INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 Processing section "[global]" doing parameter workgroup = FRISKDEMO doing parameter realm = FRISKDEMO.LOCAL doing parameter include = /etc/samba/frisk-krb5.conf doing parameter dedicated keytab file = /etc/krb5.keytab doing parameter kerberos method = secrets and keytab doing parameter preferred master = no doing parameter domain master = No doing parameter password server = * doing parameter security = ADS doing parameter include = /etc/samba/frisk-krb5-ad-logins.conf doing parameter ldap timeout = 300 doing parameter dns proxy = no doing parameter log file = /var/log/samba/log.%m doing parameter syslog = 0 WARNING: The "syslog" option is deprecated doing parameter panic action = /usr/share/samba/panic-action %d doing parameter server role = standalone server doing parameter passdb backend = tdbsam doing parameter obey pam restrictions = yes doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . 
doing parameter idmap config * : range = 10000-4000000000 doing parameter idmap config * : backend = tdb pm_process() returned Yes lp_servicenumber: couldn't find homes directory_create_or_exist_strict: invalid ownership on directory /var/run/samba/msg.lock messaging_init: Could not create lock directory: No such file or directory lp_load_ex: refreshing parameters Freeing parametrics: Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10 tevent: 10 Processing section "[global]" doing parameter workgroup = FRISKDEMO doing parameter realm = FRISKDEMO.LOCAL doing parameter include = /etc/samba/frisk-krb5.conf doing parameter dedicated keytab file = /etc/krb5.keytab doing parameter kerberos method = secrets and keytab doing parameter preferred master = no doing parameter domain master = No doing parameter password server = * doing parameter security = ADS doing parameter include = /etc/samba/frisk-krb5-ad-logins.conf doing parameter ldap timeout = 300 doing parameter dns proxy = no doing parameter log file = /var/log/samba/log.%m doing parameter syslog = 0 WARNING: The "syslog" option is deprecated doing parameter panic action = /usr/share/samba/panic-action %d doing parameter server role = standalone server doing parameter passdb backend = tdbsam doing parameter obey pam restrictions = yes doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . 
doing parameter idmap config * : range = 10000-4000000000 doing parameter idmap config * : backend = tdb pm_process() returned Yes lp_servicenumber: couldn't find homes Netbios name list:- my_netbios_names[0]="TEST" added interface bond0 ip=10.10.11.14 bcast=10.10.11.255 netmask=255.255.255.0 Connecting to 10.10.11.1 at port 445 Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 168960 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 Doing spnego session setup (blob length=120) got OID=1.3.6.1.4.1.311.2.2.30 got OID=1.2.840.48018.1.2.2 got OID=1.2.840.113554.1.2.2 got OID=1.2.840.113554.1.2.2.3 got OID=1.3.6.1.4.1.311.2.2.10 got principal=not_defined_in_RFC4178@please_ignore GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Starting GENSEC mechanism spnego Starting GENSEC submechanism ntlmssp negotiate: struct NEGOTIATE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmNegotiate (1) NegotiateFlags : 0x62088215 (1644724757) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 0: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: 
NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 0: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 0: NTLMSSP_NEGOTIATE_56 DomainNameLen : 0x0000 (0) DomainNameMaxLen : 0x0000 (0) DomainName : * DomainName : '' WorkstationLen : 0x0000 (0) WorkstationMaxLen : 0x0000 (0) Workstation : * Workstation : '' Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) ProductBuild : 0x0000 (0) Reserved: ARRAY(3) [0] : 0x00 (0) [1] : 0x00 (0) [2] : 0x00 (0) NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) Got challenge flags: Got NTLMSSP neg_flags=0x62898215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH ntlmssp_check_packet: NTLMSSP signature OK ! 
