_dom_sid2 sid 0218 num_auths: 00000004 00021c smb_io_dom_sid sid 021c sid_rev_num: 01 021d num_auths : 04 021e id_auth[0] : 00 021f id_auth[1] : 00 0220 id_auth[2] : 00 0221 id_auth[3] : 00 0222 id_auth[4] : 00 0223 id_auth[5] : 05 0224 sub_auths : 00000015 74d97781 773ce092 6b635f23 000234 smb_io_unistr2 netbios_domain 0234 uni_max_len: 00000005 0238 offset : 00000000 023c uni_str_len: 00000005 0240 buffer : C.C.U.S... 
00024c smb_io_unistr2 - NULL dns_domain 00024c smb_io_dom_sid2 sid 024c num_auths: 00000004 000250 smb_io_dom_sid sid 0250 sid_rev_num: 01 0251 num_auths : 04 0252 id_auth[0] : 00 0253 id_auth[1] : 00 0254 id_auth[2] : 00 0255 id_auth[3] : 00 0256 id_auth[4] : 00 0257 id_auth[5] : 05 0258 sub_auths : 00000015 21280f89 21c44c28 5baa187b 000268 smb_io_unistr2 netbios_domain 0268 uni_max_len: 00000003 026c offset : 00000000 0270 uni_str_len: 00000003 0274 buffer : A.D... 00027c smb_io_unistr2 dns_domain 027c uni_max_len: 00000010 0280 offset : 00000000 0284 uni_str_len: 00000010 0288 buffer : a.d...c.o.l.o.r.c.o.n...c.o.m... 0002a8 smb_io_dom_sid2 sid 02a8 num_auths: 00000004 0002ac smb_io_dom_sid sid 02ac sid_rev_num: 01 02ad num_auths : 04 02ae id_auth[0] : 00 02af id_auth[1] : 00 02b0 id_auth[2] : 00 02b1 id_auth[3] : 00 02b2 id_auth[4] : 00 02b3 id_auth[5] : 05 02b4 sub_auths : 00000015 404237fd 2188754f 320a1743 02c4 status: NT_STATUS_OK simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] 20 A3 DF 17 B5 D7 CF 1C ....... store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=11 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 19 mid = 11 simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] 2E 58 A1 AD AC 58 7D 81 .X...X}. simple_packet_signature: sequence number 20 client_sign_outgoing_message: sent SMB signature of [000] 52 00 CB A8 A4 A6 48 88 R.....H. 
store_sequence_for_reply: stored seq = 21 mid = 12 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=12 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 21 mid = 12 simple_packet_signature: sequence number 21 client_check_incoming_message: seq 21: got good SMB signature of [000] 88 7A 1C B9 A3 DB 1A 69 .z.....i simple_packet_signature: sequence number 22 client_sign_outgoing_message: sent SMB signature of [000] A2 4E AE 4A 1C 15 5B 27 .N.J..[' store_sequence_for_reply: stored seq = 23 mid = 13 write_socket(16,39) write_socket(16,39) wrote 39 got smb length of 35 size=35 smb_com=0x71 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=14342 smb_pid=2230 smb_uid=26627 smb_mid=13 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 23 mid = 13 simple_packet_signature: sequence number 23 client_check_incoming_message: seq 23: got good SMB signature of [000] B5 94 D5 86 37 19 F9 02 ....7... 
Found domain EMEA
trustdom_store: storing SID S-1-5-21-1708537768-839522115-782349096 of domain EMEA
Adding cache entry with key = TDOM/EMEA.AD.COLORCON.COM; value = S-1-5-21-1708537768-839522115-782349096 and timeout = Tue May 18 10:53:41 2004 (299 seconds ahead)
Adding cache entry with key = TDOM/EMEA; value = S-1-5-21-1708537768-839522115-782349096 and timeout = Tue May 18 10:53:41 2004 (299 seconds ahead)
Found domain AP
trustdom_store: storing SID S-1-5-21-1715567821-1229272821-839522115 of domain AP
Adding cache entry with key = TDOM/AP.AD.COLORCON.COM; value = S-1-5-21-1715567821-1229272821-839522115 and timeout = Tue May 18 10:53:41 2004 (299 seconds ahead)
Adding cache entry with key = TDOM/AP; value = S-1-5-21-1715567821-1229272821-839522115 and timeout = Tue May 18 10:53:41 2004 (299 seconds ahead)
Found domain NA
trustdom_store: storing SID S-1-5-21-1960408961-2000478354-1801674531 of domain NA
Adding cache entry with key = TDOM/NA.AD.COLORCON.COM; value = S-1-5-21-1960408961-2000478354-1801674531 and timeout = Tue May 18 10:53:41 2004 (299 seconds ahead)
Adding cache entry with key = TDOM/NA; value = S-1-5-21-1960408961-2000478354-1801674531 and timeout = Tue May 18 10:53:41 2004 (299 seconds ahead)
Found domain CCUS
trustdom_store: storing SID S-1-5-21-556273545-566512680-1537874043 of domain CCUS
Adding cache entry with key = TDOM/CCUS; value = S-1-5-21-556273545-566512680-1537874043 and timeout = Tue May 18 10:53:41 2004 (299 seconds ahead)
Found domain AD
trustdom_store: storing SID S-1-5-21-1078081533-562591055-839522115 of domain AD
Adding cache entry with key = TDOM/AD.COLORCON.COM; value = S-1-5-21-1078081533-562591055-839522115 and timeout = Tue May 18 10:53:41 2004 (299 seconds ahead)
Adding cache entry with key = TDOM/AD; value = S-1-5-21-1078081533-562591055-839522115 and timeout = Tue May 18 10:53:41 2004 (299 seconds ahead)
open_winbindd_socket: opened socket fd 16
open_winbindd_priv_socket: opened socket fd 18
accepted socket 19
client_read: read 1824 bytes. Need 0 more for a full request.
process_request: request fn INTERFACE_VERSION
[ 2231]: request interface version
client_write: wrote 1300 bytes.
client_read: read 1824 bytes. Need 0 more for a full request.
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[ 2231]: request location of privileged pipe
client_write: wrote 1300 bytes.
client_write: need to write 37 extra data bytes.
client_write: wrote 37 bytes.
client_write: client_write: complete response written.
accepted socket 20
client_read: read 0 bytes. Need 1824 more for a full request.
read failed on sock 19, pid 2231: EOF
client_read: read 1824 bytes. Need 0 more for a full request.
process_request: request fn INFO
[ 2231]: request misc info
client_write: wrote 1300 bytes.
client_read: read 1824 bytes. Need 0 more for a full request.
process_request: request fn LOOKUPNAME
[ 2231]: lookupname AD\Universal-ACL-InternetAccess
name_to_sid: [Cached] - doing backend query for name for domain AD
rpc: name_to_sid name=Universal-ACL-InternetAccess
name_to_sid [rpc] Universal-ACL-InternetAccess for domain AD
ads_dc_name: domain=AD
ads_find_dc: looking for realm 'AD.COLORCON.COM'
get_sorted_dc_list: attempting lookup using [ads]
internal_resolve_name: looking up AD.COLORCON.COM#1c
Returning valid cache entry: key = NBT/AD.COLORCON.COM#1C, value = 10.64.2.61:389,10.64.2.62:389,10.32.2.61:389, timeout = Tue May 18 10:49:24 2004
name AD.COLORCON.COM#1C found.
Adding 3 DC's from auto lookup remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 3 ip addresses in an unordered list get_dc_list: 10.64.2.61:389 10.64.2.62:389 10.32.2.61:389 ads_try_connect: trying ldap server '10.32.2.61' port 389 Connected to LDAP server 10.32.2.61 got ldap server name wep-ad-dc1@AD.COLORCON.COM, using bind path: dc=AD,dc=COLORCON,dc=COM time offset is 173 seconds ads_dc_name: using server='WEP-AD-DC1' IP=10.32.2.61 IPC$ connections done anonymously secrets_named_mutex: got mutex for WEP-AD-DC1 Connecting to host=WEP-AD-DC1 Connecting to 10.32.2.61 at port 445 socket option SO_KEEPALIVE = 0 socket option SO_REUSEADDR = 0 socket option SO_BROADCAST = 0 socket option TCP_NODELAY = 1 socket option IPTOS_LOWDELAY = 0 socket option IPTOS_THROUGHPUT = 0 socket option SO_SNDBUF = 16384 socket option SO_RCVBUF = 87380 socket option SO_SNDLOWAT = 1 socket option SO_RCVLOWAT = 1 socket option SO_SNDTIMEO = 0 socket option SO_RCVTIMEO = 0 write_socket(19,183) write_socket(19,183) wrote 183 got smb length of 184 size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]= 2688 (0xA80) smb_vwv[12]=38283 (0x958B) smb_vwv[13]=59295 (0xE79F) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]= 2688 (0xA80) smb_vwv[12]=38283 (0x958B) smb_vwv[13]=59295 (0xE79F) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM connecting to WEP-AD-DC1 from STAGE1 with kerberos principal [STAGE1$@AD.COLORCON.COM] Doing spnego session setup (blob length=115) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=wep-ad-dc1$@AD.COLORCON.COM Doing kerberos session setup Advancing clock by 173 seconds to cope with clock skew Ticket in ccache[MEMORY:cliconnect] expiration Tue, 18 May 2004 20:48:45 GMT Ticket (wep-ad-dc1$@AD.COLORCON.COM) in ccache (MEMORY:cliconnect) is valid until: (Tue, 18 May 2004 20:48:45 GMT - 1084927725) Got KRB5 session key of length 8 SMB signing enabled! 
cli_simple_set_signing: user_session_key [000] 01 F4 29 46 85 10 F1 34 ..)F...4 cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] D8 96 B9 25 14 8A D5 8E ...%.... store_sequence_for_reply: stored seq = 1 mid = 2 write_socket(19,1220) write_socket(19,1220) wrote 1220 got smb length of 143 size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=8193 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] B9 BE 86 49 C7 DC 3C B8 ...I..<. size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=8193 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. 
simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] 78 3C 85 1C 1A F0 B9 1A x<...... store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(19,88) write_socket(19,88) wrote 88 got smb length of 48 size=48 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=3 smt_wct=3 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 1 (0x1) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 59 3F 41 C2 57 00 B7 2A Y?A.W..* cli_init_creds: user domain secrets_named_mutex: released mutex for WEP-AD-DC1 Using cleartext machine password simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] 8D 1B EC A0 81 59 AB EB .....Y.. store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(19,108) write_socket(19,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 256 (0x100) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 
5 mid = 4 simple_packet_signature: sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] 8B 1A 58 61 55 4D C8 85 ..XaUM.. Bind RPC Pipe[1]: \PIPE\NETLOGON Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000010 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:1 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 1 (0x1) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 10 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ 
.......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] 9B 2A A8 65 20 4A 59 DE .*.e JY. store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(19,158) write_socket(19,158) wrote 158 cli_signing_trans_start: storing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 10 00 00 ........ .D...... [010] 00 B8 10 B8 10 1D 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] B1 FB 96 7F E7 0F 6B FD ......k. size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 10 00 00 ........ .D...... [010] 00 B8 10 B8 10 1D 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ 
[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... cli_signing_trans_stop: freeing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 rpc_check_hdr: rdata->data_size = 68 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000010 rpc_api_pipe: len left: 0 smbtrans read: 68 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0006281d 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! cli_net_req_chal: LSA Request Challenge from STAGE1 to WEP-AD-DC1: E3F2B620DF77D82B init_q_req_chal: 621 init_q_req_chal: 630 000000 net_io_q_req_chal 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 00002a smb_io_unistr2 002c uni_max_len: 00000007 0030 offset : 00000000 0034 uni_str_len: 00000007 0038 buffer : S.T.A.G.E.1... 
000046 smb_io_chal 0046 data: e3 f2 b6 20 df 77 d8 2b create_rpc_request: opnum: 0x4 data_len: 0x66 create_rpc_request: data_len: 66 auth_len: 0 alloc_hint: 56 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0066 000a auth_len : 0000 000c call_id : 00000011 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000056 0014 context_id: 0000 0016 opnum : 0004 rpc_api_pipe: fnum:1 size=184 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 102 (0x66) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 102 (0x66) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 1 (0x1) smb_bcc=117 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 66 00 00 00 11 00 00 00 56 .......f .......V [020] 00 00 00 00 00 04 00 01 00 00 00 0D 00 00 00 00 ........ ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 00 00 E3 F2 B6 .T.A.G.E .1...... [070] 20 DF 77 D8 2B .w.+ simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] 30 61 97 E9 6C B0 EA E2 0a..l... 
store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(19,188) write_socket(19,188) wrote 188 cli_signing_trans_start: storing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 got smb length of 92 size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 11 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 A0 7F C6 1A 97 F9 94 ........ ........ [020] 37 00 00 00 00 7.... simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] 46 77 CA DC CD D2 BA 34 Fw.....4 size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 11 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 A0 7F C6 1A 97 F9 94 ........ ........ [020] 37 00 00 00 00 7.... 
cli_signing_trans_stop: freeing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 rpc_check_hdr: rdata->data_size = 36 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0024 000a auth_len : 0000 000c call_id : 00000011 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000000c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 36 rpc_api_pipe: fragment first and last both set 000018 net_io_r_req_chal 000018 smb_io_chal 0018 data: a0 7f c6 1a 97 f9 94 37 0020 status: NT_STATUS_OK cred_session_key clnt_chal: E3F2B620DF77D82B srv_chal : A07FC61A97F99437 clnt+srv : 83727D3B76716D63 sess_key : 835B30074B51F3C7 cred_create sess_key : 835B30074B51F3C7 stor_cred: E3F2B620DF77D82B timestamp: 0 timecred : E3F2B620DF77D82B calc_cred: D04800381E9ED5FB cli_net_auth2: srv:\\WEP-AD-DC1 acct:STAGE1$ sc:2 mc: STAGE1 chal D04800381E9ED5FB neg: 400701ff init_q_auth_2: 742 make_log_info 1336 init_q_auth_2: 748 000000 net_io_q_auth_2 000000 smb_io_log_info 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 00002a smb_io_unistr2 unistr2 002c uni_max_len: 00000008 0030 offset : 00000000 0034 uni_str_len: 00000008 0038 buffer : S.T.A.G.E.1.$... 0048 sec_chan: 0002 00004a smb_io_unistr2 unistr2 004c uni_max_len: 00000007 0050 offset : 00000000 0054 uni_str_len: 00000007 0058 buffer : S.T.A.G.E.1... 
