osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity
wireshark/epan/dissectors/packet-dcerpc-netlogon.c

9732 lines
380 KiB
C
Raw Blame History

/* packet-dcerpc-netlogon.c
* Routines for SMB \PIPE\NETLOGON packet disassembly
* Copyright 2001,2003 Tim Potter <tpot@samba.org>
* 2002 structure and command dissectors by Ronnie Sahlberg
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "config.h"
#include <epan/packet.h>
#include <epan/expert.h>
#include <wsutil/wsgcrypt.h>
#include <wsutil/wslog.h>
/* for dissect_mscldap_string */
#include "packet-ldap.h"
#include "packet-dcerpc.h"
#include "packet-dcerpc-nt.h"
#include "packet-dcerpc-netlogon.h"
#include "packet-windows-common.h"
#include "packet-dcerpc-lsa.h"
#include "packet-ntlmssp.h"
#include "packet-dcerpc-misc.h"
/* for keytab format */
#include <epan/asn1.h>
#include "packet-kerberos.h"
/* for routines to read the keytab file */
#include "read_keytab_file.h"
/* for decoding */
void proto_register_dcerpc_netlogon(void);
void proto_reg_handoff_dcerpc_netlogon(void);
#ifdef DEBUG_NETLOGON
#include <stdio.h>
#define debugprintf(...) fprintf(stderr,__VA_ARGS__)
static void printnbyte(const guint8* tab,int nb,const char* txt,const char* txt2)
{
int i=0;
debugprintf("%s ",txt);
for(i=0;i<nb;i++)
{
debugprintf("%02X ",*(tab+i));
}
debugprintf("%s",txt2);
}
#else
#define debugprintf(...)
static void printnbyte(const guint8* tab _U_,int nb _U_,const char* txt _U_,const char* txt2 _U_) {}
#endif
#define NETLOGON_FLAG_80000000 0x80000000
#define NETLOGON_FLAG_40000000 0x40000000
#define NETLOGON_FLAG_20000000 0x20000000
#define NETLOGON_FLAG_10000000 0x10000000
#define NETLOGON_FLAG_8000000 0x8000000
#define NETLOGON_FLAG_4000000 0x4000000
#define NETLOGON_FLAG_2000000 0x2000000
#define NETLOGON_FLAG_AES 0x1000000
#define NETLOGON_FLAG_800000 0x800000
#define NETLOGON_FLAG_400000 0x400000
#define NETLOGON_FLAG_200000 0x200000
#define NETLOGON_FLAG_100000 0x100000
#define NETLOGON_FLAG_80000 0x80000
#define NETLOGON_FLAG_40000 0x40000
#define NETLOGON_FLAG_20000 0x20000
#define NETLOGON_FLAG_10000 0x10000
#define NETLOGON_FLAG_8000 0x8000
#define NETLOGON_FLAG_STRONGKEY 0x4000
#define NETLOGON_FLAG_2000 0x2000
#define NETLOGON_FLAG_1000 0x1000
#define NETLOGON_FLAG_800 0x800
#define NETLOGON_FLAG_400 0x400
#define NETLOGON_FLAG_200 0x200
#define NETLOGON_FLAG_100 0x100
#define NETLOGON_FLAG_80 0x80
#define NETLOGON_FLAG_40 0x40
#define NETLOGON_FLAG_20 0x20
#define NETLOGON_FLAG_10 0x10
#define NETLOGON_FLAG_8 0x8
#define NETLOGON_FLAG_4 0x4
#define NETLOGON_FLAG_2 0x2
#define NETLOGON_FLAG_1 0x1
static wmem_map_t *netlogon_auths=NULL;
#if 0
static wmem_map_t *schannel_auths;
#endif
static gint hf_netlogon_TrustedDomainName_string = -1;
static gint hf_netlogon_UserName_string = -1;
static gint DomainInfo_sid = -1;
static gint DnsDomainInfo_sid = -1;
static gint DnsDomainInfo_domain_guid = -1;
static gint DnsDomainInfo_dns_domain = -1;
static gint DnsDomainInfo_dns_forest = -1;
static gint DnsDomainInfo_name = -1;
static int hf_client_challenge = -1;
static int hf_server_rid = -1;
static int hf_server_challenge = -1;
static int hf_client_credential = -1;
static int hf_server_credential = -1;
static int proto_dcerpc_netlogon = -1;
static int hf_netlogon_logon_dnslogondomainname = -1;
static int hf_netlogon_logon_upn = -1;
static int hf_netlogon_group_attrs_mandatory = -1;
static int hf_netlogon_group_attrs_enabled_by_default = -1;
static int hf_netlogon_group_attrs_enabled = -1;
static int hf_netlogon_opnum = -1;
static int hf_netlogon_data_length = -1;
static int hf_netlogon_extraflags = -1;
static int hf_netlogon_extra_flags_root_forest = -1;
static int hf_netlogon_trust_flags_dc_firsthop = -1;
static int hf_netlogon_trust_flags_rodc_to_dc = -1;
static int hf_netlogon_trust_flags_rodc_ntlm = -1;
static int hf_netlogon_package_name = -1;
static int hf_netlogon_rc = -1;
static int hf_netlogon_dos_rc = -1;
static int hf_netlogon_werr_rc = -1;
static int hf_netlogon_len = -1;
static int hf_netlogon_sensitive_data_flag = -1;
static int hf_netlogon_sensitive_data_len = -1;
static int hf_netlogon_sensitive_data = -1;
static int hf_netlogon_security_information = -1;
static int hf_netlogon_dummy = -1;
static int hf_netlogon_neg_flags = -1;
/* static int hf_netlogon_neg_flags_80000000 = -1; */
static int hf_netlogon_neg_flags_40000000 = -1;
static int hf_netlogon_neg_flags_20000000 = -1;
/* static int hf_netlogon_neg_flags_10000000 = -1; */
/* static int hf_netlogon_neg_flags_8000000 = -1; */
/* static int hf_netlogon_neg_flags_4000000 = -1; */
/* static int hf_netlogon_neg_flags_2000000 = -1; */
static int hf_netlogon_neg_flags_1000000 = -1;
/* static int hf_netlogon_neg_flags_800000 = -1; */
/* static int hf_netlogon_neg_flags_400000 = -1; */
static int hf_netlogon_neg_flags_200000 = -1;
static int hf_netlogon_neg_flags_100000 = -1;
static int hf_netlogon_neg_flags_80000 = -1;
static int hf_netlogon_neg_flags_40000 = -1;
static int hf_netlogon_neg_flags_20000 = -1;
static int hf_netlogon_neg_flags_10000 = -1;
static int hf_netlogon_neg_flags_8000 = -1;
static int hf_netlogon_neg_flags_4000 = -1;
static int hf_netlogon_neg_flags_2000 = -1;
static int hf_netlogon_neg_flags_1000 = -1;
static int hf_netlogon_neg_flags_800 = -1;
static int hf_netlogon_neg_flags_400 = -1;
static int hf_netlogon_neg_flags_200 = -1;
static int hf_netlogon_neg_flags_100 = -1;
static int hf_netlogon_neg_flags_80 = -1;
static int hf_netlogon_neg_flags_40 = -1;
static int hf_netlogon_neg_flags_20 = -1;
static int hf_netlogon_neg_flags_10 = -1;
static int hf_netlogon_neg_flags_8 = -1;
static int hf_netlogon_neg_flags_4 = -1;
static int hf_netlogon_neg_flags_2 = -1;
static int hf_netlogon_neg_flags_1 = -1;
static int hf_netlogon_minworkingsetsize = -1;
static int hf_netlogon_maxworkingsetsize = -1;
static int hf_netlogon_pagedpoollimit = -1;
static int hf_netlogon_pagefilelimit = -1;
static int hf_netlogon_timelimit = -1;
static int hf_netlogon_nonpagedpoollimit = -1;
/* static int hf_netlogon_pac_size = -1; */
/* static int hf_netlogon_pac_data = -1; */
/* static int hf_netlogon_auth_size = -1; */
/* static int hf_netlogon_auth_data = -1; */
static int hf_netlogon_cipher_len = -1;
static int hf_netlogon_cipher_maxlen = -1;
static int hf_netlogon_cipher_current_data = -1;
static int hf_netlogon_cipher_current_set_time = -1;
static int hf_netlogon_cipher_old_data = -1;
static int hf_netlogon_cipher_old_set_time = -1;
static int hf_netlogon_priv = -1;
static int hf_netlogon_privilege_entries = -1;
static int hf_netlogon_privilege_control = -1;
static int hf_netlogon_privilege_name = -1;
static int hf_netlogon_systemflags = -1;
static int hf_netlogon_pdc_connection_status = -1;
static int hf_netlogon_tc_connection_status = -1;
static int hf_netlogon_restart_state = -1;
static int hf_netlogon_attrs = -1;
static int hf_netlogon_lsapolicy_len = -1;
/* static int hf_netlogon_lsapolicy_referentid = -1; */
/* static int hf_netlogon_lsapolicy_pointer = -1; */
static int hf_netlogon_count = -1;
static int hf_netlogon_entries = -1;
static int hf_netlogon_minpasswdlen = -1;
static int hf_netlogon_passwdhistorylen = -1;
static int hf_netlogon_level16 = -1;
static int hf_netlogon_validation_level = -1;
static int hf_netlogon_reference = -1;
static int hf_netlogon_next_reference = -1;
static int hf_netlogon_timestamp = -1;
static int hf_netlogon_level = -1;
static int hf_netlogon_challenge = -1;
static int hf_netlogon_reserved = -1;
static int hf_netlogon_audit_retention_period = -1;
static int hf_netlogon_auditing_mode = -1;
static int hf_netlogon_max_audit_event_count = -1;
static int hf_netlogon_event_audit_option = -1;
static int hf_netlogon_unknown_string = -1;
static int hf_netlogon_trust_extension = -1;
static int hf_netlogon_trust_max = -1;
static int hf_netlogon_trust_offset = -1;
static int hf_netlogon_trust_len = -1;
static int hf_netlogon_dummy_string = -1;
static int hf_netlogon_dummy_string2 = -1;
static int hf_netlogon_dummy_string3 = -1;
static int hf_netlogon_dummy_string4 = -1;
static int hf_netlogon_dummy_string5 = -1;
static int hf_netlogon_dummy_string6 = -1;
static int hf_netlogon_dummy_string7 = -1;
static int hf_netlogon_dummy_string8 = -1;
static int hf_netlogon_dummy_string9 = -1;
static int hf_netlogon_dummy_string10 = -1;
static int hf_netlogon_unknown_short = -1;
static int hf_netlogon_unknown_long = -1;
static int hf_netlogon_dummy1_long = -1;
static int hf_netlogon_dummy2_long = -1;
static int hf_netlogon_dummy3_long = -1;
static int hf_netlogon_dummy4_long = -1;
static int hf_netlogon_dummy5_long = -1;
static int hf_netlogon_dummy6_long = -1;
static int hf_netlogon_dummy7_long = -1;
static int hf_netlogon_dummy8_long = -1;
static int hf_netlogon_dummy9_long = -1;
static int hf_netlogon_dummy10_long = -1;
static int hf_netlogon_unknown_char = -1;
static int hf_netlogon_logon_time = -1;
static int hf_netlogon_logoff_time = -1;
static int hf_netlogon_last_logoff_time = -1;
static int hf_netlogon_kickoff_time = -1;
static int hf_netlogon_pwd_age = -1;
static int hf_netlogon_pwd_last_set_time = -1;
static int hf_netlogon_pwd_can_change_time = -1;
static int hf_netlogon_pwd_must_change_time = -1;
static int hf_netlogon_nt_chal_resp = -1;
static int hf_netlogon_lm_chal_resp = -1;
static int hf_netlogon_credential = -1;
static int hf_netlogon_acct_name = -1;
static int hf_netlogon_acct_desc = -1;
static int hf_netlogon_group_desc = -1;
static int hf_netlogon_full_name = -1;
static int hf_netlogon_comment = -1;
static int hf_netlogon_parameters = -1;
static int hf_netlogon_logon_script = -1;
static int hf_netlogon_profile_path = -1;
static int hf_netlogon_home_dir = -1;
static int hf_netlogon_dir_drive = -1;
static int hf_netlogon_logon_count = -1;
static int hf_netlogon_logon_count16 = -1;
static int hf_netlogon_bad_pw_count = -1;
static int hf_netlogon_bad_pw_count16 = -1;
static int hf_netlogon_user_rid = -1;
static int hf_netlogon_alias_rid = -1;
static int hf_netlogon_group_rid = -1;
static int hf_netlogon_logon_srv = -1;
/* static int hf_netlogon_principal = -1; */
static int hf_netlogon_logon_dom = -1;
static int hf_netlogon_resourcegroupcount = -1;
static int hf_netlogon_accountdomaingroupcount = -1;
static int hf_netlogon_domaingroupcount = -1;
static int hf_netlogon_membership_domains_count = -1;
static int hf_netlogon_downlevel_domain_name = -1;
static int hf_netlogon_dns_domain_name = -1;
static int hf_netlogon_ad_client_dns_name = -1;
static int hf_netlogon_domain_name = -1;
static int hf_netlogon_domain_create_time = -1;
static int hf_netlogon_domain_modify_time = -1;
static int hf_netlogon_modify_count = -1;
static int hf_netlogon_db_modify_time = -1;
static int hf_netlogon_db_create_time = -1;
static int hf_netlogon_oem_info = -1;
static int hf_netlogon_serial_number = -1;
static int hf_netlogon_num_rids = -1;
static int hf_netlogon_num_trusts = -1;
static int hf_netlogon_num_controllers = -1;
static int hf_netlogon_num_sid = -1;
static int hf_netlogon_computer_name = -1;
static int hf_netlogon_site_name = -1;
static int hf_netlogon_trusted_dc_name = -1;
static int hf_netlogon_dc_name = -1;
static int hf_netlogon_dc_site_name = -1;
static int hf_netlogon_dns_forest_name = -1;
static int hf_netlogon_dc_address = -1;
static int hf_netlogon_dc_address_type = -1;
static int hf_netlogon_client_site_name = -1;
static int hf_netlogon_workstation = -1;
static int hf_netlogon_workstation_site_name = -1;
static int hf_netlogon_os_version = -1;
static int hf_netlogon_workstation_os = -1;
static int hf_netlogon_workstation_flags = -1;
static int hf_netlogon_supportedenctypes = -1;
static int hf_netlogon_workstations = -1;
static int hf_netlogon_workstation_fqdn = -1;
static int hf_netlogon_group_name = -1;
static int hf_netlogon_alias_name = -1;
static int hf_netlogon_country = -1;
static int hf_netlogon_codepage = -1;
static int hf_netlogon_flags = -1;
static int hf_netlogon_trust_attribs = -1;
static int hf_netlogon_trust_attribs_non_transitive = -1;
static int hf_netlogon_trust_attribs_uplevel_only = -1;
static int hf_netlogon_trust_attribs_quarantined_domain = -1;
static int hf_netlogon_trust_attribs_forest_transitive = -1;
static int hf_netlogon_trust_attribs_cross_organization = -1;
static int hf_netlogon_trust_attribs_within_forest = -1;
static int hf_netlogon_trust_attribs_treat_as_external = -1;
static int hf_netlogon_trust_type = -1;
static int hf_netlogon_trust_flags = -1;
static int hf_netlogon_trust_flags_inbound = -1;
static int hf_netlogon_trust_flags_outbound = -1;
static int hf_netlogon_trust_flags_in_forest = -1;
static int hf_netlogon_trust_flags_native_mode = -1;
static int hf_netlogon_trust_flags_primary = -1;
static int hf_netlogon_trust_flags_tree_root = -1;
static int hf_netlogon_trust_parent_index = -1;
static int hf_netlogon_user_account_control = -1;
static int hf_netlogon_user_account_control_dont_require_preauth = -1;
static int hf_netlogon_user_account_control_use_des_key_only = -1;
static int hf_netlogon_user_account_control_not_delegated = -1;
static int hf_netlogon_user_account_control_trusted_for_delegation = -1;
static int hf_netlogon_user_account_control_smartcard_required = -1;
static int hf_netlogon_user_account_control_encrypted_text_password_allowed = -1;
static int hf_netlogon_user_account_control_account_auto_locked = -1;
static int hf_netlogon_user_account_control_dont_expire_password = -1;
static int hf_netlogon_user_account_control_server_trust_account = -1;
static int hf_netlogon_user_account_control_workstation_trust_account = -1;
static int hf_netlogon_user_account_control_interdomain_trust_account = -1;
static int hf_netlogon_user_account_control_mns_logon_account = -1;
static int hf_netlogon_user_account_control_normal_account = -1;
static int hf_netlogon_user_account_control_temp_duplicate_account = -1;
static int hf_netlogon_user_account_control_password_not_required = -1;
static int hf_netlogon_user_account_control_home_directory_required = -1;
static int hf_netlogon_user_account_control_account_disabled = -1;
static int hf_netlogon_user_flags = -1;
static int hf_netlogon_user_flags_extra_sids = -1;
static int hf_netlogon_user_flags_resource_groups = -1;
static int hf_netlogon_auth_flags = -1;
static int hf_netlogon_pwd_expired = -1;
static int hf_netlogon_nt_pwd_present = -1;
static int hf_netlogon_lm_pwd_present = -1;
static int hf_netlogon_code = -1;
static int hf_netlogon_database_id = -1;
static int hf_netlogon_sync_context = -1;
static int hf_netlogon_max_size = -1;
static int hf_netlogon_max_log_size = -1;
static int hf_netlogon_dns_host = -1;
static int hf_netlogon_acct_expiry_time = -1;
static int hf_netlogon_encrypted_lm_owf_password = -1;
static int hf_netlogon_lm_owf_password = -1;
static int hf_netlogon_nt_owf_password = -1;
static int hf_netlogon_param_ctrl = -1;
static int hf_netlogon_logon_id = -1;
static int hf_netlogon_num_deltas = -1;
static int hf_netlogon_user_session_key = -1;
static int hf_netlogon_blob_size = -1;
static int hf_netlogon_blob = -1;
static int hf_netlogon_logon_attempts = -1;
static int hf_netlogon_authoritative = -1;
static int hf_netlogon_secure_channel_type = -1;
static int hf_netlogon_logonsrv_handle = -1;
static int hf_netlogon_delta_type = -1;
static int hf_netlogon_get_dcname_request_flags = -1;
static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
static int hf_netlogon_get_dcname_request_flags_background_only = -1;
static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
static int hf_netlogon_dc_flags = -1;
static int hf_netlogon_dc_flags_pdc_flag = -1;
static int hf_netlogon_dc_flags_gc_flag = -1;
static int hf_netlogon_dc_flags_ldap_flag = -1;
static int hf_netlogon_dc_flags_ds_flag = -1;
static int hf_netlogon_dc_flags_kdc_flag = -1;
static int hf_netlogon_dc_flags_timeserv_flag = -1;
static int hf_netlogon_dc_flags_closest_flag = -1;
static int hf_netlogon_dc_flags_writable_flag = -1;
static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
static int hf_netlogon_dc_flags_ndnc_flag = -1;
static int hf_netlogon_dc_flags_dns_controller_flag = -1;
static int hf_netlogon_dc_flags_dns_domain_flag = -1;
static int hf_netlogon_dc_flags_dns_forest_flag = -1;
/* static int hf_netlogon_dnsdomaininfo = -1; */
static int hf_netlogon_s4u2proxytarget = -1;
static int hf_netlogon_transitedlistsize = -1;
static int hf_netlogon_transited_service = -1;
static int hf_netlogon_logon_duration = -1;
static int hf_netlogon_time_created = -1;
static gint ett_nt_counted_longs_as_string = -1;
static gint ett_dcerpc_netlogon = -1;
static gint ett_group_attrs = -1;
static gint ett_user_flags = -1;
static gint ett_user_account_control = -1;
static gint ett_QUOTA_LIMITS = -1;
static gint ett_IDENTITY_INFO = -1;
static gint ett_DELTA_ENUM = -1;
static gint ett_authenticate_flags = -1;
static gint ett_CYPHER_VALUE = -1;
static gint ett_UNICODE_MULTI = -1;
static gint ett_DOMAIN_CONTROLLER_INFO = -1;
static gint ett_UNICODE_STRING_512 = -1;
static gint ett_TYPE_50 = -1;
static gint ett_TYPE_52 = -1;
static gint ett_DELTA_ID_UNION = -1;
static gint ett_TYPE_44 = -1;
static gint ett_DELTA_UNION = -1;
static gint ett_LM_OWF_PASSWORD = -1;
static gint ett_NT_OWF_PASSWORD = -1;
static gint ett_GROUP_MEMBERSHIP = -1;
static gint ett_BLOB = -1;
static gint ett_DS_DOMAIN_TRUSTS = -1;
static gint ett_LSA_POLICY_INFO = -1;
static gint ett_DOMAIN_TRUST_INFO = -1;
static gint ett_trust_flags = -1;
static gint ett_trust_attribs = -1;
static gint ett_get_dcname_request_flags = -1;
static gint ett_dc_flags = -1;
static gint ett_wstr_LOGON_IDENTITY_INFO_string = -1;
static gint ett_domain_group_memberships = -1;
static gint ett_domains_group_memberships = -1;
static expert_field ei_netlogon_auth_nthash = EI_INIT;
static expert_field ei_netlogon_session_key = EI_INIT;
typedef struct _netlogon_auth_vars {
guint64 client_challenge;
guint64 server_challenge;
md4_pass nthash;
int auth_fd_num;
guint8 session_key[16];
guint8 encryption_key[16];
guint8 sequence[16];
guint32 flags;
guint64 seq;
guint64 confounder;
guint8 private_type;
gboolean can_decrypt;
char* client_name;
int start;
int next_start;
struct _netlogon_auth_vars *next;
} netlogon_auth_vars;
typedef struct _seen_packet {
gboolean isseen;
guint32 num;
} seen_packet;
static seen_packet seen;
static e_guid_t uuid_dcerpc_netlogon = {
0x12345678, 0x1234, 0xabcd,
{ 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
};
static guint16 ver_dcerpc_netlogon = 1;
static gint dissect_dcerpc_8bytes (tvbuff_t *tvb, gint offset, packet_info *pinfo _U_,
proto_tree *tree, guint8 *drep,
int hfindex, guint64 *pdata)
{
guint64 data;
data = ((drep[0] & DREP_LITTLE_ENDIAN)
? tvb_get_letoh64 (tvb, offset)
: tvb_get_ntoh64 (tvb, offset));
/* These fields are FT_BYTES, hence the byte order doesn't matter */
if (tree) {
proto_tree_add_item(tree, hfindex, tvb, offset, 8, ENC_NA);
}
if (pdata)
*pdata = data;
return offset+8;
}
static const true_false_string user_account_control_dont_require_preauth= {
"This account DOESN'T_REQUIRE_PREAUTHENTICATION",
"This account REQUIRES preauthentication",
};
static const true_false_string user_account_control_use_des_key_only= {
"This account must USE_DES_KEY_ONLY for passwords",
"This account does NOT have to use_des_key_only",
};
static const true_false_string user_account_control_not_delegated= {
"This account is NOT_DELEGATED",
"This might have been delegated",
};
static const true_false_string user_account_control_trusted_for_delegation= {
"This account is TRUSTED_FOR_DELEGATION",
"This account is NOT trusted_for_delegation",
};
static const true_false_string user_account_control_smartcard_required= {
"This account REQUIRES_SMARTCARD to authenticate",
"This account does NOT require_smartcard to authenticate",
};
static const true_false_string user_account_control_encrypted_text_password_allowed= {
"This account allows ENCRYPTED_TEXT_PASSWORD",
"This account does NOT allow encrypted_text_password",
};
static const true_false_string user_account_control_account_auto_locked= {
"This account is AUTO_LOCKED",
"This account is NOT auto_locked",
};
static const true_false_string user_account_control_dont_expire_password= {
"This account DOESN'T_EXPIRE_PASSWORDs",
"This account might expire_passwords",
};
static const true_false_string user_account_control_server_trust_account= {
"This account is a SERVER_TRUST_ACCOUNT",
"This account is NOT a server_trust_account",
};
static const true_false_string user_account_control_workstation_trust_account= {
"This account is a WORKSTATION_TRUST_ACCOUNT",
"This account is NOT a workstation_trust_account",
};
static const true_false_string user_account_control_interdomain_trust_account= {
"This account is an INTERDOMAIN_TRUST_ACCOUNT",
"This account is NOT an interdomain_trust_account",
};
static const true_false_string user_account_control_mns_logon_account= {
"This account is a MNS_LOGON_ACCOUNT",
"This account is NOT a mns_logon_account",
};
static const true_false_string user_account_control_normal_account= {
"This account is a NORMAL_ACCOUNT",
"This account is NOT a normal_account",
};
static const true_false_string user_account_control_temp_duplicate_account= {
"This account is a TEMP_DUPLICATE_ACCOUNT",
"This account is NOT a temp_duplicate_account",
};
static const true_false_string user_account_control_password_not_required= {
"This account REQUIRES_NO_PASSWORD",
"This account REQUIRES a password",
};
static const true_false_string user_account_control_home_directory_required= {
"This account REQUIRES_HOME_DIRECTORY",
"This account does NOT require_home_directory",
};
static const true_false_string user_account_control_account_disabled= {
"This account is DISABLED",
"This account is NOT disabled",
};
typedef struct _netlogon_auth_key {
/*
* For now we only match the client and server ip
* addresses, as keys can be used across tcp connections.
