No.  Time         Source        Destination  Protocol  Length  Info
83   10.090624000 10.200.7.132  10.200.7.60  KRB5      117     AS-REP

Frame 83: 117 bytes on wire (936 bits), 117 bytes captured (936 bits)
  Arrival Time: Jun 19, 2015 15:49:58.020503000 CEST
  Epoch Time: 1434721798.020503000 seconds
  [Time delta from previous captured frame: 0.000146000 seconds]
  [Time delta from previous displayed frame: 0.000146000 seconds]
  [Time since reference or first frame: 10.090624000 seconds]
  Frame Number: 83
  Frame Length: 117 bytes (936 bits)
  Capture Length: 117 bytes (936 bits)
  [Frame is marked: False]
  [Frame is ignored: False]
  [Protocols in frame: eth:ip:tcp:kerberos]
  [Coloring Rule Name: TCP]
  [Coloring Rule String: tcp]
Ethernet II, Src: RealtekU_49:2f:ca (52:54:00:49:2f:ca), Dst: RealtekU_cd:67:ca (52:54:00:cd:67:ca)
  Destination: RealtekU_cd:67:ca (52:54:00:cd:67:ca)
    Address: RealtekU_cd:67:ca (52:54:00:cd:67:ca)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
  Source: RealtekU_49:2f:ca (52:54:00:49:2f:ca)
    Address: RealtekU_49:2f:ca (52:54:00:49:2f:ca)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
  Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.200.7.132 (10.200.7.132), Dst: 10.200.7.60 (10.200.7.60)
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
  Total Length: 103
  Identification: 0x6282 (25218)
  Flags: 0x02 (Don't Fragment)
    0... .... = Reserved bit: Not set
    .1.. .... = Don't fragment: Set
    ..0. .... = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: TCP (6)
  Header checksum: 0x73bf [correct]
    [Good: True]
    [Bad: False]
  Source: 10.200.7.132 (10.200.7.132)
  Destination: 10.200.7.60 (10.200.7.60)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 49193 (49193), Seq: 1461, Ack: 309, Len: 63
  Source port: kerberos (88)
  Destination port: 49193 (49193)
  [Stream index: 25]
  Sequence number: 1461 (relative sequence number)
  [Next sequence number: 1524 (relative sequence number)]
  Acknowledgement number: 309 (relative ack number)
  Header length: 20 bytes
  Flags: 0x018 (PSH, ACK)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set
    .... ...1 .... = Acknowledgement: Set
    .... .... 1... = Push: Set
    .... .... .0.. = Reset: Not set
    .... .... ..0. = Syn: Not set
    .... .... ...0 = Fin: Not set
  Window size value: 256
  [Calculated window size: 256]
  [Window size scaling factor: -1 (unknown)]
  Checksum: 0x6c07 [validation disabled]
    [Good Checksum: False]
    [Bad Checksum: False]
  [SEQ/ACK analysis]
    [Bytes in flight: 1523]
  [PDU Size: 1523]
  TCP segment data (63 bytes)
[2 Reassembled TCP Segments (1523 bytes): #82(1460), #83(63)]
  [Frame: 82, payload: 0-1459 (1460 bytes)]
  [Frame: 83, payload: 1460-1522 (63 bytes)]
  [Segment count: 2]
  [Reassembled TCP length: 1523]
Kerberos AS-REP
  Record Mark: 1519 bytes
    0... .... .... .... .... .... .... .... = Reserved: Not set
    .000 0000 0000 0000 0000 0101 1110 1111 = Record Length: 1519
  Pvno: 5
  MSG Type: AS-REP (11)
  padata: PA-ENCTYPE-INFO2
    Type: PA-ENCTYPE-INFO2 (19)
      Value: 302b3029a003020112a1221b2057324b31322e5445535468... aes256-cts-hmac-sha1-96
        Encryption type: aes256-cts-hmac-sha1-96 (18)
        Salt: 57324b31322e54455354686f737477696e3770726f2e7732...
  Client Realm: W2K12.TEST
  Client Name (Principal): WIN7PRO$
    Name-type: Principal (1)
    Name: WIN7PRO$
  Ticket
    Tkt-vno: 5
    Realm: W2K12.TEST
    Server Name (Service and Instance): krbtgt/W2K12.TEST
      Name-type: Service and Instance (2)
      Name: krbtgt
      Name: W2K12.TEST
    enc-part aes256-cts-hmac-sha1-96
      Encryption type: aes256-cts-hmac-sha1-96 (18)
      Kvno: 2
      enc-part: d36a34d9d4ef52d7a26e4047370f0b4654cf56e4ce2a667e...