000066 smb_io_chal 0066 data: d0 48 00 38 1e 9e d5 fb 00006e net_io_neg_flags 0070 neg_flags: 400701ff create_rpc_request: opnum: 0xf data_len: 0x8c create_rpc_request: data_len: 8c auth_len: 0 alloc_hint: 7c 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 008c 000a auth_len : 0000 000c call_id : 00000012 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000007c 0014 context_id: 0000 0016 opnum : 000f rpc_api_pipe: fnum:1 size=222 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=7 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 140 (0x8C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 140 (0x8C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 1 (0x1) smb_bcc=155 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 8C 00 00 00 12 00 00 00 7C ........ .......| [020] 00 00 00 00 00 0F 00 01 00 00 00 0D 00 00 00 00 ........ ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 24 00 00 00 02 .T.A.G.E .1.$.... [070] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [080] 00 54 00 41 00 47 00 45 00 31 00 00 00 D0 48 00 .T.A.G.E .1....H. [090] 38 1E 9E D5 FB 00 00 FF 01 07 40 8....... ..@ simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] 19 B5 E1 14 07 42 88 88 .....B.. 
store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(19,226) write_socket(19,226) wrote 226 cli_signing_trans_start: storing mid = 7, reply_seq_num = 11, send_seq_num = 10 data->send_seq_num = 12 got smb length of 96 size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 12 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 24 4B 57 77 78 F9 BD ........ .$KWwx.. [020] C5 FF 01 07 40 00 00 00 00 ....@... . simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] 7A B8 58 00 18 AD 3E 4D z.X...>M size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 12 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 24 4B 57 77 78 F9 BD ........ .$KWwx.. [020] C5 FF 01 07 40 00 00 00 00 ....@... . 
cli_signing_trans_stop: freeing mid = 7, reply_seq_num = 11, send_seq_num = 10 data->send_seq_num = 12 rpc_check_hdr: rdata->data_size = 40 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0028 000a auth_len : 0000 000c call_id : 00000012 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000010 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 40 rpc_api_pipe: fragment first and last both set 000018 net_io_r_auth_2 000018 smb_io_chal 0018 data: 24 4b 57 77 78 f9 bd c5 000020 net_io_neg_flags 0020 neg_flags: 400701ff 0024 status: NT_STATUS_OK cred_create sess_key : 835B30074B51F3C7 stor_cred: A07FC61A97F99437 timestamp: 0 timecred : A07FC61A97F99437 calc_cred: 244B577778F9BDC5 cred_assert challenge : 244B577778F9BDC5 calculated: 244B577778F9BDC5 credentials check ok simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] B3 EF DD F8 43 1D DC 5D ....C..] 
store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(19,104) write_socket(19,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 1536 (0x600) smb_vwv[ 3]= 256 (0x100) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] 92 4D 02 DB DF 55 8B EB .M...U.. Bind RPC Pipe[6]: \PIPE\lsarpc Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4... ...#Eg.. [010] 00 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 
000000 smb_io_rpc_hdr_auth hdr_auth 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_neg netsec_neg 0008 type1: 00000000 000c type2: 00000003 [000] 41 44 AD [000] 53 54 41 47 45 31 STAGE1 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0062 000a auth_len : 0012 000c call_id : 00000013 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345778 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 89 ab 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:6 size=180 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 98 (0x62) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 98 (0x62) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 6 (0x6) smb_bcc=113 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 62 00 12 00 13 00 00 00 B8 .......b ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... 
.......+ [050] 10 48 60 02 00 00 00 44 05 00 00 01 00 00 00 00 .H`....D ........ [060] 00 00 00 03 00 00 00 41 44 00 53 54 41 47 45 31 .......A D.STAGE1 [070] 00 . simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] A7 8F B0 AC AE EF 93 C0 ........ store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(19,184) write_socket(19,184) wrote 184 cli_signing_trans_start: storing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 got smb length of 144 size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 13 00 00 ........ .X...... [010] 00 B8 10 B8 10 1E 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 50 0D 01 00 00 00 00 00 00 \lsass.P ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 05 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 ED 50 0D .......P . simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] C3 AB CB 41 50 F2 1C AB ...AP... size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 13 00 00 ........ .X...... [010] 00 B8 10 B8 10 1E 28 06 00 0C 00 5C 50 49 50 45 ......(. 
...\PIPE [020] 5C 6C 73 61 73 73 00 50 0D 01 00 00 00 00 00 00 \lsass.P ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 05 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 ED 50 0D .......P . cli_signing_trans_stop: freeing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 rpc_check_hdr: rdata->data_size = 88 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 00000013 rpc_api_pipe: len left: 0 smbtrans read: 88 rpc_auth_pipe: pkt_type: 12 len: 88 auth_len: 12 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0006281e 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! 
init_open_pol: attr:0 da:33554432 init_lsa_obj_attr 000000 lsa_io_q_open_pol 0000 ptr : 00000001 0004 system_name: 005c 000008 lsa_io_obj_attr 0008 len : 00000018 000c ptr_root_dir: 00000000 0010 ptr_obj_name: 00000000 0014 attributes : 00000000 0018 ptr_sec_desc: 00000000 001c ptr_sec_qos : 00000000 0020 des_access: 02000000 000028 smb_io_rpc_hdr_auth hdr_auth 0028 auth_type : 44 0029 auth_level : 05 002a padding : 04 002b reserved : 00 002c auth_context : 00000001 SCHANNEL seq_num=0 SCHANNEL: netsec_encode seq_num=0 data_len=40 000030 smb_io_rpc_auth_netsec_chk 0030 sig : 77 00 ff ff ff ff 00 00 0038 seq_num: e5 53 af 31 ee d8 d3 fb 0040 packet_digest: d6 45 e7 84 72 7e f7 a1 0048 confounder: ad 86 05 21 04 2c a9 8f create_rpc_request: opnum: 0x6 data_len: 0x68 create_rpc_request: data_len: 68 auth_len: 20 alloc_hint: 30 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0068 000a auth_len : 0020 000c call_id : 00000014 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000030 0014 context_id: 0000 0016 opnum : 0006 rpc_api_pipe: fnum:6 size=186 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 104 (0x68) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 104 (0x68) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 6 (0x6) smb_bcc=119 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 68 00 20 00 14 00 00 00 30 .......h . .....0 [020] 00 00 00 00 00 06 00 01 00 00 00 5C 00 00 00 18 ........ ...\.... [030] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
[040] 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 44 ........ .......D [050] 05 04 00 01 00 00 00 77 00 FF FF FF FF 00 00 E5 .......w ........ [060] 53 AF 31 EE D8 D3 FB D6 45 E7 84 72 7E F7 A1 AD S.1..... E..r~... [070] 86 05 21 04 2C A9 8F ..!.,.. simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] C2 71 82 FB AD DB 28 20 .q....( store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(19,190) write_socket(19,190) wrote 190 cli_signing_trans_start: storing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 got smb length of 152 size=152 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 96 (0x60) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 96 (0x60) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=97 [000] 00 05 00 02 03 10 00 00 00 60 00 20 00 14 00 00 ........ .`. .... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 CC F0 66 ........ .......f [020] 31 CC 96 4A 41 AD 09 96 4B DA FC 4E 4D 00 00 00 1..JA... K..NM... [030] 00 04 5D 88 8A EB 1C C9 11 44 05 08 00 01 00 00 ..]..... .D...... [040] 00 77 00 FF FF FF FF 00 00 E4 04 6D 53 AB 0A 08 .w...... ...mS... [050] 75 94 89 DE 76 42 7D A0 6C 00 00 00 00 00 00 00 u...vB}. l....... [060] 00 . simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] A4 32 68 EB BE A9 92 BC .2h..... 
size=152 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 96 (0x60) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 96 (0x60) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=97 [000] 00 05 00 02 03 10 00 00 00 60 00 20 00 14 00 00 ........ .`. .... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 CC F0 66 ........ .......f [020] 31 CC 96 4A 41 AD 09 96 4B DA FC 4E 4D 00 00 00 1..JA... K..NM... [030] 00 04 5D 88 8A EB 1C C9 11 44 05 08 00 01 00 00 ..]..... .D...... [040] 00 77 00 FF FF FF FF 00 00 E4 04 6D 53 AB 0A 08 .w...... ...mS... [050] 75 94 89 DE 76 42 7D A0 6C 00 00 00 00 00 00 00 u...vB}. l....... [060] 00 . cli_signing_trans_stop: freeing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 rpc_check_hdr: rdata->data_size = 96 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0060 000a auth_len : 0020 000c call_id : 00000014 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000018 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 96 rpc_auth_pipe: pkt_type: 2 len: 96 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 08 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 ff ff ff ff 00 00 0010 seq_num: e4 04 6d 53 ab 0a 08 75 0018 packet_digest: 94 89 de 76 42 7d a0 6c 0020 confounder: 00 00 00 00 00 00 00 00 SCHANNEL: netsec_encode seq_num=1 data_len=32 SCHANNEL: netsec_decode seq_num=1 data_len=32 rpc_api_pipe: fragment first and last both set 000018 lsa_io_r_open_pol 
000018 smb_io_pol_hnd 0018 data1: 00000000 001c data2: 3166f0cc 0020 data3: 96cc 0022 data4: 414a 0024 data5: ad 09 96 4b da fc 4e 4d 002c status: NT_STATUS_OK init_q_lookup_names 000000 lsa_io_q_lookup_names 000000 smb_io_pol_hnd 0000 data1: 00000000 0004 data2: 3166f0cc 0008 data3: 96cc 000a data4: 414a 000c data5: ad 09 96 4b da fc 4e 4d 0014 num_entries : 00000001 0018 num_entries2 : 00000001 00001c smb_io_unihdr hdr_name 001c uni_str_len: 003e 001e uni_max_len: 003e 0020 buffer : 00000001 000024 smb_io_unistr2 dom_name 0024 uni_max_len: 0000001f 0028 offset : 00000000 002c uni_str_len: 0000001f 0030 buffer : A.D.\.U.n.i.v.e.r.s.a.l.-.A.C.L.-.I.n.t.e.r.n.e.t.A.c.c.e.s.s. 0070 num_trans_entries : 00000000 0074 ptr_trans_sids : 00000000 0078 lookup_level : 00000001 007c mapped_count : 00000000 000080 smb_io_rpc_hdr_auth hdr_auth 0080 auth_type : 44 0081 auth_level : 05 0082 padding : 00 0083 reserved : 00 0084 auth_context : 00000001 SCHANNEL seq_num=2 SCHANNEL: netsec_encode seq_num=2 data_len=128 000088 smb_io_rpc_auth_netsec_chk 0088 sig : 77 00 ff ff ff ff 00 00 0090 seq_num: 2a 3c 3b f7 10 a9 0a bc 0098 packet_digest: d4 65 11 cf ef ad df 88 00a0 confounder: 8d 5d e2 3b 2b 27 78 78 create_rpc_request: opnum: 0xe data_len: 0xc0 create_rpc_request: data_len: c0 auth_len: 20 alloc_hint: 88 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00c0 000a auth_len : 0020 000c call_id : 00000015 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000088 0014 context_id: 0000 0016 opnum : 000e rpc_api_pipe: fnum:6 size=274 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 192 (0xC0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) 
smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 192 (0xC0) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]= 6 (0x6) smb_bcc=207 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 C0 00 20 00 15 00 00 00 88 ........ . ...... [020] 00 00 00 00 00 0E 00 00 00 00 00 CC F0 66 31 CC ........ .....f1. [030] 96 4A 41 AD 09 96 4B DA FC 4E 4D 01 00 00 00 01 .JA...K. .NM..... [040] 00 00 00 3E 00 3E 00 01 00 00 00 1F 00 00 00 00 ...>.>.. ........ [050] 00 00 00 1F 00 00 00 41 00 44 00 5C 00 55 00 6E .......A .D.\.U.n [060] 00 69 00 76 00 65 00 72 00 73 00 61 00 6C 00 2D .i.v.e.r .s.a.l.- [070] 00 41 00 43 00 4C 00 2D 00 49 00 6E 00 74 00 65 .A.C.L.- .I.n.t.e [080] 00 72 00 6E 00 65 00 74 00 41 00 63 00 63 00 65 .r.n.e.t .A.c.c.e [090] 00 73 00 73 00 00 00 00 00 00 00 00 00 00 00 01 .s.s.... ........ [0A0] 00 00 00 00 00 00 00 44 05 00 00 01 00 00 00 77 .......D .......w [0B0] 00 FF FF FF FF 00 00 2A 3C 3B F7 10 A9 0A BC D4 .......* <;...... [0C0] 65 11 CF EF AD DF 88 8D 5D E2 3B 2B 27 78 78 e....... ].;+'xx simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] B1 C0 F9 CC E5 B8 14 76 .......v store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(19,278) write_socket(19,278) wrote 278 cli_signing_trans_start: storing mid = 11, reply_seq_num = 19, send_seq_num = 18 data->send_seq_num = 20 got smb length of 232 size=232 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 176 (0xB0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 176 (0xB0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=177 [000] 00 05 00 02 03 10 00 00 00 B0 00 20 00 15 00 00 ........ ... .... [010] 00 6C 00 00 00 00 00 00 00 30 EE 4C 0D 01 00 00 .l...... 