*
* Also note that ServerChallenge and ServerAuthenticate
* can be on different tcp connections!
*
* TODO:
* * We could have a challenge table indexed by client, server
* and computer name
* * A good ServerAuthenticate could fill a session key table
* indexed by computer name.
* * A DCERPC bind/alter context could lookup the session key table
* and copy the session key to the DCERPC connection/auth_context.
*/
address client;
address server;
} netlogon_auth_key;
static gint
netlogon_auth_equal (gconstpointer k1, gconstpointer k2)
{
const netlogon_auth_key *key1 = (const netlogon_auth_key *)k1;
const netlogon_auth_key *key2 = (const netlogon_auth_key *)k2;
return (addresses_equal(&key1->client,&key2->client) && addresses_equal(&key1->server,&key2->server));
}
static guint
netlogon_auth_hash (gconstpointer k)
{
const netlogon_auth_key *key1 = (const netlogon_auth_key *)k;
guint hash_val1 = 0;
hash_val1 = add_address_to_hash(hash_val1, &key1->client);
hash_val1 = add_address_to_hash(hash_val1, &key1->server);
return hash_val1;
}
static int
netlogon_dissect_EXTRA_FLAGS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
{
guint32 mask;
static int * const extraflags[] = {
&hf_netlogon_extra_flags_root_forest,
&hf_netlogon_trust_flags_dc_firsthop,
&hf_netlogon_trust_flags_rodc_to_dc,
&hf_netlogon_trust_flags_rodc_ntlm,
NULL
};
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
-1, &mask);
proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_extraflags, ett_trust_flags, extraflags, mask, BMT_NO_APPEND);
return offset;
}
struct LOGON_INFO_STATE;
struct LOGON_INFO_STATE_CB {
struct LOGON_INFO_STATE *state;
ntlmssp_blob *response;
const guint8 **name_ptr;
int name_levels;
};
struct LOGON_INFO_STATE {
packet_info *pinfo;
proto_tree *tree;
guint8 server_challenge[8];
ntlmssp_blob nt_response;
ntlmssp_blob lm_response;
ntlmssp_header_t ntlmssph;
struct LOGON_INFO_STATE_CB domain_cb, acct_cb, host_cb, nt_cb, lm_cb;
};
static void dissect_LOGON_INFO_STATE_finish(struct LOGON_INFO_STATE *state)
{
if (state->ntlmssph.acct_name != NULL &&
state->nt_response.length >= 24 &&
state->lm_response.length >= 24)
{
if (state->ntlmssph.domain_name == NULL) {
state->ntlmssph.domain_name = "";
}
if (state->ntlmssph.host_name == NULL) {
state->ntlmssph.host_name = "";
}
ntlmssp_create_session_key(state->pinfo,
state->tree,
&state->ntlmssph,
0, /* NTLMSSP_ flags */
state->server_challenge,
NULL, /* encryptedsessionkey */
&state->nt_response,
&state->lm_response);
}
}
static void dissect_ndr_lm_nt_byte_array(packet_info *pinfo,
proto_tree *tree,
proto_item *item _U_,
dcerpc_info *di,
tvbuff_t *tvb,
int start_offset,
int end_offset,
void *callback_args)
{
struct LOGON_INFO_STATE_CB *cb_ref = (struct LOGON_INFO_STATE_CB *)callback_args;
struct LOGON_INFO_STATE *state = NULL;
int offset = start_offset;
guint64 tmp;
guint16 len;
if (cb_ref == NULL) {
return;
}
state = cb_ref->state;
if (di->conformant_run) {
/* just a run to handle conformant arrays, no scalars to dissect */
return;
}
/* NDR array header */
ALIGN_TO_5_BYTES
if (di->call_data->flags & DCERPC_IS_NDR64) {
offset += 3 * 8;
} else {
offset += 3 * 4;
}
tmp = end_offset - offset;
if (tmp > NTLMSSP_BLOB_MAX_SIZE) {
tmp = NTLMSSP_BLOB_MAX_SIZE;
}
len = (guint16)tmp;
cb_ref->response->length = len;
cb_ref->response->contents = (guint8 *)tvb_memdup(pinfo->pool, tvb, offset, len);
if (len > 24) {
dissect_ntlmv2_response(tvb, pinfo, tree, offset, len);
}
dissect_LOGON_INFO_STATE_finish(state);
}
static int
dissect_ndr_lm_nt_hash_cb(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep, int hf_index,
dcerpc_callback_fnct_t *callback,
void *callback_args)
{
guint16 len, size;
/* Structure starts with short, but is aligned for longs */
ALIGN_TO_4_BYTES;
if (di->conformant_run)
return offset;
#if 0
struct {
short len;
short size;
[size_is(size/2), length_is(len/2), ptr] unsigned short *string;
} HASH;
#endif
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_nt_cs_len, &len);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_nt_cs_size, &size);
offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
dissect_ndr_byte_array, NDR_POINTER_UNIQUE,
"Bytes Array", hf_index, callback, callback_args);
return offset;
}
static int
dissect_ndr_lm_nt_hash_helper(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep, int hf_index,
struct LOGON_INFO_STATE_CB *cb_ref)
{
proto_tree *subtree;
subtree = proto_tree_add_subtree(
tree, tvb, offset, 0, ett_LM_OWF_PASSWORD, NULL,
proto_registrar_get_name(hf_index));
return dissect_ndr_lm_nt_hash_cb(
tvb, offset, pinfo, subtree, di, drep, hf_index,
dissect_ndr_lm_nt_byte_array, cb_ref);
}
static int
netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
{
guint32 mask;
static int * const uac[] = {
&hf_netlogon_user_account_control_dont_require_preauth,
&hf_netlogon_user_account_control_use_des_key_only,
&hf_netlogon_user_account_control_not_delegated,
&hf_netlogon_user_account_control_trusted_for_delegation,
&hf_netlogon_user_account_control_smartcard_required,
&hf_netlogon_user_account_control_encrypted_text_password_allowed,
&hf_netlogon_user_account_control_account_auto_locked,
&hf_netlogon_user_account_control_dont_expire_password,
&hf_netlogon_user_account_control_server_trust_account,
&hf_netlogon_user_account_control_workstation_trust_account,
&hf_netlogon_user_account_control_interdomain_trust_account,
&hf_netlogon_user_account_control_mns_logon_account,
&hf_netlogon_user_account_control_normal_account,
&hf_netlogon_user_account_control_temp_duplicate_account,
&hf_netlogon_user_account_control_password_not_required,
&hf_netlogon_user_account_control_home_directory_required,
&hf_netlogon_user_account_control_account_disabled,
NULL
};
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
-1, &mask);
proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_user_account_control, ett_user_account_control, uac, mask, BMT_NO_APPEND);
return offset;
}
static int
netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Server Handle",
hf_netlogon_logonsrv_handle, 0);
return offset;
}
/*
* IDL typedef struct {
* IDL [unique][string] wchar_t *effective_name;
* IDL long priv;
* IDL long auth_flags;
* IDL long logon_count;
* IDL long bad_pw_count;
* IDL long last_logon;
* IDL long last_logoff;
* IDL long logoff_time;
* IDL long kickoff_time;
* IDL long password_age;
* IDL long pw_can_change;
* IDL long pw_must_change;
* IDL [unique][string] wchar_t *computer;
* IDL [unique][string] wchar_t *domain;
* IDL [unique][string] wchar_t *script_path;
* IDL long reserved;
*/
static int
netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Effective Account",
hf_netlogon_acct_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_priv, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_auth_flags, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_count, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_bad_pw_count, NULL);
offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_logon_time, NULL);
offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_last_logoff_time, NULL);
offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_logoff_time, NULL);
offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_kickoff_time, NULL);
offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_age, NULL);
offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_can_change_time, NULL);
offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_must_change_time, NULL);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL long NetrLogonUasLogon(
* IDL [in][unique][string] wchar_t *ServerName,
* IDL [in][ref][string] wchar_t *UserName,
* IDL [in][ref][string] wchar_t *Workstation,
* IDL [out][unique] VALIDATION_UAS_INFO *info
* IDL );
*/
static int
netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
return offset;
}
static int
netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
"VALIDATION_UAS_INFO", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL long duration;
* IDL short logon_count;
* IDL } LOGOFF_UAS_INFO;
*/
static int
netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 duration;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
duration = tvb_get_guint32(tvb, offset, DREP_ENC_INTEGER(drep));
proto_tree_add_uint_format_value(tree, hf_netlogon_logon_duration, tvb, offset, 4, duration, "unknown time format");
offset+= 4;
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_count16, NULL);
return offset;
}
/*
* IDL long NetrLogonUasLogoff(
* IDL [in][unique][string] wchar_t *ServerName,
* IDL [in][ref][string] wchar_t *UserName,
* IDL [in][ref][string] wchar_t *Workstation,
* IDL [out][ref] LOGOFF_UAS_INFO *info
* IDL );
*/
static int
netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
return offset;
}
static int
netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
"LOGOFF_UAS_INFO", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
static int
netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_char, NULL);
return offset;
}
static int
netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_byte);
return offset;
}
static void cb_wstr_LOGON_IDENTITY_INFO(packet_info *pinfo, proto_tree *tree,
proto_item *item, dcerpc_info *di,
tvbuff_t *tvb,
int start_offset, int end_offset,
void *callback_args)
{
dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
struct LOGON_INFO_STATE_CB *cb_ref =
(struct LOGON_INFO_STATE_CB *)callback_args;
struct LOGON_INFO_STATE *state = cb_ref->state;
cb_wstr_postprocess(pinfo, tree, item, di, tvb, start_offset, end_offset,
GINT_TO_POINTER(cb_ref->name_levels));
if (*cb_ref->name_ptr == NULL) {
*cb_ref->name_ptr = (const guint8 *)dcv->private_data;
}
dissect_LOGON_INFO_STATE_finish(state);
}
static int
dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep,
int hf_index, int levels,
struct LOGON_INFO_STATE_CB *cb_ref)
{
proto_item *item = NULL;
proto_tree *subtree = NULL;
if (cb_ref == NULL) {
return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_index, levels);
}
subtree = proto_tree_add_subtree(tree, tvb, offset, 0,
ett_wstr_LOGON_IDENTITY_INFO_string, &item,
proto_registrar_get_name(hf_index));
/*
* Add 2 levels, so that the string gets attached to the
* "Character Array" top-level item and to the top-level item
* added above.
*/
cb_ref->name_levels = 2 + levels;
cb_ref->name_levels |= CB_STR_SAVE;
return dissect_ndr_counted_string_cb(tvb, offset, pinfo, subtree, di, drep,
hf_index, cb_wstr_LOGON_IDENTITY_INFO, cb_ref);
}
/*
* IDL typedef struct {
* IDL UNICODESTRING LogonDomainName;
* IDL long ParameterControl;
* IDL uint64 LogonID;
* IDL UNICODESTRING UserName;
* IDL UNICODESTRING Workstation;
* IDL } LOGON_IDENTITY_INFO;
*/
static int
netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep,
struct LOGON_INFO_STATE *state)
{
struct LOGON_INFO_STATE_CB *domain_cb = NULL;
struct LOGON_INFO_STATE_CB *acct_cb = NULL;
struct LOGON_INFO_STATE_CB *host_cb = NULL;
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if (state != NULL) {
domain_cb = &state->domain_cb;
acct_cb = &state->acct_cb;
host_cb = &state->host_cb;
}
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_IDENTITY_INFO, &item, "IDENTITY_INFO:");
}
/* XXX: It would be nice to get the domain and account name
displayed in COL_INFO. */
offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_dom, 0, domain_cb);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_param_ctrl, NULL);
offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_id, NULL);
offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_acct_name, 1, acct_cb);
offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_workstation, 0, host_cb);
#ifdef REMOVED
/* NetMon does not recognize these bytes. I'll comment them out until someone complains */
/* XXX 8 extra bytes here */
/* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
the idl file. Could be a bug in either the NETLOGON implementation or in the
idl file.
*/
offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, di, drep);
#endif
proto_item_set_len(item, offset-old_offset);
return offset;
}
/*
* IDL typedef struct {
* IDL char password[16];
* IDL } LM_OWF_PASSWORD;
*/
static int
netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
packet_info *pinfo _U_, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep _U_)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect.*/
return offset;
}
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16,
ett_LM_OWF_PASSWORD, &item, "LM_OWF_PASSWORD:");
}
proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
ENC_NA);
offset += 16;
return offset;
}
/*
* IDL typedef struct {
* IDL char password[16];
* IDL } NT_OWF_PASSWORD;
*/
static int
netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
packet_info *pinfo _U_, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep _U_)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect.*/
return offset;
}
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16,
ett_NT_OWF_PASSWORD, &item, "NT_OWF_PASSWORD:");
}
proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
ENC_NA);
offset += 16;
return offset;
}
/*
* IDL typedef struct {
* IDL LOGON_IDENTITY_INFO identity_info;
* IDL LM_OWF_PASSWORD lmpassword;
* IDL NT_OWF_PASSWORD ntpassword;
* IDL } INTERACTIVE_INFO;
*/
static int
netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
pinfo, tree, di, drep,
NULL);
offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
pinfo, tree, di, drep);
offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
pinfo, tree, di, drep);
return offset;
}
/*
* IDL typedef struct {
* IDL char chl[8];
* IDL } CHALLENGE;
*/
static int
netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
packet_info *pinfo _U_, proto_tree *tree,
dcerpc_info *di, guint8 *drep _U_)
{
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect.*/
return offset;
}
proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
ENC_NA);
offset += 8;
return offset;
}
static int
netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
struct LOGON_INFO_STATE *state =
(struct LOGON_INFO_STATE *)di->private_data;
int last_offset;
struct LOGON_INFO_STATE_CB *nt_cb = NULL;
struct LOGON_INFO_STATE_CB *lm_cb = NULL;
if (state == NULL) {
state = wmem_new0(pinfo->pool, struct LOGON_INFO_STATE);
state->ntlmssph = (ntlmssp_header_t) { .type = NTLMSSP_AUTH, };
state->domain_cb.state = state;
state->domain_cb.name_ptr = &state->ntlmssph.domain_name;
state->acct_cb.state = state;
state->acct_cb.name_ptr = &state->ntlmssph.acct_name;
state->host_cb.state = state;
state->host_cb.name_ptr = &state->ntlmssph.host_name;
state->nt_cb.state = state;
state->nt_cb.response = &state->nt_response;
state->lm_cb.state = state;
state->lm_cb.response = &state->lm_response;
di->private_data = state;
}
state->pinfo = pinfo;
state->tree = tree;
offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
pinfo, tree, di, drep,
state);
last_offset = offset;
offset = netlogon_dissect_CHALLENGE(tvb, offset,
pinfo, tree, di, drep);
if (offset == (last_offset + 8)) {
tvb_memcpy(tvb, state->server_challenge, last_offset, 8);
nt_cb = &state->nt_cb;
lm_cb = &state->lm_cb;
}
offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, di, drep,
hf_netlogon_nt_chal_resp,
nt_cb);
offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, di, drep,
hf_netlogon_lm_chal_resp,
lm_cb);
return offset;
}
/*
* IDL typedef struct {
* IDL LOGON_IDENTITY_INFO logon_info;
* IDL LM_OWF_PASSWORD lmpassword;
* IDL NT_OWF_PASSWORD ntpassword;
* IDL } SERVICE_INFO;
*/
static int
netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
pinfo, tree, di, drep,
NULL);
offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
pinfo, tree, di, drep);
offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_GENERIC_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
pinfo, tree, di, drep,
NULL);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_package_name, 0|CB_STR_SAVE);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_data_length, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_REF,
"Logon Data", -1);
return offset;
}
/*
* IDL typedef [switch_type(short)] union {
* IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
* IDL [case(2)][unique] NETWORK_INFO *ninfo;
* IDL [case(3)][unique] SERVICE_INFO *sinfo;
* IDL } LEVEL;
*/
static int
netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint16 level = 0;
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level16, &level);
ALIGN_TO_4_BYTES;
switch(level){
case 1:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
"INTERACTIVE_INFO:", -1);
break;
case 2:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
"NETWORK_INFO:", -1);
break;
case 3:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
"SERVICE_INFO:", -1);
break;
case 4:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_GENERIC_INFO, NDR_POINTER_UNIQUE,
"GENERIC_INFO:", -1);
break;
case 5:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
"INTERACTIVE_TRANSITIVE_INFO:", -1);
break;
case 6:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
"NETWORK_TRANSITIVE_INFO", -1);
break;
case 7:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
"SERVICE_TRANSITIVE_INFO", -1);
break;
}
return offset;
}
/*
* IDL typedef struct {
* IDL char cred[8];
* IDL } CREDENTIAL;
*/
static int
netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
packet_info *pinfo _U_, proto_tree *tree,
dcerpc_info *di, guint8 *drep _U_)
{
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect.*/
return offset;
}
proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
ENC_NA);
offset += 8;
return offset;
}
/*
* IDL typedef struct {
* IDL CREDENTIAL cred;
* IDL long timestamp;
* IDL } AUTHENTICATOR;
*/
static int
netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset = netlogon_dissect_CREDENTIAL(tvb, offset,
pinfo, tree, di, drep);
/*
* XXX - this appears to be a UNIX time_t in some credentials, but
* appears to be random junk in other credentials.
* For example, it looks like a UNIX time_t in "credential"
* AUTHENTICATORs, but like random junk in "return_authenticator"
* AUTHENTICATORs.
