diff options
-rw-r--r-- | packet-dcerpc-netlogon.c | 432 |
1 files changed, 240 insertions, 192 deletions
diff --git a/packet-dcerpc-netlogon.c b/packet-dcerpc-netlogon.c index 2fa5adea2a..df7b5a51d0 100644 --- a/packet-dcerpc-netlogon.c +++ b/packet-dcerpc-netlogon.c @@ -3,7 +3,7 @@ * Copyright 2001, Tim Potter <tpot@samba.org> * 2002 structure and command dissectors by Ronnie Sahlberg * - * $Id: packet-dcerpc-netlogon.c,v 1.41 2002/07/08 12:53:28 sahlberg Exp $ + * $Id: packet-dcerpc-netlogon.c,v 1.42 2002/07/08 14:01:46 sahlberg Exp $ * * Ethereal - Network traffic analyzer * By Gerald Combs <gerald@ethereal.com> @@ -70,10 +70,13 @@ static int hf_netlogon_systemflags = -1; static int hf_netlogon_status = -1; static int hf_netlogon_attrs = -1; static int hf_netlogon_count = -1; +static int hf_netlogon_entries = -1; static int hf_netlogon_minpasswdlen = -1; static int hf_netlogon_passwdhistorylen = -1; static int hf_netlogon_level16 = -1; static int hf_netlogon_validation_level = -1; +static int hf_netlogon_reference = -1; +static int hf_netlogon_next_reference = -1; static int hf_netlogon_level = -1; static int hf_netlogon_challenge = -1; static int hf_netlogon_reserved = -1; @@ -92,7 +95,6 @@ static int hf_netlogon_kickoff_time = -1; static int hf_netlogon_pwd_last_set_time = -1; static int hf_netlogon_pwd_can_change_time = -1; static int hf_netlogon_pwd_must_change_time = -1; -static int hf_netlogon_timestamp = -1; static int hf_netlogon_nt_chal_resp = -1; static int hf_netlogon_lm_chal_resp = -1; static int hf_netlogon_credential = -1; @@ -125,6 +127,7 @@ static int hf_netlogon_modify_count = -1; static int hf_netlogon_db_modify_time = -1; static int hf_netlogon_db_create_time = -1; static int hf_netlogon_oem_info = -1; +static int hf_netlogon_serial_number = -1; static int hf_netlogon_trusted_domain_name = -1; static int hf_netlogon_num_rids = -1; static int hf_netlogon_num_controllers = -1; @@ -182,7 +185,6 @@ static gint ett_QUOTA_LIMITS = -1; static gint ett_IDENTITY_INFO = -1; static gint ett_DELTA_ENUM = -1; static gint ett_CYPHER_VALUE = -1; -static gint ett_TYPE_36 = -1; static gint ett_NETLOGON_INFO_1 = -1; static gint ett_NETLOGON_INFO_2 = -1; static gint ett_NETLOGON_INFO_3 = -1; @@ -727,11 +729,19 @@ netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, char *drep) { + dcerpc_info *di; + + di=pinfo->private_data; + if(di->conformant_run){ + /*just a run to handle conformant arrays, nothing to dissect */ + return offset; + } + offset = netlogon_dissect_CREDENTIAL(tvb, offset, pinfo, tree, drep); - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_netlogon_timestamp, NULL); + proto_tree_add_text(tree, tvb, offset, 4, "Timestamp: unknown time format"); + offset+= 4; return offset; } @@ -3206,6 +3216,215 @@ netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset, return offset; } +/* + * IDL typedef struct { + * IDL char computer_name[16]; + * IDL long timecreated; + * IDL long serial_number; + * IDL } UAS_INFO_0; + */ +static int +netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, + char *drep) +{ + dcerpc_info *di; + + di=pinfo->private_data; + if(di->conformant_run){ + /*just a run to handle conformant arrays, nothing to dissect */ + return offset; + } + + proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE); + offset += 16; + + proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format"); + offset+= 4; + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_serial_number, NULL); + + return offset; +} + + +static int +netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, + char *drep) +{ + offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep, + hf_netlogon_unknown_char, NULL); + + return offset; +} + +static int +netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, + char *drep) +{ + offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, + netlogon_dissect_BYTE_byte); + + return offset; +} + +/* + * IDL long NetAccountDelta( + * IDL [in][string][unique] wchar_t *logonserver, + * IDL [in][string][ref] wchar_t *computername, + * IDL [in][ref] AUTHENTICATOR credential, + * IDL [in][out][ref] AUTHENTICATOR return_authenticator, + * IDL [out][ref][size_is(count_returned)] char *Buffer, + * IDL [out][ref] long count_returned, + * IDL [out][ref] long total_entries, + * IDL [in][out][ref] UAS_INFO_0 recordid, + * IDL [in][long] count, + * IDL [in][long] level, + * IDL [in][long] buffersize, + * IDL ); + */ +static int +netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, char *drep) +{ + offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, + pinfo, tree, drep); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF, + "Computer Name", hf_netlogon_computer_name, 0); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, + "AUTHENTICATOR: credential", -1, 0); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, + "AUTHENTICATOR: return_authenticator", -1, 0); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF, + "UAS_INFO_0: RecordID", -1, 0); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_count, NULL); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_level, NULL); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_max_size, NULL); + + return offset; +} +static int +netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, char *drep) +{ + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, + "AUTHENTICATOR: return_authenticator", -1, 0); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_BYTE_array, NDR_POINTER_REF, + "BYTE_array: Buffer", -1, 0); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_count, NULL); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_entries, NULL); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF, + "UAS_INFO_0: RecordID", -1, 0); + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_netlogon_rc, NULL); + + return offset; +} + + +/* + * IDL long NetAccountDelta( + * IDL [in][string][unique] wchar_t *logonserver, + * IDL [in][string][ref] wchar_t *computername, + * IDL [in][ref] AUTHENTICATOR credential, + * IDL [in][out][ref] AUTHENTICATOR return_authenticator, + * IDL [out][ref][size_is(count_returned)] char *Buffer, + * IDL [out][ref] long count_returned, + * IDL [out][ref] long total_entries, + * IDL [out][ref] long next_reference, + * IDL [in][long] reference, + * IDL [in][long] level, + * IDL [in][long] buffersize, + * IDL [in][out][ref] UAS_INFO_0 recordid, + * IDL ); + */ +static int +netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, char *drep) +{ + offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, + pinfo, tree, drep); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF, + "Computer Name", hf_netlogon_computer_name, 0); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, + "AUTHENTICATOR: credential", -1, 0); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, + "AUTHENTICATOR: return_authenticator", -1, 0); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_reference, NULL); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_level, NULL); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_max_size, NULL); + + return offset; +} +static int +netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset, + packet_info *pinfo, proto_tree *tree, char *drep) +{ + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, + "AUTHENTICATOR: return_authenticator", -1, 0); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_BYTE_array, NDR_POINTER_REF, + "BYTE_array: Buffer", -1, 0); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_count, NULL); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_entries, NULL); + + offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, + hf_netlogon_next_reference, NULL); + + offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, + netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF, + "UAS_INFO_0: RecordID", -1, 0); + + offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, + hf_netlogon_rc, NULL); + + return offset; +} @@ -3292,37 +3511,6 @@ netlogon_dissect_WCHAR_ptr(tvbuff_t *tvb, int offset, } static int -netlogon_dissect_TYPE_36(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *parent_tree, - char *drep) -{ - proto_item *item=NULL; - proto_tree *tree=NULL; - int old_offset=offset; - int i; - - if(parent_tree){ - item = proto_tree_add_text(parent_tree, tvb, offset, 0, - "TYPE_36:"); - tree = proto_item_add_subtree(item, ett_TYPE_36); - } - - for(i=0;i<16;i++){ - offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_char, NULL); - } - - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_long, NULL); - - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_long, NULL); - - proto_item_set_len(item, offset-old_offset); - return offset; -} - -static int netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, char *drep) @@ -3469,28 +3657,6 @@ netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset, } static int -netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, - char *drep) -{ - offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_char, NULL); - - return offset; -} - -static int -netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, - char *drep) -{ - offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, - netlogon_dissect_BYTE_byte); - - return offset; -} - -static int netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *parent_tree, char *drep) @@ -4278,135 +4444,6 @@ netlogon_dissect_TYPE_47(tvbuff_t *tvb, int offset, static int -netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, char *drep) -{ - offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, - pinfo, tree, drep); - - offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep, - NDR_POINTER_REF, hf_netlogon_unknown_string, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, - "AUTHENTICATOR: credential", -1, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, - "AUTHENTICATOR: return_authenticator", -1, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_TYPE_36, NDR_POINTER_REF, - "TYPE_36 pointer: unknown_TYPE_36", -1, 0); - - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_long, NULL); - - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_long, NULL); - - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_long, NULL); - return offset; -} - - -static int -netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, char *drep) -{ - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, - "AUTHENTICATOR: return_authenticator", -1, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_BYTE_array, NDR_POINTER_REF, - "BYTE_array pointer: unknown_BYTE", -1, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_pointer_long, NDR_POINTER_REF, - "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_pointer_long, NDR_POINTER_REF, - "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_TYPE_36, NDR_POINTER_REF, - "TYPE_36 pointer: unknown_TYPE_36", -1, 0); - - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_netlogon_rc, NULL); - - return offset; -} - -static int -netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, char *drep) -{ - offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, - pinfo, tree, drep); - - offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep, - NDR_POINTER_REF, hf_netlogon_unknown_string, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, - "AUTHENTICATOR: credential", -1, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, - "AUTHENTICATOR: return_authenticator", -1, 0); - - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_long, NULL); - - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_long, NULL); - - offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, - hf_netlogon_unknown_long, NULL); - - return offset; -} - - -static int -netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset, - packet_info *pinfo, proto_tree *tree, char *drep) -{ - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF, - "AUTHENTICATOR: return_authenticator", -1, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_BYTE_array, NDR_POINTER_REF, - "BYTE_array pointer: unknown_BYTE", -1, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_pointer_long, NDR_POINTER_REF, - "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_pointer_long, NDR_POINTER_REF, - "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_pointer_long, NDR_POINTER_REF, - "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0); - - offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep, - netlogon_dissect_TYPE_36, NDR_POINTER_REF, - "TYPE_36 pointer: unknown_TYPE_36", -1, 0); - - offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, - hf_netlogon_rc, NULL); - - return offset; -} - -static int netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, char *drep) { @@ -5785,7 +5822,11 @@ static hf_register_info hf[] = { NULL, 0x0, "Security Information", HFILL }}, { &hf_netlogon_count, { - "Count", "netlogon.count", FT_UINT16, BASE_DEC, + "Count", "netlogon.count", FT_UINT32, BASE_DEC, + NULL, 0x0, "", HFILL }}, + + { &hf_netlogon_entries, { + "Entries", "netlogon.entries", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, { &hf_netlogon_credential, { @@ -6157,9 +6198,13 @@ static hf_register_info hf[] = { { "Level", "netlogon.level", FT_UINT32, BASE_DEC, NULL, 0x0, "Which option of the union is represented here", HFILL }}, - { &hf_netlogon_timestamp, - { "Timestamp", "netlogon.timestamp", FT_UINT32, BASE_HEX, - NULL, 0x0, "Some sort of timestamp", HFILL }}, + { &hf_netlogon_reference, + { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC, + NULL, 0x0, "", HFILL }}, + + { &hf_netlogon_next_reference, + { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC, + NULL, 0x0, "", HFILL }}, { &hf_netlogon_user_rid, { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC, @@ -6253,6 +6298,10 @@ static hf_register_info hf[] = { { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_netlogon_serial_number, + { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC, + NULL, 0x0, "", HFILL }}, + { &hf_netlogon_logon_time, { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0, "Time for last time this user logged on", HFILL }}, @@ -6317,7 +6366,6 @@ static hf_register_info hf[] = { &ett_QUOTA_LIMITS, &ett_IDENTITY_INFO, &ett_DELTA_ENUM, - &ett_TYPE_36, &ett_NETLOGON_INFO_1, &ett_NETLOGON_INFO_2, &ett_NETLOGON_INFO_3, |