From bc21be8c2b30d2006ef7334a069c5131201f4587 Mon Sep 17 00:00:00 2001
From: Ronnie Sahlberg
Date: Fri, 5 Mar 2004 23:12:10 +0000
Subject: Kerberos contain a structure that is VERY similar to VALIDATE_SAM_INFO2 so declare it here. This substructure in the w2k kerberos PAC structure is called PAC_LOGIN_INFO and might actually exist inside the netlogon interface as well? svn path=/trunk/; revision=10322
---
 packet-dcerpc-netlogon.c | 152 ++++++++++++++++++++++++++++++++++++++++++++++-
 packet-dcerpc-netlogon.h | 9 ++-
 2 files changed, 159 insertions(+), 2 deletions(-)
diff --git a/packet-dcerpc-netlogon.c b/packet-dcerpc-netlogon.c
index d7433ae993..78ed0a32fa 100644
--- a/packet-dcerpc-netlogon.c
+++ b/packet-dcerpc-netlogon.c
@@ -3,7 +3,7 @@
  * Copyright 2001,2003 Tim Potter
  * 2002 structure and command dissectors by Ronnie Sahlberg
  *
- * $Id: packet-dcerpc-netlogon.c,v 1.96 2004/01/19 20:10:34 jmayer Exp $
+ * $Id: packet-dcerpc-netlogon.c,v 1.97 2004/03/05 23:12:09 sahlberg Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs
@@ -122,6 +122,8 @@ static int hf_netlogon_group_rid = -1;
 static int hf_netlogon_logon_srv = -1;
 static int hf_netlogon_principal = -1;
 static int hf_netlogon_logon_dom = -1;
+static int hf_netlogon_resourcegroupdomainsid = -1;
+static int hf_netlogon_resourcegroupcount = -1;
 static int hf_netlogon_downlevel_domain_name = -1;
 static int hf_netlogon_dns_domain_name = -1;
 static int hf_netlogon_domain_name = -1;
@@ -1122,6 +1124,146 @@ netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
+
+
+/*
+ * IDL typedef struct {
+ * IDL uint64 LogonTime;
+ * IDL uint64 LogoffTime;
+ * IDL uint64 KickOffTime;
+ * IDL uint64 PasswdLastSet;
+ * IDL uint64 PasswdCanChange;
+ * IDL uint64 PasswdMustChange;
+ * IDL unicodestring effectivename;
+ * IDL unicodestring fullname;
+ * IDL unicodestring logonscript;
+ * IDL unicodestring profilepath;
+ * IDL unicodestring homedirectory;
+ * IDL unicodestring homedirectorydrive;
+ * IDL short LogonCount;
+ * IDL short BadPasswdCount;
+ * IDL long userid;
+ * IDL long primarygroup;
+ * IDL long groupcount;
+ * IDL [unique] GROUP_MEMBERSHIP *groupids;
+ * IDL long userflags;
+ * IDL USER_SESSION_KEY key;
+ * IDL unicodestring logonserver;
+ * IDL unicodestring domainname;
+ * IDL [unique] SID logondomainid;
+ * IDL long expansionroom[10];
+ * IDL long sidcount;
+ * IDL [unique] SID_AND_ATTRIBS;
+ * IDL [unique] SID resourcegroupdomainsid;
+ * IDL long resourcegroupcount;
+qqq
+ * IDL } PAC_LOGON_INFO;
+ */
+int
+netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ guint8 *drep)
+{
+ int i;
+ guint32 rgc;
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logoff_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_kickoff_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pwd_last_set_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pwd_can_change_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pwd_must_change_time);
+
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_acct_name, 0);
+
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_full_name, 0);
+
+
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_script, 0);
+
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_profile_path, 0);
+
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_home_dir, 0);
+
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dir_drive, 0);
+
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_count16, NULL);
+
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_bad_pw_count16, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_group_rid, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_num_rids, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
+ "GROUP_MEMBERSHIP_ARRAY", -1);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_flags, NULL);
+
+ offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_srv, 0);
+
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_dom, 0);
+
+ offset = dissect_ndr_nt_PSID(tvb, offset,
+ pinfo, tree, drep, -1);
+
+ for(i=0;i<10;i++){
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_long, NULL);
+ }
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_num_other_groups, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
+ "SID_AND_ATTRIBUTES_ARRAY:", -1);
+
+ offset = dissect_ndr_nt_PSID(tvb, offset,
+ pinfo, tree, drep,
hf_netlogon_resourcegroupdomainsid);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_resourcegroupcount, &rgc);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
+ "ResourceGroupIDs", -1);
+
+ return offset;
+}
+
+
+
 static int
 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
 packet_info *pinfo, proto_tree *tree,
@@ -6465,6 +6607,14 @@ static hf_register_info hf[] = {
 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
 NULL, 0, "Domain", HFILL }},
+ { &hf_netlogon_resourcegroupdomainsid,
+ { "ResourceGroupDomainSID", "netlogon.resourcegroupdomainsid", FT_STRING, BASE_NONE,
+ NULL, 0, "Resource Group Domain SID", HFILL }},
+
+ { &hf_netlogon_resourcegroupcount,
+ { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
+ NULL, 0, "Number of Resource Groups", HFILL }},
+
 { &hf_netlogon_computer_name,
 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
 NULL, 0, "Computer Name", HFILL }},
diff --git a/packet-dcerpc-netlogon.h b/packet-dcerpc-netlogon.h
index ad931f13b7..b97237e5e5 100644
--- a/packet-dcerpc-netlogon.h
+++ b/packet-dcerpc-netlogon.h
@@ -2,7 +2,7 @@
  * Routines for SMB \PIPE\NETLOGON packet disassembly
  * Copyright 2001,2003 Tim Potter
  *
- * $Id: packet-dcerpc-netlogon.h,v 1.16 2003/09/27 23:48:04 sahlberg Exp $
+ * $Id: packet-dcerpc-netlogon.h,v 1.17 2004/03/05 23:12:10 sahlberg Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs
@@ -80,4 +80,11 @@
 #define SEC_CHAN_DOMAIN 4
 #define SEC_CHAN_BDC 6
+
+/* needed to decrypt PAC_LOGON_INFO in kerberos */
+int
+netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ guint8 *drep);
+
 #endif /* packet-dcerpc-netlogon.h */
-- cgit v1.2.3
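Review bot: The IDL comment above the new netlogon_dissect_PAC_LOGON_INFO carries a stray `qqq` line between `resourcegroupcount` and `} PAC_LOGON_INFO`, which reads like an editor artifact and should be dropped. Further down, `rgc` is filled by the `dissect_ndr_uint32` call for `hf_netlogon_resourcegroupcount` but is never read afterwards, so the trailing `ResourceGroupIDs` pointer is dissected without it; either pass `NULL` as the other count fields do and remove `guint32 rgc;`, or actually use the value. The pointer label `"SID_AND_ATTRIBUTES_ARRAY:"` has a trailing colon that the sibling labels `"GROUP_MEMBERSHIP_ARRAY"` and `"ResourceGroupIDs"` do not. Since the function is exported through the header, a one-line comment above `int` stating that it dissects the PAC_LOGON_INFO body of a Kerberos PAC, whose leading fields mirror VALIDATION_SAM_INFO2, would help the next reader.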
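Review bot: The comment on the new prototype says the function is "needed to decrypt PAC_LOGON_INFO", but the definition this commit adds to packet-dcerpc-netlogon.c only walks the already-decoded structure field by field, so "decrypt" misstates what callers get. Suggest `/* dissects PAC_LOGON_INFO; exported for the kerberos PAC dissector */`. The header's include list is outside the hunk, so whether tvbuff_t, packet_info, proto_tree and guint8 are already declared at that point cannot be confirmed from this view.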