*/
ALIGN_TO_4_BYTES;
proto_tree_add_item(tree, hf_netlogon_timestamp, tvb, offset, 4, ENC_TIME_SECS|ENC_LITTLE_ENDIAN);
offset+= 4;
return offset;
}
static const true_false_string group_attrs_mandatory = {
"The MANDATORY bit is SET",
"The mandatory bit is NOT set",
};
static const true_false_string group_attrs_enabled_by_default = {
"The ENABLED_BY_DEFAULT bit is SET",
"The enabled_by_default bit is NOT set",
};
static const true_false_string group_attrs_enabled = {
"The enabled bit is SET",
"The enabled bit is NOT set",
};
static int
netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
{
guint32 mask;
static int * const attr[] = {
&hf_netlogon_group_attrs_enabled,
&hf_netlogon_group_attrs_enabled_by_default,
&hf_netlogon_group_attrs_mandatory,
NULL
};
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
-1, &mask);
proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_attrs, ett_group_attrs, attr, mask, BMT_NO_APPEND);
return offset;
}
/*
* IDL typedef struct {
* IDL long user_id;
* IDL long attributes;
* IDL } GROUP_MEMBERSHIP;
*/
static int
netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_GROUP_MEMBERSHIP, &item, "GROUP_MEMBERSHIP:");
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_group_rid, NULL);
offset = netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvb, offset,
pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_GROUP_MEMBERSHIP);
return offset;
}
/*
* IDL typedef struct {
* IDL char user_session_key[16];
* IDL } USER_SESSION_KEY;
*/
static int
netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
packet_info *pinfo _U_, proto_tree *tree,
dcerpc_info *di, guint8 *drep _U_)
{
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect.*/
return offset;
}
proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
ENC_NA);
offset += 16;
return offset;
}
static const true_false_string user_flags_extra_sids= {
"The EXTRA_SIDS bit is SET",
"The extra_sids is NOT set",
};
static const true_false_string user_flags_resource_groups= {
"The RESOURCE_GROUPS bit is SET",
"The resource_groups is NOT set",
};
static int
netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
{
guint32 mask;
static int * const flags[] = {
&hf_netlogon_user_flags_resource_groups,
&hf_netlogon_user_flags_extra_sids,
NULL
};
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
-1, &mask);
proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_user_flags, ett_user_flags, flags, mask, BMT_NO_APPEND);
return offset;
}
static int
netlogon_dissect_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep,
int hf_count, const char *array_name)
{
guint32 rgc;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_count, &rgc);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
array_name, -1);
return offset;
}
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep,
int hf_count, const char *name)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_domain_group_memberships,
&item, name);
}
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset,
pinfo, tree,
di, drep,
hf_count,
"GroupIDs");
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
return netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb, offset,
pinfo, tree,
di, drep,
hf_netlogon_domaingroupcount,
"DomainGroupIDs");
}
static int
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER);
return offset;
}
static int
netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep,
int hf_count, const char *name)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
guint32 rgc;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_domains_group_memberships,
&item, name);
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_count, &rgc);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY,
NDR_POINTER_UNIQUE,
name, -1);
proto_item_set_len(item, offset-old_offset);
return offset;
}
/*
* IDL typedef struct {
* IDL uint64 LogonTime;
* IDL uint64 LogoffTime;
* IDL uint64 KickOffTime;
* IDL uint64 PasswdLastSet;
* IDL uint64 PasswdCanChange;
* IDL uint64 PasswdMustChange;
* IDL unicodestring effectivename;
* IDL unicodestring fullname;
* IDL unicodestring logonscript;
* IDL unicodestring profilepath;
* IDL unicodestring homedirectory;
* IDL unicodestring homedirectorydrive;
* IDL short LogonCount;
* IDL short BadPasswdCount;
* IDL long userid;
* IDL long primarygroup;
* IDL long groupcount;
* IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
* IDL long userflags;
* IDL USER_SESSION_KEY key;
* IDL unicodestring logonserver;
* IDL unicodestring domainname;
* IDL [unique] SID logondomainid;
* IDL long expansionroom[2];
* IDL long useraccountcontrol;
* IDL long expansionroom[7];
* IDL } VALIDATION_SAM_INFO;
*/
static int
netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logoff_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_kickoff_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_last_set_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_can_change_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_must_change_time);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_acct_name, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_full_name, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_script, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_profile_path, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_home_dir, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dir_drive, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_count16, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_bad_pw_count16, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_group_rid, NULL);
offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset,
pinfo, tree, di, drep,
hf_netlogon_num_rids,
"GroupIDs");
offset = netlogon_dissect_USER_FLAGS(tvb, offset,
pinfo, tree, di, drep);
offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_srv, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_dom, 0);
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy1_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy2_long, NULL);
offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy4_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy5_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy6_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy7_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy8_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy9_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy10_long, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL uint64 LogonTime;
* IDL uint64 LogoffTime;
* IDL uint64 KickOffTime;
* IDL uint64 PasswdLastSet;
* IDL uint64 PasswdCanChange;
* IDL uint64 PasswdMustChange;
* IDL unicodestring effectivename;
* IDL unicodestring fullname;
* IDL unicodestring logonscript;
* IDL unicodestring profilepath;
* IDL unicodestring homedirectory;
* IDL unicodestring homedirectorydrive;
* IDL short LogonCount;
* IDL short BadPasswdCount;
* IDL long userid;
* IDL long primarygroup;
* IDL long groupcount;
* IDL [unique] GROUP_MEMBERSHIP *groupids;
* IDL long userflags;
* IDL USER_SESSION_KEY key;
* IDL unicodestring logonserver;
* IDL unicodestring domainname;
* IDL [unique] SID logondomainid;
* IDL long expansionroom[2];
* IDL long useraccountcontrol;
* IDL long expansionroom[7];
* IDL long sidcount;
* IDL [unique] SID_AND_ATTRIBS;
* IDL } VALIDATION_SAM_INFO2;
*/
static int
netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,di,drep);
#if 0
int i;
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logoff_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_kickoff_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_last_set_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_can_change_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_must_change_time);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_acct_name, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_full_name, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_script, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_profile_path, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_home_dir, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dir_drive, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_count16, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_bad_pw_count16, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_group_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_rids, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
"GROUP_MEMBERSHIP_ARRAY", -1);
offset = netlogon_dissect_USER_FLAGS(tvb, offset,
pinfo, tree, di, drep);
offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_srv, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_dom, 0);
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
for(i=0;i<2;i++){
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
}
offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
pinfo, tree, di, drep);
for(i=0;i<7;i++){
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
}
#endif
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_sid, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
"SID_AND_ATTRIBUTES_ARRAY:", -1);
return offset;
}
static int
netlogon_dissect_VALIDATION_SAM_INFO4(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_VALIDATION_SAM_INFO2(tvb,offset,pinfo,tree,di,drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_dnslogondomainname, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_upn, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string2, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string3, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string4, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string5, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string6, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string7, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string8, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string9, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string10, 0);
return offset;
}
/*
* IDL typedef struct {
* IDL uint64 LogonTime;
* IDL uint64 LogoffTime;
* IDL uint64 KickOffTime;
* IDL uint64 PasswdLastSet;
* IDL uint64 PasswdCanChange;
* IDL uint64 PasswdMustChange;
* IDL unicodestring effectivename;
* IDL unicodestring fullname;
* IDL unicodestring logonscript;
* IDL unicodestring profilepath;
* IDL unicodestring homedirectory;
* IDL unicodestring homedirectorydrive;
* IDL short LogonCount;
* IDL short BadPasswdCount;
* IDL long userid;
* IDL long primarygroup;
* IDL long groupcount;
* IDL [unique] GROUP_MEMBERSHIP *groupids;
* IDL long userflags;
* IDL USER_SESSION_KEY key;
* IDL unicodestring logonserver;
* IDL unicodestring domainname;
* IDL [unique] SID logondomainid;
* IDL long expansionroom[2];
* IDL long useraccountcontrol;
* IDL long expansionroom[7];
* IDL long sidcount;
* IDL [unique] SID_AND_ATTRIBS;
* IDL [unique] SID resourcegroupdomainsid;
* IDL long resourcegroupcount;
qqq
* IDL } PAC_LOGON_INFO;
*/
int
netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,di, drep);
#if 0
int i;
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logoff_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_kickoff_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_last_set_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_can_change_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_must_change_time);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_acct_name, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_full_name, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_script, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_profile_path, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_home_dir, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dir_drive, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_count16, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_bad_pw_count16, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_group_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_rids, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
"GROUP_MEMBERSHIP_ARRAY", -1);
offset = netlogon_dissect_USER_FLAGS(tvb, offset,
pinfo, tree, di, drep);
offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_srv, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_dom, 0);
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
for(i=0;i<2;i++){
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
}
offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
pinfo, tree, di, drep);
for(i=0;i<7;i++){
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
}
#endif
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_sid, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
"SID_AND_ATTRIBUTES_ARRAY:", -1);
offset = netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb, offset,
pinfo, tree, di, drep,
hf_netlogon_resourcegroupcount,
"ResourceGroupIDs");
return offset;
}
static int
netlogon_dissect_S4U_Transited_Service_name(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_transited_service, 1);
return offset;
}
static int
netlogon_dissect_S4U_Transited_Services_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_S4U_Transited_Service_name);
return offset;
}
int
netlogon_dissect_PAC_S4U_DELEGATION_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_s4u2proxytarget, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_transitedlistsize, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_S4U_Transited_Services_array, NDR_POINTER_UNIQUE,
"S4UTransitedServices", -1);
return offset;
}
/*
* IDL typedef struct {
* IDL long UserId;
* IDL long PrimaryGroupId;
* IDL SID AccountDomainId;
* IDL long AccountGroupCount;
* IDL [size_is(AccountGroupCount)] PGROUP_MEMBERSHIP AccountGroupIds;
* IDL ULONG SidCount;
* IDL [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
* IDL ULONG DomainGroupCount;
* IDL [size_is(DomainGroupCount)] PDOMAIN_GROUP_MEMBERSHIP DomainGroup;
* IDL } PAC_DEVICE_INFO;
*/
int
netlogon_dissect_PAC_DEVICE_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_group_rid, NULL);
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset,
pinfo, tree, di, drep,
hf_netlogon_accountdomaingroupcount,
"AccountDomainGroupIds");
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_sid, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
"ExtraSids:SID_AND_ATTRIBUTES_ARRAY:", -1);
offset = netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvb, offset,
pinfo, tree, di, drep,
hf_netlogon_membership_domains_count,
"ExtraDomain Membership Array");
return offset;
}
#if 0
static int
netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep _U_)
{
guint32 pac_size;
if(di->conformant_run){
return offset;
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pac_size, &pac_size);
proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
ENC_NA);
offset += pac_size;
return offset;
}
static int
netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep _U_)
{
guint32 auth_size;
if(di->conformant_run){
return offset;
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_auth_size, &auth_size);
proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
ENC_NA);
offset += auth_size;
return offset;
}
#endif
static int
netlogon_dissect_VALIDATION_GENERIC_INFO2 (tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_data_length, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_REF,
"Validation Data", -1);
return offset;
}
/*
* IDL typedef struct {
* IDL long pac_size
* IDL [unique][size_is(pac_size)] char *pac;
* IDL UNICODESTRING logondomain;
* IDL UNICODESTRING logonserver;
* IDL UNICODESTRING principalname;
* IDL long auth_size;
* IDL [unique][size_is(auth_size)] char *auth;
* IDL USER_SESSION_KEY user_session_key;
* IDL long expansionroom[2];
* IDL long useraccountcontrol;
* IDL long expansionroom[7];
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL } VALIDATION_PAC_INFO;
*/
#if 0 /* Not used (anymore ?) */
static int
netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
int i;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pac_size, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_dom, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_srv, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_principal, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_auth_size, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
pinfo, tree, di, drep);
for(i=0;i<2;i++){
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
}
offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
pinfo, tree, di, drep);
for(i=0;i<7;i++){
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
}
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
return offset;
}
#endif
/*
* IDL typedef [switch_type(short)] union {
* IDL [case(1)][unique] VALIDATION_UAS *uas;
* IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
* IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
* IDL [case(4)][unique] VALIDATION_GENERIC_INFO *generic;
* IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
* IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
* IDL [case(6)][unique] VALIDATION_SAM_INFO4 *sam4;
* IDL } VALIDATION;
*/
static int
netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint16 level = 0;
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_validation_level, &level);
ALIGN_TO_4_BYTES;
switch(level){
case 1:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
"VALIDATION_UAS_INFO:", -1);
break;
case 2:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
"VALIDATION_SAM_INFO:", -1);
break;
case 3:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
"VALIDATION_SAM_INFO2:", -1);
break;
case 4:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE,
"VALIDATION_INFO:", -1);
break;
case 5:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE,
"VALIDATION_INFO2:", -1);
break;
case 6:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION_SAM_INFO4, NDR_POINTER_UNIQUE,
"VALIDATION_SAM_INFO4:", -1);
break;
}
return offset;
}
/*
* IDL long NetrLogonSamLogonWithFlags(
* IDL [in][unique][string] wchar_t *ServerName,
* IDL [in][unique][string] wchar_t *Workstation,
* IDL [in][unique] AUTHENTICATOR *credential,
* IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
* IDL [in] short LogonLevel,
* IDL [in][ref] LOGON_LEVEL *logonlevel,
* IDL [in] short ValidationLevel,
* IDL [out][ref] VALIDATION *validation,
* IDL [out][ref] boolean Authorative
* IDL [in][out] unsigned long ExtraFlags
* IDL );
*/
static int
netlogon_dissect_netrlogonsamlogonflags_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Computer Name",
hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level16, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_LEVEL, NDR_POINTER_REF,
"LEVEL: LogonLevel", -1);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_validation_level, NULL);
offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_netrlogonsamlogonflags_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION, NDR_POINTER_REF,
"VALIDATION:", -1);
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_authoritative, NULL);
offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL long NetrLogonSamLogon(
* IDL [in][unique][string] wchar_t *ServerName,
* IDL [in][unique][string] wchar_t *Workstation,
* IDL [in][unique] AUTHENTICATOR *credential,
* IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
* IDL [in] short LogonLevel,
* IDL [in][ref] LOGON_LEVEL *logonlevel,
* IDL [in] short ValidationLevel,
* IDL [out][ref] VALIDATION *validation,
* IDL [out][ref] boolean Authorative
* IDL );
*/
static int
netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Computer Name",
hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level16, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_LEVEL, NDR_POINTER_REF,
"LEVEL: LogonLevel", -1);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_validation_level, NULL);
return offset;
}
static int
netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION, NDR_POINTER_REF,
"VALIDATION:", -1);
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_authoritative, NULL);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL long NetrLogonSamLogoff(
* IDL [in][unique][string] wchar_t *ServerName,
* IDL [in][unique][string] wchar_t *ComputerName,
* IDL [in][unique] AUTHENTICATOR credential,
* IDL [in][unique] AUTHENTICATOR return_authenticator,
* IDL [in] short logon_level,
* IDL [in][ref] LEVEL logoninformation
* IDL );
*/
static int
netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Computer Name",
hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level16, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_LEVEL, NDR_POINTER_REF,
"LEVEL: logoninformation", -1);
return offset;
}
static int
netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key)
{
if(is_server) {
copy_address_shallow(&key->server,&pinfo->src);
copy_address_shallow(&key->client,&pinfo->dst);
}
else {
copy_address_shallow(&key->server,&pinfo->dst);
copy_address_shallow(&key->client,&pinfo->src);
}
}
/*
* IDL long NetrServerReqChallenge(
* IDL [in][unique][string] wchar_t *ServerName,
* IDL [in][ref][string] wchar_t *ComputerName,
* IDL [in][ref] CREDENTIAL client_credential,
* IDL [out][ref] CREDENTIAL server_credential
* IDL );
*/
static int
netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
/*int oldoffset = offset;*/
netlogon_auth_vars *vars;
netlogon_auth_vars *existing_vars;
netlogon_auth_key key;
guint8 tab[8] = { 0,0,0,0,0,0,0,0};
dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_pointer_cb(
tvb, offset, pinfo, tree, di, drep,
dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
"Computer Name", hf_netlogon_computer_name,
cb_wstr_postprocess,
GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1));
debugprintf("1)Len %d offset %d txt %s\n",(int) strlen((char *)dcv->private_data),offset,(char*)dcv->private_data);
vars = wmem_new0(wmem_file_scope(), netlogon_auth_vars);
vars->client_name = wmem_strdup(wmem_file_scope(), (const guint8 *)dcv->private_data);
debugprintf("2)Len %d offset %d txt %s\n",(int) strlen((char *)dcv->private_data),offset,vars->client_name);
offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
hf_client_challenge,&vars->client_challenge);
memcpy(tab,&vars->client_challenge,8);
vars->start = pinfo->num;
vars->next_start = -1;
vars->next = NULL;
generate_hash_key(pinfo,0,&key);
existing_vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key);
if (!existing_vars) {
netlogon_auth_key *k = (netlogon_auth_key *)wmem_memdup(wmem_file_scope(), &key, sizeof(netlogon_auth_key));
copy_address_wmem(wmem_file_scope(), &k->client, &key.client);
copy_address_wmem(wmem_file_scope(), &k->server, &key.server);
debugprintf("Adding initial vars with this start packet = %d\n",vars->start);
wmem_map_insert(netlogon_auths, k, vars);
}
else {
while(existing_vars->next != NULL && existing_vars->start < vars->start) {
debugprintf("Looping to find existing vars ...\n");
existing_vars = existing_vars->next;
}
if(existing_vars->next != NULL || existing_vars->start == vars->start) {
debugprintf("It seems that I already record this vars start packet = %d\n",vars->start);
wmem_free(wmem_file_scope(), vars);
}
else {
debugprintf("Adding a new entry with this start packet = %d\n",vars->start);
existing_vars->next_start = pinfo->num;
existing_vars->next = vars;
}
}
return offset;
}
static int
netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
netlogon_auth_vars *vars;
netlogon_auth_key key;
guint64 server_challenge;
generate_hash_key(pinfo,1,&key);
vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths,(gconstpointer*) &key);
offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
hf_server_challenge, &server_challenge);
/*offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
"CREDENTIAL: server credential", -1);*/
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
if(vars != NULL) {
while(vars !=NULL && vars->next_start != -1 && vars->next_start < (int)pinfo->num )
{
vars = vars->next;
debugprintf("looping challenge reply... %d %d \n", vars->next_start, pinfo->num);
}
if(vars == NULL)
{
debugprintf("Something strange happened while searching for challenge_reply\n");
}
else
{
vars->server_challenge = server_challenge;
}
}
/*
else
{
debugprintf("Vars not found in challenge reply\n");
}
*/
return offset;
}
static int
netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_secure_channel_type, NULL);
return offset;
}
/*
* IDL long NetrServerAuthenticate(
* IDL [in][unique][string] wchar_t *ServerName,
* IDL [in][ref][string] wchar_t *UserName,
* IDL [in] short secure_challenge_type,
* IDL [in][ref][string] wchar_t *ComputerName,
* IDL [in][ref] CREDENTIAL client_challenge,
* IDL [out][ref] CREDENTIAL server_challenge
* IDL );
*/
static int
netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, CB_STR_COL_INFO);
offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, CB_STR_COL_INFO);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
"CREDENTIAL: client challenge", -1);
return offset;
}
static int
netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo,
proto_tree *tree,
dcerpc_info *di,
guint8 *drep,
int version);
static int
netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
return netlogon_dissect_netrserverauthenticate023_reply(tvb,offset,pinfo,tree,di,drep,0);
}
/*
* IDL typedef struct {
* IDL char encrypted_password[16];
* IDL } ENCRYPTED_LM_OWF_PASSWORD;
*/
static int
netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
packet_info *pinfo _U_, proto_tree *tree,
dcerpc_info *di, guint8 *drep _U_)
{
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect.*/
return offset;
}
proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
ENC_NA);
offset += 16;
return offset;
}
/*
* IDL long NetrServerPasswordSet(
* IDL [in][unique][string] wchar_t *ServerName,
* IDL [in][ref][string] wchar_t *UserName,
* IDL [in] short secure_challenge_type,
* IDL [in][ref][string] wchar_t *ComputerName,
* IDL [in][ref] AUTHENTICATOR credential,
* IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
* IDL [out][ref] AUTHENTICATOR return_authenticator
* IDL );
*/
static int
netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
"ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
return offset;
}
static int
netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL [unique][string] wchar_t *UserName;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_DELETE_USER;
*/
static int
netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL bool SensitiveDataFlag;
* IDL long DataLength;
* IDL [unique][size_is(DataLength)] char *SensitiveData;
* IDL } USER_PRIVATE_INFO;
*/
static int
netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 data_len;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_sensitive_data_len, &data_len);
proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
data_len, ENC_NA);
offset += data_len;
return offset;
}
static int
netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_sensitive_data_flag, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_sensitive_data_len, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
"SENSITIVE_DATA", -1);
return offset;
}
/*
* IDL typedef struct {
* IDL UNICODESTRING UserName;
* IDL UNICODESTRING FullName;
* IDL long UserID;
* IDL long PrimaryGroupID;
* IDL UNICODESTRING HomeDir;
* IDL UNICODESTRING HomeDirDrive;
* IDL UNICODESTRING LogonScript;
* IDL UNICODESTRING Comment;
* IDL UNICODESTRING Workstations;
* IDL NTTIME LastLogon;
* IDL NTTIME LastLogoff;
* IDL LOGON_HOURS logonhours;
* IDL short BadPwCount;
* IDL short LogonCount;
* IDL NTTIME PwLastSet;
* IDL NTTIME AccountExpires;
* IDL long AccountControl;
* IDL LM_OWF_PASSWORD lmpw;
* IDL NT_OWF_PASSWORD ntpw;
* IDL bool NTPwPresent;
* IDL bool LMPwPresent;
* IDL bool PwExpired;
* IDL UNICODESTRING UserComment;
* IDL UNICODESTRING Parameters;
* IDL short CountryCode;
* IDL short CodePage;
* IDL USER_PRIVATE_INFO user_private_info;
* IDL long SecurityInformation;
* IDL LSA_SECURITY_DESCRIPTOR sec_desc;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_USER;
*/
static int
netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_acct_name, 3);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_full_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_group_rid, NULL);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_home_dir, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dir_drive, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_script, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_acct_desc, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_workstations, 0);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logoff_time);
offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_bad_pw_count16, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_count16, NULL);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_last_set_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_acct_expiry_time);
offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, di, drep);
offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
pinfo, tree, di, drep);
offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_nt_pwd_present, NULL);
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_lm_pwd_present, NULL);
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_expired, NULL);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_comment, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_parameters, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_country, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_codepage, NULL);
offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_security_information, NULL);
offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL UNICODESTRING DomainName;
* IDL UNICODESTRING OEMInfo;
* IDL NTTIME forcedlogoff;
* IDL short minpasswdlen;
* IDL short passwdhistorylen;
* IDL NTTIME pwd_must_change_time;
* IDL NTTIME pwd_can_change_time;
* IDL NTTIME domain_modify_time;
* IDL NTTIME domain_create_time;
* IDL long SecurityInformation;
* IDL LSA_SECURITY_DESCRIPTOR sec_desc;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_DOMAIN;
*/
static int
netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_domain_name, 3);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_oem_info, 0);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_kickoff_time);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_minpasswdlen, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_passwdhistorylen, NULL);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_must_change_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pwd_can_change_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_domain_modify_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_domain_create_time);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_security_information, NULL);
offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL UNICODESTRING groupname;
* IDL GROUP_MEMBERSHIP group_membership;
* IDL UNICODESTRING comment;
* IDL long SecurityInformation;
* IDL LSA_SECURITY_DESCRIPTOR sec_desc;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_GROUP;
*/
static int
netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_group_name, 3);
offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_group_desc, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_security_information, NULL);
offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL UNICODESTRING OldName;
* IDL UNICODESTRING NewName;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_RENAME;
*/
static int
netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
di->hf_index, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
di->hf_index, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
static int
netlogon_dissect_RID(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
return offset;
}
static int
netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_RID);
return offset;
}
static int
netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_attrs, NULL);
return offset;
}
static int
netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_ATTRIB);
return offset;
}
/*
* IDL typedef struct {
* IDL [unique][size_is(num_rids)] long *rids;
* IDL [unique][size_is(num_rids)] long *attribs;
* IDL long num_rids;
* IDL long dummy1;
* IDL long dummy2;
* IDL long dummy3;
* IDL long dummy4;
* IDL } DELTA_GROUP_MEMBER;
*/
static int
netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
"RIDs:", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
"Attribs:", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_rids, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL UNICODESTRING alias_name;
* IDL long rid;
* IDL long SecurityInformation;
* IDL LSA_SECURITY_DESCRIPTOR sec_desc;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_ALIAS;
*/
static int
netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_alias_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_alias_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_security_information, NULL);
offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL [unique] SID_ARRAY sids;
* IDL long dummy1;
* IDL long dummy2;
* IDL long dummy3;
* IDL long dummy4;
* IDL } DELTA_ALIAS_MEMBER;
*/
static int
netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
static int
netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_event_audit_option, NULL);
return offset;
}
static int
netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_EVENT_AUDIT_OPTION);
return offset;
}
/*
* IDL typedef struct {
* IDL long pagedpoollimit;
* IDL long nonpagedpoollimit;
* IDL long minimumworkingsetsize;
* IDL long maximumworkingsetsize;
* IDL long pagefilelimit;
* IDL NTTIME timelimit;
* IDL } QUOTA_LIMITS;
*/
static int
netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_QUOTA_LIMITS, &item, "QUOTA_LIMTS:");
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pagedpoollimit, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_nonpagedpoollimit, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_minworkingsetsize, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_maxworkingsetsize, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pagefilelimit, NULL);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_timelimit);
proto_item_set_len(item, offset-old_offset);
return offset;
}
/*
* IDL typedef struct {
* IDL long maxlogsize;
* IDL NTTIME auditretentionperiod;
* IDL bool auditingmode;
* IDL long maxauditeventcount;
* IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
* IDL UNICODESTRING primarydomainname;
* IDL [unique] SID *sid;
* IDL QUOTA_LIMITS quota_limits;
* IDL NTTIME db_modify_time;
* IDL NTTIME db_create_time;
* IDL long SecurityInformation;
* IDL LSA_SECURITY_DESCRIPTOR sec_desc;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_POLICY;
*/
static int
netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_max_log_size, NULL);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_audit_retention_period);
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_auditing_mode, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_max_audit_event_count, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
"Event Audit Options:", -1);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_domain_name, 0);
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_db_modify_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_db_create_time);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_security_information, NULL);
offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
static int
netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dc_name, 0);
return offset;
}
static int
netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CONTROLLER);
return offset;
}
/*
* IDL typedef struct {
* IDL UNICODESTRING DomainName;
* IDL long num_controllers;
* IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
* IDL long SecurityInformation;
* IDL LSA_SECURITY_DESCRIPTOR sec_desc;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_TRUSTED_DOMAINS;
*/
static int
netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_domain_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_controllers, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
"Domain Controllers:", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_security_information, NULL);
offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
static int
netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_attrs, NULL);
return offset;
}
static int
netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_PRIV_ATTR);
return offset;
}
static int
netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_privilege_name, 1);
return offset;
}
static int
netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_PRIV_NAME);
return offset;
}
/*
* IDL typedef struct {
* IDL long privilegeentries;
* IDL long provolegecontrol;
* IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
* IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
* IDL QUOTALIMITS quotalimits;
* IDL long SecurityInformation;
* IDL LSA_SECURITY_DESCRIPTOR sec_desc;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_ACCOUNTS;
*/
static int
netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_privilege_entries, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_privilege_control, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
"PRIV_ATTR_ARRAY:", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
"PRIV_NAME_ARRAY:", -1);
offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_systemflags, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_security_information, NULL);
offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL long len;
* IDL long maxlen;
* IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
* IDL } CIPHER_VALUE;
*/
static int
netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 data_len;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
hf_netlogon_cipher_maxlen, NULL);
/* skip offset */
offset += 4;
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
hf_netlogon_cipher_len, &data_len);
proto_tree_add_item(tree, di->hf_index, tvb, offset,
data_len, ENC_NA);
offset += data_len;
return offset;
}
static int
netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep, const char *name, int hf_index)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_CYPHER_VALUE, &item, name);
}
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
hf_netlogon_cipher_len, NULL);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
hf_netlogon_cipher_maxlen, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
name, hf_index);
proto_item_set_len(item, offset-old_offset);
return offset;
}
/*
* IDL typedef struct {
* IDL CIPHER_VALUE current_cipher;
* IDL NTTIME current_cipher_set_time;
* IDL CIPHER_VALUE old_cipher;
* IDL NTTIME old_cipher_set_time;
* IDL long SecurityInformation;
* IDL LSA_SECURITY_DESCRIPTOR sec_desc;
* IDL UNICODESTRING dummy1;
* IDL UNICODESTRING dummy2;
* IDL UNICODESTRING dummy3;
* IDL UNICODESTRING dummy4;
* IDL long dummy5;
* IDL long dummy6;
* IDL long dummy7;
* IDL long dummy8;
* IDL } DELTA_SECRET;
*/
static int
netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
pinfo, tree, di, drep,
"CIPHER_VALUE: current cipher value",
hf_netlogon_cipher_current_data);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_cipher_current_set_time);
offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
pinfo, tree, di, drep,
"CIPHER_VALUE: old cipher value",
hf_netlogon_cipher_old_data);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_cipher_old_set_time);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_security_information, NULL);
offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL long low_value;
* IDL long high_value;
* } MODIFIED_COUNT;
*/
static int
netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_modify_count, NULL);
return offset;
}
#define DT_DELTA_DOMAIN 1
#define DT_DELTA_GROUP 2
#define DT_DELTA_DELETE_GROUP 3
#define DT_DELTA_RENAME_GROUP 4
#define DT_DELTA_USER 5
#define DT_DELTA_DELETE_USER 6
#define DT_DELTA_RENAME_USER 7
#define DT_DELTA_GROUP_MEMBER 8
#define DT_DELTA_ALIAS 9
#define DT_DELTA_DELETE_ALIAS 10
#define DT_DELTA_RENAME_ALIAS 11
#define DT_DELTA_ALIAS_MEMBER 12
#define DT_DELTA_POLICY 13
#define DT_DELTA_TRUSTED_DOMAINS 14
#define DT_DELTA_DELETE_TRUST 15
#define DT_DELTA_ACCOUNTS 16
#define DT_DELTA_DELETE_ACCOUNT 17
#define DT_DELTA_SECRET 18
#define DT_DELTA_DELETE_SECRET 19
#define DT_DELTA_DELETE_GROUP2 20
#define DT_DELTA_DELETE_USER2 21
#define DT_MODIFIED_COUNT 22
static const value_string delta_type_vals[] = {
{ DT_DELTA_DOMAIN, "Domain" },
{ DT_DELTA_GROUP, "Group" },
{ DT_DELTA_DELETE_GROUP, "Delete Group" },
{ DT_DELTA_RENAME_GROUP, "Rename Group" },
{ DT_DELTA_USER, "User" },
{ DT_DELTA_DELETE_USER, "Delete User" },
{ DT_DELTA_RENAME_USER, "Rename User" },
{ DT_DELTA_GROUP_MEMBER, "Group Member" },
{ DT_DELTA_ALIAS, "Alias" },
{ DT_DELTA_DELETE_ALIAS, "Delete Alias" },
{ DT_DELTA_RENAME_ALIAS, "Rename Alias" },
{ DT_DELTA_ALIAS_MEMBER, "Alias Member" },
{ DT_DELTA_POLICY, "Policy" },
{ DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
{ DT_DELTA_DELETE_TRUST, "Delete Trust" },
{ DT_DELTA_ACCOUNTS, "Accounts" },
{ DT_DELTA_DELETE_ACCOUNT, "Delete Account" },
{ DT_DELTA_SECRET, "Secret" },
{ DT_DELTA_DELETE_SECRET, "Delete Secret" },
{ DT_DELTA_DELETE_GROUP2, "Delete Group2" },
{ DT_DELTA_DELETE_USER2, "Delete User2" },
{ DT_MODIFIED_COUNT, "Modified Count" },
{ 0, NULL }
};
/*
* IDL typedef [switch_type(short)] union {
* IDL [case(1)][unique] DELTA_DOMAIN *domain;
* IDL [case(2)][unique] DELTA_GROUP *group;
* IDL [case(3)][unique] rid only ;
* IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
* IDL [case(5)][unique] DELTA_USER *user;
* IDL [case(6)][unique] rid only ;
* IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
* IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
* IDL [case(9)][unique] DELTA_ALIAS *alias;
* IDL [case(10)][unique] rid only ;
* IDL [case(11)][unique] DELTA_RENAME_ALIAS *alias;
* IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
* IDL [case(13)][unique] DELTA_POLICY *policy;
* IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
* IDL [case(15)][unique] PSID ;
* IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
* IDL [case(17)][unique] PSID ;
* IDL [case(18)][unique] DELTA_SECRET *secret;
* IDL [case(19)][unique] string;
* IDL [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
* IDL [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
* IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
* IDL } DELTA_UNION;
*/
static int
netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
guint16 level = 0;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_DELTA_UNION, &item, "DELTA_UNION:");
}
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_delta_type, &level);
ALIGN_TO_4_BYTES;
switch(level){
case 1:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
"DELTA_DOMAIN:", -1);
break;
case 2:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
"DELTA_GROUP:", -1);
break;
case 4:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
"DELTA_RENAME_GROUP:", hf_netlogon_group_name);
break;
case 5:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
"DELTA_USER:", -1);
break;
case 7:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
"DELTA_RENAME_USER:", hf_netlogon_acct_name);
break;
case 8:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
"DELTA_GROUP_MEMBER:", -1);
break;
case 9:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
"DELTA_ALIAS:", -1);
break;
case 11:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
"DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
break;
case 12:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
"DELTA_ALIAS_MEMBER:", -1);
break;
case 13:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
"DELTA_POLICY:", -1);
break;
case 14:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
"DELTA_TRUSTED_DOMAINS:", -1);
break;
case 16:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
"DELTA_ACCOUNTS:", -1);
break;
case 18:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
"DELTA_SECRET:", -1);
break;
case 20:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
"DELTA_DELETE_GROUP:", -1);
break;
case 21:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
"DELTA_DELETE_USER:", -1);
break;
case 22:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
"MODIFIED_COUNT:", -1);
break;
}
proto_item_set_len(item, offset-old_offset);
return offset;
}
/* IDL XXX must verify this one, especially 13-19
* IDL typedef [switch_type(short)] union {
* IDL [case(1)] long rid;
* IDL [case(2)] long rid;
* IDL [case(3)] long rid;
* IDL [case(4)] long rid;
* IDL [case(5)] long rid;
* IDL [case(6)] long rid;
* IDL [case(7)] long rid;
* IDL [case(8)] long rid;
* IDL [case(9)] long rid;
* IDL [case(10)] long rid;
* IDL [case(11)] long rid;
* IDL [case(12)] long rid;
* IDL [case(13)] [unique] SID *sid;
* IDL [case(14)] [unique] SID *sid;
* IDL [case(15)] [unique] SID *sid;
* IDL [case(16)] [unique] SID *sid;
* IDL [case(17)] [unique] SID *sid;
* IDL [case(18)] [unique][string] wchar_t *Name ;
* IDL [case(19)] [unique][string] wchar_t *Name ;
* IDL [case(20)] long rid;
* IDL [case(21)] long rid;
* IDL } DELTA_ID_UNION;
*/
static int
netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
guint16 level = 0;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_DELTA_ID_UNION, &item, "DELTA_ID_UNION:");
}
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_delta_type, &level);
ALIGN_TO_4_BYTES;
switch(level){
case 1:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_group_rid, NULL);
break;
case 2:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 3:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 4:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 5:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 6:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 7:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 8:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 9:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 10:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 11:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 12:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 13:
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
break;
case 14:
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
break;
case 15:
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
break;
case 16:
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
break;
case 17:
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
break;
case 18:
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
tree, di, drep, NDR_POINTER_UNIQUE, "unknown",
hf_netlogon_unknown_string, 0);
break;
case 19:
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
tree, di, drep, NDR_POINTER_UNIQUE, "unknown",
hf_netlogon_unknown_string, 0);
break;
case 20:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
case 21:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_user_rid, NULL);
break;
}
proto_item_set_len(item, offset-old_offset);
return offset;
}
/*
* IDL typedef struct {
* IDL short delta_type;
* IDL DELTA_ID_UNION delta_id_union;
* IDL DELTA_UNION delta_union;
* IDL } DELTA_ENUM;
*/
static int
netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
guint16 type;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_DELTA_ENUM, &item, "DELTA_ENUM:");
}
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_delta_type, &type);
proto_item_append_text(item, "%s", val_to_str(
type, delta_type_vals, "Unknown"));
offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
pinfo, tree, di, drep);
offset = netlogon_dissect_DELTA_UNION(tvb, offset,
pinfo, tree, di, drep);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_ENUM);
return offset;
}
/*
* IDL typedef struct {
* IDL long num_deltas;
* IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
* IDL } DELTA_ENUM_ARRAY;
*/
static int
netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_deltas, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
"DELTA_ENUM: deltas", -1);
return offset;
}
/*
* IDL long NetrDatabaseDeltas(
* IDL [in][string][ref] wchar_t *logonserver, # REF!!!
* IDL [in][string][ref] wchar_t *computername,
* IDL [in][ref] AUTHENTICATOR credential,
* IDL [in][out][ref] AUTHENTICATOR return_authenticator,
* IDL [in] long database_id,
* IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
* IDL [in] long preferredmaximumlength,
* IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
* IDL );
*/
static int
netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_database_id, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
"MODIFIED_COUNT: domain modified count", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_max_size, NULL);
return offset;
}
static int
netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
"MODIFIED_COUNT: domain modified count", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
"DELTA_ENUM_ARRAY: deltas", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL long NetrDatabaseSync(
* IDL [in][string][ref] wchar_t *logonserver, # REF!!!
* IDL [in][string][ref] wchar_t *computername,
* IDL [in][ref] AUTHENTICATOR credential,
* IDL [in][out][ref] AUTHENTICATOR return_authenticator,
* IDL [in] long database_id,
* IDL [in][out][ref] long sync_context,
* IDL [in] long preferredmaximumlength,
* IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
* IDL );
*/
static int
netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_database_id, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_sync_context, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_max_size, NULL);
return offset;
}
static int
netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_sync_context, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
"DELTA_ENUM_ARRAY: deltas", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL char computer_name[16];
* IDL long timecreated;
* IDL long serial_number;
* IDL } UAS_INFO_0;
*/
static int
netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 time_created;
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, ENC_ASCII);
offset += 16;
time_created = tvb_get_guint32(tvb, offset, DREP_ENC_INTEGER(drep));
proto_tree_add_uint_format_value(tree, hf_netlogon_time_created, tvb, offset, 4, time_created, "unknown time format");
offset+= 4;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_serial_number, NULL);
return offset;
}
/*
* IDL long NetrAccountDeltas(
* IDL [in][string][unique] wchar_t *logonserver,
* IDL [in][string][ref] wchar_t *computername,
* IDL [in][ref] AUTHENTICATOR credential,
* IDL [in][out][ref] AUTHENTICATOR return_authenticator,
* IDL [out][ref][size_is(count_returned)] char *Buffer,
* IDL [out][ref] long count_returned,
* IDL [out][ref] long total_entries,
* IDL [in][out][ref] UAS_INFO_0 recordid,
* IDL [in][long] count,
* IDL [in][long] level,
* IDL [in][long] buffersize,
* IDL );
*/
static int
netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
"UAS_INFO_0: RecordID", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_count, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_max_size, NULL);
return offset;
}
static int
netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_REF,
"BYTE_array: Buffer", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_count, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_entries, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
"UAS_INFO_0: RecordID", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL long NetrAccountSync(
* IDL [in][string][unique] wchar_t *logonserver,
* IDL [in][string][ref] wchar_t *computername,
* IDL [in][ref] AUTHENTICATOR credential,
* IDL [in][out][ref] AUTHENTICATOR return_authenticator,
* IDL [out][ref][size_is(count_returned)] char *Buffer,
* IDL [out][ref] long count_returned,
* IDL [out][ref] long total_entries,
* IDL [out][ref] long next_reference,
* IDL [in][long] reference,
* IDL [in][long] level,
* IDL [in][long] buffersize,
* IDL [in][out][ref] UAS_INFO_0 recordid,
* IDL );
*/
static int
netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reference, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_max_size, NULL);
return offset;
}
static int
netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_REF,
"BYTE_array: Buffer", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_count, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_entries, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_next_reference, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
"UAS_INFO_0: RecordID", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL long NetrGetDcName(
* IDL [in][ref][string] wchar_t *logon_server,
* IDL [in][unique][string] wchar_t *domainname,
* IDL [out][unique][string] wchar_t *dcname,
* IDL };
*/
static int
netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
return offset;
}
static int
netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL long flags;
* IDL long pdc_connection_status;
* IDL } NETLOGON_INFO_1;
*/
static int
netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_flags, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pdc_connection_status, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL long flags;
* IDL long pdc_connection_status;
* IDL [unique][string] wchar_t trusted_dc_name;
* IDL long tc_connection_status;
* IDL } NETLOGON_INFO_2;
*/
static int
netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_flags, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_pdc_connection_status, NULL);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Trusted DC Name",
hf_netlogon_trusted_dc_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_tc_connection_status, NULL);
return offset;
}
/*
* IDL typedef struct {
* IDL long flags;
* IDL long logon_attempts;
* IDL long reserved;
* IDL long reserved;
* IDL long reserved;
* IDL long reserved;
* IDL long reserved;
* IDL } NETLOGON_INFO_3;
*/
static int
netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_flags, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_logon_attempts, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_reserved, NULL);
return offset;
}
/*
* IDL typedef [switch_type(long)] union {
* IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
* IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
* IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
* IDL } CONTROL_QUERY_INFORMATION;
*/
static int
netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 level = 0;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, &level);
ALIGN_TO_4_BYTES;
switch(level){
case 1:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
"NETLOGON_INFO_1:", -1);
break;
case 2:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
"NETLOGON_INFO_2:", -1);
break;
case 3:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
"NETLOGON_INFO_3:", -1);
break;
}
return offset;
}
/*
* IDL long NetrLogonControl(
* IDL [in][string][unique] wchar_t *logonserver,
* IDL [in] long function_code,
* IDL [in] long level,
* IDL [out][ref] CONTROL_QUERY_INFORMATION
* IDL );
*/
static int
netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_code, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, NULL);
return offset;
}
static int
netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
"CONTROL_QUERY_INFORMATION:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
/*
* IDL long NetrGetAnyDCName(
* IDL [in][unique][string] wchar_t *logon_server,
* IDL [in][unique][string] wchar_t *domainname,
* IDL [out][unique][string] wchar_t *dcname,
* IDL };
*/
static int
netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Server Handle",
hf_netlogon_logonsrv_handle, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
return offset;
}
static int
netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
/*
* IDL typedef [switch_type(long)] union {
* IDL [case(5)] [unique][string] wchar_t *unknown;
* IDL [case(6)] [unique][string] wchar_t *unknown;
* IDL [case(0xfffe)] long unknown;
* IDL [case(7)] [unique][string] wchar_t *unknown;
* IDL } CONTROL_DATA_INFORMATION;
*/
/* XXX
* According to muddle this is what CONTROL_DATA_INFORMATION is supposed
* to look like. However NetMon does not recognize any such informationlevels.
*
* I'll leave it as CONTROL_DATA_INFORMATION with no informationlevels
* until someone has any source of better authority to call upon.
*/
static int
netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 level = 0;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, &level);
ALIGN_TO_4_BYTES;
switch(level){
case 5:
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
tree, di, drep, NDR_POINTER_UNIQUE, "Trusted Domain Name",
hf_netlogon_TrustedDomainName_string, 0);
break;
case 6:
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
tree, di, drep, NDR_POINTER_UNIQUE, "Trusted Domain Name",
hf_netlogon_TrustedDomainName_string, 0);
break;
case 0xfffe:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
break;
case 8:
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
tree, di, drep, NDR_POINTER_UNIQUE, "UserName",
hf_netlogon_UserName_string, 0);
break;
}
return offset;
}
/*
* IDL long NetrLogonControl2(
* IDL [in][string][unique] wchar_t *logonserver,
* IDL [in] long function_code,
* IDL [in] long level,
* IDL [in][ref] CONTROL_DATA_INFORMATION *data,
* IDL [out][ref] CONTROL_QUERY_INFORMATION *query
* IDL );
*/
static int
netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_code, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
"CONTROL_DATA_INFORMATION: ", -1);
return offset;
}
static int
netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
guint32 status;
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
"CONTROL_QUERY_INFORMATION:", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_netlogon_werr_rc, &status);
if (status != 0)
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown WERR error 0x%08x"));
return offset;
}
/*
* IDL long NetrDatabaseSync2(
* IDL [in][string][ref] wchar_t *logonserver, # REF!!!
* IDL [in][string][ref] wchar_t *computername,
* IDL [in][ref] AUTHENTICATOR credential,
* IDL [in][out][ref] AUTHENTICATOR return_authenticator,
* IDL [in] long database_id,
* IDL [in] short restart_state,
* IDL [in][out][ref] long *sync_context,
* IDL [in] long preferredmaximumlength,
* IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
* IDL );
*/
static int
netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_database_id, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_restart_state, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_sync_context, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_max_size, NULL);
return offset;
}
static int
netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_sync_context, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
"DELTA_ENUM_ARRAY: deltas", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL long NetrDatabaseRedo(
* IDL [in][string][ref] wchar_t *logonserver, # REF!!!