        [Decrypted using: keytab principal krbtgt@W2K12.TEST]
        EncTicketPart
          Padding: 0
          Ticket Flags (Forwardable, Renewable, Initial, Pre-Auth)
            .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... ...0 .... .... .... .... .... .... = Invalid: This ticket is NOT invalid
            .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
            .... .... .1.. .... .... .... .... .... = Initial: This ticket was granted by AS and not TGT protocol
            .... .... ..1. .... .... .... .... .... = Pre-Auth: The client was PRE-AUTHenticated
            .... .... ...0 .... .... .... .... .... = HW-Auth: The client was NOT authenticated using hardware
            .... .... .... 0... .... .... .... .... = Transited Policy Checked: Kdc has NOT performed transited policy checking
            .... .... .... .0.. .... .... .... .... = Ok As Delegate: This ticket is NOT ok as a delegated ticket
          key aes256-cts-hmac-sha1-96
            Key type: aes256-cts-hmac-sha1-96 (18)
            Key value: caea21374411d71271776a527cae19aa1acdb577f3cc6aac...
          Client Realm: W2K12.TEST
          Client Name (Principal): WIN7PRO$
            Name-type: Principal (1)
            Name: WIN7PRO$
          TransitedEncoding 0
            Type: Unknown (0)
            Contents:
          Authtime: 2015-06-19 13:49:58 (UTC)
          Start time: 2015-06-19 13:49:58 (UTC)
          End time: 2015-06-19 23:49:58 (UTC)
          Renew-till: 2015-06-26 13:49:58 (UTC)
          AuthorizationData
            AD-IF-RELEVANT
              Type: AD-IF-RELEVANT (1)
              Data: 308202d2308202cea00402020080a18202c4048202c00500...
                IF_RELEVANT
                  AD-Win2k-PAC
                    Type: AD-Win2k-PAC (128)
                    Data: 050000000000000001000000d00100005800000000000000...
                      Num Entries: 5
                      Version: 0
                      Type: Logon Info (1)
                        Size: 464
                        Offset: 88
                        PAC_LOGON_INFO: 01100800ccccccccc00100000000000000000200a4ea64d0...
                          MES header
                            Version: 1
                            DREP
                              Byte order: Little-endian (1)
                            HDR Length: 8
                            Fill bytes: 0xcccccccc
                            Blob Length: 448
                          PAC_LOGON_INFO:
                            Referent ID: 0x00020000
                            Logon Time: Jun 19, 2015 15:49:51.183530000 CEST
                            Logoff Time: Infinity (absolute time)
                            Kickoff Time: Infinity (absolute time)
                            PWD Last Set: Jun 19, 2015 15:36:16.423953100 CEST
                            PWD Can Change: Jun 20, 2015 15:36:16.423953100 CEST
                            PWD Must Change: Infinity (absolute time)
                            Acct Name: WIN7PRO$
                              Length: 16
                              Size: 16
                              Character Array: WIN7PRO$
                                Referent ID: 0x00020004
                                Max Count: 8
                                Offset: 0
                                Actual Count: 8
                                Acct Name: WIN7PRO$
                            Full Name
                              Length: 0
                              Size: 0
                              Character Array
                                Referent ID: 0x00020008
                                Max Count: 0
                                Offset: 0
                                Actual Count: 0
                            Logon Script
                              Length: 0
                              Size: 0
                              Character Array
                                Referent ID: 0x0002000c
                                Max Count: 0
                                Offset: 0
                                Actual Count: 0
                            Profile Path
                              Length: 0
                              Size: 0
                              Character Array
                                Referent ID: 0x00020010
                                Max Count: 0
                                Offset: 0
                                Actual Count: 0
                            Home Dir
                              Length: 0
                              Size: 0
                              Character Array
                                Referent ID: 0x00020014
                                Max Count: 0
                                Offset: 0
                                Actual Count: 0
                            Dir Drive
                              Length: 0
                              Size: 0
                              Character Array
                                Referent ID: 0x00020018
                                Max Count: 0
                                Offset: 0
                                Actual Count: 0
                            Logon Count: 6
                            Bad PW Count: 0
                            User RID: 1109
                            Group RID: 515
                            Num RIDs: 1
                            GROUP_MEMBERSHIP_ARRAY
                              Referent ID: 0x0002001c
                              Max Count: 1
                              GROUP_MEMBERSHIP:
                                Group RID: 515
                                Attributes: 0x00000007
                                  .... .... .... .... .... .... .... .1.. = Enabled: The enabled bit is SET
                                  .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                  .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                            User Flags: 0x00000020
                              .... .... .... .... .... ..0. .... .... = Resource Groups: The resource_groups is NOT set
                              .... .... .... .... .... .... ..1. .... = Extra SIDs: The EXTRA_SIDS bit is SET
                            User Session Key: 00000000000000000000000000000000
                            Server: WIN-M1LHUHEJFSI
                              Length: 30
                              Size: 32
                              Character Array: WIN-M1LHUHEJFSI
                                Referent ID: 0x00020020
                                Max Count: 16