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH signed SMB2 message signed SMB2 message signed SMB2 message Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 12345778-1234-abcd-ef00-0123456789ab if_version : 0x00000000 (0) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 52 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) 
frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x0000e878 (59512) secondary_address_size : 0x000c (12) secondary_address : '\pipe\lsass' _pad1 : DATA_BLOB length=2 [0000] 0A 4C .L num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) reason : union dcerpc_bind_ack_reason(case 0) value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 68 bytes. check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine 10.10.11.1 and bound anonymously. lsa_OpenPolicy: struct lsa_OpenPolicy in: struct lsa_OpenPolicy system_name : * system_name : 0x005c (92) attr : * attr: struct lsa_ObjectAttribute len : 0x00000018 (24) root_dir : NULL object_name : NULL attributes : 0x00000000 (0) sec_desc : NULL sec_qos : NULL access_mask : 0x02000000 (33554432) 0: LSA_POLICY_VIEW_LOCAL_INFORMATION 0: LSA_POLICY_VIEW_AUDIT_INFORMATION 0: LSA_POLICY_GET_PRIVATE_INFORMATION 0: LSA_POLICY_TRUST_ADMIN 0: LSA_POLICY_CREATE_ACCOUNT 0: LSA_POLICY_CREATE_SECRET 0: LSA_POLICY_CREATE_PRIVILEGE 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS 0: LSA_POLICY_AUDIT_LOG_ADMIN 0: LSA_POLICY_SERVER_ADMIN 0: LSA_POLICY_LOOKUP_NAMES 0: LSA_POLICY_NOTIFICATION &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) 
[0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000002 (2) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000024 (36) context_id : 0x0000 (0) opnum : 0x0006 (6) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000002 (2) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 83 18 B3 E3 6C 00 0A 4B 98 EA 4B 5A ........ l..K..KZ [0010] A1 AA 29 E3 00 00 00 00 ..)..... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
lsa_OpenPolicy: struct lsa_OpenPolicy out: struct lsa_OpenPolicy handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : e3b31883-006c-4b0a-98ea-4b5aa1aa29e3 result : NT_STATUS_OK lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy in: struct lsa_QueryInfoPolicy handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : e3b31883-006c-4b0a-98ea-4b5aa1aa29e3 level : LSA_POLICY_INFO_ACCOUNT_DOMAIN (5) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000003 (3) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000016 (22) context_id : 0x0000 (0) opnum : 0x0007 (7) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 92 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x006c (108) auth_length : 0x0000 (0) call_id : 0x00000003 (3) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=84 [0000] 00 00 02 00 05 00 00 00 12 00 14 00 04 00 02 00 ........ ........ [0010] 08 00 02 00 0A 00 00 00 00 00 00 00 09 00 00 00 ........ ........ [0020] 46 00 52 00 49 00 53 00 4B 00 44 00 45 00 4D 00 F.R.I.S. K.D.E.M. [0030] 4F 00 00 00 04 00 00 00 01 04 00 00 00 00 00 05 O....... ........ [0040] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... [0050] 00 00 00 00 .... Got pdu len 108, data_len 84 rpc_api_pipe: got frag len of 108 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 84 bytes. lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy out: struct lsa_QueryInfoPolicy info : * info : * info : union lsa_PolicyInformation(case 5) account_domain: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 result : NT_STATUS_OK lsa_Close: struct lsa_Close in: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : e3b31883-006c-4b0a-98ea-4b5aa1aa29e3 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000004 (4) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0000 (0) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype 
: DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000004 (4) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. lsa_Close: struct lsa_Close out: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK signed SMB2 message signed SMB2 message Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000005 (5) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 
12345778-1234-abcd-ef00-0123456789ac if_version : 0x00000001 (1) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 52 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000005 (5) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x0000e879 (59513) secondary_address_size : 0x000c (12) secondary_address : '\pipe\lsass' _pad1 : DATA_BLOB length=2 [0000] 7A A1 z. num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) reason : union dcerpc_bind_ack_reason(case 0) value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 68 bytes. check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe samr to machine 10.10.11.1 and bound anonymously. 