* IDL [in][string][ref] wchar_t *computername,
* IDL [in][ref] AUTHENTICATOR credential,
* IDL [in][out][ref] AUTHENTICATOR return_authenticator,
* IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
* IDL [in] long change_log_entry_size,
* IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
* IDL );
*/
static int
netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_REF,
"Change log entry: ", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_max_log_size, NULL);
return offset;
}
static int
netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
"DELTA_ENUM_ARRAY: deltas", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/*
* IDL long NetrLogonControl2Ex(
* IDL [in][string][unique] wchar_t *logonserver,
* IDL [in] long function_code,
* IDL [in] long level,
* IDL [in][ref] CONTROL_DATA_INFORMATION *data,
* IDL [out][ref] CONTROL_QUERY_INFORMATION *query
* IDL );
*/
static int
netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_code, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
"CONTROL_DATA_INFORMATION: ", -1);
return offset;
}
static int
netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
"CONTROL_QUERY_INFORMATION:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
static const value_string trust_type_vals[] = {
{ 1, "NT4 Domain" },
{ 2, "AD Domain" },
{ 3, "MIT Kerberos realm" },
{ 4, "DCE realm" },
{ 0, NULL }
};
#define DS_INET_ADDRESS 1
#define DS_NETBIOS_ADDRESS 2
static const value_string dc_address_types[] = {
{ DS_INET_ADDRESS, "IP/DNS name" },
{ DS_NETBIOS_ADDRESS, "NetBIOS name" },
{ 0, NULL}
};
#define RQ_ROOT_FOREST 0x0001
#define RQ_DC_XFOREST 0x0002
#define RQ_RODC_DIF_DOMAIN 0x0004
#define RQ_NTLM_FROM_RODC 0x0008
#define DS_DOMAIN_IN_FOREST 0x0001
#define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
#define DS_DOMAIN_TREE_ROOT 0x0004
#define DS_DOMAIN_PRIMARY 0x0008
#define DS_DOMAIN_NATIVE_MODE 0x0010
#define DS_DOMAIN_DIRECT_INBOUND 0x0020
static const true_false_string trust_inbound = {
"There is a DIRECT INBOUND trust for the servers domain",
"There is NO direct inbound trust for the servers domain"
};
static const true_false_string trust_outbound = {
"There is a DIRECT OUTBOUND trust for this domain",
"There is NO direct outbound trust for this domain"
};
static const true_false_string trust_in_forest = {
"The domain is a member IN the same FOREST as the queried server",
"The domain is NOT a member of the queried servers domain"
};
static const true_false_string trust_native_mode = {
"The primary domain is a NATIVE MODE w2k domain",
"The primary is NOT a native mode w2k domain"
};
static const true_false_string trust_primary = {
"The domain is the PRIMARY domain of the queried server",
"The domain is NOT the primary domain of the queried server"
};
static const true_false_string trust_tree_root = {
"The domain is the ROOT of a domain TREE",
"The domain is NOT a root of a domain tree"
};
static int
netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
{
guint32 mask;
static int * const flags[] = {
&hf_netlogon_trust_flags_inbound,
&hf_netlogon_trust_flags_native_mode,
&hf_netlogon_trust_flags_primary,
&hf_netlogon_trust_flags_tree_root,
&hf_netlogon_trust_flags_outbound,
&hf_netlogon_trust_flags_in_forest,
NULL
};
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
-1, &mask);
proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_trust_flags, ett_trust_flags, flags, mask, BMT_NO_APPEND);
return offset;
}
static const true_false_string trust_attribs_non_transitive = {
"This is a NON TRANSITIVE trust relation",
"This is a normal trust"
};
static const true_false_string trust_attribs_uplevel_only = {
"This is an UPLEVEL ONLY trust relation",
"This is a normal trust"
};
static const true_false_string trust_attribs_quarantined_domain = {
"This is a QUARANTINED DOMAIN (so don't expect lookupsids to work)",
"This is a normal trust"
};
static const true_false_string trust_attribs_forest_transitive = {
"This is a FOREST TRANSITIVE trust",
"This is a normal trust"
};
static const true_false_string trust_attribs_cross_organization = {
"This is a CROSS ORGANIZATION trust",
"This is a normal trust"
};
static const true_false_string trust_attribs_within_forest = {
"This is a WITHIN FOREST trust",
"This is a normal trust"
};
static const true_false_string trust_attribs_treat_as_external = {
"TREAT this trust AS an EXTERNAL trust",
"This is a normal trust"
};
static int
netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
{
guint32 mask;
static int * const attr[] = {
&hf_netlogon_trust_attribs_treat_as_external,
&hf_netlogon_trust_attribs_within_forest,
&hf_netlogon_trust_attribs_cross_organization,
&hf_netlogon_trust_attribs_forest_transitive,
&hf_netlogon_trust_attribs_quarantined_domain,
&hf_netlogon_trust_attribs_uplevel_only,
&hf_netlogon_trust_attribs_non_transitive,
NULL
};
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
-1, &mask);
proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_trust_attribs, ett_trust_attribs, attr, mask, BMT_NO_APPEND);
return offset;
}
#define DS_FORCE_REDISCOVERY 0x00000001
#define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
#define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
#define DS_GC_SERVER_REQUIRED 0x00000040
#define DS_PDC_REQUIRED 0x00000080
#define DS_BACKGROUND_ONLY 0x00000100
#define DS_IP_REQUIRED 0x00000200
#define DS_KDC_REQUIRED 0x00000400
#define DS_TIMESERV_REQUIRED 0x00000800
#define DS_WRITABLE_REQUIRED 0x00001000
#define DS_GOOD_TIMESERV_PREFERRED 0x00002000
#define DS_AVOID_SELF 0x00004000
#define DS_ONLY_LDAP_NEEDED 0x00008000
#define DS_IS_FLAT_NAME 0x00010000
#define DS_IS_DNS_NAME 0x00020000
#define DS_RETURN_DNS_NAME 0x40000000
#define DS_RETURN_FLAT_NAME 0x80000000
static const true_false_string get_dcname_request_flags_force_rediscovery = {
"FORCE REDISCOVERY of any cached data",
"You may return cached data"
};
static const true_false_string get_dcname_request_flags_directory_service_required = {
"DIRECTORY SERVICE is REQUIRED on the server",
"We do NOT require directory service servers"
};
static const true_false_string get_dcname_request_flags_directory_service_preferred = {
"DIRECTORY SERVICE servers are PREFERRED",
"We do NOT have a preference for directory service servers"
};
static const true_false_string get_dcname_request_flags_gc_server_required = {
"GC SERVER is REQUIRED",
"gc server is NOT required"
};
static const true_false_string get_dcname_request_flags_pdc_required = {
"PDC SERVER is REQUIRED",
"pdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_background_only = {
"Only return cached data, even if it has expired",
"Return cached data unless it has expired"
};
static const true_false_string get_dcname_request_flags_ip_required = {
"IP address is REQUIRED",
"ip address is NOT required"
};
static const true_false_string get_dcname_request_flags_kdc_required = {
"KDC server is REQUIRED",
"kdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_timeserv_required = {
"TIMESERV service is REQUIRED",
"timeserv service is NOT required"
};
static const true_false_string get_dcname_request_flags_writable_required = {
"the returned dc MUST be WRITEABLE",
"a read-only dc may be returned"
};
static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
"GOOD TIMESERV servers are PREFERRED",
"we do NOT have a preference for good timeserv servers"
};
static const true_false_string get_dcname_request_flags_avoid_self = {
"do NOT return self as dc; return someone else",
"you may return yourSELF as the dc"
};
static const true_false_string get_dcname_request_flags_only_ldap_needed = {
"we ONLY NEED LDAP; you don't have to return a dc",
"we need a normal dc; an ldap only server will not do"
};
static const true_false_string get_dcname_request_flags_is_flat_name = {
"the name we specify is a NetBIOS name",
"the name we specify is NOT a NetBIOS name"
};
static const true_false_string get_dcname_request_flags_is_dns_name = {
"the name we specify is a DNS name",
"the name we specify is NOT a dns name"
};
static const true_false_string get_dcname_request_flags_return_dns_name = {
"return a DNS name",
"you may return a NON-dns name"
};
static const true_false_string get_dcname_request_flags_return_flat_name = {
"return a NetBIOS name",
"you may return a NON-NetBIOS name"
};
static int
netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
{
guint32 mask;
static int * const flags[] = {
&hf_netlogon_get_dcname_request_flags_return_flat_name,
&hf_netlogon_get_dcname_request_flags_return_dns_name,
&hf_netlogon_get_dcname_request_flags_is_flat_name,
&hf_netlogon_get_dcname_request_flags_is_dns_name,
&hf_netlogon_get_dcname_request_flags_only_ldap_needed,
&hf_netlogon_get_dcname_request_flags_avoid_self,
&hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
&hf_netlogon_get_dcname_request_flags_writable_required,
&hf_netlogon_get_dcname_request_flags_timeserv_required,
&hf_netlogon_get_dcname_request_flags_kdc_required,
&hf_netlogon_get_dcname_request_flags_ip_required,
&hf_netlogon_get_dcname_request_flags_background_only,
&hf_netlogon_get_dcname_request_flags_pdc_required,
&hf_netlogon_get_dcname_request_flags_gc_server_required,
&hf_netlogon_get_dcname_request_flags_directory_service_preferred,
&hf_netlogon_get_dcname_request_flags_directory_service_required,
&hf_netlogon_get_dcname_request_flags_force_rediscovery,
NULL
};
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep, -1, &mask);
proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_get_dcname_request_flags, ett_get_dcname_request_flags, flags, mask, BMT_NO_APPEND);
return offset;
}
#define DS_PDC_FLAG 0x00000001
#define DS_GC_FLAG 0x00000004
#define DS_LDAP_FLAG 0x00000008
#define DS_DS_FLAG 0x00000010
#define DS_KDC_FLAG 0x00000020
#define DS_TIMESERV_FLAG 0x00000040
#define DS_CLOSEST_FLAG 0x00000080
#define DS_WRITABLE_FLAG 0x00000100
#define DS_GOOD_TIMESERV_FLAG 0x00000200
#define DS_NDNC_FLAG 0x00000400
#define DS_DNS_CONTROLLER_FLAG 0x20000000
#define DS_DNS_DOMAIN_FLAG 0x40000000
#define DS_DNS_FOREST_FLAG 0x80000000
static const true_false_string dc_flags_pdc_flag = {
"this is the PDC of the domain",
"this is NOT the pdc of the domain"
};
static const true_false_string dc_flags_gc_flag = {
"this is the GC of the forest",
"this is NOT the gc of the forest"
};
static const true_false_string dc_flags_ldap_flag = {
"this is an LDAP server",
"this is NOT an ldap server"
};
static const true_false_string dc_flags_ds_flag = {
"this is a DS server",
"this is NOT a ds server"
};
static const true_false_string dc_flags_kdc_flag = {
"this is a KDC server",
"this is NOT a kdc server"
};
static const true_false_string dc_flags_timeserv_flag = {
"this is a TIMESERV server",
"this is NOT a timeserv server"
};
static const true_false_string dc_flags_closest_flag = {
"this is the CLOSEST server",
"this is NOT the closest server"
};
static const true_false_string dc_flags_writable_flag = {
"this server has a WRITABLE ds database",
"this server has a READ-ONLY ds database"
};
static const true_false_string dc_flags_good_timeserv_flag = {
"this server is a GOOD TIMESERV server",
"this is NOT a good timeserv server"
};
static const true_false_string dc_flags_ndnc_flag = {
"NDNC is set",
"ndnc is NOT set"
};
static const true_false_string dc_flags_dns_controller_flag = {
"DomainControllerName is a DNS name",
"DomainControllerName is NOT a dns name"
};
static const true_false_string dc_flags_dns_domain_flag = {
"DomainName is a DNS name",
"DomainName is NOT a dns name"
};
static const true_false_string dc_flags_dns_forest_flag = {
"DnsForestName is a DNS name",
"DnsForestName is NOT a dns name"
};
static int
netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
{
guint32 mask;
proto_item *item;
static int * const flags[] = {
&hf_netlogon_dc_flags_dns_forest_flag,
&hf_netlogon_dc_flags_dns_domain_flag,
&hf_netlogon_dc_flags_dns_controller_flag,
&hf_netlogon_dc_flags_ndnc_flag,
&hf_netlogon_dc_flags_good_timeserv_flag,
&hf_netlogon_dc_flags_writable_flag,
&hf_netlogon_dc_flags_closest_flag,
&hf_netlogon_dc_flags_timeserv_flag,
&hf_netlogon_dc_flags_kdc_flag,
&hf_netlogon_dc_flags_ds_flag,
&hf_netlogon_dc_flags_ldap_flag,
&hf_netlogon_dc_flags_gc_flag,
&hf_netlogon_dc_flags_pdc_flag,
NULL
};
if(di->conformant_run){
/*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep, -1, &mask);
item = proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_dc_flags, ett_dc_flags, flags, mask, BMT_NO_APPEND);
if (mask==0x0000ffff)
proto_item_append_text(item, " PING (mask==0x0000ffff)");
return offset;
}
static int
netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
di->hf_index, NULL);
return offset;
}
#if 0
static int
netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
di->hf_index, NULL);
return offset;
}
#endif
static int
netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_char, NULL);
return offset;
}
static int
netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_UNICODE_MULTI_byte);
return offset;
}
static int
netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_UNICODE_MULTI, &item, "UNICODE_MULTI:");
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_len, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
"unknown", hf_netlogon_unknown_string);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_DOMAIN_CONTROLLER_INFO, &item, "DOMAIN_CONTROLLER_INFO:");
}
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dc_address_type, NULL);
offset = dissect_nt_GUID(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Client Site",
hf_netlogon_client_site_name, 0);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
dissect_ndr_trust_extension(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 len,max;
if(di->conformant_run){
return offset;
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_trust_max, &max);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_trust_offset, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_trust_len, &len);
if( max * 2 == 16 ) {
offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_trust_parent_index, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_trust_type, NULL);
offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);
}
/* else do something scream shout .... */
return offset;
}
static int
netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 len;
if(di->conformant_run){
return offset;
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_blob_size, &len);
proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
ENC_NA);
offset += len;
return offset;
}
static int
dissect_ndr_ulongs_as_counted_string(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep, int hf_index)
{
guint16 len, size;
gboolean add_subtree = TRUE; /* Manage room for evolution*/
proto_item *item;
proto_tree *subtree = tree;
if (add_subtree) {
subtree = proto_tree_add_subtree(
tree, tvb, offset, 0, ett_nt_counted_longs_as_string, &item,
proto_registrar_get_name(hf_index));
}
/* Structure starts with short, but is aligned for longs */
ALIGN_TO_4_BYTES;
if (di->conformant_run)
return offset;
/*
struct {
short len;
short size;
[size_is(size/2), length_is(len/2), ptr] unsigned short *string;
} UNICODE_STRING;
*/
offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
hf_nt_cs_len, &len);
offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
hf_nt_cs_size, &size);
offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, subtree, di, drep,
dissect_ndr_trust_extension, NDR_POINTER_UNIQUE,
"Buffer", hf_index,NULL,NULL);
return offset;
}
static int
DomainInfo_sid_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = lsarpc_dissect_struct_dom_sid2(tvb, offset, pinfo, tree, di, drep, DomainInfo_sid, 0);
return offset;
}
static int
dissect_element_lsa_DnsDomainInfo_sid(tvbuff_t *tvb , int offset , packet_info *pinfo , proto_tree *tree , dcerpc_info *di, guint8 *drep )
{
offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, DomainInfo_sid_, NDR_POINTER_UNIQUE, "Pointer to Sid (dom_sid2)",DnsDomainInfo_sid);
return offset;
}
static int
dissect_element_lsa_DnsDomainInfo_domain_guid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep )
{
offset = dissect_ndr_uuid_t(tvb, offset, pinfo, tree, di, drep, DnsDomainInfo_domain_guid, NULL);
return offset;
}
static int dissect_part_DnsDomainInfo(tvbuff_t *tvb , int offset, packet_info *pinfo, proto_tree *tree , dcerpc_info *di, guint8 *drep, int hf_index _U_, guint32 param _U_)
{
offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep, DnsDomainInfo_name, 0);
offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset, pinfo, tree, di, drep, DnsDomainInfo_dns_domain, 0);
offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset, pinfo, tree, di, drep, DnsDomainInfo_dns_forest, 0);
offset = dissect_element_lsa_DnsDomainInfo_domain_guid(tvb, offset, pinfo, tree, di, drep);
offset = dissect_element_lsa_DnsDomainInfo_sid(tvb, offset, pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_ONE_DOMAIN_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_DOMAIN_TRUST_INFO, &item, "ONE_DOMAIN_INFO");
}
/*hf_netlogon_dnsdomaininfo*/
offset = dissect_part_DnsDomainInfo(tvb, offset, pinfo, tree, di, drep, 0, 0);
/* It is structed as a string but it's not ... it's 4 ulong */
offset = dissect_ndr_ulongs_as_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_trust_extension);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string2, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string3, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string4, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy1_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy2_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy3_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy4_long, NULL);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_ONE_DOMAIN_INFO);
return offset;
}
static int
netlogon_dissect_LSA_POLICY_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep )
{
proto_item *item=NULL;
proto_tree *subtree=NULL;
guint32 len;
if(di->conformant_run){
return offset;
}
if(tree){
subtree = proto_tree_add_subtree(tree, tvb, offset, 0,
ett_LSA_POLICY_INFO, &item, "LSA Policy");
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
hf_netlogon_lsapolicy_len, &len);
offset = dissect_ndr_pointer(tvb, offset, pinfo, subtree, di, drep,
netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
"Pointer:", -1);
return offset;
}
static int
netlogon_dissect_WORKSTATION_INFO(tvbuff_t *tvb , int offset ,
packet_info *pinfo , proto_tree *tree ,
dcerpc_info *di, guint8 *drep )
{
/* This is not the good way to do it ... it stinks ...
* but after half of a day fighting against wireshark and ndr ...
* I decided to keep this hack ...
* At least data are correctly displayed without invented ints ...
*/
offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Workstation FQDN",
hf_netlogon_workstation_fqdn, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Workstation Site",
hf_netlogon_workstation_site_name, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Dummy 1", hf_netlogon_dummy_string, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Dummy 2", hf_netlogon_dummy_string2, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Dummy 3", hf_netlogon_dummy_string3, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Dummy 4", hf_netlogon_dummy_string4, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_os_version, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_workstation_os, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string3, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string4, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_workstation_flags, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy2_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy3_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy4_long, NULL);
return offset;
}
static int
netlogon_dissect_WORKSTATION_INFORMATION(tvbuff_t *tvb , int offset ,
packet_info *pinfo , proto_tree *tree ,
dcerpc_info *di, guint8 *drep ) {
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_WORKSTATION_INFO, NDR_POINTER_UNIQUE,
"WORKSTATION INFO", -1);
return offset;
}
static int
netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_ONE_DOMAIN_INFO(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_trusts, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
"DOMAIN_TRUST_ARRAY: Trusted domains", -1);
offset = netlogon_dissect_LSA_POLICY_INFO(tvb,offset,pinfo, tree,di,drep);
/* offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_num_trusts, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
"LSA Policy", -1);
*/
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_ad_client_dns_name, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string2, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string3, 0);
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy_string4, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_workstation_flags, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_supportedenctypes, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy3_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dummy4_long, NULL);
return offset;
}
static int
netlogon_dissect_DOMAIN_INFORMATION(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 level = 0;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, &level);
ALIGN_TO_4_BYTES;
switch(level){
case 1:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
"DOMAIN_INFO", -1);
break;
}
return offset;
}
static int
netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
int i;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_UNICODE_STRING_512, &item, "UNICODE_STRING_512:");
}
for(i=0;i<512;i++){
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_short, NULL);
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_char, NULL);
return offset;
}
static int
netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_element_844_byte);
return offset;
}
static int
netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_TYPE_50, &item, "TYPE_50:");
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
"unknown", hf_netlogon_unknown_string);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
"TYPE_50 pointer: unknown_TYPE_50", -1);
return offset;
}
static int
netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
{
guint32 tmp;
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_DS_DOMAIN_TRUSTS, NULL, "DS_DOMAIN_TRUSTS");
}
/* name */
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "NetBIOS Name",
hf_netlogon_downlevel_domain_name, 0);
/* domain */
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "DNS Domain Name",
hf_netlogon_dns_domain_name, 0);
offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_trust_parent_index, &tmp);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_trust_type, &tmp);
offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);
/* SID pointer */
offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
/* GUID */
offset = dissect_nt_GUID(tvb, offset, pinfo, tree, di, drep);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DS_DOMAIN_TRUSTS);
return offset;
}
static int
netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_char, NULL);
return offset;
}
static int
netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_element_865_byte);
return offset;
}
static int
netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_char, NULL);
return offset;
}
static int
netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_element_866_byte);
return offset;
}
static int
netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_TYPE_52, &item, "TYPE_52:");
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
"unknown", hf_netlogon_unknown_string);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
"unknown", hf_netlogon_unknown_string);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
"TYPE_52 pointer: unknown_TYPE_52", -1);
return offset;
}
static int
netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
dcerpc_info *di, guint8 *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
guint32 level = 0;
if(parent_tree){
tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
ett_TYPE_44, &item, "TYPE_44:");
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, &level);
ALIGN_TO_4_BYTES;
switch(level){
case 1:
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
break;
}
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
netlogon_dissect_WORKSTATION_BUFFER(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
dcerpc_info *di, guint8 *drep)
{
guint32 level;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level, &level);
if (level == 2) {
/* Specs are not very clear (as usual ...) it seems that the
* structure in both case is a NETLOGON_WORKSTATION_INFO
* but in this case only the LSA POLICY INFO will contain
* something
*/
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
"LSA POLICY INFO", -1);
}
else {
if (level == 1) {
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
"WORKSTATION INFORMATION", -1);}
}
return offset;
}
static int
netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
"UNICODE_MULTI pointer: trust_dom_name_list", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
static int
netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
dissect_nt_GUID, NDR_POINTER_UNIQUE,
"GUID pointer: domain_guid", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
dissect_nt_GUID, NDR_POINTER_UNIQUE,
"GUID pointer: site_guid", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_flags, NULL);
return offset;
}
static int
netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
"DOMAIN_CONTROLLER_INFO:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "unknown string",
hf_netlogon_unknown_string, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
return offset;
}
static int
netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
"TYPE_44 pointer: unknown_TYPE_44", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
return offset;
}
static int
netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "unknown string",
hf_netlogon_unknown_string, 0);
return offset;
}
static int
netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
return offset;
}
static int
netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
int i;
for(i=0;i<16;i++){
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_char, NULL);
}
return offset;
}
static int
netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "unknown string",
hf_netlogon_unknown_string, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
return offset;
}
static int
netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,guint32 flags,int offset)
{
static int * const hf_flags[] = {
#if 0
&hf_netlogon_neg_flags_80000000,
#endif
&hf_netlogon_neg_flags_40000000,
&hf_netlogon_neg_flags_20000000,
#if 0
&hf_netlogon_neg_flags_10000000,
&hf_netlogon_neg_flags_8000000,
&hf_netlogon_neg_flags_4000000,
&hf_netlogon_neg_flags_2000000,
&hf_netlogon_neg_flags_800000,
&hf_netlogon_neg_flags_400000,
#endif
&hf_netlogon_neg_flags_1000000,
&hf_netlogon_neg_flags_200000,
&hf_netlogon_neg_flags_100000,
&hf_netlogon_neg_flags_80000,
&hf_netlogon_neg_flags_40000,
&hf_netlogon_neg_flags_20000,
&hf_netlogon_neg_flags_10000,
&hf_netlogon_neg_flags_8000,
&hf_netlogon_neg_flags_4000,
&hf_netlogon_neg_flags_2000,
&hf_netlogon_neg_flags_1000,
&hf_netlogon_neg_flags_800,
&hf_netlogon_neg_flags_400,
&hf_netlogon_neg_flags_200,
&hf_netlogon_neg_flags_100,
&hf_netlogon_neg_flags_80,
&hf_netlogon_neg_flags_40,
&hf_netlogon_neg_flags_20,
&hf_netlogon_neg_flags_10,
&hf_netlogon_neg_flags_8,
&hf_netlogon_neg_flags_4,
&hf_netlogon_neg_flags_2,
&hf_netlogon_neg_flags_1,
NULL
};
proto_tree_add_bitmask_value_with_flags(tree, tvb, offset, hf_netlogon_neg_flags, ett_authenticate_flags, hf_flags, flags, BMT_NO_APPEND);
return 0;
}
static int
netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
guint32 flags;
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
hf_client_credential, NULL);
#if 0
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
"Client Challenge", -1);
#endif
#if 0
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_neg_flags, NULL);
#endif
ALIGN_TO_4_BYTES;
flags = tvb_get_letohl (tvb, offset);
netlogon_dissect_neg_options(tvb,tree,flags,offset);
seen.isseen = FALSE;
seen.num = 0;
offset +=4;
return offset;
}
/*
* IDL long NetrServerAuthenticate2(
* IDL [in][string][unique] wchar_t *logonserver,
* IDL [in][ref][string] wchar_t *username,
* IDL [in] short secure_channel_type,
* IDL [in][ref][string] wchar_t *computername,
* IDL [in][ref] CREDENTIAL *client_chal,
* IDL [out][ref] CREDENTIAL *server_chal,
* IDL [in][out][ref] long *negotiate_flags,
* IDL );
*/
static int
netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
return netlogon_dissect_netrserverauthenticate3_rqst(tvb,offset,pinfo,tree,di,drep);
}
static int
netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo,
proto_tree *tree,
dcerpc_info *di,
guint8 *drep,
int version)
{
guint32 flags = 0;
netlogon_auth_vars *vars;
netlogon_auth_key key;
guint64 server_cred;
offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
hf_server_credential, &server_cred);
if (version >= 2) {
flags = tvb_get_letohl (tvb, offset);
netlogon_dissect_neg_options(tvb,tree,flags,offset);
offset +=4;
}
ALIGN_TO_4_BYTES;
if (version >= 3) {
offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
hf_server_rid, NULL);
}
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
generate_hash_key(pinfo, 1 , &key);
vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key);
if(vars != NULL) {