.0.L.... [020] 00 40 EF 50 0D 20 00 00 00 01 00 00 00 04 00 06 .@.P. .. ........ [030] 00 A8 01 10 00 60 80 10 00 03 00 00 00 00 00 00 .....`.. ........ [040] 00 02 00 00 00 41 00 44 00 04 00 00 00 01 04 00 .....A.D ........ [050] 00 00 00 00 05 15 00 00 00 FD 37 42 40 4F 75 88 ........ ..7B@Ou. [060] 21 43 17 0A 32 01 00 00 00 A0 EF 4D 0D 01 00 00 !C..2... ...M.... [070] 00 02 00 6C 00 5B 04 00 00 00 00 00 00 01 00 00 ...l.[.. ........ [080] 00 00 00 00 00 6D 00 00 00 44 05 04 00 01 00 00 .....m.. .D...... [090] 00 77 00 FF FF FF FF 00 00 6F 93 92 FA 61 EE 25 .w...... .o...a.% [0A0] A7 91 82 4B 18 2D 81 B4 A2 00 00 00 00 00 00 00 ...K.-.. ........ [0B0] 00 . simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] 2C 22 F3 DA B9 D5 9A 9F ,"...... size=232 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=38916 smb_pid=2230 smb_uid=8193 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 176 (0xB0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 176 (0xB0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=177 [000] 00 05 00 02 03 10 00 00 00 B0 00 20 00 15 00 00 ........ ... .... [010] 00 6C 00 00 00 00 00 00 00 30 EE 4C 0D 01 00 00 .l...... .0.L.... [020] 00 40 EF 50 0D 20 00 00 00 01 00 00 00 04 00 06 .@.P. .. ........ [030] 00 A8 01 10 00 60 80 10 00 03 00 00 00 00 00 00 .....`.. ........ [040] 00 02 00 00 00 41 00 44 00 04 00 00 00 01 04 00 .....A.D ........ [050] 00 00 00 00 05 15 00 00 00 FD 37 42 40 4F 75 88 ........ ..7B@Ou. [060] 21 43 17 0A 32 01 00 00 00 A0 EF 4D 0D 01 00 00 !C..2... ...M.... [070] 00 02 00 6C 00 5B 04 00 00 00 00 00 00 01 00 00 ...l.[.. ........ [080] 00 00 00 00 00 6D 00 00 00 44 05 04 00 01 00 00 .....m.. .D...... [090] 00 77 00 FF FF FF FF 00 00 6F 93 92 FA 61 EE 25 .w...... .o...a.% [0A0] A7 91 82 4B 18 2D 81 B4 A2 00 00 00 00 00 00 00 ...K.-.. ........ [0B0] 00 . 
cli_signing_trans_stop: freeing mid = 11, reply_seq_num = 19, send_seq_num = 18 data->send_seq_num = 20 rpc_check_hdr: rdata->data_size = 176 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00b0 000a auth_len : 0020 000c call_id : 00000015 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000006c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 176 rpc_auth_pipe: pkt_type: 2 len: 176 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 04 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 ff ff ff ff 00 00 0010 seq_num: 6f 93 92 fa 61 ee 25 a7 0018 packet_digest: 91 82 4b 18 2d 81 b4 a2 0020 confounder: 00 00 00 00 00 00 00 00 SCHANNEL: netsec_encode seq_num=3 data_len=112 SCHANNEL: netsec_decode seq_num=3 data_len=112 rpc_api_pipe: fragment first and last both set 000018 lsa_io_r_lookup_names 0018 ptr_dom_ref: 0d4cee30 00001c lsa_io_dom_r_ref 001c num_ref_doms_1: 00000001 0020 ptr_ref_dom : 0d50ef40 0024 max_entries : 00000020 0028 num_ref_doms_2: 00000001 00002c smb_io_unihdr dom_ref[0] 002c uni_str_len: 0004 002e uni_max_len: 0006 0030 buffer : 001001a8 0034 sid_ptr[0] : 00108060 000038 smb_io_unistr2 dom_ref[0] 0038 uni_max_len: 00000003 003c offset : 00000000 0040 uni_str_len: 00000002 0044 buffer : A.D. 
000048 smb_io_dom_sid2 sid_ptr[0] 0048 num_auths: 00000004 00004c smb_io_dom_sid sid 004c sid_rev_num: 01 004d num_auths : 04 004e id_auth[0] : 00 004f id_auth[1] : 00 0050 id_auth[2] : 00 0051 id_auth[3] : 00 0052 id_auth[4] : 00 0053 id_auth[5] : 05 0054 sub_auths : 00000015 404237fd 2188754f 320a1743 0064 num_entries: 00000001 0068 ptr_entries: 0d4defa0 006c num_entries2: 00000001 000070 smb_io_dom_rid2 0070 type : 02 0074 rid : 0000045b 0078 rid_idx: 00000000 007c mapped_count: 00000001 0080 status : NT_STATUS_OK client_write: wrote 1300 bytes. client_read: read 1824 bytes. Need 0 more for a full request. process_request: request fn PAM_AUTH [ 2231]: pam auth NA\jschmo is_myname("NA") returns 0 Using cleartext machine password ads_dc_name: domain=AD ads_find_dc: looking for realm 'AD.COLORCON.COM' get_sorted_dc_list: attempting lookup using [ads] internal_resolve_name: looking up AD.COLORCON.COM#1c Returning valid cache entry: key = NBT/AD.COLORCON.COM#1C, value = 10.64.2.61:389,10.64.2.62:389,10.32.2.61:389, timeout = Tue May 18 10:49:24 2004 name AD.COLORCON.COM#1C found. 
Adding 3 DC's from auto lookup remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 3 ip addresses in an unordered list get_dc_list: 10.64.2.61:389 10.64.2.62:389 10.32.2.61:389 ads_try_connect: trying ldap server '10.32.2.61' port 389 Connected to LDAP server 10.32.2.61 got ldap server name wep-ad-dc1@AD.COLORCON.COM, using bind path: dc=AD,dc=COLORCON,dc=COM time offset is 174 seconds ads_dc_name: using server='WEP-AD-DC1' IP=10.32.2.61 IPC$ connections done anonymously secrets_named_mutex: got mutex for WEP-AD-DC1 Connecting to host=WEP-AD-DC1 Connecting to 10.32.2.61 at port 445 socket option SO_KEEPALIVE = 0 socket option SO_REUSEADDR = 0 socket option SO_BROADCAST = 0 socket option TCP_NODELAY = 1 socket option IPTOS_LOWDELAY = 0 socket option IPTOS_THROUGHPUT = 0 socket option SO_SNDBUF = 16384 socket option SO_RCVBUF = 87380 socket option SO_SNDLOWAT = 1 socket option SO_RCVLOWAT = 1 socket option SO_SNDTIMEO = 0 socket option SO_RCVTIMEO = 0 write_socket(21,183) write_socket(21,183) wrote 183 got smb length of 184 size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]=19072 (0x4A80) smb_vwv[12]=57814 (0xE1D6) smb_vwv[13]=59295 (0xE79F) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM size=184 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]=19072 (0x4A80) smb_vwv[12]=57814 (0xE1D6) smb_vwv[13]=59295 (0xE79F) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=115 [000] 04 5C D6 7C 02 83 73 4C A5 9B 60 95 8F CE 72 B5 .\.|..sL ..`...r. [010] 60 61 06 06 2B 06 01 05 05 02 A0 57 30 55 A0 30 `a..+... ...W0U.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 21 30 1F A0 1D 1B 1B 77 65 70 2D 61 64 2D 64 .!0..... wep-ad-d [060] 63 31 24 40 41 44 2E 43 4F 4C 4F 52 43 4F 4E 2E c1$@AD.C OLORCON. [070] 43 4F 4D COM connecting to WEP-AD-DC1 from STAGE1 with kerberos principal [STAGE1$@AD.COLORCON.COM] Doing spnego session setup (blob length=115) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=wep-ad-dc1$@AD.COLORCON.COM Doing kerberos session setup Advancing clock by 173 seconds to cope with clock skew Ticket in ccache[MEMORY:cliconnect] expiration Tue, 18 May 2004 20:48:45 GMT Ticket (wep-ad-dc1$@AD.COLORCON.COM) in ccache (MEMORY:cliconnect) is valid until: (Tue, 18 May 2004 20:48:45 GMT - 1084927725) Got KRB5 session key of length 8 SMB signing enabled! cli_simple_set_signing: user_session_key [000] 9B B3 37 52 86 AB CE DA ..7R.... 
cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] 00 3B A5 92 3A B0 DB 66 .;..:..f store_sequence_for_reply: stored seq = 1 mid = 2 write_socket(21,1220) write_socket(21,1220) wrote 1220 got smb length of 143 size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=36865 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] CF A9 85 69 7F F7 34 65 ...i..4e size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=36865 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 04 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. 
simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] 92 AD 51 B9 0E 79 2E 71 ..Q..y.q store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(21,88) write_socket(21,88) wrote 88 got smb length of 48 size=48 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=3 smt_wct=3 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 1 (0x1) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 38 63 45 8E B9 A9 34 12 8cE...4. cli_init_creds: user domain secrets_named_mutex: released mutex for WEP-AD-DC1 Using cleartext machine password simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] 9D 7D EC DF 0A 72 D7 18 .}...r.. store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(21,108) write_socket(21,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 5 
mid = 4 simple_packet_signature: sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] 84 4D 8B 64 6C 45 C0 3D .M.dlE.= Bind RPC Pipe[4000]: \PIPE\NETLOGON Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000016 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:4000 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16384 (0x4000) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 16 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ 
.......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] B6 89 A7 DD CE 6C F5 16 .....l.. store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(21,158) write_socket(21,158) wrote 158 cli_signing_trans_start: storing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 16 00 00 ........ .D...... [010] 00 B8 10 B8 10 1F 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] E5 67 81 A7 93 5A 35 28 .g...Z5( size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 16 00 00 ........ .D...... [010] 00 B8 10 B8 10 1F 28 06 00 0C 00 5C 50 49 50 45 ......(. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ 
[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... cli_signing_trans_stop: freeing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 rpc_check_hdr: rdata->data_size = 68 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000016 rpc_api_pipe: len left: 0 smbtrans read: 68 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0006281f 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! cli_net_req_chal: LSA Request Challenge from STAGE1 to WEP-AD-DC1: 2850982AFD1DF8F3 init_q_req_chal: 621 init_q_req_chal: 630 000000 net_io_q_req_chal 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 00002a smb_io_unistr2 002c uni_max_len: 00000007 0030 offset : 00000000 0034 uni_str_len: 00000007 0038 buffer : S.T.A.G.E.1... 
000046 smb_io_chal 0046 data: 28 50 98 2a fd 1d f8 f3 create_rpc_request: opnum: 0x4 data_len: 0x66 create_rpc_request: data_len: 66 auth_len: 0 alloc_hint: 56 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0066 000a auth_len : 0000 000c call_id : 00000017 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000056 0014 context_id: 0000 0016 opnum : 0004 rpc_api_pipe: fnum:4000 size=184 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 102 (0x66) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 102 (0x66) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16384 (0x4000) smb_bcc=117 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 66 00 00 00 17 00 00 00 56 .......f .......V [020] 00 00 00 00 00 04 00 01 00 00 00 0D 00 00 00 00 ........ ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 00 00 28 50 98 .T.A.G.E .1...(P. [070] 2A FD 1D F8 F3 *.... 
simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] B7 DF 91 CC B6 D1 A5 57 .......W store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(21,188) write_socket(21,188) wrote 188 cli_signing_trans_start: storing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 got smb length of 92 size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 17 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 99 F0 8E DF B5 A2 98 ........ ........ [020] E0 00 00 00 00 ..... simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] BF FD C2 59 AA D1 98 9B ...Y.... size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 00 05 00 02 03 10 00 00 00 24 00 00 00 17 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 99 F0 8E DF B5 A2 98 ........ ........ [020] E0 00 00 00 00 ..... 
cli_signing_trans_stop: freeing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 rpc_check_hdr: rdata->data_size = 36 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0024 000a auth_len : 0000 000c call_id : 00000017 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000000c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 36 rpc_api_pipe: fragment first and last both set 000018 net_io_r_req_chal 000018 smb_io_chal 0018 data: 99 f0 8e df b5 a2 98 e0 0020 status: NT_STATUS_OK cred_session_key clnt_chal: 2850982AFD1DF8F3 srv_chal : 99F08EDFB5A298E0 clnt+srv : C140270AB2C090D4 sess_key : E7BEFDB68299D69A cred_create sess_key : E7BEFDB68299D69A stor_cred: 2850982AFD1DF8F3 timestamp: 0 timecred : 2850982AFD1DF8F3 calc_cred: F0D95ED1ECEFC2D6 cli_net_auth2: srv:\\WEP-AD-DC1 acct:STAGE1$ sc:2 mc: STAGE1 chal F0D95ED1ECEFC2D6 neg: 400701ff init_q_auth_2: 742 make_log_info 1336 init_q_auth_2: 748 000000 net_io_q_auth_2 000000 smb_io_log_info 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 00002a smb_io_unistr2 unistr2 002c uni_max_len: 00000008 0030 offset : 00000000 0034 uni_str_len: 00000008 0038 buffer : S.T.A.G.E.1.$... 0048 sec_chan: 0002 00004a smb_io_unistr2 unistr2 004c uni_max_len: 00000007 0050 offset : 00000000 0054 uni_str_len: 00000007 0058 buffer : S.T.A.G.E.1... 