samr_Connect2: struct samr_Connect2 in: struct samr_Connect2 system_name : * system_name : '10.10.11.1' access_mask : 0x02000000 (33554432) 0: SAMR_ACCESS_CONNECT_TO_SERVER 0: SAMR_ACCESS_SHUTDOWN_SERVER 0: SAMR_ACCESS_INITIALIZE_SERVER 0: SAMR_ACCESS_CREATE_DOMAIN 0: SAMR_ACCESS_ENUM_DOMAINS 0: SAMR_ACCESS_LOOKUP_DOMAIN &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000006 (6) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000002c (44) context_id : 0x0000 (0) opnum : 0x0039 (57) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000006 (6) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 F5 57 D0 3E 18 A8 6C 41 9B 36 71 99 .....W.> ..lA.6q. [0010] 20 40 56 1D 00 00 00 00 @V..... 
Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Connect2: struct samr_Connect2 out: struct samr_Connect2 connect_handle : * connect_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 3ed057f5-a818-416c-9b36-71992040561d result : NT_STATUS_OK samr_OpenDomain: struct samr_OpenDomain in: struct samr_OpenDomain connect_handle : * connect_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 3ed057f5-a818-416c-9b36-71992040561d access_mask : 0x02000000 (33554432) 0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 0: SAMR_DOMAIN_ACCESS_SET_INFO_1 0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 0: SAMR_DOMAIN_ACCESS_SET_INFO_2 0: SAMR_DOMAIN_ACCESS_CREATE_USER 0: SAMR_DOMAIN_ACCESS_CREATE_GROUP 0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS 0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS 0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS 0: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT 0: SAMR_DOMAIN_ACCESS_SET_INFO_3 sid : * sid : S-1-5-32 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000007 (7) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000028 (40) context_id : 0x0000 (0) opnum : 0x0007 (7) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: 
DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000007 (7) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 72 1A 96 44 4F 58 8B 4D A3 9E AA 1F ....r..D OX.M.... [0010] FB FB 8C 5B 00 00 00 00 ...[.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenDomain: struct samr_OpenDomain out: struct samr_OpenDomain domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b result : NT_STATUS_OK samr_EnumDomainAliases: struct samr_EnumDomainAliases in: struct samr_EnumDomainAliases domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b resume_handle : * resume_handle : 0x00000000 (0) max_size : 0x000000fa (250) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000008 (8) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : 
DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 1860 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0754 (1876) auth_length : 0x0000 (0) call_id : 0x00000008 (8) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000073c (1852) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=1852
Got pdu len 1876, data_len 1852 rpc_api_pipe: got frag len of 1876 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 1852 bytes.
samr_EnumDomainAliases: struct samr_EnumDomainAliases
    out: struct samr_EnumDomainAliases
        resume_handle : *
            resume_handle : 0x00000000 (0)
        sam : *
            sam : *
                sam: struct samr_SamArray
                    count : 0x0000001b (27)
                    entries : *
                        entries: ARRAY(27)
                            entries: struct samr_SamEntry
                                idx : 0x00000220 (544)
                                name: struct lsa_String
                                    length : 0x001c (28)
                                    size : 0x001c (28)
                                    string : *
                                        string : 'Administrators'
                            entries: struct samr_SamEntry
                                idx : 0x00000221 (545)
                                name: struct lsa_String
                                    length : 0x000a (10)
                                    size : 0x000a (10)
                                    string : *
                                        string : 'Users'
                            entries: struct samr_SamEntry
                                idx : 0x00000222 (546)
                                name: struct lsa_String
                                    length : 0x000c (12)
                                    size : 0x000c (12)
                                    string : *
                                        string : 'Guests'
                            entries: struct samr_SamEntry
                                idx : 0x00000226 (550)
                                name: struct lsa_String
                                    length : 0x001e (30)
                                    size : 0x001e (30)
                                    string : *
                                        string : 'Print Operators'
                            entries: struct samr_SamEntry
                                idx : 0x00000227 (551)
                                name: struct lsa_String
                                    length : 0x0020 (32)
                                    size : 0x0020 (32)
                                    string : *
                                        string : 'Backup Operators'
                            entries: struct samr_SamEntry
                                idx : 0x00000228 (552)
                                name: struct lsa_String
                                    length : 0x0014 (20)
                                    size : 0x0014 (20)
                                    string : *
                                        string : 'Replicator'
                            entries: struct samr_SamEntry
                                idx : 0x0000022b (555)