debugprintf("Found some vars (ie. server/client challenges), let's see if I can get a session key\n");
while(vars != NULL && vars->next_start != -1 && vars->next_start < (int) pinfo->num ) {
debugprintf("looping auth reply...\n");
vars = vars->next;
}
if(vars == NULL ) {
debugprintf("Something strange happened while searching for authenticate_reply\n");
}
else {
md4_pass *pass_list=NULL;
const md4_pass *used_md4 = NULL;
const char *used_method = NULL;
guint32 list_size = 0;
unsigned int i = 0;
md4_pass password;
guint8 session_key[16];
int found = 0;
vars->flags = flags;
vars->can_decrypt = FALSE;
list_size = get_md4pass_list(pinfo->pool, &pass_list);
debugprintf("Found %d passwords \n",list_size);
if( flags & NETLOGON_FLAG_AES )
{
guint8 salt_buf[16] = { 0 };
guint8 sha256[HASH_SHA2_256_LENGTH];
guint64 calculated_cred;
memcpy(&salt_buf[0], (guint8*)&vars->client_challenge, 8);
memcpy(&salt_buf[8], (guint8*)&vars->server_challenge, 8);
used_method = "AES";
printnbyte((guint8*)&vars->client_challenge,8,"Client challenge:","\n");
printnbyte((guint8*)&vars->server_challenge,8,"Server challenge:","\n");
printnbyte((guint8*)&server_cred,8,"Server creds:","\n");
for(i=0;i<list_size;i++)
{
used_md4 = &pass_list[i];
password = pass_list[i];
printnbyte((guint8*)&password, 16,"NTHASH:","\n");
if (!ws_hmac_buffer(GCRY_MD_SHA256, sha256, salt_buf, sizeof(salt_buf), (guint8*) &password, 16)) {
gcry_error_t err;
gcry_cipher_hd_t cipher_hd = NULL;
guint8 iv[16] = { 0 };
/* truncate the session key to 16 bytes */
memcpy(session_key, sha256, 16);
printnbyte((guint8*)session_key, 16,"Session Key","\n");
/* Open the cipher */
err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
if (err != 0) {
ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
break;
}
/* Set the initial value */
err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
if (err != 0) {
ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
gcry_cipher_close(cipher_hd);
break;
}
/* Set the key */
err = gcry_cipher_setkey(cipher_hd, session_key, 16);
if (err != 0) {
ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
gcry_cipher_close(cipher_hd);
break;
}
calculated_cred = 0x1234567812345678;
err = gcry_cipher_encrypt(cipher_hd,
(guint8 *)&calculated_cred, 8,
(const guint8 *)&vars->server_challenge, 8);
if (err != 0) {
ws_warning("GCRY: encrypt %s/%s\n", gcry_strsource(err), gcry_strerror(err));
gcry_cipher_close(cipher_hd);
break;
}
/* Done with the cipher */
gcry_cipher_close(cipher_hd);
printnbyte((guint8*)&calculated_cred,8,"Calculated creds:","\n");
if(calculated_cred==server_cred) {
found = 1;
break;
}
}
}
} else if ( flags & NETLOGON_FLAG_STRONGKEY ) {
guint8 zeros[4] = { 0 };
guint8 md5[HASH_MD5_LENGTH];
gcry_md_hd_t md5_handle;
guint8 buf[8] = { 0 };
guint64 calculated_cred;
used_method = "MD5";
if (!gcry_md_open(&md5_handle, GCRY_MD_MD5, 0)) {
gcry_md_write(md5_handle, zeros, 4);
gcry_md_write(md5_handle, (guint8*)&vars->client_challenge, 8);
gcry_md_write(md5_handle, (guint8*)&vars->server_challenge, 8);
memcpy(md5, gcry_md_read(md5_handle, 0), 16);
gcry_md_close(md5_handle);
}
printnbyte(md5,8,"MD5:","\n");
printnbyte((guint8*)&vars->client_challenge,8,"Client challenge:","\n");
printnbyte((guint8*)&vars->server_challenge,8,"Server challenge:","\n");
printnbyte((guint8*)&server_cred,8,"Server creds:","\n");
for(i=0;i<list_size;i++)
{
used_md4 = &pass_list[i];
password = pass_list[i];
if (!ws_hmac_buffer(GCRY_MD_MD5, session_key, md5, HASH_MD5_LENGTH, (guint8*) &password, 16)) {
crypt_des_ecb(buf,(unsigned char*)&vars->server_challenge,session_key);
crypt_des_ecb((unsigned char*)&calculated_cred,buf,session_key+7);
printnbyte((guint8*)&calculated_cred,8,"Calculated creds:","\n");
if(calculated_cred==server_cred) {
found = 1;
break;
}
}
}
}
else
{
/*Not implemented*/
debugprintf("Else case not implemented\n");
memset(session_key,0,16);
}
if(found) {
vars->nthash = *used_md4;
vars->auth_fd_num = pinfo->num;
memcpy(&vars->session_key,session_key,16);
debugprintf("Found the good session key !\n");
expert_add_info_format(pinfo, proto_tree_get_parent(tree),
&ei_netlogon_auth_nthash,
"%s authenticated using %s (%02x%02x%02x%02x...)",
used_method, used_md4->key_origin,
used_md4->md4[0] & 0xFF, used_md4->md4[1] & 0xFF,
used_md4->md4[2] & 0xFF, used_md4->md4[3] & 0xFF);
expert_add_info_format(pinfo, proto_tree_get_parent(tree),
&ei_netlogon_session_key,
"session key ("
"%02x%02x%02x%02x"
"%02x%02x%02x%02x"
"%02x%02x%02x%02x"
"%02x%02x%02x%02x"
")",
session_key[0] & 0xFF, session_key[1] & 0xFF,
session_key[2] & 0xFF, session_key[3] & 0xFF,
session_key[4] & 0xFF, session_key[5] & 0xFF,
session_key[6] & 0xFF, session_key[7] & 0xFF,
session_key[8] & 0xFF, session_key[9] & 0xFF,
session_key[10] & 0xFF, session_key[11] & 0xFF,
session_key[12] & 0xFF, session_key[13] & 0xFF,
session_key[14] & 0xFF, session_key[15] & 0xFF);
}
else {
debugprintf("Session key not found !\n");
memset(&vars->session_key,0,16);
}
}
}
return offset;
}
static int
netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
return netlogon_dissect_netrserverauthenticate023_reply(tvb,offset,pinfo,tree,di,drep,3);
}
static int
netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
return netlogon_dissect_netrserverauthenticate023_reply(tvb,offset,pinfo,tree,di,drep,2);
}
static int
netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
dissect_nt_GUID, NDR_POINTER_UNIQUE,
"GUID pointer: domain_guid", -1);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
"DOMAIN_CONTROLLER_INFO:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
/* XXX hmmm this does not really look like a UNIQUE pointer but
will do for now. I think it is really a 32bit integer followed by
a REF pointer to a unicode string */
offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name",
hf_netlogon_site_name, cb_wstr_postprocess,
GINT_TO_POINTER(CB_STR_COL_INFO | 1));
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
/* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Computer Name",
hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: client", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_WORKSTATION_BUFFER, NDR_POINTER_REF,
"WORKSTATION_BUFFER", -1);
return offset;
}
static int
netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DOMAIN_INFORMATION, NDR_POINTER_REF,
"DOMAIN_INFORMATION", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "unknown string",
hf_netlogon_unknown_string, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_short, NULL);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "unknown string",
hf_netlogon_unknown_string, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Computer Name",
hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
return offset;
}
static int
netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
"LM_OWF_PASSWORD pointer: server_pwd", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "unknown string",
hf_netlogon_unknown_string, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
"AUTHENTICATOR: credential", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
return offset;
}
static int
netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
"AUTHENTICATOR: return_authenticator", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1);
return offset;
}
static int
netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
"TYPE_50** pointer: unknown_TYPE_50", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Client Account",
hf_netlogon_acct_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Client Account",
hf_netlogon_logon_dom, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
dissect_nt_GUID, NDR_POINTER_UNIQUE,
"Domain GUID:", -1);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Client Site",
hf_netlogon_site_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
return offset;
}
static int
netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
"DOMAIN_CONTROLLER_INFO:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "unknown string",
hf_netlogon_unknown_string, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_entries, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
"DS_DOMAIN_TRUSTS_ARRAY:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1);
return offset;
}
static int
netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
"TYPE_52 pointer: unknown_TYPE_52", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_counted_string_cb(
tvb, offset, pinfo, tree, di, drep, hf_netlogon_site_name,
cb_wstr_postprocess,
GINT_TO_POINTER(CB_STR_COL_INFO | 1));
return offset;
}
static int
netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_site_name_item);
return offset;
}
static int
netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_count, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
"Site name array", -1);
return offset;
}
static int
netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
"Site names", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
static int
netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "LogonServer",
hf_netlogon_computer_name, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Computer Name",
hf_netlogon_computer_name, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_level16, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_LEVEL, NDR_POINTER_REF,
"LEVEL: LogonLevel", -1);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_validation_level, NULL);
offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
#if 0
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "unknown string",
hf_netlogon_unknown_string, 0);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "unknown string",
hf_netlogon_unknown_string, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_short, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
"LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_unknown_short, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
#endif
return offset;
}
static int
netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION, NDR_POINTER_REF,
"VALIDATION:", -1);
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_authoritative, NULL);
offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
#if 0
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
"VALIDATION: unknown_NETLOGON_VALIDATION", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
"BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
#endif
return offset;
}
static int
netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
return offset;
}
static int
netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_entries, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
"DS_DOMAIN_TRUSTS_ARRAY:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_dos_rc, NULL);
return offset;
}
static int
netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, di, drep);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
dissect_nt_GUID, NDR_POINTER_UNIQUE,
"GUID pointer: domain_guid", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
dissect_nt_GUID, NDR_POINTER_UNIQUE,
"GUID pointer: dsa_guid", -1);
offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
return offset;
}
static int
netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
{
offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
hf_netlogon_rc, NULL);
return offset;
}
/* Dissect secure channel stuff */
static int hf_netlogon_secchan_nl_message_type = -1;
static int hf_netlogon_secchan_nl_message_flags = -1;
static int hf_netlogon_secchan_nl_message_flags_nb_domain = -1;
static int hf_netlogon_secchan_nl_message_flags_nb_host = -1;
static int hf_netlogon_secchan_nl_message_flags_dns_domain = -1;
static int hf_netlogon_secchan_nl_message_flags_dns_host = -1;
static int hf_netlogon_secchan_nl_message_flags_nb_host_utf8 = -1;
static int hf_netlogon_secchan_nl_nb_domain = -1;
static int hf_netlogon_secchan_nl_nb_host = -1;
static int hf_netlogon_secchan_nl_dns_domain = -1;
static int hf_netlogon_secchan_nl_dns_host = -1;
static int hf_netlogon_secchan_nl_nb_host_utf8 = -1;
static gint ett_secchan_verf = -1;
static gint ett_secchan_nl_auth_message = -1;
static gint ett_secchan_nl_auth_message_flags = -1;
static const value_string nl_auth_types[] = {
{ 0x00000000, "Request"},
{ 0x00000001, "Response"},
{ 0, NULL }
};
/* MS-NRPC : 2.2.1.3.1 NL_AUTH_MESSAGE */
static int dissect_secchan_nl_auth_message(tvbuff_t *tvb, int offset,
packet_info *pinfo,
proto_tree *tree, dcerpc_info *di _U_, guint8 *drep)
{
proto_item *item = NULL;
proto_tree *subtree = NULL;
guint32 messagetype;
guint64 messageflags;
static int * const flag_fields[] = {
&hf_netlogon_secchan_nl_message_flags_nb_domain,
&hf_netlogon_secchan_nl_message_flags_nb_host,
&hf_netlogon_secchan_nl_message_flags_dns_domain,
&hf_netlogon_secchan_nl_message_flags_dns_host,
&hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
NULL
};
int len;
if (tree) {
subtree = proto_tree_add_subtree(
tree, tvb, offset, -1, ett_secchan_nl_auth_message, &item,
"Secure Channel NL_AUTH_MESSAGE");
}
/* We can't use the NDR routines as the DCERPC call data hasn't
been initialised since we haven't made a DCERPC call yet, just
a bind request. */
/* Type */
offset = dissect_dcerpc_uint32(
tvb, offset, pinfo, subtree, drep,
hf_netlogon_secchan_nl_message_type, &messagetype);
/* Flags */
proto_tree_add_bitmask_ret_uint64(subtree, tvb, offset,
hf_netlogon_secchan_nl_message_flags,
ett_secchan_nl_auth_message_flags,
flag_fields,
(drep[0] & DREP_LITTLE_ENDIAN) ?
ENC_LITTLE_ENDIAN :
ENC_BIG_ENDIAN,
&messageflags);
offset += 4;
/* Buffer */
/* netbios domain name */
if (messageflags&0x00000001) {
len = tvb_strsize(tvb, offset);
proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_domain, tvb, offset, len, ENC_ASCII);
offset += len;
}
/* netbios host name */
if (messageflags&0x00000002) {
len = tvb_strsize(tvb, offset);
proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_host, tvb, offset, len, ENC_ASCII);
offset += len;
}
/* DNS domain name */
if (messageflags&0x00000004) {
int old_offset=offset;
char *str;
offset=dissect_mscldap_string(tvb, offset, 255, &str);
proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_domain, tvb, old_offset, offset-old_offset, str);
}
/* DNS host name */
if (messageflags&0x00000008) {
int old_offset=offset;
char *str;
offset=dissect_mscldap_string(tvb, offset, 255, &str);
proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_host, tvb, old_offset, offset-old_offset, str);
}
/* NetBios host name (UTF8) */
if (messageflags&0x00000010) {
int old_offset=offset;
char *str;
offset=dissect_mscldap_string(tvb, offset, 255, &str);
proto_tree_add_string(subtree, hf_netlogon_secchan_nl_nb_host_utf8, tvb, old_offset, offset-old_offset, str);
}
return offset;
}
/* Subdissectors */
static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
{ NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
netlogon_dissect_netrlogonuaslogon_rqst,
netlogon_dissect_netrlogonuaslogon_reply },
{ NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
netlogon_dissect_netrlogonuaslogoff_rqst,
netlogon_dissect_netrlogonuaslogoff_reply },
{ NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
netlogon_dissect_netrlogonsamlogon_rqst,
netlogon_dissect_netrlogonsamlogon_reply },
{ NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
netlogon_dissect_netrlogonsamlogoff_rqst,
netlogon_dissect_netrlogonsamlogoff_reply },
{ NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
netlogon_dissect_netrserverreqchallenge_rqst,
netlogon_dissect_netrserverreqchallenge_reply },
{ NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
netlogon_dissect_netrserverauthenticate_rqst,
netlogon_dissect_netrserverauthenticate_reply },
{ NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
netlogon_dissect_netrserverpasswordset_rqst,
netlogon_dissect_netrserverpasswordset_reply },
{ NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
netlogon_dissect_netrdatabasedeltas_rqst,
netlogon_dissect_netrdatabasedeltas_reply },
{ NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
netlogon_dissect_netrdatabasesync_rqst,
netlogon_dissect_netrdatabasesync_reply },
{ NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
netlogon_dissect_netraccountdeltas_rqst,
netlogon_dissect_netraccountdeltas_reply },
{ NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
netlogon_dissect_netraccountsync_rqst,
netlogon_dissect_netraccountsync_reply },
{ NETLOGON_NETRGETDCNAME, "NetrGetDCName",
netlogon_dissect_netrgetdcname_rqst,
netlogon_dissect_netrgetdcname_reply },
{ NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
netlogon_dissect_netrlogoncontrol_rqst,
netlogon_dissect_netrlogoncontrol_reply },
{ NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
netlogon_dissect_netrgetanydcname_rqst,
netlogon_dissect_netrgetanydcname_reply },
{ NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
netlogon_dissect_netrlogoncontrol2_rqst,
netlogon_dissect_netrlogoncontrol2_reply },
{ NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
netlogon_dissect_netrserverauthenticate2_rqst,
netlogon_dissect_netrserverauthenticate2_reply },
{ NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
netlogon_dissect_netrdatabasesync2_rqst,
netlogon_dissect_netrdatabasesync2_reply },
{ NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
netlogon_dissect_netrdatabaseredo_rqst,
netlogon_dissect_netrdatabaseredo_reply },
{ NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
netlogon_dissect_netrlogoncontrol2ex_rqst,
netlogon_dissect_netrlogoncontrol2ex_reply },
{ NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
netlogon_dissect_netrenumeratetrusteddomains_rqst,
netlogon_dissect_netrenumeratetrusteddomains_reply },
{ NETLOGON_DSRGETDCNAME, "DsrGetDcName",
netlogon_dissect_dsrgetdcname_rqst,
netlogon_dissect_dsrgetdcname_reply },
{ NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
netlogon_dissect_netrlogondummyroutine1_rqst,
netlogon_dissect_netrlogondummyroutine1_reply },
{ NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
netlogon_dissect_netrlogonsetservicebits_rqst,
netlogon_dissect_netrlogonsetservicebits_reply },
{ NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
netlogon_dissect_netrlogongettrustrid_rqst,
netlogon_dissect_netrlogongettrustrid_reply },
{ NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
netlogon_dissect_netrlogoncomputeserverdigest_rqst,
netlogon_dissect_netrlogoncomputeserverdigest_reply },
{ NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
netlogon_dissect_netrlogoncomputeclientdigest_rqst,
netlogon_dissect_netrlogoncomputeclientdigest_reply },
{ NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
netlogon_dissect_netrserverauthenticate3_rqst,
netlogon_dissect_netrserverauthenticate3_reply },
{ NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
netlogon_dissect_dsrgetdcnameex_rqst,
netlogon_dissect_dsrgetdcnameex_reply },
{ NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
netlogon_dissect_dsrgetsitename_rqst,
netlogon_dissect_dsrgetsitename_reply },
{ NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
netlogon_dissect_netrlogongetdomaininfo_rqst,
netlogon_dissect_netrlogongetdomaininfo_reply },
{ NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
netlogon_dissect_netrserverpasswordset2_rqst,
netlogon_dissect_netrserverpasswordset2_reply },
{ NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
netlogon_dissect_netrserverpasswordget_rqst,
netlogon_dissect_netrserverpasswordget_reply },
{ NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
netlogon_dissect_netrlogonsendtosam_rqst,
netlogon_dissect_netrlogonsendtosam_reply },
{ NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
netlogon_dissect_dsraddresstositenamesw_rqst,
netlogon_dissect_dsraddresstositenamesw_reply },
{ NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
netlogon_dissect_dsrgetdcnameex2_rqst,
netlogon_dissect_dsrgetdcnameex2_reply },
{ NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
"NetrLogonGetTimeServiceParentDomain",
netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
{ NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
netlogon_dissect_netrenumeratetrusteddomainsex_reply },
{ NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
netlogon_dissect_dsraddresstositenamesexw_rqst,
netlogon_dissect_dsraddresstositenamesexw_reply },
{ NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
netlogon_dissect_dsrgetdcsitecoveragew_rqst,
netlogon_dissect_dsrgetdcsitecoveragew_reply },
{ NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
netlogon_dissect_netrlogonsamlogonex_rqst,
netlogon_dissect_netrlogonsamlogonex_reply },
{ NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
netlogon_dissect_dsrenumeratedomaintrusts_rqst,
netlogon_dissect_dsrenumeratedomaintrusts_reply },
{ NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
netlogon_dissect_dsrderegisterdnshostrecords_rqst,
netlogon_dissect_dsrderegisterdnshostrecords_reply },
{ NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
NULL, NULL },
{ NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
NULL, NULL },
{ NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
NULL, NULL },
{ NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
netlogon_dissect_netrlogonsamlogonflags_rqst,
netlogon_dissect_netrlogonsamlogonflags_reply },
{ NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
NULL, NULL },
{0, NULL, NULL, NULL }
};
static int hf_netlogon_secchan_verf = -1;
static int hf_netlogon_secchan_verf_signalg = -1;
static int hf_netlogon_secchan_verf_sealalg = -1;
static int hf_netlogon_secchan_verf_flag = -1;
static int hf_netlogon_secchan_verf_digest = -1;
static int hf_netlogon_secchan_verf_seq = -1;
static int hf_netlogon_secchan_verf_nonce = -1;
static const value_string sign_algs[] = {
{ 0x0077, "HMAC-MD5"},
{ 0, NULL}
};
static const value_string seal_algs[] = {
{ 0xFFFF, "Not Encrypted"},
{ 0x007A, "RC4"},
{ 0, NULL}
};
static int get_seal_key(const guint8 *session_key,int key_len,guint8* seal_key)
{
guint8 zero_sk[16] = { 0 };
int i = 0;
memset(seal_key,0,16);
if(memcmp(session_key,zero_sk,16)) {
for(i=0;i<key_len;i++) {
seal_key[i] = session_key[i] ^ 0xF0;
}
return 1;
} else {
return 0;
}
}
static guint64 uncrypt_sequence_aes(guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
gcry_error_t err;
gcry_cipher_hd_t cipher_hd = NULL;
guint8 iv[16] = { 0 };
memcpy(&iv[0], (guint8*)&checksum, 8);
memcpy(&iv[8], (guint8*)&checksum, 8);
/* Open the cipher */
err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
if (err != 0) {
ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
return 0;
}
/* Set the initial value */
err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
if (err != 0) {
ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
gcry_cipher_close(cipher_hd);
return 0;
}
/* Set the key */
err = gcry_cipher_setkey(cipher_hd, session_key, 16);
if (err != 0) {
ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
gcry_cipher_close(cipher_hd);
return 0;
}
err = gcry_cipher_decrypt(cipher_hd, (guint8*) &enc_seq, 8, NULL, 0);
if (err != 0) {
ws_warning("GCRY: encrypt %s/%s\n", gcry_strsource(err), gcry_strerror(err));
gcry_cipher_close(cipher_hd);
return 0;
}
/* Done with the cipher */
gcry_cipher_close(cipher_hd);
return enc_seq;
}
static guint64 uncrypt_sequence_strong(guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
guint8 zeros[4] = { 0 };
guint8 buf[HASH_MD5_LENGTH];
guint8 key[HASH_MD5_LENGTH];
gcry_cipher_hd_t rc4_handle;
guint8 *p_seq = (guint8*) &enc_seq;
/*guint32 temp;*/
if (ws_hmac_buffer(GCRY_MD_MD5, buf, zeros, 4, session_key, 16)) {
return 0;
}
if (ws_hmac_buffer(GCRY_MD_MD5, key, (guint8*)&checksum, 8, buf, HASH_MD5_LENGTH)) {
return 0;
}
if (!gcry_cipher_open (&rc4_handle, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0)) {
if (!gcry_cipher_setkey(rc4_handle, key, HASH_MD5_LENGTH)) {
gcry_cipher_decrypt(rc4_handle, p_seq, 8, NULL, 0);
}
gcry_cipher_close(rc4_handle);
}
/*temp = *((guint32*)p_seq);
*((guint32*)p_seq) = *((guint32*)p_seq+1);
*((guint32*)p_seq+1) = temp;
if(!is_server) {
*p_seq = *p_seq & 0x7F;
}
*/
return enc_seq;
}
static guint64 uncrypt_sequence(guint32 flags, guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
if (flags & NETLOGON_FLAG_AES) {
return uncrypt_sequence_aes(session_key, checksum, enc_seq, is_server);
}
if (flags & NETLOGON_FLAG_STRONGKEY) {
return uncrypt_sequence_strong(session_key, checksum, enc_seq, is_server);
}
return 0;
}
static gcry_error_t prepare_decryption_cipher_aes(netlogon_auth_vars *vars,
gcry_cipher_hd_t *_cipher_hd)
{
gcry_error_t err;
gcry_cipher_hd_t cipher_hd = NULL;
guint64 sequence = vars->seq;
guint8 iv[16] = { 0 };
memcpy(&iv[0], (guint8*)&sequence, 8);
memcpy(&iv[8], (guint8*)&sequence, 8);
/* Open the cipher */
err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CFB8, 0);
if (err != 0) {
ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
return 0;
}
/* Set the initial value */
err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
if (err != 0) {
ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err));
gcry_cipher_close(cipher_hd);
return 0;
}
/* Set the key */
err = gcry_cipher_setkey(cipher_hd, vars->encryption_key, 16);
if (err != 0) {
ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
gcry_cipher_close(cipher_hd);
return 0;
}
*_cipher_hd = cipher_hd;
return 0;
}
static gcry_error_t prepare_decryption_cipher_strong(netlogon_auth_vars *vars,
gcry_cipher_hd_t *_cipher_hd)
{
gcry_error_t err;
gcry_cipher_hd_t cipher_hd = NULL;
guint8 zeros[4] = { 0 };
guint64 sequence = vars->seq;
guint8 tmp[HASH_MD5_LENGTH] = { 0 };
guint8 seal_key[16] = { 0 };
err = ws_hmac_buffer(GCRY_MD_MD5, tmp, zeros, 4, vars->encryption_key, 16);
if (err != 0) {
ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(err), gcry_strerror(err));
return err;
}
err = ws_hmac_buffer(GCRY_MD_MD5, seal_key, (guint8*)&sequence, 8, tmp, HASH_MD5_LENGTH);
if (err != 0) {
ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(err), gcry_strerror(err));
return err;
}
/* Open the cipher */
err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0);
if (err != 0) {
ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err));
return err;
}
/* Set the key */
err = gcry_cipher_setkey(cipher_hd, seal_key, 16);
if (err != 0) {
ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err));
gcry_cipher_close(cipher_hd);
return err;
}
*_cipher_hd = cipher_hd;
return 0;
}
static gcry_error_t prepare_decryption_cipher(netlogon_auth_vars *vars,
gcry_cipher_hd_t *_cipher_hd)
{
*_cipher_hd = NULL;
if (vars->flags & NETLOGON_FLAG_AES) {
return prepare_decryption_cipher_aes(vars, _cipher_hd);
}
if (vars->flags & NETLOGON_FLAG_STRONGKEY) {
return prepare_decryption_cipher_strong(vars, _cipher_hd);
}
return GPG_ERR_UNSUPPORTED_ALGORITHM;
}
static tvbuff_t *
dissect_packet_data(tvbuff_t *tvb ,tvbuff_t *auth_tvb _U_,
int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info _U_,unsigned char is_server)
{
tvbuff_t *buf = NULL;
guint8* decrypted;
netlogon_auth_vars *vars;
netlogon_auth_key key;
/*debugprintf("Dissection of request data offset %d len=%d on packet %d\n",offset,tvb_length_remaining(tvb,offset),pinfo->num);*/
generate_hash_key(pinfo,is_server,&key);
vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key);
if(vars != NULL ) {
while(vars != NULL && vars->next_start != -1 && vars->next_start < (int) pinfo->num ) {
vars = vars->next;
}
if(vars == NULL ) {
debugprintf("Vars not found %d (packet_data)\n",wmem_map_size(netlogon_auths));
return(buf);
}
else {
if(vars->can_decrypt == TRUE) {
gcry_error_t err;
gcry_cipher_hd_t cipher_hd = NULL;
int data_len;
guint64 copyconfounder = vars->confounder;
data_len = tvb_captured_length_remaining(tvb,offset);
if (data_len < 0) {
return NULL;
}
err = prepare_decryption_cipher(vars, &cipher_hd);
if (err != 0) {
ws_warning("GCRY: prepare_decryption_cipher %s/%s\n",
gcry_strsource(err), gcry_strerror(err));
return NULL;
}
gcry_cipher_decrypt(cipher_hd, (guint8*)&copyconfounder, 8, NULL, 0);
decrypted = (guint8*)tvb_memdup(pinfo->pool, tvb, offset,data_len);
if (!(vars->flags & NETLOGON_FLAG_AES)) {
gcry_cipher_reset(cipher_hd);
}
gcry_cipher_decrypt(cipher_hd, decrypted, data_len, NULL, 0);
gcry_cipher_close(cipher_hd);
buf = tvb_new_child_real_data(tvb, decrypted, data_len, data_len);
/* Note: caller does add_new_data_source(...) */
}
else {
debugprintf("Session key not found can't decrypt ...\n");
}
}
} else {
debugprintf("Vars not found %d (packet_data)\n",wmem_map_size(netlogon_auths));
return(buf);
}
return(buf);
}
static tvbuff_t* dissect_request_data(tvbuff_t *header_tvb _U_,
tvbuff_t *payload_tvb,
tvbuff_t *trailer_tvb _U_,
tvbuff_t *auth_tvb,
packet_info *pinfo,
dcerpc_auth_info *auth_info)
{
return dissect_packet_data(payload_tvb,auth_tvb,0,pinfo,auth_info,0);
}
static tvbuff_t* dissect_response_data(tvbuff_t *header_tvb _U_,
tvbuff_t *payload_tvb,
tvbuff_t *trailer_tvb _U_,
tvbuff_t *auth_tvb,
packet_info *pinfo,
dcerpc_auth_info *auth_info)
{
return dissect_packet_data(payload_tvb,auth_tvb,0,pinfo,auth_info,1);
}
/* MS-NRPC 2.2.1.3.2 */
static int
dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, guint8 *drep, unsigned char is_server)
{
netlogon_auth_vars *vars;
netlogon_auth_key key;
proto_item *vf = NULL;
proto_tree *subtree = NULL;
guint64 encrypted_seq;
guint64 digest = 0;
guint64 confounder = 0;
int update_vars = 0;
generate_hash_key(pinfo,is_server,&key);
vars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths,(gconstpointer*) &key);
if( ! (seen.isseen && seen.num == pinfo->num) ) {
/*
* Create a new tree, and split into x components ...