000066 smb_io_chal 0066 data: f0 d9 5e d1 ec ef c2 d6 00006e net_io_neg_flags 0070 neg_flags: 400701ff create_rpc_request: opnum: 0xf data_len: 0x8c create_rpc_request: data_len: 8c auth_len: 0 alloc_hint: 7c 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 008c 000a auth_len : 0000 000c call_id : 00000018 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000007c 0014 context_id: 0000 0016 opnum : 000f rpc_api_pipe: fnum:4000 size=222 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=7 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 140 (0x8C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 140 (0x8C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16384 (0x4000) smb_bcc=155 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 8C 00 00 00 18 00 00 00 7C ........ .......| [020] 00 00 00 00 00 0F 00 01 00 00 00 0D 00 00 00 00 ........ ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 24 00 00 00 02 .T.A.G.E .1.$.... [070] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [080] 00 54 00 41 00 47 00 45 00 31 00 00 00 F0 D9 5E .T.A.G.E .1.....^ [090] D1 EC EF C2 D6 00 00 FF 01 07 40 ........ 
..@ simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] 40 A8 F7 3B 69 41 89 25 @..;iA.% store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(21,226) write_socket(21,226) wrote 226 cli_signing_trans_start: storing mid = 7, reply_seq_num = 11, send_seq_num = 10 data->send_seq_num = 12 got smb length of 96 size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 18 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 0A E0 0D ED B4 6B F3 ........ ......k. [020] AC FF 01 07 40 00 00 00 00 ....@... . simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] FA 63 58 8A C8 19 0E 5A .cX....Z size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=7 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] 00 05 00 02 03 10 00 00 00 28 00 00 00 18 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 0A E0 0D ED B4 6B F3 ........ ......k. [020] AC FF 01 07 40 00 00 00 00 ....@... . 
cli_signing_trans_stop: freeing mid = 7, reply_seq_num = 11, send_seq_num = 10 data->send_seq_num = 12 rpc_check_hdr: rdata->data_size = 40 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0028 000a auth_len : 0000 000c call_id : 00000018 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000010 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 40 rpc_api_pipe: fragment first and last both set 000018 net_io_r_auth_2 000018 smb_io_chal 0018 data: 0a e0 0d ed b4 6b f3 ac 000020 net_io_neg_flags 0020 neg_flags: 400701ff 0024 status: NT_STATUS_OK cred_create sess_key : E7BEFDB68299D69A stor_cred: 99F08EDFB5A298E0 timestamp: 0 timecred : 99F08EDFB5A298E0 calc_cred: 0AE00DEDB46BF3AC cred_assert challenge : 0AE00DEDB46BF3AC calculated: 0AE00DEDB46BF3AC credentials check ok simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] 95 4C 58 10 08 33 46 AD .LX..3F. 
store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(21,108) write_socket(21,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3072 (0xC00) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] AA 9E AA 57 2E 06 6C DE ...W..l. Bind RPC Pipe[800c]: \PIPE\NETLOGON Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 
000000 smb_io_rpc_hdr_auth hdr_auth 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_neg netsec_neg 0008 type1: 00000000 000c type2: 00000003 [000] 41 44 AD [000] 53 54 41 47 45 31 STAGE1 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0062 000a auth_len : 0012 000c call_id : 00000019 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:800c size=180 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 98 (0x62) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 98 (0x62) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32780 (0x800C) smb_bcc=113 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 62 00 12 00 19 00 00 00 B8 .......b ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... 
.......+ [050] 10 48 60 02 00 00 00 44 05 00 00 01 00 00 00 00 .H`....D ........ [060] 00 00 00 03 00 00 00 41 44 00 53 54 41 47 45 31 .......A D.STAGE1 [070] 00 . simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] 1B 9D C3 CF CC 82 C9 6A .......j store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(21,184) write_socket(21,184) wrote 184 cli_signing_trans_start: storing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 got smb length of 144 size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 19 00 00 ........ .X...... [010] 00 B8 10 B8 10 20 28 06 00 0C 00 5C 50 49 50 45 ..... (. ...\PIPE [020] 5C 6C 73 61 73 73 00 89 A4 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 05 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 A3 56 85 .......V . simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] CD A1 42 70 7B 86 46 E1 ..Bp{.F. size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 19 00 00 ........ .X...... [010] 00 B8 10 B8 10 20 28 06 00 0C 00 5C 50 49 50 45 ..... (. 
...\PIPE [020] 5C 6C 73 61 73 73 00 89 A4 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 05 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 A3 56 85 .......V . cli_signing_trans_stop: freeing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 rpc_check_hdr: rdata->data_size = 88 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 00000019 rpc_api_pipe: len left: 0 smbtrans read: 88 rpc_auth_pipe: pkt_type: 12 len: 88 auth_len: 12 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00062820 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! secrets_named_mutex: got mutex for NETLOGON\WEP-AD-DC1 simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] C5 4A F4 BE 67 97 88 E0 .J..g... 
store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(21,45) write_socket(21,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=10 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 17 mid = 10 simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] 7D 22 88 80 A2 9B 66 DF }"....f. cli_net_req_chal: LSA Request Challenge from STAGE1 to WEP-AD-DC1: E5F7842024A51967 init_q_req_chal: 621 init_q_req_chal: 630 000000 net_io_q_req_chal 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 00002a smb_io_unistr2 002c uni_max_len: 00000007 0030 offset : 00000000 0034 uni_str_len: 00000007 0038 buffer : S.T.A.G.E.1... 000046 smb_io_chal 0046 data: e5 f7 84 20 24 a5 19 67 000050 smb_io_rpc_hdr_auth hdr_auth 0050 auth_type : 44 0051 auth_level : 05 0052 padding : 02 0053 reserved : 00 0054 auth_context : 00000001 SCHANNEL seq_num=0 SCHANNEL: netsec_encode seq_num=0 data_len=80 000058 smb_io_rpc_auth_netsec_chk 0058 sig : 77 00 ff ff ff ff 00 00 0060 seq_num: 6d 62 4f 5c a1 b7 40 d1 0068 packet_digest: 18 cd b2 cf a2 c4 85 7c 0070 confounder: b6 8c 54 4e fd 36 7a b6 create_rpc_request: opnum: 0x4 data_len: 0x90 create_rpc_request: data_len: 90 auth_len: 20 alloc_hint: 58 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0090 000a auth_len : 0020 000c call_id : 0000001a 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000058 0014 context_id: 0000 0016 opnum : 0004 rpc_api_pipe: fnum:800c size=226 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) 
smb_vwv[ 1]= 144 (0x90) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 144 (0x90) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32780 (0x800C) smb_bcc=159 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 90 00 20 00 1A 00 00 00 58 ........ . .....X [020] 00 00 00 00 00 04 00 01 00 00 00 0D 00 00 00 00 ........ ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 00 00 E5 F7 84 .T.A.G.E .1...... [070] 20 24 A5 19 67 00 00 44 05 02 00 01 00 00 00 77 $..g..D .......w [080] 00 FF FF FF FF 00 00 6D 62 4F 5C A1 B7 40 D1 18 .......m bO\..@.. [090] CD B2 CF A2 C4 85 7C B6 8C 54 4E FD 36 7A B6 ......|. .TN.6z. simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] AC 6F 1A DE B7 1A 5D 00 .o....]. store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(21,230) write_socket(21,230) wrote 230 cli_signing_trans_start: storing mid = 11, reply_seq_num = 19, send_seq_num = 18 data->send_seq_num = 20 got smb length of 136 size=136 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 80 (0x50) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 80 (0x50) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=81 [000] 00 05 00 02 03 10 00 00 00 50 00 20 00 1A 00 00 ........ .P. .... [010] 00 0C 00 00 00 00 00 00 00 54 F5 78 C9 FC 12 AB ........ .T.x.... 
[020] 21 00 00 00 00 00 00 00 00 44 05 04 00 01 00 00 !....... .D...... [030] 00 77 00 FF FF FF FF 00 00 2B 90 5F 2A 5C 8D 74 .w...... .+._*\.t [040] C4 D3 81 16 B3 12 E4 3D D7 00 00 00 00 00 00 00 .......= ........ [050] 00 . simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] A4 50 F6 1B 01 63 67 6B .P...cgk size=136 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 80 (0x50) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 80 (0x50) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=81 [000] 00 05 00 02 03 10 00 00 00 50 00 20 00 1A 00 00 ........ .P. .... [010] 00 0C 00 00 00 00 00 00 00 54 F5 78 C9 FC 12 AB ........ .T.x.... [020] 21 00 00 00 00 00 00 00 00 44 05 04 00 01 00 00 !....... .D...... [030] 00 77 00 FF FF FF FF 00 00 2B 90 5F 2A 5C 8D 74 .w...... .+._*\.t [040] C4 D3 81 16 B3 12 E4 3D D7 00 00 00 00 00 00 00 .......= ........ [050] 00 . 
cli_signing_trans_stop: freeing mid = 11, reply_seq_num = 19, send_seq_num = 18 data->send_seq_num = 20 rpc_check_hdr: rdata->data_size = 80 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0050 000a auth_len : 0020 000c call_id : 0000001a 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000000c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 80 rpc_auth_pipe: pkt_type: 2 len: 80 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 04 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 ff ff ff ff 00 00 0010 seq_num: 2b 90 5f 2a 5c 8d 74 c4 0018 packet_digest: d3 81 16 b3 12 e4 3d d7 0020 confounder: 00 00 00 00 00 00 00 00 SCHANNEL: netsec_encode seq_num=1 data_len=16 SCHANNEL: netsec_decode seq_num=1 data_len=16 rpc_api_pipe: fragment first and last both set 000018 net_io_r_req_chal 000018 smb_io_chal 0018 data: 54 f5 78 c9 fc 12 ab 21 0020 status: NT_STATUS_OK cred_session_key clnt_chal: E5F7842024A51967 srv_chal : 54F578C9FC12AB21 clnt+srv : 39EDFDE920B8C488 sess_key : 1BC63C6F7E1435AC cred_create sess_key : 1BC63C6F7E1435AC stor_cred: E5F7842024A51967 timestamp: 0 timecred : E5F7842024A51967 calc_cred: 0AF8CDEC385FF2DF cli_net_auth2: srv:\\WEP-AD-DC1 acct:STAGE1$ sc:2 mc: STAGE1 chal 0AF8CDEC385FF2DF neg: 400701ff init_q_auth_2: 742 make_log_info 1336 init_q_auth_2: 748 000000 net_io_q_auth_2 000000 smb_io_log_info 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 
00002a smb_io_unistr2 unistr2 002c uni_max_len: 00000008 0030 offset : 00000000 0034 uni_str_len: 00000008 0038 buffer : S.T.A.G.E.1.$... 0048 sec_chan: 0002 00004a smb_io_unistr2 unistr2 004c uni_max_len: 00000007 0050 offset : 00000000 0054 uni_str_len: 00000007 0058 buffer : S.T.A.G.E.1... 000066 smb_io_chal 0066 data: 0a f8 cd ec 38 5f f2 df 00006e net_io_neg_flags 0070 neg_flags: 400701ff 000078 smb_io_rpc_hdr_auth hdr_auth 0078 auth_type : 44 0079 auth_level : 05 007a padding : 04 007b reserved : 00 007c auth_context : 00000001 SCHANNEL seq_num=2 SCHANNEL: netsec_encode seq_num=2 data_len=120 000080 smb_io_rpc_auth_netsec_chk 0080 sig : 77 00 ff ff ff ff 00 00 0088 seq_num: 06 fb b8 d1 12 ad 16 51 0090 packet_digest: d0 dd 4a cf bb 1c a1 b1 0098 confounder: b1 35 c5 f2 ed 01 46 e1 create_rpc_request: opnum: 0xf data_len: 0xb8 create_rpc_request: data_len: b8 auth_len: 20 alloc_hint: 80 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00b8 000a auth_len : 0020 000c call_id : 0000001b 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000080 0014 context_id: 0000 0016 opnum : 000f rpc_api_pipe: fnum:800c size=266 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=12 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 184 (0xB8) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 184 (0xB8) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32780 (0x800C) smb_bcc=199 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 B8 00 20 00 1B 00 00 00 80 ........ . ...... [020] 00 00 00 00 00 0F 00 01 00 00 00 0D 00 00 00 00 ........ ........ 