                                name: struct lsa_String
                                    length : 0x0028 (40)
                                    size : 0x0028 (40)
                                    string : *
                                        string : 'Remote Desktop Users'
                            entries: struct samr_SamEntry
                                idx : 0x0000022c (556)
                                name: struct lsa_String
                                    length : 0x003e (62)
                                    size : 0x003e (62)
                                    string : *
                                        string : 'Network Configuration Operators'
                            entries: struct samr_SamEntry
                                idx : 0x0000022e (558)
                                name: struct lsa_String
                                    length : 0x0032 (50)
                                    size : 0x0032 (50)
                                    string : *
                                        string : 'Performance Monitor Users'
                            entries: struct samr_SamEntry
                                idx : 0x0000022f (559)
                                name: struct lsa_String
                                    length : 0x002a (42)
                                    size : 0x002a (42)
                                    string : *
                                        string : 'Performance Log Users'
                            entries: struct samr_SamEntry
                                idx : 0x00000232 (562)
                                name: struct lsa_String
                                    length : 0x002a (42)
                                    size : 0x002a (42)
                                    string : *
                                        string : 'Distributed COM Users'
                            entries: struct samr_SamEntry
                                idx : 0x00000238 (568)
                                name: struct lsa_String
                                    length : 0x0012 (18)
                                    size : 0x0012 (18)
                                    string : *
                                        string : 'IIS_IUSRS'
                            entries: struct samr_SamEntry
                                idx : 0x00000239 (569)
                                name: struct lsa_String
                                    length : 0x002e (46)
                                    size : 0x002e (46)
                                    string : *
                                        string : 'Cryptographic Operators'
                            entries: struct samr_SamEntry
                                idx : 0x0000023d (573)
                                name: struct lsa_String
                                    length : 0x0022 (34)
                                    size : 0x0022 (34)
                                    string : *
                                        string : 'Event Log Readers'
                            entries: struct samr_SamEntry
                                idx : 0x0000023e (574)
                                name: struct lsa_String
                                    length : 0x003e (62)
                                    size : 0x003e (62)
                                    string : *
                                        string : 'Certificate Service DCOM Access'
                            entries: struct samr_SamEntry
                                idx : 0x0000023f (575)
                                name: struct lsa_String
                                    length : 0x0032 (50)
                                    size : 0x0032 (50)
                                    string : *
                                        string : 'RDS Remote Access Servers'
                            entries: struct samr_SamEntry
                                idx : 0x00000240 (576)
                                name: struct lsa_String
                                    length : 0x0028 (40)
                                    size : 0x0028 (40)
                                    string : *
                                        string : 'RDS Endpoint Servers'
                            entries: struct samr_SamEntry
                                idx : 0x00000241 (577)
                                name: struct lsa_String
                                    length : 0x002c (44)
                                    size : 0x002c (44)
                                    string : *
                                        string : 'RDS Management Servers'
                            entries: struct samr_SamEntry
                                idx : 0x00000242 (578)
                                name: struct lsa_String
                                    length : 0x002c (44)
                                    size : 0x002c (44)
                                    string : *
                                        string : 'Hyper-V Administrators'
                            entries: struct samr_SamEntry
                                idx : 0x00000243 (579)
                                name: struct lsa_String
                                    length : 0x0046 (70)
                                    size : 0x0046 (70)
                                    string : *
                                        string : 'Access Control Assistance Operators'
                            entries: struct samr_SamEntry
                                idx : 0x00000244 (580)
                                name: struct lsa_String
                                    length : 0x002e (46)
                                    size : 0x002e (46)
                                    string : *
                                        string : 'Remote Management Users'