*/
vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
offset, -1, ENC_NA);
subtree = proto_item_add_subtree(vf, ett_secchan_verf);
proto_tree_add_item(subtree, hf_netlogon_secchan_verf_signalg, tvb,
offset, 2, ENC_LITTLE_ENDIAN);
proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sealalg, tvb,
offset+2, 2, ENC_LITTLE_ENDIAN);
/* 2 pad bytes */
proto_tree_add_item(subtree, hf_netlogon_secchan_verf_flag, tvb,
offset+6, 2, ENC_NA);
offset += 8;
offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
hf_netlogon_secchan_verf_seq, &encrypted_seq);
offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
hf_netlogon_secchan_verf_digest, &digest);
/* In some cases the nonce if the data/signture are encrypted ("integrity/seal in MS language")*/
if (tvb_bytes_exist(tvb, offset, 8)) {
offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
hf_netlogon_secchan_verf_nonce, &confounder);
}
update_vars = 1;
}
if( vars != NULL ) {
while(vars != NULL && vars->next_start != -1 && vars->next_start < (int)pinfo->num ) {
vars = vars->next;
}
if(vars == NULL ) {
debugprintf("Vars not found %d (packet_data)\n",wmem_map_size(netlogon_auths));
return(offset);
}
else {
if(update_vars) {
vars->confounder = confounder;
vars->seq = uncrypt_sequence(vars->flags,vars->session_key,digest,encrypted_seq,is_server);
}
if(get_seal_key(vars->session_key,16,vars->encryption_key))
{
vars->can_decrypt = TRUE;
}
else
{
debugprintf("get seal key returned 0\n");
}
if (vars->can_decrypt) {
expert_add_info_format(pinfo, proto_tree_get_parent(subtree),
&ei_netlogon_session_key,
"Using session key learned in frame %d ("
"%02x%02x%02x%02x"
") from %s",
vars->auth_fd_num,
vars->session_key[0] & 0xFF, vars->session_key[1] & 0xFF,
vars->session_key[2] & 0xFF, vars->session_key[3] & 0xFF,
vars->nthash.key_origin);
}
}
}
else
{
debugprintf("Vars not found (is null %d) %d (dissect_verf)\n",vars==NULL,wmem_map_size(netlogon_auths));
}
/*debugprintf("Setting isseen to true, old packet %d new %d\n",seen.num,pinfo->num);*/
seen.isseen = TRUE;
seen.num = pinfo->num;
return offset;
}
static int
dissect_request_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
proto_tree *tree, dcerpc_info *di _U_, guint8 *drep )
{
return dissect_secchan_verf(tvb,offset,pinfo,tree,drep,0);
}
static int
dissect_response_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
proto_tree *tree, dcerpc_info *di _U_, guint8 *drep )
{
return dissect_secchan_verf(tvb,offset,pinfo,tree,drep,1);
}
void
proto_register_dcerpc_netlogon(void)
{
static hf_register_info hf[] = {
{ &hf_netlogon_opnum,
{ "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_rc, {
"Return code", "netlogon.rc", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
&NT_errors_ext, 0x0, "Netlogon return code", HFILL }},
{ &hf_netlogon_dos_rc,
{ "DOS error code", "netlogon.dos.rc", FT_UINT32,
BASE_HEX | BASE_EXT_STRING, &DOS_errors_ext, 0x0, NULL, HFILL}},
{ &hf_netlogon_werr_rc,
{ "WERR error code", "netlogon.werr.rc", FT_UINT32,
BASE_HEX | BASE_EXT_STRING, &WERR_errors_ext, 0x0, NULL, HFILL}},
{ &hf_netlogon_param_ctrl, {
"Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_logon_id, {
"Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_modify_count, {
"Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
NULL, 0x0, "How many times the object has been modified", HFILL }},
{ &hf_netlogon_security_information, {
"Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_count, {
"Count", "netlogon.count", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_entries, {
"Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_credential, {
"Credential", "netlogon.credential", FT_BYTES, BASE_NONE,
NULL, 0x0, "Netlogon Credential", HFILL }},
{ &hf_netlogon_challenge, {
"Challenge", "netlogon.challenge", FT_BYTES, BASE_NONE,
NULL, 0x0, "Netlogon challenge", HFILL }},
{ &hf_netlogon_lm_owf_password, {
"LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_NONE,
NULL, 0x0, "LanManager OWF Password", HFILL }},
{ &hf_netlogon_user_session_key, {
"User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_NONE,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_encrypted_lm_owf_password, {
"Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_NONE,
NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
{ &hf_netlogon_nt_owf_password, {
"NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_NONE,
NULL, 0x0, "NT OWF Password", HFILL }},
{ &hf_netlogon_blob, {
"BLOB", "netlogon.blob", FT_BYTES, BASE_NONE,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_len, {
"Len", "netlogon.len", FT_UINT32, BASE_DEC,
NULL, 0, "Length", HFILL }},
{ &hf_netlogon_priv, {
"Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_privilege_entries, {
"Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_privilege_control, {
"Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_privilege_name, {
"Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_pdc_connection_status, {
"PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_tc_connection_status, {
"TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_attrs, {
"Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
NULL, 0, NULL, HFILL }},
#if 0
{ &hf_netlogon_lsapolicy_referentid,
{ "Referent ID", "netlogon.lsapolicy.referentID", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
#endif
{ &hf_netlogon_lsapolicy_len,
{ "Length", "netlogon.lsapolicy.length", FT_UINT32, BASE_DEC,
NULL, 0x0, "Length of the policy buffer", HFILL }},
#if 0
{ &hf_netlogon_lsapolicy_pointer,
{ "Pointer", "netlogon.lsapolicy.pointer", FT_BYTES, BASE_NONE,
NULL, 0x0, "Pointer to LSA POLICY", HFILL }},
#endif
{ &hf_netlogon_unknown_string,
{ "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
NULL, 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL }},
{ &hf_netlogon_TrustedDomainName_string,
{ "TrustedDomainName", "netlogon.TrustedDomainName", FT_STRING, BASE_NONE,
NULL, 0, "TrustedDomainName string.", HFILL }},
{ &hf_netlogon_UserName_string,
{ "UserName", "netlogon.UserName", FT_STRING, BASE_NONE,
NULL, 0, "UserName string.", HFILL }},
{ &hf_netlogon_dummy_string,
{ "Dummy String", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_trust_extension,
{ "Trust extension", "netlogon.trust.extension", FT_STRING, BASE_NONE,
NULL, 0, "Trusts extension.", HFILL }},
{ &hf_netlogon_trust_offset,
{ "Offset", "netlogon.trust.extension_offset", FT_UINT32, BASE_DEC,
NULL, 0, "Trusts extension.", HFILL }},
{ &hf_netlogon_trust_len,
{ "Length", "netlogon.trust.extension_length", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_trust_max,
{ "Max Count", "netlogon.trust.extension.maxcount", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_dummy_string2,
{ "Dummy String2", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String 2. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy_string3,
{ "Dummy String3", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String 3. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy_string4,
{ "Dummy String4", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String 4. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy_string5,
{ "Dummy String5", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String 5. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy_string6,
{ "Dummy String6", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String 6. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy_string7,
{ "Dummy String7", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String 7. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy_string8,
{ "Dummy String8", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String 8. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy_string9,
{ "Dummy String9", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String 9. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy_string10,
{ "Dummy String10", "netlogon.dummy_string", FT_STRING, BASE_NONE,
NULL, 0, "Dummy String 10. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_unknown_long,
{ "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
NULL, 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL }},
{ &hf_netlogon_dummy1_long,
{ "Dummy1 Long", "netlogon.dummy.long1", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 1. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy2_long,
{ "Dummy2 Long", "netlogon.dummy.long2", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 2. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy3_long,
{ "Dummy3 Long", "netlogon.dummy.long3", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 3. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy4_long,
{ "Dummy4 Long", "netlogon.dummy.long4", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 4. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy5_long,
{ "Dummy5 Long", "netlogon.dummy.long5", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 5. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy6_long,
{ "Dummy6 Long", "netlogon.dummy.long6", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 6. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy7_long,
{ "Dummy7 Long", "netlogon.dummy.long7", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 7. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy8_long,
{ "Dummy8 Long", "netlogon.dummy.long8", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 8. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy9_long,
{ "Dummy9 Long", "netlogon.dummy.long9", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 9. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_dummy10_long,
{ "Dummy10 Long", "netlogon.dummy.long10", FT_UINT32, BASE_HEX,
NULL, 0x0, "Dummy long 10. Used is reserved for next evolutions.", HFILL }},
{ &hf_netlogon_supportedenctypes,
{ "Supported Encryption Types", "netlogon.encryption.types", FT_UINT32, BASE_HEX,
NULL, 0x0, "Encryption types", HFILL }},
{ &hf_netlogon_workstation_flags,
{ "Workstation Flags", "netlogon.workstation.flags", FT_UINT32, BASE_HEX,
NULL, 0x0, "Flags", HFILL }},
{ &hf_netlogon_reserved,
{ "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_unknown_short,
{ "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
NULL, 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL }},
{ &hf_netlogon_unknown_char,
{ "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
NULL, 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL }},
{ &hf_netlogon_acct_expiry_time,
{ "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0x0, "When this account will expire", HFILL }},
{ &hf_netlogon_nt_pwd_present,
{ "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
NULL, 0x0, "Is NT password present for this account?", HFILL }},
{ &hf_netlogon_lm_pwd_present,
{ "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
{ &hf_netlogon_pwd_expired,
{ "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
NULL, 0x0, "Whether this password has expired or not", HFILL }},
{ &hf_netlogon_authoritative,
{ "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_sensitive_data_flag,
{ "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
NULL, 0x0, "Sensitive data flag", HFILL }},
{ &hf_netlogon_auditing_mode,
{ "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_max_audit_event_count,
{ "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_event_audit_option,
{ "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_sensitive_data_len,
{ "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
NULL, 0x0, "Length of sensitive data", HFILL }},
{ &hf_netlogon_nt_chal_resp,
{ "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_NONE,
NULL, 0, "Challenge response for NT authentication", HFILL }},
{ &hf_netlogon_lm_chal_resp,
{ "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_NONE,
NULL, 0, "Challenge response for LM authentication", HFILL }},
{ &hf_netlogon_cipher_len,
{ "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_cipher_maxlen,
{ "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
#if 0
{ &hf_netlogon_pac_data,
{ "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_NONE,
NULL, 0, NULL, HFILL }},
#endif
{ &hf_netlogon_sensitive_data,
{ "Data", "netlogon.sensitive_data", FT_BYTES, BASE_NONE,
NULL, 0, "Sensitive Data", HFILL }},
#if 0
{ &hf_netlogon_auth_data,
{ "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_NONE,
NULL, 0, NULL, HFILL }},
#endif
{ &hf_netlogon_cipher_current_data,
{ "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_cipher_old_data,
{ "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_acct_name,
{ "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
NULL, 0, "Account Name", HFILL }},
{ &hf_netlogon_acct_desc,
{ "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
NULL, 0, "Account Description", HFILL }},
{ &hf_netlogon_group_desc,
{ "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
NULL, 0, "Group Description", HFILL }},
{ &hf_netlogon_full_name,
{ "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_comment,
{ "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_parameters,
{ "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_logon_script,
{ "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_profile_path,
{ "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_home_dir,
{ "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
NULL, 0, "Home Directory", HFILL }},
{ &hf_netlogon_dir_drive,
{ "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
NULL, 0, "Drive letter for home directory", HFILL }},
{ &hf_netlogon_logon_srv,
{ "Server", "netlogon.server", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
#if 0
{ &hf_netlogon_principal,
{ "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
#endif
{ &hf_netlogon_logon_dom,
{ "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_resourcegroupcount,
{ "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
NULL, 0, "Number of Resource Groups", HFILL }},
{ &hf_netlogon_accountdomaingroupcount,
{ "AccountDomainGroup count", "netlogon.accountdomaingroupcount", FT_UINT32, BASE_DEC,
NULL, 0, "Number of Account Domain Groups", HFILL }},
{ &hf_netlogon_domaingroupcount,
{ "DomainGroup count", "netlogon.domaingroupcount", FT_UINT32, BASE_DEC,
NULL, 0, "Number of Domain Groups", HFILL }},
{ &hf_netlogon_membership_domains_count,
{ "Membership Domains count", "netlogon.membershipsdomainscount", FT_UINT32, BASE_DEC,
NULL, 0, "Number of ExtraDomain Membership Arrays", HFILL }},
{ &hf_netlogon_computer_name,
{ "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_site_name,
{ "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_dc_name,
{ "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_dc_site_name,
{ "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_dns_forest_name,
{ "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_dc_address,
{ "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_dc_address_type,
{ "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
VALS(dc_address_types), 0, NULL, HFILL }},
{ &hf_netlogon_client_site_name,
{ "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_workstation_site_name,
{ "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
NULL, 0, "Workstation Site Name", HFILL }},
{ &hf_netlogon_workstation,
{ "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
NULL, 0, "Workstation Name", HFILL }},
{ &hf_netlogon_os_version,
{ "OS version", "netlogon.os.version", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_workstation_os,
{ "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
NULL, 0, "Workstation OS", HFILL }},
{ &hf_netlogon_workstations,
{ "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_workstation_fqdn,
{ "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
NULL, 0, "Workstation FQDN", HFILL }},
{ &hf_netlogon_group_name,
{ "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_alias_name,
{ "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_dns_host,
{ "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_downlevel_domain_name,
{ "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
NULL, 0, "Downlevel Domain Name", HFILL }},
{ &hf_netlogon_dns_domain_name,
{ "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
NULL, 0, "DNS Domain Name", HFILL }},
{ &hf_netlogon_ad_client_dns_name,
{ "Client DNS Name", "netlogon.client_dns_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_domain_name,
{ "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
NULL, 0, "Domain Name", HFILL }},
{ &hf_netlogon_oem_info,
{ "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_trusted_dc_name,
{ "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_logon_dnslogondomainname,
{ "DNS Logon Domain name", "netlogon.logon.dnslogondomainname", FT_STRING, BASE_NONE,
NULL, 0, "DNS Name of the logon domain", HFILL }},
{ &hf_netlogon_logon_upn,
{ "UPN", "netlogon.logon.upn", FT_STRING, BASE_NONE,
NULL, 0, "User Principal Name", HFILL }},
{ &hf_netlogon_logonsrv_handle,
{ "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
NULL, 0, "Logon Srv Handle", HFILL }},
{ &hf_netlogon_dummy,
{ "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
NULL, 0, "Dummy string", HFILL }},
{ &hf_netlogon_logon_count16,
{ "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
NULL, 0x0, "Number of successful logins", HFILL }},
{ &hf_netlogon_logon_count,
{ "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of successful logins", HFILL }},
{ &hf_netlogon_bad_pw_count16,
{ "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
NULL, 0x0, "Number of failed logins", HFILL }},
{ &hf_netlogon_bad_pw_count,
{ "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of failed logins", HFILL }},
{ &hf_netlogon_country,
{ "Country", "netlogon.country", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
&ms_country_codes_ext, 0x0, "Country setting for this account", HFILL }},
{ &hf_netlogon_codepage,
{ "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
NULL, 0x0, "Codepage setting for this account", HFILL }},
{ &hf_netlogon_level16,
{ "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
NULL, 0x0, "Which option of the union is represented here", HFILL }},
{ &hf_netlogon_validation_level,
{ "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
NULL, 0x0, "Requested level of validation", HFILL }},
{ &hf_netlogon_minpasswdlen,
{ "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
NULL, 0x0, "Minimum length of password", HFILL }},
{ &hf_netlogon_passwdhistorylen,
{ "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
NULL, 0x0, "Length of password history", HFILL }},
{ &hf_netlogon_secure_channel_type,
{ "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
VALS(misc_netr_SchannelType_vals), 0x0, "Secure Channel Type", HFILL }},
{ &hf_netlogon_restart_state,
{ "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_delta_type,
{ "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
VALS(delta_type_vals), 0x0, NULL, HFILL }},
{ &hf_netlogon_blob_size,
{ "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
NULL, 0x0, "Size in bytes of BLOB", HFILL }},
{ &hf_netlogon_code,
{ "Code", "netlogon.code", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_level,
{ "Level", "netlogon.level", FT_UINT32, BASE_DEC,
NULL, 0x0, "Which option of the union is represented here", HFILL }},
{ &hf_netlogon_reference,
{ "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_next_reference,
{ "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_timestamp,
{ "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_user_rid,
{ "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_alias_rid,
{ "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_group_rid,
{ "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_num_rids,
{ "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of RIDs", HFILL }},
{ &hf_netlogon_num_controllers,
{ "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of domain controllers", HFILL }},
{ &hf_netlogon_num_sid,
{ "Num Extra SID", "netlogon.num_sid", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_flags,
{ "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_user_account_control,
{ "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_user_flags,
{ "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_auth_flags,
{ "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_systemflags,
{ "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_database_id,
{ "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_sync_context,
{ "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_max_size,
{ "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
NULL, 0x0, "Max Size of database", HFILL }},
{ &hf_netlogon_max_log_size,
{ "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
NULL, 0x0, "Max Size of log", HFILL }},
#if 0
{ &hf_netlogon_pac_size,
{ "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
NULL, 0x0, "Size of PacData in bytes", HFILL }},
#endif
#if 0
{ &hf_netlogon_auth_size,
{ "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
NULL, 0x0, "Size of AuthData in bytes", HFILL }},
#endif
{ &hf_netlogon_num_deltas,
{ "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
{ &hf_netlogon_num_trusts,
{ "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_logon_attempts,
{ "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of logon attempts", HFILL }},
{ &hf_netlogon_pagefilelimit,
{ "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_pagedpoollimit,
{ "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_nonpagedpoollimit,
{ "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_minworkingsetsize,
{ "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_maxworkingsetsize,
{ "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_serial_number,
{ "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_neg_flags,
{ "Negotiation options", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
NULL, 0x0, "Negotiation Flags", HFILL }},
#if 0
{ &hf_netlogon_neg_flags_80000000,
{ "Not used 80000000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000000, "Not used", HFILL }},
#endif
{ &hf_netlogon_neg_flags_40000000,
{ "Authenticated RPC supported", "ntlmssp.neg_flags.na4000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000000, NULL, HFILL }},
{ &hf_netlogon_neg_flags_20000000,
{ "Authenticated RPC via lsass supported", "ntlmssp.neg_flags.na2000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000000, "rpc via lsass", HFILL }},
#if 0
{ &hf_netlogon_neg_flags_10000000,
{ "Not used 10000000", "ntlmssp.neg_flags.na1000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000000, "Not used", HFILL }},
#endif
#if 0
{ &hf_netlogon_neg_flags_8000000,
{ "Not used 8000000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000000, "Not used", HFILL }},
#endif
#if 0
{ &hf_netlogon_neg_flags_4000000,
{ "Not used 4000000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4000000, "Not used", HFILL }},
#endif
#if 0
{ &hf_netlogon_neg_flags_2000000,
{ "Not used 2000000", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000000, "Not used", HFILL }},
#endif
{ &hf_netlogon_neg_flags_1000000,
{ "AES supported", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_AES, "AES", HFILL }},
#if 0
{ &hf_netlogon_neg_flags_800000,
{ "Not used 800000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800000, "Not used", HFILL }},
#endif
#if 0
{ &hf_netlogon_neg_flags_400000,
{ "Not used 400000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_400000, "AES&SHA2", HFILL }},
#endif
{ &hf_netlogon_neg_flags_200000,
{ "RODC pass-through", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200000, "rodc pt", HFILL }},
{ &hf_netlogon_neg_flags_100000,
{ "NO NT4 emulation", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100000, "No NT4 emu", HFILL }},
{ &hf_netlogon_neg_flags_80000,
{ "Cross forest trust", "ntlmssp.neg_flags.na80000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000, NULL, HFILL }},
{ &hf_netlogon_neg_flags_40000,
{ "GetDomainInfo supported", "ntlmssp.neg_flags.na40000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000, "GetDomainInfo", HFILL }},
{ &hf_netlogon_neg_flags_20000,
{ "ServerPasswordSet2 supported", "ntlmssp.neg_flags.na20000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000, "PasswordSet2", HFILL }},
{ &hf_netlogon_neg_flags_10000,
{ "DNS trusts supported", "ntlmssp.neg_flags.na10000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000, "DNS Trusts", HFILL }},
{ &hf_netlogon_neg_flags_8000,
{ "Transitive trusts", "ntlmssp.neg_flags.na8000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000, "Transitive trust", HFILL }},
{ &hf_netlogon_neg_flags_4000,
{ "Strong key", "ntlmssp.neg_flags.na4000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_STRONGKEY, NULL, HFILL }},
{ &hf_netlogon_neg_flags_2000,
{ "Avoid replication Auth database", "ntlmssp.neg_flags.na2000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000, NULL, HFILL }},
{ &hf_netlogon_neg_flags_1000,
{ "Avoid replication account database", "ntlmssp.neg_flags.na1000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1000, NULL, HFILL }},
{ &hf_netlogon_neg_flags_800,
{ "Concurrent RPC", "ntlmssp.neg_flags.na800", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800, NULL, HFILL }},
{ &hf_netlogon_neg_flags_400,
{ "Generic pass-through", "ntlmssp.neg_flags.na400", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_400, NULL, HFILL }},
{ &hf_netlogon_neg_flags_200,
{ "SendToSam", "ntlmssp.neg_flags.na200", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200, NULL, HFILL }},
{ &hf_netlogon_neg_flags_100,