[030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 41 00 44 00 2D 00 44 00 43 00 31 00 00 .-.A.D.- .D.C.1.. [050] 00 00 00 08 00 00 00 00 00 00 00 08 00 00 00 53 ........ .......S [060] 00 54 00 41 00 47 00 45 00 31 00 24 00 00 00 02 .T.A.G.E .1.$.... [070] 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 53 ........ .......S [080] 00 54 00 41 00 47 00 45 00 31 00 00 00 0A F8 CD .T.A.G.E .1...... [090] EC 38 5F F2 DF 00 00 FF 01 07 40 00 00 00 00 44 .8_..... ..@....D [0A0] 05 04 00 01 00 00 00 77 00 FF FF FF FF 00 00 06 .......w ........ [0B0] FB B8 D1 12 AD 16 51 D0 DD 4A CF BB 1C A1 B1 B1 ......Q. .J...... [0C0] 35 C5 F2 ED 01 46 E1 5....F. simple_packet_signature: sequence number 20 client_sign_outgoing_message: sent SMB signature of [000] 47 BC 5E A5 D3 11 5C 80 G.^...\. store_sequence_for_reply: stored seq = 21 mid = 12 write_socket(21,270) write_socket(21,270) wrote 270 cli_signing_trans_start: storing mid = 12, reply_seq_num = 21, send_seq_num = 20 data->send_seq_num = 22 got smb length of 136 size=136 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=12 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 80 (0x50) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 80 (0x50) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=81 [000] 00 05 00 02 03 10 00 00 00 50 00 20 00 1B 00 00 ........ .P. .... [010] 00 10 00 00 00 00 00 00 00 47 02 C8 64 87 CF 35 ........ .G..d..5 [020] 0C FF 01 07 40 00 00 00 00 44 05 00 00 01 00 00 ....@... .D...... [030] 00 77 00 FF FF FF FF 00 00 F5 59 3D 84 BB DB 05 .w...... ..Y=.... [040] F3 2C 9C B1 0F 07 E8 EB 70 00 00 00 00 00 00 00 .,...... p....... [050] 00 . simple_packet_signature: sequence number 21 client_check_incoming_message: seq 21: got good SMB signature of [000] 94 69 32 7F E4 7F 33 DE .i2...3. 
size=136 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=12 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 80 (0x50) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 80 (0x50) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=81 [000] 00 05 00 02 03 10 00 00 00 50 00 20 00 1B 00 00 ........ .P. .... [010] 00 10 00 00 00 00 00 00 00 47 02 C8 64 87 CF 35 ........ .G..d..5 [020] 0C FF 01 07 40 00 00 00 00 44 05 00 00 01 00 00 ....@... .D...... [030] 00 77 00 FF FF FF FF 00 00 F5 59 3D 84 BB DB 05 .w...... ..Y=.... [040] F3 2C 9C B1 0F 07 E8 EB 70 00 00 00 00 00 00 00 .,...... p....... [050] 00 . cli_signing_trans_stop: freeing mid = 12, reply_seq_num = 21, send_seq_num = 20 data->send_seq_num = 22 rpc_check_hdr: rdata->data_size = 80 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0050 000a auth_len : 0020 000c call_id : 0000001b 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000010 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 80 rpc_auth_pipe: pkt_type: 2 len: 80 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal No rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 05 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 ff ff ff ff 00 00 0010 seq_num: f5 59 3d 84 bb db 05 f3 0018 packet_digest: 2c 9c b1 0f 07 e8 eb 70 0020 confounder: 00 00 00 00 00 00 00 00 SCHANNEL: netsec_encode seq_num=3 data_len=16 SCHANNEL: netsec_decode seq_num=3 data_len=16 rpc_api_pipe: fragment first and last both set 000018 net_io_r_auth_2 000018 smb_io_chal 0018 data: 47 02 c8 64 87 cf 35 0c 000020 
net_io_neg_flags 0020 neg_flags: 400701ff 0024 status: NT_STATUS_OK cred_create sess_key : 1BC63C6F7E1435AC stor_cred: 54F578C9FC12AB21 timestamp: 0 timecred : 54F578C9FC12AB21 calc_cred: 4702C86487CF350C cred_assert challenge : 4702C86487CF350C calculated: 4702C86487CF350C credentials check ok simple_packet_signature: sequence number 22 client_sign_outgoing_message: sent SMB signature of [000] AF 4F 9A DE B8 2C 16 2C .O...,., store_sequence_for_reply: stored seq = 23 mid = 13 write_socket(21,108) write_socket(21,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=13 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3328 (0xD00) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 23 mid = 13 simple_packet_signature: sequence number 23 client_check_incoming_message: seq 23: got good SMB signature of [000] 97 7E 2F 9C F4 13 7F 53 .~/....S Bind RPC Pipe[800d]: \PIPE\NETLOGON Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 
000000 smb_io_rpc_hdr_auth hdr_auth 0000 auth_type : 44 0001 auth_level : 06 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_neg netsec_neg 0008 type1: 00000000 000c type2: 00000003 [000] 41 44 AD [000] 53 54 41 47 45 31 STAGE1 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0062 000a auth_len : 0012 000c call_id : 0000001c 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:800d size=180 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=14 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 98 (0x62) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 98 (0x62) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32781 (0x800D) smb_bcc=113 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 62 00 12 00 1C 00 00 00 B8 .......b ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... 
.......+ [050] 10 48 60 02 00 00 00 44 06 00 00 01 00 00 00 00 .H`....D ........ [060] 00 00 00 03 00 00 00 41 44 00 53 54 41 47 45 31 .......A D.STAGE1 [070] 00 . simple_packet_signature: sequence number 24 client_sign_outgoing_message: sent SMB signature of [000] D0 F6 28 F6 48 C5 2B BC ..(.H.+. store_sequence_for_reply: stored seq = 25 mid = 14 write_socket(21,184) write_socket(21,184) wrote 184 cli_signing_trans_start: storing mid = 14, reply_seq_num = 25, send_seq_num = 24 data->send_seq_num = 26 got smb length of 144 size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 1C 00 00 ........ .X...... [010] 00 B8 10 B8 10 21 28 06 00 0C 00 5C 50 49 50 45 .....!(. ...\PIPE [020] 5C 6C 73 61 73 73 00 CD AB 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 00 00 ........ . simple_packet_signature: sequence number 25 client_check_incoming_message: seq 25: got good SMB signature of [000] 42 4D 9F 15 26 5B 7C 17 BM..&[|. size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 00 05 00 0C 03 10 00 00 00 58 00 0C 00 1C 00 00 ........ .X...... [010] 00 B8 10 B8 10 21 28 06 00 0C 00 5C 50 49 50 45 .....!(. 
...\PIPE [020] 5C 6C 73 61 73 73 00 CD AB 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 00 00 ........ . cli_signing_trans_stop: freeing mid = 14, reply_seq_num = 25, send_seq_num = 24 data->send_seq_num = 26 rpc_check_hdr: rdata->data_size = 88 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 0000001c rpc_api_pipe: len left: 0 smbtrans read: 88 rpc_auth_pipe: pkt_type: 12 len: 88 auth_len: 12 NTLMSSP No schannel Yes sign Yes seal Yes rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 06 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00062821 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! 
secrets_named_mutex: released mutex for NETLOGON\WEP-AD-DC1 cred_create sess_key : 1BC63C6F7E1435AC stor_cred: 0AF8CDEC385FF2DF timestamp: 40aa224e timecred : 581A782D385FF2DF calc_cred: 15FC78D35F18D9E1 init_id_info2: 1125 make_logon_id: 1515 init_sam_info: 1231 make_clnt_info: 1430 init_clnt_srv: 1275 000000 net_io_q_sam_logon 000000 smb_io_sam_info 000000 smb_io_clnt_info2 000000 smb_io_clnt_srv 0000 undoc_buffer : 00000001 000004 smb_io_unistr2 unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 002c undoc_buffer2: 00000001 000030 smb_io_unistr2 unistr2 0030 uni_max_len: 00000007 0034 offset : 00000000 0038 uni_str_len: 00000007 003c buffer : S.T.A.G.E.1... 004c ptr_cred: 00000001 000050 smb_io_cred 000050 smb_io_chal 0050 data: 15 fc 78 d3 5f 18 d9 e1 000058 smb_io_utime 0058 time: 40aa224e 005c ptr_rtn_cred : 00000001 000060 smb_io_cred 000060 smb_io_chal 0060 data: 00 00 00 00 00 00 00 00 000068 smb_io_utime 0068 time: 00000000 006c logon_level : 0002 00006e smb_io_sam_info logon_info 006e switch_value : 0002 000070 net_io_id_info2 0070 ptr_id_info2: 00000001 000074 smb_io_unihdr unihdr 0074 uni_str_len: 0004 0076 uni_max_len: 0004 0078 buffer : 00000001 007c param_ctrl: 00000000 000080 smb_io_logon_id 0080 low : 0000dead 0084 high: 0000beef 000088 smb_io_unihdr unihdr 0088 uni_str_len: 000c 008a uni_max_len: 000c 008c buffer : 00000001 000090 smb_io_unihdr unihdr 0090 uni_str_len: 0010 0092 uni_max_len: 0010 0094 buffer : 00000001 0098 lm_chal: ee fc 7a 3a 8c 26 9d 29 0000a0 smb_io_strhdr hdr_nt_chal_resp 00a0 str_str_len: 0018 00a2 str_max_len: 0018 00a4 buffer : 00000001 0000a8 smb_io_strhdr hdr_lm_chal_resp 00a8 str_str_len: 0018 00aa str_max_len: 0018 00ac buffer : 00000001 0000b0 smb_io_unistr2 uni_domain_name 00b0 uni_max_len: 00000002 00b4 offset : 00000000 00b8 uni_str_len: 00000002 00bc buffer : N.A. 
0000c0 smb_io_unistr2 uni_user_name 00c0 uni_max_len: 00000006 00c4 offset : 00000000 00c8 uni_str_len: 00000006 00cc buffer : j.s.c.h.m.o. 0000d8 smb_io_unistr2 uni_wksta_name 00d8 uni_max_len: 00000008 00dc offset : 00000000 00e0 uni_str_len: 00000008 00e4 buffer : \.\.S.T.A.G.E.1. 0000f4 smb_io_string2 nt_chal_resp 00f4 str_max_len: 00000018 00f8 offset : 00000000 00fc str_str_len: 00000018 0100 buffer : Is..+..lYG.......\bR..`. 000118 smb_io_string2 lm_chal_resp 0118 str_max_len: 00000018 011c offset : 00000000 0120 str_str_len: 00000018 0124 buffer : .p...f..._ f^..0a.].I..n 013c validation_level: 0003 000140 smb_io_rpc_hdr_auth hdr_auth 0140 auth_type : 44 0141 auth_level : 06 0142 padding : 02 0143 reserved : 00 0144 auth_context : 00000001 SCHANNEL seq_num=0 SCHANNEL: netsec_encode seq_num=0 data_len=320 000148 smb_io_rpc_auth_netsec_chk 0148 sig : 77 00 7a 00 ff ff 00 00 0150 seq_num: 39 54 cc be 73 a9 4e 60 0158 packet_digest: 1a 87 e9 6c 67 32 14 15 0160 confounder: 6b 13 7d a6 2f f4 fd d0 create_rpc_request: opnum: 0x2 data_len: 0x180 create_rpc_request: data_len: 180 auth_len: 20 alloc_hint: 148 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0180 000a auth_len : 0020 000c call_id : 0000001d 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000148 0014 context_id: 0000 0016 opnum : 0002 rpc_api_pipe: fnum:800d size=466 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=15 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 384 (0x180) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 384 (0x180) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32781 (0x800D) 
smb_bcc=399
simple_packet_signature: sequence number 26 client_sign_outgoing_message: sent SMB signature of [000] 82 9F 98 8C 6F B2 F2 5A ....o..Z store_sequence_for_reply: stored seq = 27 mid = 15 write_socket(21,470) write_socket(21,470) wrote 470 cli_signing_trans_start: storing mid = 15, reply_seq_num = 27, send_seq_num = 26 data->send_seq_num = 28 got smb length of 600 size=600 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 544 (0x220) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 544 (0x220) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=545
simple_packet_signature: sequence number 27 client_check_incoming_message: seq 27: got good SMB signature of [000] 51 30 D5 9F 9A B1 74 44 Q0....tD size=600 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 544 (0x220) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 544 (0x220) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=545
cli_signing_trans_stop: freeing mid = 15, reply_seq_num = 27, send_seq_num = 26 data->send_seq_num = 28 rpc_check_hdr: rdata->data_size = 544 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0220 000a auth_len : 0020 000c call_id : 0000001d 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000001e0 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 544 rpc_auth_pipe: pkt_type: 2 len: 544 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal Yes rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 06 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 7a 00 ff ff 00 00 0010 seq_num: f3 85 91 f8 1c 76 c8 ba 0018 packet_digest: c2 82 74 f7 4b a5 ea fc 0020 confounder: fe 82 4d 26 d7 a2 43 b7 SCHANNEL: netsec_encode seq_num=1 data_len=480 SCHANNEL: netsec_decode seq_num=1 data_len=480 rpc_api_pipe: fragment first and last both set 000018 net_io_r_sam_logon 0018 buffer_creds: 0009c990 00001c smb_io_cred 00001c smb_io_chal 001c data: 57 9d 60 52 8e 23 1c 50 000024 smb_io_utime 0024 time: 00000000 0028 switch_value: 0003 00002c net_io_user_info3 002c ptr_user_info : 0d4ff050 000030 smb_io_time logon time 0030 low : 82f1c47b 0034 high: 01c43916 000038 smb_io_time logoff time 0038 low : ffffffff 003c high: 7fffffff 000040 smb_io_time kickoff time 0040 low : ffffffff 0044 high: 7fffffff 000048 smb_io_time last set time 0048 low : c09254c1 004c high: 01c4385c 000050 smb_io_time can change time 0050 low : 68b3d4c1 0054 high: 01c44038 000058 smb_io_time must change time 0058 low : b15b54c1 005c high: 01c46782 000060 smb_io_unihdr hdr_user_name 0060 uni_str_len: 000c 0062 uni_max_len: 000e 0064 buffer : 0d4ff1b4 000068 smb_io_unihdr hdr_full_name 0068 
uni_str_len: 0000 006a uni_max_len: 0000 006c buffer : 00000000 000070 smb_io_unihdr hdr_logon_script 0070 uni_str_len: 0000 0072 uni_max_len: 0000 0074 buffer : 00000000 000078 smb_io_unihdr hdr_profile_path 0078 uni_str_len: 0000 007a uni_max_len: 0000 007c buffer : 00000000 000080 smb_io_unihdr hdr_home_dir 0080 uni_str_len: 0000 0082 uni_max_len: 0000 0084 buffer : 00000000 000088 smb_io_unihdr hdr_dir_drive 0088 uni_str_len: 0000 008a uni_max_len: 0000 008c buffer : 00000000 0090 logon_count : 0039 0092 bad_pw_count : 0000 0094 user_rid : 0000089f 0098 group_rid : 00000201 009c num_groups : 00000007 00a0 buffer_groups : 0d4ff11c 00a4 user_flgs : 00000120 00a8 user_sess_key: c6 9a 5d 40 81 b4 2b a4 db 2c 78 45 b8 7e d5 e7 0000b8 smb_io_unihdr hdr_logon_srv 00b8 uni_str_len: 0014 00ba uni_max_len: 0016 00bc buffer : 0d4ff1c2 0000c0 smb_io_unihdr hdr_logon_dom 00c0 uni_str_len: 0004 00c2 uni_max_len: 0006 00c4 buffer : 0d4ff1d8 00c8 buffer_dom_id : 0d4ff19c 00cc padding : 57 3f 92 a9 80 74 5e 73 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00f4 num_other_sids: 00000002 00f8 buffer_other_sids: 0d4ff154 0000fc smb_io_unistr2 uni_user_name 00fc uni_max_len: 00000007 0100 offset : 00000000 0104 uni_str_len: 00000006 0108 buffer : j.s.c.h.m.o. 