                                Offset: 0
                                Actual Count: 15
                                Server: WIN-M1LHUHEJFSI
                            Domain: W2K12
                              Length: 10
                              Size: 12
                              Character Array: W2K12
                                Referent ID: 0x00020024
                                Max Count: 6
                                Offset: 0
                                Actual Count: 5
                                Domain: W2K12
                            SID pointer:
                              SID pointer
                                Referent ID: 0x00020028
                                Count: 4
                                Domain SID: S-1-5-21-4081652553-1298243908-2397940796 (Domain SID)
                                  Revision: 1
                                  Num Auth: 4
                                  Authority: 5
                                  Subauthorities: 21-4081652553-1298243908-2397940796
                            Dummy1 Long: 0x00000000
                            Dummy2 Long: 0x00000000
                            User Account Control: 0x00000080
                              .... .... .... ...0 .... .... .... .... = Don't Require PreAuth: This account REQUIRES preauthentication
                              .... .... .... .... 0... .... .... .... = Use DES Key Only: This account does NOT have to use_des_key_only
                              .... .... .... .... .0.. .... .... .... = Not Delegated: This might have been delegated
                              .... .... .... .... ..0. .... .... .... = Trusted For Delegation: This account is NOT trusted_for_delegation
                              .... .... .... .... ...0 .... .... .... = SmartCard Required: This account does NOT require_smartcard to authenticate
                              .... .... .... .... .... 0... .... .... = Encrypted Text Password Allowed: This account does NOT allow encrypted_text_password
                              .... .... .... .... .... .0.. .... .... = Account Auto Locked: This account is NOT auto_locked
                              .... .... .... .... .... ..0. .... .... = Don't Expire Password: This account might expire_passwords
                              .... .... .... .... .... ...0 .... .... = Server Trust Account: This account is NOT a server_trust_account
                              .... .... .... .... .... .... 1... .... = Workstation Trust Account: This account is a WORKSTATION_TRUST_ACCOUNT
                              .... .... .... .... .... .... .0.. .... = Interdomain trust Account: This account is NOT an interdomain_trust_account
                              .... .... .... .... .... .... ..0. .... = MNS Logon Account: This account is NOT a mns_logon_account
                              .... .... .... .... .... .... ...0 .... = Normal Account: This account is NOT a normal_account
                              .... .... .... .... .... .... .... 0... = Temp Duplicate Account: This account is NOT a temp_duplicate_account
                              .... .... .... .... .... .... .... .0.. = Password Not Required: This account REQUIRES a password
                              .... .... .... .... .... .... .... ..0. = Home Directory Required: This account does NOT require_home_directory
                              .... .... .... .... .... .... .... ...0 = Account Disabled: This account is NOT disabled
                            Dummy4 Long: 0x00000000
                            Dummy5 Long: 0x00000000
                            Dummy6 Long: 0x00000000
                            Dummy7 Long: 0x00000000
                            Dummy8 Long: 0x00000000
                            Dummy9 Long: 0x00000000
                            Dummy10 Long: 0x00000000
                            Num Extra SID: 1
                            SID_AND_ATTRIBUTES_ARRAY:
                              Referent ID: 0x0002002c
                              SID_AND_ATTRIBUTES array:
                                Max Count: 1
                                SID_AND_ATTRIBUTES:
                                  SID pointer:
                                    SID pointer
                                      Referent ID: 0x00020030
                                      Count: 1
                                      Domain SID: S-1-18-1 ()
                                        Revision: 1
                                        Num Auth: 1
                                        Authority: 18
                                        Subauthorities: 1
                                  Attributes: 0x00000007
                            SID pointer:
                              (NULL pointer) SID pointer
                            ResourceGroup count: 0
                            (NULL pointer) ResourceGroupIDs
                      Type: Client Info Type (10)
                        Size: 26
                        Offset: 552
                        PAC_CLIENT_INFO_TYPE: 000775d496aad0011000570049004e003700500052004f00...
                          ClientID: Jun 19, 2015 15:49:58.000000000 CEST
                          Name Length: 16
                          Name: WIN7PRO$
                      Type: UPN DNS Info (12)
                        Size: 80
                        Offset: 584
                        UPN_DNS_INFO: 26001000140038000100000000000000570049004e003700...
                          UPN Len: 38
                          UPN Offset: 16
                          DNS Len: 20
                          DNS Offset: 56
                          Flags: 0x00000001
                          UPN Name: WIN7PRO$@w2k12.test
                          DNS Name: W2K12.TEST
                      Type: Server Checksum (6)
                        Size: 16
                        Offset: 664
                        PAC_SERVER_CHECKSUM: 1000000001ce7d4ab96bf02a8504aafe
                          Type: 16
                          Signature: 01ce7d4ab96bf02a8504aafe
                      Type: Privsvr Checksum (7)
                        Size: 20
                        Offset: 680
                        PAC_PRIVSVR_CHECKSUM: 76ffffffcc95c5b04b76a000f69fe50e248d8e84
                          Type: -138
                          Signature: cc95c5b04b76a000f69fe50e248d8e84
  enc-part aes256-cts-hmac-sha1-96
    Encryption type: aes256-cts-hmac-sha1-96 (18)
    Kvno: 1
    enc-part: a4f522f7710fd61e839c15981ac333702ad53c67b4cc7130...