{ "Refusal of password change", "ntlmssp.neg_flags.na100", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100, "PWD change refusal", HFILL }},
{ &hf_netlogon_neg_flags_80,
{ "DatabaseRedo call", "ntlmssp.neg_flags.na80", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80, NULL, HFILL }},
{ &hf_netlogon_neg_flags_40,
{ "Handle multiple SIDs", "ntlmssp.neg_flags.na40", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40, NULL, HFILL }},
{ &hf_netlogon_neg_flags_20,
{ "Restarting full DC sync", "ntlmssp.neg_flags.na20", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20, NULL, HFILL }},
{ &hf_netlogon_neg_flags_10,
{ "BDC handling Changelogs", "ntlmssp.neg_flags.na10", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10, "BDC Changelog", HFILL }},
{ &hf_netlogon_neg_flags_8,
{ "Promotion count(deprecated)", "ntlmssp.neg_flags.na8", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8, "Promotion count", HFILL }},
{ &hf_netlogon_neg_flags_4,
{ "RC4 encryption", "ntlmssp.neg_flags.na4", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4, "RC4", HFILL }},
{ &hf_netlogon_neg_flags_2,
{ "NT3.5 BDC continuous update", "ntlmssp.neg_flags.na2", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2, "NT3.5", HFILL }},
{ &hf_netlogon_neg_flags_1,
{ "Account lockout", "ntlmssp.neg_flags.na1", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1, NULL, HFILL }},
{ &hf_netlogon_dc_flags,
{ "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_dc_flags_pdc_flag,
{ "PDC", "netlogon.dc.flags.pdc",
FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
"If this server is a PDC", HFILL }},
{ &hf_netlogon_dc_flags_gc_flag,
{ "GC", "netlogon.dc.flags.gc",
FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
"If this server is a GC", HFILL }},
{ &hf_netlogon_dc_flags_ldap_flag,
{ "LDAP", "netlogon.dc.flags.ldap",
FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
"If this is an LDAP server", HFILL }},
{ &hf_netlogon_dc_flags_ds_flag,
{ "DS", "netlogon.dc.flags.ds",
FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
"If this server is a DS", HFILL }},
{ &hf_netlogon_dc_flags_kdc_flag,
{ "KDC", "netlogon.dc.flags.kdc",
FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
"If this is a KDC", HFILL }},
{ &hf_netlogon_dc_flags_timeserv_flag,
{ "Timeserv", "netlogon.dc.flags.timeserv",
FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
"If this server is a TimeServer", HFILL }},
{ &hf_netlogon_dc_flags_closest_flag,
{ "Closest", "netlogon.dc.flags.closest",
FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
"If this is the closest server", HFILL }},
{ &hf_netlogon_dc_flags_writable_flag,
{ "Writable", "netlogon.dc.flags.writable",
FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
"If this server can do updates to the database", HFILL }},
{ &hf_netlogon_dc_flags_good_timeserv_flag,
{ "Good Timeserv", "netlogon.dc.flags.good_timeserv",
FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
"If this is a Good TimeServer", HFILL }},
{ &hf_netlogon_dc_flags_ndnc_flag,
{ "NDNC", "netlogon.dc.flags.ndnc",
FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
"If this is an NDNC server", HFILL }},
{ &hf_netlogon_dc_flags_dns_controller_flag,
{ "DNS Controller", "netlogon.dc.flags.dns_controller",
FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
"If this server is a DNS Controller", HFILL }},
{ &hf_netlogon_dc_flags_dns_domain_flag,
{ "DNS Domain", "netlogon.dc.flags.dns_domain",
FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
NULL, HFILL }},
{ &hf_netlogon_dc_flags_dns_forest_flag,
{ "DNS Forest", "netlogon.dc.flags.dns_forest",
FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
NULL, HFILL }},
{ &hf_netlogon_get_dcname_request_flags,
{ "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_force_rediscovery,
{ "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
"Whether to allow the server to returned cached information or not", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_directory_service_required,
{ "DS Required", "netlogon.get_dcname.request.flags.ds_required",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
"Whether we require that the returned DC supports w2k or not", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
{ "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
"Whether we prefer the call to return a w2k server (if available)", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_gc_server_required,
{ "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
"Whether we require that the returned DC is a Global Catalog server", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_pdc_required,
{ "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
"Whether we require the returned DC to be the PDC", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_background_only,
{ "Background Only", "netlogon.get_dcname.request.flags.background_only",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
"If we want cached data, even if it may have expired", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_ip_required,
{ "IP Required", "netlogon.get_dcname.request.flags.ip_required",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
"If we require the IP of the DC in the reply", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_kdc_required,
{ "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
"If we require that the returned server is a KDC", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_timeserv_required,
{ "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
"If we require the returned server to be a WindowsTimeServ server", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_writable_required,
{ "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
"If we require that the returned server is writable", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
{ "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
"If we prefer Windows Time Servers", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_avoid_self,
{ "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
"Return another DC than the one we ask", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
{ "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
"We just want an LDAP server, it does not have to be a DC", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_is_flat_name,
{ "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
"If the specified domain name is a NetBIOS name", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_is_dns_name,
{ "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
"If the specified domain name is a DNS name", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_return_dns_name,
{ "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
"Only return a DNS name (or an error)", HFILL }},
{ &hf_netlogon_get_dcname_request_flags_return_flat_name,
{ "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
"Only return a NetBIOS name (or an error)", HFILL }},
{ &hf_netlogon_trust_attribs,
{ "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_trust_attribs_non_transitive,
{ "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN, 32,
TFS(&trust_attribs_non_transitive), 0x00000001, NULL, HFILL }},
{ &hf_netlogon_trust_attribs_uplevel_only,
{ "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN, 32,
TFS(&trust_attribs_uplevel_only), 0x00000002, NULL, HFILL }},
{ &hf_netlogon_trust_attribs_quarantined_domain,
{ "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN, 32,
TFS(&trust_attribs_quarantined_domain), 0x00000004, NULL, HFILL }},
{ &hf_netlogon_trust_attribs_forest_transitive,
{ "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN, 32,
TFS(&trust_attribs_forest_transitive), 0x00000008, NULL, HFILL }},
{ &hf_netlogon_trust_attribs_cross_organization,
{ "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN, 32,
TFS(&trust_attribs_cross_organization), 0x00000010, NULL, HFILL }},
{ &hf_netlogon_trust_attribs_within_forest,
{ "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN, 32,
TFS(&trust_attribs_within_forest), 0x00000020, NULL, HFILL }},
{ &hf_netlogon_trust_attribs_treat_as_external,
{ "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN, 32,
TFS(&trust_attribs_treat_as_external), 0x00000040, NULL, HFILL }},
{ &hf_netlogon_trust_type,
{ "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
VALS(trust_type_vals), 0x0, NULL, HFILL }},
{ &hf_netlogon_extraflags,
{ "Extra Flags", "netlogon.extra_flags", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_extra_flags_root_forest,
{ "Request passed to DC of root forest", "netlogon.extra.flags.rootdc",
FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_ROOT_FOREST,
NULL, HFILL }},
{ &hf_netlogon_trust_flags_dc_firsthop,
{ "DC at the end of the first hop of cross forest", "netlogon.extra.flags.dc_firsthop",
FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_DC_XFOREST,
NULL, HFILL }},
{ &hf_netlogon_trust_flags_rodc_to_dc,
{ "Request from a RODC to a DC from another domain", "netlogon.extra.flags.rodc_to_dc",
FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_RODC_DIF_DOMAIN,
NULL, HFILL }},
{ &hf_netlogon_trust_flags_rodc_ntlm,
{ "Request is a NTLM auth passed by a RODC", "netlogon.extra.flags.rodc_ntlm",
FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_NTLM_FROM_RODC,
NULL, HFILL }},
{ &hf_netlogon_trust_flags,
{ "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_trust_flags_inbound,
{ "Inbound Trust", "netlogon.trust.flags.inbound",
FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
"Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
{ &hf_netlogon_trust_flags_outbound,
{ "Outbound Trust", "netlogon.trust.flags.outbound",
FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
"Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
{ &hf_netlogon_trust_flags_in_forest,
{ "In Forest", "netlogon.trust.flags.in_forest",
FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
"Whether this domain is a member of the same forest as the servers domain", HFILL }},
{ &hf_netlogon_trust_flags_native_mode,
{ "Native Mode", "netlogon.trust.flags.native_mode",
FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
"Whether the domain is a w2k native mode domain or not", HFILL }},
{ &hf_netlogon_trust_flags_primary,
{ "Primary", "netlogon.trust.flags.primary",
FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
"Whether the domain is the primary domain for the queried server or not", HFILL }},
{ &hf_netlogon_trust_flags_tree_root,
{ "Tree Root", "netlogon.trust.flags.tree_root",
FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
"Whether the domain is the root of the tree for the queried server", HFILL }},
{ &hf_netlogon_trust_parent_index,
{ "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_logon_time,
{ "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time for last time this user logged on", HFILL }},
{ &hf_netlogon_kickoff_time,
{ "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time when this user will be kicked off", HFILL }},
{ &hf_netlogon_logoff_time,
{ "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time for last time this user logged off", HFILL }},
{ &hf_netlogon_last_logoff_time,
{ "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time for last time this user logged off", HFILL }},
{ &hf_netlogon_pwd_last_set_time,
{ "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Last time this users password was changed", HFILL }},
{ &hf_netlogon_pwd_age,
{ "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
NULL, 0, "Time since this users password was changed", HFILL }},
{ &hf_netlogon_pwd_can_change_time,
{ "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "When this users password may be changed", HFILL }},
{ &hf_netlogon_pwd_must_change_time,
{ "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "When this users password must be changed", HFILL }},
{ &hf_netlogon_domain_create_time,
{ "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time when this domain was created", HFILL }},
{ &hf_netlogon_domain_modify_time,
{ "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time when this domain was last modified", HFILL }},
{ &hf_netlogon_db_modify_time,
{ "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time when last modified", HFILL }},
{ &hf_netlogon_db_create_time,
{ "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time when created", HFILL }},
{ &hf_netlogon_cipher_current_set_time,
{ "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time when current cipher was initiated", HFILL }},
{ &hf_netlogon_cipher_old_set_time,
{ "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
NULL, 0, "Time when previous cipher was initiated", HFILL }},
{ &hf_netlogon_audit_retention_period,
{ "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_timelimit,
{ "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_client_credential,
{ "Client Credential", "netlogon.clientcred", FT_BYTES, BASE_NONE,
NULL, 0x0, NULL, HFILL }},
{ &hf_server_credential,
{ "Server Credential", "netlogon.servercred", FT_BYTES, BASE_NONE,
NULL, 0x0, NULL, HFILL }},
{ &hf_server_rid,
{ "Account RID", "netlogon.serverrid", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_client_challenge,
{ "Client Challenge", "netlogon.clientchallenge", FT_BYTES, BASE_NONE,
NULL, 0x0, NULL, HFILL }},
{ &hf_server_challenge,
{ "Server Challenge", "netlogon.serverchallenge", FT_BYTES, BASE_NONE,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_message_type,
{ "Message Type", "netlogon.secchan.nl_auth_message.message_type", FT_UINT32, BASE_HEX,
VALS(nl_auth_types), 0x0, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_message_flags,
{ "Message Flags", "netlogon.secchan.nl_auth_message.message_flags", FT_UINT32, BASE_HEX,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_message_flags_nb_domain,
{ "NetBios Domain", "netlogon.secchan.nl_auth_message.message_flags.nb_domain", FT_BOOLEAN, 32,
NULL, 0x00000001, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_message_flags_nb_host,
{ "NetBios Host", "netlogon.secchan.nl_auth_message.message_flags.nb_host", FT_BOOLEAN, 32,
NULL, 0x00000002, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_message_flags_dns_domain,
{ "DNS Domain", "netlogon.secchan.nl_auth_message.message_flags.dns_domain", FT_BOOLEAN, 32,
NULL, 0x00000004, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_message_flags_dns_host,
{ "DNS Host", "netlogon.secchan.nl_auth_message.message_flags.dns_host", FT_BOOLEAN, 32,
NULL, 0x00000008, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
{ "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.message_flags.nb_host_utf8", FT_BOOLEAN, 32,
NULL, 0x00000010, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_nb_domain,
{ "NetBios Domain", "netlogon.secchan.nl_auth_message.nb_domain", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_nb_host,
{ "NetBios Host", "netlogon.secchan.nl_auth_message.nb_host", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_nb_host_utf8,
{ "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.nb_host_utf8", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_dns_domain,
{ "DNS Domain", "netlogon.secchan.nl_auth_message.dns_domain", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_secchan_nl_dns_host,
{ "DNS Host", "netlogon.secchan.nl_auth_message.dns_host", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_data_length,
{ "Length of Data", "netlogon.data.length", FT_UINT32, BASE_DEC,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_package_name,
{ "SSP Package Name", "netlogon.data.package_name", FT_STRING, BASE_NONE,
NULL, 0, NULL, HFILL }},
{ &hf_netlogon_secchan_verf,
{ "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
NULL, 0x0, "Verifier", HFILL }},
{ &hf_netlogon_secchan_verf_signalg,
{ "Sign algorithm", "netlogon.secchan.signalg", FT_UINT16, BASE_HEX,
VALS(sign_algs), 0, NULL, HFILL }},
{ &hf_netlogon_secchan_verf_sealalg,
{ "Seal algorithm", "netlogon.secchan.sealalg", FT_UINT16, BASE_HEX,
VALS(seal_algs), 0, NULL, HFILL }},
{ &hf_netlogon_secchan_verf_flag,
{ "Flags", "netlogon.secchan.flags", FT_BYTES, BASE_NONE, NULL,
0x0, NULL, HFILL }},
{ &hf_netlogon_secchan_verf_digest,
{ "Packet Digest", "netlogon.secchan.digest", FT_BYTES, BASE_NONE, NULL,
0x0, NULL, HFILL }},
{ &hf_netlogon_secchan_verf_seq,
{ "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_NONE, NULL,
0x0, NULL, HFILL }},
{ &hf_netlogon_secchan_verf_nonce,
{ "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_NONE, NULL,
0x0, NULL, HFILL }},
{ &hf_netlogon_group_attrs_mandatory,
{ "Mandatory", "netlogon.groups.attrs.mandatory",
FT_BOOLEAN, 32, TFS(&group_attrs_mandatory), 0x00000001,
"The group attributes MANDATORY flag", HFILL }},
{ &hf_netlogon_group_attrs_enabled_by_default,
{ "Enabled By Default", "netlogon.groups.attrs.enabled_by_default",
FT_BOOLEAN, 32, TFS(&group_attrs_enabled_by_default), 0x00000002,
"The group attributes ENABLED_BY_DEFAULT flag", HFILL }},
{ &hf_netlogon_group_attrs_enabled,
{ "Enabled", "netlogon.groups.attrs.enabled",
FT_BOOLEAN, 32, TFS(&group_attrs_enabled), 0x00000004,
"The group attributes ENABLED flag", HFILL }},
{ &hf_netlogon_user_flags_extra_sids,
{ "Extra SIDs", "netlogon.user.flags.extra_sids",
FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
"The user flags EXTRA_SIDS", HFILL }},
{ &hf_netlogon_user_flags_resource_groups,
{ "Resource Groups", "netlogon.user.flags.resource_groups",
FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
"The user flags RESOURCE_GROUPS", HFILL }},
{ &hf_netlogon_user_account_control_dont_require_preauth,
{ "Don't Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
"The user account control DONT_REQUIRE_PREAUTH flag", HFILL }},
{ &hf_netlogon_user_account_control_use_des_key_only,
{ "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
"The user account control use_des_key_only flag", HFILL }},
{ &hf_netlogon_user_account_control_not_delegated,
{ "Not Delegated", "netlogon.user.account_control.not_delegated",
FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
"The user account control not_delegated flag", HFILL }},
{ &hf_netlogon_user_account_control_trusted_for_delegation,
{ "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
"The user account control trusted_for_delegation flag", HFILL }},
{ &hf_netlogon_user_account_control_smartcard_required,
{ "SmartCard Required", "netlogon.user.account_control.smartcard_required",
FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
"The user account control smartcard_required flag", HFILL }},
{ &hf_netlogon_user_account_control_encrypted_text_password_allowed,
{ "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
"The user account control encrypted_text_password_allowed flag", HFILL }},
{ &hf_netlogon_user_account_control_account_auto_locked,
{ "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
"The user account control account_auto_locked flag", HFILL }},
{ &hf_netlogon_user_account_control_dont_expire_password,
{ "Don't Expire Password", "netlogon.user.account_control.dont_expire_password",
FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
"The user account control dont_expire_password flag", HFILL }},
{ &hf_netlogon_user_account_control_server_trust_account,
{ "Server Trust Account", "netlogon.user.account_control.server_trust_account",
FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
"The user account control server_trust_account flag", HFILL }},
{ &hf_netlogon_user_account_control_workstation_trust_account,
{ "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
"The user account control workstation_trust_account flag", HFILL }},
{ &hf_netlogon_user_account_control_interdomain_trust_account,
{ "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
"The user account control interdomain_trust_account flag", HFILL }},
{ &hf_netlogon_user_account_control_mns_logon_account,
{ "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
"The user account control mns_logon_account flag", HFILL }},
{ &hf_netlogon_user_account_control_normal_account,
{ "Normal Account", "netlogon.user.account_control.normal_account",
FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
"The user account control normal_account flag", HFILL }},
{ &hf_netlogon_user_account_control_temp_duplicate_account,
{ "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
"The user account control temp_duplicate_account flag", HFILL }},
{ &hf_netlogon_user_account_control_password_not_required,
{ "Password Not Required", "netlogon.user.account_control.password_not_required",
FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
"The user account control password_not_required flag", HFILL }},
{ &hf_netlogon_user_account_control_home_directory_required,
{ "Home Directory Required", "netlogon.user.account_control.home_directory_required",
FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
"The user account control home_directory_required flag", HFILL }},
{ &hf_netlogon_user_account_control_account_disabled,
{ "Account Disabled", "netlogon.user.account_control.account_disabled",
FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
"The user account control account_disabled flag", HFILL }},
#if 0
{ &hf_netlogon_dnsdomaininfo,
{ "DnsDomainInfo", "netlogon.dnsdomaininfo", FT_NONE, BASE_NONE,
NULL, 0x0, NULL, HFILL }},
#endif
{ &DnsDomainInfo_sid,
{ "Sid", "lsarpc.lsa_DnsDomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &DomainInfo_sid,
{ "Sid", "lsarpc.lsa_DomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &DnsDomainInfo_domain_guid,
{ "Domain Guid", "lsarpc.lsa_DnsDomainInfo.domain_guid", FT_GUID, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &DnsDomainInfo_dns_forest,
{ "Dns Forest", "lsarpc.lsa_DnsDomainInfo.dns_forest", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &DnsDomainInfo_dns_domain,
{ "Dns Domain", "lsarpc.lsa_DnsDomainInfo.dns_domain", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &DnsDomainInfo_name,
{ "Name", "lsarpc.lsa_DnsDomainInfo.name", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
{ &hf_netlogon_s4u2proxytarget,
{ "S4U2proxyTarget", "netlogon.s4u2proxytarget", FT_STRING, BASE_NONE,
NULL, 0, "Target for constrained delegation using s4u2proxy", HFILL }},
{ &hf_netlogon_transitedlistsize,
{ "TransitedListSize", "netlogon.transited_list_size", FT_UINT32, BASE_HEX,
NULL, 0x0, "Number of elements in the TransitedServices array.", HFILL }},
{ &hf_netlogon_transited_service,
{ "Transited Service", "netlogon.transited_service", FT_STRING, BASE_NONE,
NULL, 0, "S4U2 Transited Service name", HFILL }},
{ &hf_netlogon_logon_duration,
{ "Duration", "netlogon.logon_duration", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
{ &hf_netlogon_time_created,
{ "Time Created", "netlogon.time_created", FT_UINT32, BASE_DEC,
NULL, 0x0, NULL, HFILL }},
};
static gint *ett[] = {
&ett_dcerpc_netlogon,
&ett_authenticate_flags,
&ett_CYPHER_VALUE,
&ett_QUOTA_LIMITS,
&ett_IDENTITY_INFO,
&ett_DELTA_ENUM,
&ett_UNICODE_MULTI,
&ett_DOMAIN_CONTROLLER_INFO,
&ett_UNICODE_STRING_512,
&ett_TYPE_50,
&ett_TYPE_52,
&ett_DELTA_ID_UNION,
&ett_TYPE_44,
&ett_DELTA_UNION,
&ett_LM_OWF_PASSWORD,
&ett_NT_OWF_PASSWORD,
&ett_GROUP_MEMBERSHIP,
&ett_DS_DOMAIN_TRUSTS,
&ett_BLOB,
&ett_DOMAIN_TRUST_INFO,
&ett_LSA_POLICY_INFO,
&ett_trust_flags,
&ett_trust_attribs,
&ett_get_dcname_request_flags,
&ett_dc_flags,
&ett_secchan_nl_auth_message,
&ett_secchan_nl_auth_message_flags,
&ett_secchan_verf,
&ett_group_attrs,
&ett_user_flags,
&ett_nt_counted_longs_as_string,
&ett_user_account_control,
&ett_wstr_LOGON_IDENTITY_INFO_string,
&ett_domain_group_memberships,
&ett_domains_group_memberships,
};
static ei_register_info ei[] = {
{ &ei_netlogon_auth_nthash, {
"netlogon.authenticated", PI_SECURITY, PI_CHAT,
"Authenticated NTHASH", EXPFILL
}},
{ &ei_netlogon_session_key, {
"netlogon.sessionkey", PI_SECURITY, PI_CHAT,
"SessionKey", EXPFILL
}},
};
expert_module_t* expert_netlogon;
proto_dcerpc_netlogon = proto_register_protocol("Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
proto_register_field_array(proto_dcerpc_netlogon, hf, array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
expert_netlogon = expert_register_protocol(proto_dcerpc_netlogon);
expert_register_field_array(expert_netlogon, ei, array_length(ei));
netlogon_auths = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), netlogon_auth_hash, netlogon_auth_equal);
#if 0
schannel_auths = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), netlogon_auth_hash, netlogon_auth_equal);
#endif
}
static dcerpc_auth_subdissector_fns secchan_auth_fns = {
dissect_secchan_nl_auth_message, /* Bind */
dissect_secchan_nl_auth_message, /* Bind ACK */
NULL, /* AUTH3 */
dissect_request_secchan_verf, /* Request verifier */
dissect_response_secchan_verf, /* Response verifier */
dissect_request_data, /* Request data */
dissect_response_data /* Response data */
};
void
proto_reg_handoff_dcerpc_netlogon(void)
{
/* Register protocol as dcerpc */
seen.isseen = FALSE;
seen.num = 0;
dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
&uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
dcerpc_netlogon_dissectors, hf_netlogon_opnum);
register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
&secchan_auth_fns);
register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
&secchan_auth_fns);
}
/*
* Editor modelines - https://www.wireshark.org/tools/modelines.html
*
* Local variables:
* c-basic-offset: 4
* tab-width: 8
* indent-tabs-mode: nil
* End:
*
* vi: set shiftwidth=4 tabstop=8 expandtab:
* :indentSize=4:tabSize=8:noTabs=true:
*/
View Git Blame Copy Permalink