000114 smb_io_unistr2 - NULL uni_full_name 000114 smb_io_unistr2 - NULL uni_logon_script 000114 smb_io_unistr2 - NULL uni_profile_path 000114 smb_io_unistr2 - NULL uni_home_dir 000114 smb_io_unistr2 - NULL uni_dir_drive 0114 num_groups2 : 00000007 000118 smb_io_gid 0118 g_rid: 00000cbd 011c attr : 00000007 000120 smb_io_gid 0120 g_rid: 00000a36 0124 attr : 00000007 000128 smb_io_gid 0128 g_rid: 00000cef 012c attr : 00000007 000130 smb_io_gid 0130 g_rid: 000008e9 0134 attr : 00000007 000138 smb_io_gid 0138 g_rid: 000008f5 013c attr : 00000007 000140 smb_io_gid 0140 g_rid: 00000201 0144 attr : 00000007 000148 smb_io_gid 0148 g_rid: 00000fc0 014c attr : 00000007 000150 smb_io_unistr2 uni_logon_srv 0150 uni_max_len: 0000000b 0154 offset : 00000000 0158 uni_str_len: 0000000a 015c buffer : W.E.P.-.N.A.-.D.C.2. 000170 smb_io_unistr2 uni_logon_dom 0170 uni_max_len: 00000003 0174 offset : 00000000 0178 uni_str_len: 00000002 017c buffer : N.A. 000180 smb_io_dom_sid2 0180 num_auths: 00000004 000184 smb_io_dom_sid sid 0184 sid_rev_num: 01 0185 num_auths : 04 0186 id_auth[0] : 00 0187 id_auth[1] : 00 0188 id_auth[2] : 00 0189 id_auth[3] : 00 018a id_auth[4] : 00 018b id_auth[5] : 05 018c sub_auths : 00000015 74d97781 773ce092 6b635f23 019c num_other_groups: 00000002 0001a0 smb_io_gid 01a0 g_rid: 0d4ff164 01a4 attr : 00000007 0001a8 smb_io_gid 01a8 g_rid: 0d4ff180 01ac attr : 00000007 0001b0 smb_io_dom_sid2 01b0 num_auths: 00000005 0001b4 smb_io_dom_sid sid 01b4 sid_rev_num: 01 01b5 num_auths : 05 01b6 id_auth[0] : 00 01b7 id_auth[1] : 00 01b8 id_auth[2] : 00 01b9 id_auth[3] : 00 01ba id_auth[4] : 00 01bb id_auth[5] : 05 01bc sub_auths : 00000015 404237fd 2188754f 320a1743 0000045b 0001d0 smb_io_dom_sid2 01d0 num_auths: 00000005 0001d4 smb_io_dom_sid sid 01d4 sid_rev_num: 01 01d5 num_auths : 05 01d6 id_auth[0] : 00 01d7 id_auth[1] : 00 01d8 id_auth[2] : 00 01d9 id_auth[3] : 00 01da id_auth[4] : 00 01db id_auth[5] : 05 01dc sub_auths : 00000015 404237fd 2188754f 320a1743 00000465 
01f0 auth_resp : 00000001 01f4 status : NT_STATUS_OK clnt_deal_with_creds: 148 cred_create sess_key : 1BC63C6F7E1435AC stor_cred: 0AF8CDEC385FF2DF timestamp: 40aa224f timecred : 591A782D385FF2DF calc_cred: 579D60528E231C50 cred_assert challenge : 579D60528E231C50 calculated: 579D60528E231C50 credentials check ok new clnt cred: 591A782D385FF2DF netsamlogon_cache_store: SID [S-1-5-21-1960408961-2000478354-1801674531-2207] 0000 timestamp: 40aa224e 000004 net_io_user_info3 0004 ptr_user_info : 0d4ff050 000008 smb_io_time logon time 0008 low : 82f1c47b 000c high: 01c43916 000010 smb_io_time logoff time 0010 low : ffffffff 0014 high: 7fffffff 000018 smb_io_time kickoff time 0018 low : ffffffff 001c high: 7fffffff 000020 smb_io_time last set time 0020 low : c09254c1 0024 high: 01c4385c 000028 smb_io_time can change time 0028 low : 68b3d4c1 002c high: 01c44038 000030 smb_io_time must change time 0030 low : b15b54c1 0034 high: 01c46782 000038 smb_io_unihdr hdr_user_name 0038 uni_str_len: 000c 003a uni_max_len: 000e 003c buffer : 0d4ff1b4 000040 smb_io_unihdr hdr_full_name 0040 uni_str_len: 0000 0042 uni_max_len: 0000 0044 buffer : 00000000 000048 smb_io_unihdr hdr_logon_script 0048 uni_str_len: 0000 004a uni_max_len: 0000 004c buffer : 00000000 000050 smb_io_unihdr hdr_profile_path 0050 uni_str_len: 0000 0052 uni_max_len: 0000 0054 buffer : 00000000 000058 smb_io_unihdr hdr_home_dir 0058 uni_str_len: 0000 005a uni_max_len: 0000 005c buffer : 00000000 000060 smb_io_unihdr hdr_dir_drive 0060 uni_str_len: 0000 0062 uni_max_len: 0000 0064 buffer : 00000000 0068 logon_count : 0039 006a bad_pw_count : 0000 006c user_rid : 0000089f 0070 group_rid : 00000201 0074 num_groups : 00000007 0078 buffer_groups : 0d4ff11c 007c user_flgs : 00000120 0080 user_sess_key: ad e4 79 89 5e e9 05 49 74 c4 f3 6c 78 cb 76 e2 000090 smb_io_unihdr hdr_logon_srv 0090 uni_str_len: 0014 0092 uni_max_len: 0016 0094 buffer : 0d4ff1c2 000098 smb_io_unihdr hdr_logon_dom 0098 uni_str_len: 0004 009a 
uni_max_len: 0006 009c buffer : 0d4ff1d8 00a0 buffer_dom_id : 0d4ff19c 00a4 padding : 3c 41 b6 60 5f 29 70 9e bf e8 8b 29 c0 b5 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00cc num_other_sids: 00000002 00d0 buffer_other_sids: 0d4ff154 0000d4 smb_io_unistr2 uni_user_name 00d4 uni_max_len: 00000007 00d8 offset : 00000000 00dc uni_str_len: 00000006 00e0 buffer : j.s.c.h.m.o. 0000ec smb_io_unistr2 - NULL uni_full_name 0000ec smb_io_unistr2 - NULL uni_logon_script 0000ec smb_io_unistr2 - NULL uni_profile_path 0000ec smb_io_unistr2 - NULL uni_home_dir 0000ec smb_io_unistr2 - NULL uni_dir_drive 00ec num_groups2 : 00000007 0000f0 smb_io_gid 00f0 g_rid: 00000cbd 00f4 attr : 00000007 0000f8 smb_io_gid 00f8 g_rid: 00000a36 00fc attr : 00000007 000100 smb_io_gid 0100 g_rid: 00000cef 0104 attr : 00000007 000108 smb_io_gid 0108 g_rid: 000008e9 010c attr : 00000007 000110 smb_io_gid 0110 g_rid: 000008f5 0114 attr : 00000007 000118 smb_io_gid 0118 g_rid: 00000201 011c attr : 00000007 000120 smb_io_gid 0120 g_rid: 00000fc0 0124 attr : 00000007 000128 smb_io_unistr2 uni_logon_srv 0128 uni_max_len: 0000000b 012c offset : 00000000 0130 uni_str_len: 0000000a 0134 buffer : W.E.P.-.N.A.-.D.C.2. 000148 smb_io_unistr2 uni_logon_dom 0148 uni_max_len: 00000003 014c offset : 00000000 0150 uni_str_len: 00000002 0154 buffer : N.A. 
000158 smb_io_dom_sid2 0158 num_auths: 00000004 00015c smb_io_dom_sid sid 015c sid_rev_num: 01 015d num_auths : 04 015e id_auth[0] : 00 015f id_auth[1] : 00 0160 id_auth[2] : 00 0161 id_auth[3] : 00 0162 id_auth[4] : 00 0163 id_auth[5] : 05 0164 sub_auths : 00000015 74d97781 773ce092 6b635f23 0174 num_other_groups: 00000002 000178 smb_io_gid 0178 g_rid: 0d4ff164 017c attr : 00000007 000180 smb_io_gid 0180 g_rid: 0d4ff180 0184 attr : 00000007 000188 smb_io_dom_sid2 0188 num_auths: 00000005 00018c smb_io_dom_sid sid 018c sid_rev_num: 01 018d num_auths : 05 018e id_auth[0] : 00 018f id_auth[1] : 00 0190 id_auth[2] : 00 0191 id_auth[3] : 00 0192 id_auth[4] : 00 0193 id_auth[5] : 05 0194 sub_auths : 00000015 404237fd 2188754f 320a1743 0000045b 0001a8 smb_io_dom_sid2 01a8 num_auths: 00000005 0001ac smb_io_dom_sid sid 01ac sid_rev_num: 01 01ad num_auths : 05 01ae id_auth[0] : 00 01af id_auth[1] : 00 01b0 id_auth[2] : 00 01b1 id_auth[3] : 00 01b2 id_auth[4] : 00 01b3 id_auth[5] : 05 01b4 sub_auths : 00000015 404237fd 2188754f 320a1743 00000465 init_r_getdcname 000000 net_io_q_getdcname 0000 ptr_logon_server: 00000001 000004 smb_io_unistr2 logon_server 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.A.D.-.D.C.1... 002c ptr_domainname: 00000001 000030 smb_io_unistr2 domainname 0030 uni_max_len: 00000003 0034 offset : 00000000 0038 uni_str_len: 00000003 003c buffer : N.A... 
000048 smb_io_rpc_hdr_auth hdr_auth 0048 auth_type : 44 0049 auth_level : 06 004a padding : 06 004b reserved : 00 004c auth_context : 00000001 SCHANNEL seq_num=2 SCHANNEL: netsec_encode seq_num=2 data_len=72 000050 smb_io_rpc_auth_netsec_chk 0050 sig : 77 00 7a 00 ff ff 00 00 0058 seq_num: 5b a3 a6 c5 55 a3 8e df 0060 packet_digest: 7a 47 c7 50 08 77 d1 ea 0068 confounder: d3 95 62 79 c8 15 77 56 create_rpc_request: opnum: 0xd data_len: 0x88 create_rpc_request: data_len: 88 auth_len: 20 alloc_hint: 50 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0088 000a auth_len : 0020 000c call_id : 0000001e 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000050 0014 context_id: 0000 0016 opnum : 000d rpc_api_pipe: fnum:800d size=218 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=16 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 136 (0x88) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 136 (0x88) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32781 (0x800D) smb_bcc=151 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 88 00 20 00 1E 00 00 00 50 ........ . .....P [020] 00 00 00 00 00 0D 00 5C 28 B2 47 B0 59 90 86 D8 .......\ (.G.Y... [030] D2 21 EC B1 B9 62 A0 AB A7 9A 0C 94 FF 0B 55 19 .!...b.. ......U. [040] CE E4 14 D9 D1 5C F0 63 F9 79 33 1D 33 66 7C 44 .....\.c .y3.3f|D [050] 42 53 A1 C7 A2 80 1D F2 9C 9D A5 FA 87 7A 3D 9F BS...... .....z=. [060] E0 04 02 BC 00 55 3B B0 F4 AE A3 98 D1 14 34 44 .....U;. 
......4D [070] 06 06 00 01 00 00 00 77 00 7A 00 FF FF 00 00 5B .......w .z.....[ [080] A3 A6 C5 55 A3 8E DF 7A 47 C7 50 08 77 D1 EA D3 ...U...z G.P.w... [090] 95 62 79 C8 15 77 56 .by..wV simple_packet_signature: sequence number 28 client_sign_outgoing_message: sent SMB signature of [000] FE 65 F1 66 38 33 B2 69 .e.f83.i store_sequence_for_reply: stored seq = 29 mid = 16 write_socket(21,222) write_socket(21,222) wrote 222 cli_signing_trans_start: storing mid = 16, reply_seq_num = 29, send_seq_num = 28 data->send_seq_num = 30 got smb length of 168 size=168 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=16 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 112 (0x70) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 112 (0x70) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=113 [000] 00 05 00 02 03 10 00 00 00 70 00 20 00 1E 00 00 ........ .p. .... [010] 00 30 00 00 00 00 00 00 00 B5 A2 9F 5B CA FA 29 .0...... ....[..) [020] 61 C2 1A A9 AA 26 0F F4 44 2C CF 01 FB 21 AC FC a....&.. D,...!.. [030] 19 71 16 08 CB 97 9E 3B 2D 6F AE 7D 41 6F A7 29 .q.....; -o.}Ao.) [040] 63 57 F1 C3 B8 43 88 A9 25 44 06 00 00 01 00 00 cW...C.. %D...... [050] 00 77 00 7A 00 FF FF 00 00 12 46 20 21 29 43 97 .w.z.... ..F !)C. [060] C1 46 A1 46 4F 06 D3 4D C2 E6 08 89 FB 91 28 FC .F.FO..M ......(. [070] 81 . simple_packet_signature: sequence number 29 client_check_incoming_message: seq 29: got good SMB signature of [000] 8F 4D F6 3A 73 E3 BF 80 .M.:s... 
size=168 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=16388 smb_pid=2230 smb_uid=36865 smb_mid=16 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 112 (0x70) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 112 (0x70) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=113 [000] 00 05 00 02 03 10 00 00 00 70 00 20 00 1E 00 00 ........ .p. .... [010] 00 30 00 00 00 00 00 00 00 B5 A2 9F 5B CA FA 29 .0...... ....[..) [020] 61 C2 1A A9 AA 26 0F F4 44 2C CF 01 FB 21 AC FC a....&.. D,...!.. [030] 19 71 16 08 CB 97 9E 3B 2D 6F AE 7D 41 6F A7 29 .q.....; -o.}Ao.) [040] 63 57 F1 C3 B8 43 88 A9 25 44 06 00 00 01 00 00 cW...C.. %D...... [050] 00 77 00 7A 00 FF FF 00 00 12 46 20 21 29 43 97 .w.z.... ..F !)C. [060] C1 46 A1 46 4F 06 D3 4D C2 E6 08 89 FB 91 28 FC .F.FO..M ......(. [070] 81 . cli_signing_trans_stop: freeing mid = 16, reply_seq_num = 29, send_seq_num = 28 data->send_seq_num = 30 rpc_check_hdr: rdata->data_size = 112 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0070 000a auth_len : 0020 000c call_id : 0000001e 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000030 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 112 rpc_auth_pipe: pkt_type: 2 len: 112 auth_len: 32 NTLMSSP No schannel Yes sign Yes seal Yes rpc_auth_pipe: packet: 000000 smb_io_rpc_hdr_auth auth_hdr 0000 auth_type : 44 0001 auth_level : 06 0002 padding : 00 0003 reserved : 00 0004 auth_context : 00000001 000008 smb_io_rpc_auth_netsec_chk schannel_auth_sign 0008 sig : 77 00 7a 00 ff ff 00 00 0010 seq_num: 12 46 20 21 29 43 97 c1 0018 packet_digest: 46 a1 46 4f 06 d3 4d c2 0020 confounder: e6 08 89 fb 91 28 fc 81 SCHANNEL: netsec_encode seq_num=3 data_len=48 SCHANNEL: netsec_decode seq_num=3 
data_len=48 rpc_api_pipe: fragment first and last both set 000018 net_io_r_getdcname 0018 ptr_dcname: 00141010 00001c smb_io_unistr2 dcname 001c uni_max_len: 0000000d 0020 offset : 00000000 0024 uni_str_len: 0000000d 0028 buffer : \.\.W.E.P.-.N.A.-.D.C.2... 0042 status: NT_STATUS_OK internal_resolve_name: looking up WEP-NA-DC2#20 Returning valid cache entry: key = NBT/WEP-NA-DC2#20, value = 10.32.2.64:0, timeout = Tue May 18 10:49:35 2004 name WEP-NA-DC2#20 found. IPC$ connections done anonymously secrets_named_mutex: got mutex for WEP-NA-DC2 Connecting to host=WEP-NA-DC2 Connecting to 10.32.2.64 at port 445 socket option SO_KEEPALIVE = 0 socket option SO_REUSEADDR = 0 socket option SO_BROADCAST = 0 socket option TCP_NODELAY = 1 socket option IPTOS_LOWDELAY = 0 socket option IPTOS_THROUGHPUT = 0 socket option SO_SNDBUF = 16384 socket option SO_RCVBUF = 87380 socket option SO_SNDLOWAT = 1 socket option SO_RCVLOWAT = 1 socket option SO_SNDTIMEO = 0 socket option SO_RCVTIMEO = 0 write_socket(22,183) write_socket(22,183) wrote 183 got smb length of 187 size=187 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=2230 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 8 (0x8) smb_vwv[ 1]=12807 (0x3207) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 65 (0x41) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 243 (0xF3) smb_vwv[11]=49792 (0xC280) smb_vwv[12]=14900 (0x3A34) smb_vwv[13]=59296 (0xE7A0) smb_vwv[14]=50236 (0xC43C) smb_vwv[15]=61441 (0xF001) smb_vwv[16]= 0 (0x0) smb_bcc=118 [000] 6C 7A 9B 53 65 B1 39 4B 88 0C 3B 2E 4D 5D 9F 87 lz.Se.9K ..;.M].. [010] 60 64 06 06 2B 06 01 05 05 02 A0 5A 30 58 A0 30 `d..+... ...Z0X.0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... 
[050] A3 24 30 22 A0 20 1B 1E 77 65 70 2D 6E 61 2D 64 .$0". .. wep-na-d [060] 63 32 24 40 4E 41 2E 41 44 2E 43 4F 4C 4F 52 43 c2$@NA.A D.COLORC [070] 4F 4E 2E 43 4F 4D ON.COM connecting to WEP-NA-DC2 from STAGE1 with kerberos principal [STAGE1$@AD.COLORCON.COM] Doing spnego session setup (blob length=118) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=wep-na-dc2$@NA.AD.COLORCON.COM Doing kerberos session setup Advancing clock by 173 seconds to cope with clock skew Ticket in ccache[MEMORY:cliconnect] expiration Tue, 18 May 2004 20:48:46 GMT Ticket (wep-na-dc2$@NA.AD.COLORCON.COM) in ccache (MEMORY:cliconnect) is valid until: (Tue, 18 May 2004 20:48:46 GMT - 1084927726) Got KRB5 session key of length 8 SMB signing enabled! cli_simple_set_signing: user_session_key [000] 02 6B 83 16 1F 26 6B CB .k...&k.
cli_simple_set_signing: NULL response_data simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] D6 7B 32 DC B5 23 D5 20 .{2..#. store_sequence_for_reply: stored seq = 1 mid = 2 write_socket(22,1224) write_socket(22,1224) wrote 1224 got smb length of 143 size=143 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=2230 smb_uid=4097 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 143 (0x8F) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=100 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 00 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 35 00 2E 00 30 .d.o.w.s . .5...0 [030] 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 ...W.i.n .d.o.w.s [040] 00 20 00 32 00 30 00 30 00 30 00 20 00 4C 00 41 . .2.0.0 .0. .L.A [050] 00 4E 00 20 00 4D 00 61 00 6E 00 61 00 67 00 65 .N. .M.a .n.a.g.e [060] 00 72 00 00 .r.. get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] A5 DF 1C AC 02 4C 66 66 .....Lff
simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] F5 61 AE 72 0E C4 DC 87 .a.r.... store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(22,88) write_socket(22,88) wrote 88 got smb length of 48 size=48 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=3 smt_wct=3 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 1 (0x1) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 51 2D F4 BE 2D 5E 6A 8F Q-..-^j. cli_init_creds: user domain secrets_named_mutex: released mutex for WEP-NA-DC2 simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] 02 A4 04 3F BB 6E 8F D3 ...?.n.. store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(22,104) write_socket(22,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 512 (0x200) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 5 mid = 4 simple_packet_signature: 
sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] E1 46 8B EB F7 92 B3 45 .F.....E Bind RPC Pipe[4002]: \PIPE\lsarpc Bind Abstract Syntax: [000] 6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 j(.9.... ....O... [010] 00 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 0000001f 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 3919286a 0024 data : b10c 0026 data : 11d0 0028 data : 9b a8 002a data : 00 c0 4f d9 2e f5 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:4002 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16386 (0x4002) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 1F 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A ........ .......j [030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9..... ...O.... 
[040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] CB 11 9B ED 4D 7E 00 6E ....M~.n store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(22,158) write_socket(22,158) wrote 158 cli_signing_trans_start: storing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 1F 00 00 ........ .D...... [010] 00 B8 10 B8 10 34 5F 13 00 0C 00 5C 50 49 50 45 .....4_. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] 05 F0 E2 A6 31 50 04 08 ....1P..
cli_signing_trans_stop: freeing mid = 5, reply_seq_num = 7, send_seq_num = 6 data->send_seq_num = 8 rpc_check_hdr: rdata->data_size = 68 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 0000001f rpc_api_pipe: len left: 0 smbtrans read: 68 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00135f34 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! 000000 ds_io_q_getprimdominfo 0000 level: 0001 create_rpc_request: opnum: 0x0 data_len: 0x1a create_rpc_request: data_len: 1a auth_len: 0 alloc_hint: a 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 001a 000a auth_len : 0000 000c call_id : 00000020 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000000a 0014 context_id: 0000 0016 opnum : 0000 rpc_api_pipe: fnum:4002 size=108 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 26 (0x1A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 26 (0x1A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16386 (0x4002) 
smb_bcc=41 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 1A 00 00 00 20 00 00 00 0A ........ ... .... [020] 00 00 00 00 00 00 00 01 00 ........ . simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] 64 6C 94 D0 26 D6 3A 5A dl..&.:Z store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(22,112) write_socket(22,112) wrote 112 cli_signing_trans_start: storing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 got smb length of 244 size=244 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 188 (0xBC) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 188 (0xBC) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=189 [000] 00 05 00 02 03 10 00 00 00 BC 00 00 00 20 00 00 ........ ..... .. [010] 00 A4 00 00 00 00 00 00 00 F8 50 36 02 01 00 00 ........ ..P6.... [020] 00 04 00 00 00 01 00 00 01 38 BD 0F 00 10 3E 2E ........ .8....>. [030] 0D 80 F2 35 02 4D B9 58 7C 17 8E 5A 48 8C 2A 72 ...5.M.X |..ZH.*r [040] 87 47 25 FD 4D 03 00 00 00 00 00 00 00 03 00 00 .G%.M... ........ [050] 00 4E 00 41 00 00 00 00 00 13 00 00 00 00 00 00 .N.A.... ........ [060] 00 13 00 00 00 6E 00 61 00 2E 00 61 00 64 00 2E .....n.a ...a.d.. [070] 00 63 00 6F 00 6C 00 6F 00 72 00 63 00 6F 00 6E .c.o.l.o .r.c.o.n [080] 00 2E 00 63 00 6F 00 6D 00 00 00 00 00 10 00 00 ...c.o.m ........ [090] 00 00 00 00 00 10 00 00 00 61 00 64 00 2E 00 63 ........ .a.d...c [0A0] 00 6F 00 6C 00 6F 00 72 00 63 00 6F 00 6E 00 2E .o.l.o.r .c.o.n.. [0B0] 00 63 00 6F 00 6D 00 00 00 00 00 00 00 .c.o.m.. ..... 
simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] 7E 85 57 C5 06 01 42 69 ~.W...Bi
cli_signing_trans_stop: freeing mid = 6, reply_seq_num = 9, send_seq_num = 8 data->send_seq_num = 10 rpc_check_hdr: rdata->data_size = 188 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00bc 000a auth_len : 0000 000c call_id : 00000020 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000a4 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 188 rpc_api_pipe: fragment first and last both set 000018 ds_io_r_getprimdominfo 0018 ptr: 023650f8 001c level: 0001 001e unknown0: 0000 0020 machine_role: 0004 0022 unknown: 0000 0024 flags: 01000001 0028 netbios_ptr: 000fbd38 002c dnsname_ptr: 0d2e3e10 0030 forestname_ptr: 0235f280 000034 smb_io_uuid domain_guid 0034 data : 7c58b94d 0038 data : 8e17 003a data : 485a 003c data : 8c 2a 003e data : 72 87 47 25 fd 4d 000044 smb_io_unistr2 netbios_domain 0044 uni_max_len: 00000003 0048 offset : 00000000 004c uni_str_len: 00000003 0050 buffer : N.A... 000058 smb_io_unistr2 dns_domain 0058 uni_max_len: 00000013 005c offset : 00000000 0060 uni_str_len: 00000013 0064 buffer : n.a...a.d...c.o.l.o.r.c.o.n...c.o.m... 00008c smb_io_unistr2 forest_domain 008c uni_max_len: 00000010 0090 offset : 00000000 0094 uni_str_len: 00000010 0098 buffer : a.d...c.o.l.o.r.c.o.n...c.o.m... 00b8 status: NT_STATUS_OK simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] A6 90 B6 D3 80 92 F1 16 ........ 
store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(22,45) write_socket(22,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=7 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 11 mid = 7 simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] FB 73 41 2E 21 AE 8A B6 .sA.!... simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] 3D 55 99 CC 89 0F 65 AF =U....e. store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(22,104) write_socket(22,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 768 (0x300) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] 1E 2E 51 B5 13 9A 60 BA ..Q...`. Bind RPC Pipe[4003]: \PIPE\lsarpc Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4... ...#Eg.. [010] 00 00 00 00 .... 
Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000021 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_elements: 00000001 001c context_id : 0000 001e num_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345778 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 89 ab 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: fnum:4003 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16387 (0x4003) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 21 00 00 00 B8 .......H ...!.... [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... 
simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] 06 03 D0 6C 07 00 85 35 ...l...5 store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(22,158) write_socket(22,158) wrote 158 cli_signing_trans_start: storing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 21 00 00 ........ .D...!.. [010] 00 B8 10 B8 10 35 5F 13 00 0C 00 5C 50 49 50 45 .....5_. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] 98 64 9E DD EE 34 69 6A .d...4ij
cli_signing_trans_stop: freeing mid = 9, reply_seq_num = 15, send_seq_num = 14 data->send_seq_num = 16 rpc_check_hdr: rdata->data_size = 68 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000021 rpc_api_pipe: len left: 0 smbtrans read: 68 rpc_api_pipe: fragment first and last both set rpc_pipe_bind: rpc_api_pipe returned OK. 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00135f35 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 bind_rpc_pipe: accepted! init_lsa_sec_qos init_q_open_pol2: attr:0 da:33554432 init_lsa_obj_attr 000000 lsa_io_q_open_pol2 0000 ptr : 00000001 000004 smb_io_unistr2 0004 uni_max_len: 0000000d 0008 offset : 00000000 000c uni_str_len: 0000000d 0010 buffer : \.\.W.E.P.-.N.A.-.D.C.2... 
00002a lsa_io_obj_attr 002c len : 00000018 0030 ptr_root_dir: 00000000 0034 ptr_obj_name: 00000000 0038 attributes : 00000000 003c ptr_sec_desc: 00000000 0040 ptr_sec_qos : 00000001 000044 lsa_io_obj_qos sec_qos 0044 len : 0000000c 0048 sec_imp_level : 0002 004a sec_ctxt_mode : 01 004b effective_only: 00 lsa_io_sec_qos: length c does not match size 8 004c des_access: 02000000 create_rpc_request: opnum: 0x2c data_len: 0x68 create_rpc_request: data_len: 68 auth_len: 0 alloc_hint: 58 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0068 000a auth_len : 0000 000c call_id : 00000022 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000058 0014 context_id: 0000 0016 opnum : 002c rpc_api_pipe: fnum:4003 size=186 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 104 (0x68) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 104 (0x68) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16387 (0x4003) smb_bcc=119 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 68 00 00 00 22 00 00 00 58 .......h ..."...X [020] 00 00 00 00 00 2C 00 01 00 00 00 0D 00 00 00 00 .....,.. ........ [030] 00 00 00 0D 00 00 00 5C 00 5C 00 57 00 45 00 50 .......\ .\.W.E.P [040] 00 2D 00 4E 00 41 00 2D 00 44 00 43 00 32 00 00 .-.N.A.- .D.C.2.. [050] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [060] 00 00 00 00 00 00 00 01 00 00 00 0C 00 00 00 02 ........ ........ [070] 00 01 00 00 00 00 02 ....... 
simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] 24 AC 38 E0 F5 FF 05 E3 $.8..... store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(22,190) write_socket(22,190) wrote 190 cli_signing_trans_start: storing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 got smb length of 104 size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 00 05 00 02 03 10 00 00 00 30 00 00 00 22 00 00 ........ .0...".. [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 2C B1 42 ........ .....,.B [020] 4A 43 CF 1A 4D A0 9F A9 75 56 C3 4B 14 00 00 00 JC..M... uV.K.... [030] 00 . simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] FA 8B D1 6E F0 A4 56 09 ...n..V.
cli_signing_trans_stop: freeing mid = 10, reply_seq_num = 17, send_seq_num = 16 data->send_seq_num = 18 rpc_check_hdr: rdata->data_size = 48 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0030 000a auth_len : 0000 000c call_id : 00000022 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000018 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 rpc_api_pipe: len left: 0 smbtrans read: 48 rpc_api_pipe: fragment first and last both set 000018 lsa_io_r_open_pol2 000018 smb_io_pol_hnd 0018 data1: 00000000 001c data2: 4a42b12c 0020 data3: cf43 0022 data4: 4d1a 0024 data5: a0 9f a9 75 56 c3 4b 14 002c status: NT_STATUS_OK init_q_query2 000000 lsa_io_q_query_info2 000000 smb_io_pol_hnd pol 0000 data1: 00000000 0004 data2: 4a42b12c 0008 data3: cf43 000a data4: 4d1a 000c data5: a0 9f a9 75 56 c3 4b 14 0014 info_class: 000c create_rpc_request: opnum: 0x2e data_len: 0x2e create_rpc_request: data_len: 2e auth_len: 0 alloc_hint: 1e 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 002e 000a auth_len : 0000 000c call_id : 00000023 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000001e 0014 context_id: 0000 0016 opnum : 002e rpc_api_pipe: fnum:4003 size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16387 (0x4003) smb_bcc=61 [000] 00 5C 00 50 00 49 00 50 
00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 23 00 00 00 1E ........ ...#.... [020] 00 00 00 00 00 2E 00 00 00 00 00 2C B1 42 4A 43 ........ ...,.BJC [030] CF 1A 4D A0 9F A9 75 56 C3 4B 14 0C 00 ..M...uV .K... simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] D6 FB CF 01 29 29 E1 34 ....)).4 store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(22,132) write_socket(22,132) wrote 132 cli_signing_trans_start: storing mid = 11, reply_seq_num = 19, send_seq_num = 18 data->send_seq_num = 20 got smb length of 272 size=272 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2053 smb_pid=2230 smb_uid=4097 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 216 (0xD8) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 216 (0xD8) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=217 [000] 00 05 00 02 03 10 00 00 00 D8 00 00 00 23 00 00 ........ .....#.. [010] 00 C0 00 00 00 00 00 00 00 30 AD 2C 0D 0C 00 00 ........ .0.,.... [020] 00 04 00 06 00 38 BD 0F 00 24 00 26 00 F8 50 36 .....8.. .$.&..P6 [030] 02 1E 00 20 00 80 F2 35 02 4D B9 58 7C 17 8E 5A ... ...5 .M.X|..Z [040] 48 8C 2A 72 87 47 25 FD 4D 78 71 12 00 03 00 00 H.*r.G%. Mxq..... [050] 00 00 00 00 00 02 00 00 00 4E 00 41 00 13 00 00 ........ .N.A.... [060] 00 00 00 00 00 12 00 00 00 6E 00 61 00 2E 00 61 ........ .n.a...a [070] 00 64 00 2E 00 63 00 6F 00 6C 00 6F 00 72 00 63 .d...c.o .l.o.r.c [080] 00 6F 00 6E 00 2E 00 63 00 6F 00 6D 00 10 00 00 .o.n...c .o.m.... [090] 00 00 00 00 00 0F 00 00 00 61 00 64 00 2E 00 63 ........ .a.d...c [0A0] 00 6F 00 6C 00 6F 00 72 00 63 00 6F 00 6E 00 2E .o.l.o.r .c.o.n.. [0B0] 00 63 00 6F 00 6D 00 00 00 04 00 00 00 01 04 00 .c.o.m.. ........ [0C0] 00 00 00 00 05 15 00 00 00 81 77 D9 74 92 E0 3C ........ ..w.t..< [0D0] 77 23 5F 63 6B 00 00 00 00 w#_ck... . 
simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] 86 CC 14 3D 94 FB B3 E7 ...=....
cli_signing_trans_stop: freeing mid = 11, reply_seq_num = 19, send_seq_num = 18 data->send_seq_num = 20
rpc_check_hdr: rdata->data_size = 216
000000 smb_io_rpc_hdr rpc_hdr
    0000 major : 05
    0001 minor : 00
    0002 pkt_type : 02
    0003 flags : 03
    0004 pack_type0: 10
    0005 pack_type1: 00
    0006 pack_type2: 00
    0007 pack_type3: 00
    0008 frag_len : 00d8
    000a auth_len : 0000
    000c call_id : 00000023
000010 smb_io_rpc_hdr_resp rpc_hdr_resp
    0010 alloc_hint: 000000c0
    0014 context_id: 0000
    0016 cancel_ct : 00
    0017 reserved : 00
rpc_api_pipe: len left: 0 smbtrans read: 216
rpc_api_pipe: fragment first and last both set
000018 lsa_io_r_query_info2
    0018 ptr: 0d2cad30
    001c info_class: 000c
00001e lsa_io_dns_dom_info info12
000020 smb_io_unihdr nb_name
    0020 uni_str_len: 0004
    0022 uni_max_len: 0006
    0024 buffer : 000fbd38
000028 smb_io_unihdr dns_name
    0028 uni_str_len: 0024
    002a uni_max_len: 0026
    002c buffer : 023650f8
000030 smb_io_unihdr forest
    0030 uni_str_len: 001e
    0032 uni_max_len: 0020
    0034 buffer : 0235f280
000038 smb_io_uuid dom_guid
    0038 data : 7c58b94d
    003c data : 8e17
    003e data : 485a
    0040 data : 8c 2a
    0042 data : 72 87 47 25 fd 4d
    0048 dom_sid: 00127178
00004c smb_io_unistr2 nb_name
    004c uni_max_len: 00000003
    0050 offset : 00000000
    0054 uni_str_len: 00000002
    0058 buffer : N.A.
00005c smb_io_unistr2 dns_name
    005c uni_max_len: 00000013
    0060 offset : 00000000
    0064 uni_str_len: 00000012
    0068 buffer : n.a...a.d...c.o.l.o.r.c.o.n...c.o.m.
00008c smb_io_unistr2 forest
    008c uni_max_len: 00000010
    0090 offset : 00000000
    0094 uni_str_len: 0000000f
    0098 buffer : a.d...c.o.l.o.r.c.o.n...c.o.m.
0000b6 smb_io_dom_sid2 dom_sid
    00b8 num_auths: 00000004
0000bc smb_io_dom_sid sid
    00bc sid_rev_num: 01
    00bd num_auths : 04
    00be id_auth[0] : 00
    00bf id_auth[1] : 00
    00c0 id_auth[2] : 00
    00c1 id_auth[3] : 00
    00c2 id_auth[4] : 00
    00c3 id_auth[5] : 05
    00c4 sub_auths : 00000015 74d97781 773ce092 6b635f23
    00d4 status: NT_STATUS_OK
simple_packet_signature: sequence number 20
client_sign_outgoing_message: sent SMB signature of
[000] AB C2 2B 72 8E 62 CC 53 ..+r.b.S
store_sequence_for_reply: stored seq = 21 mid = 12
write_socket(22,45)
write_socket(22,45) wrote 45
got smb length of 35
size=35
smb_com=0x4
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51205
smb_tid=2053
smb_pid=2230
smb_uid=4097
smb_mid=12
smt_wct=0
smb_bcc=0
get_sequence_for_reply: found seq = 21 mid = 12
simple_packet_signature: sequence number 21
client_check_incoming_message: seq 21: got good SMB signature of
[000] CF 86 BF B6 CC 58 01 D6 .....X..
simple_packet_signature: sequence number 22
client_sign_outgoing_message: sent SMB signature of
[000] 51 87 50 BB 36 1F 99 89 Q.P.6...
store_sequence_for_reply: stored seq = 23 mid = 13
write_socket(22,39)
write_socket(22,39) wrote 39
got smb length of 35
size=35
smb_com=0x71
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51205
smb_tid=2053
smb_pid=2230
smb_uid=4097
smb_mid=13
smt_wct=0
smb_bcc=0
get_sequence_for_reply: found seq = 23 mid = 13
simple_packet_signature: sequence number 23
client_check_incoming_message: seq 23: got good SMB signature of
[000] 89 9A 45 D3 44 62 3C 58 ..E.Db