                            entries: struct samr_SamEntry
                                idx : 0x00000225 (549)
                                name: struct lsa_String
                                    length : 0x0020 (32)
                                    size : 0x0020 (32)
                                    string : *
                                        string : 'Server Operators'
                            entries: struct samr_SamEntry
                                idx : 0x00000224 (548)
                                name: struct lsa_String
                                    length : 0x0022 (34)
                                    size : 0x0022 (34)
                                    string : *
                                        string : 'Account Operators'
                            entries: struct samr_SamEntry
                                idx : 0x0000022a (554)
                                name: struct lsa_String
                                    length : 0x0044 (68)
                                    size : 0x0044 (68)
                                    string : *
                                        string : 'Pre-Windows 2000 Compatible Access'
                            entries: struct samr_SamEntry
                                idx : 0x0000022d (557)
                                name: struct lsa_String
                                    length : 0x003c (60)
                                    size : 0x003c (60)
                                    string : *
                                        string : 'Incoming Forest Trust Builders'
                            entries: struct samr_SamEntry
                                idx : 0x00000230 (560)
                                name: struct lsa_String
                                    length : 0x0044 (68)
                                    size : 0x0044 (68)
                                    string : *
                                        string : 'Windows Authorization Access Group'
                            entries: struct samr_SamEntry
                                idx : 0x00000231 (561)
                                name: struct lsa_String
                                    length : 0x003e (62)
                                    size : 0x003e (62)
                                    string : *
                                        string : 'Terminal Server License Servers'
        num_entries : *
            num_entries : 0x0000001b (27)
        result : NT_STATUS_OK
samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
        access_mask : 0x02000000 (33554432)
            0: SAMR_ALIAS_ACCESS_ADD_MEMBER
            0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
            0: SAMR_ALIAS_ACCESS_GET_MEMBERS
            0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
            0: SAMR_ALIAS_ACCESS_SET_INFO
        rid : 0x00000220 (544)
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000009 (9)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x0000001c (28)
            context_id : 0x0000 (0)
            opnum : 0x001b (27)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000009 (9)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 4F 6C CF 96 1D B6 47 45 89 F0 DC 5C   ....Ol.. ..GE...\
[0010] F9 BE C3 01 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 96cf6c4f-b61d-4547-89f0-dc5cf9bec301
        result : NT_STATUS_OK
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 96cf6c4f-b61d-4547-89f0-dc5cf9bec301
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000000a (10)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0021 (33)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 204
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x00dc (220)
    auth_length : 0x0000 (0)
    call_id : 0x0000000a (10)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x000000c4 (196)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=196
[0000] 05 00 00 00 00 00 02 00 05 00 00 00 04 00 02 00   ........ ........
[0010] 08 00 02 00 0C 00 02 00 10 00 02 00 14 00 02 00   ........ ........
[0020] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00   ........ ........
[0030] 9C 35 33 51 19 74 23 9A D3 83 E6 CA F4 01 00 00   .53Q.t#. ........
[0040] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00   ........ ........
[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 07 02 00 00   .53Q.t#. ........
[0060] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00   ........ ........
[0070] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 00 02 00 00   .53Q.t#. ........
[0080] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00   ........ ........
[0090] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 50 04 00 00   .53Q.t#. ....P...
[00A0] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00   ........ ........
[00B0] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 65 04 00 00   .53Q.t#. ....e...
[00C0] 00 00 00 00   ....
Got pdu len 220, data_len 196
rpc_api_pipe: got frag len of 220 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 196 bytes.
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
        sids : *
            sids: struct lsa_SidArray
                num_sids : 0x00000005 (5)
                sids : *
                    sids: ARRAY(5)
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-21-1362310556-2586014745-3404104659-500
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-21-1362310556-2586014745-3404104659-519
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-21-1362310556-2586014745-3404104659-512
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-21-1362310556-2586014745-3404104659-1104
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-21-1362310556-2586014745-3404104659-1125
        result : NT_STATUS_OK
samr_Close: struct samr_Close
    in: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 96cf6c4f-b61d-4547-89f0-dc5cf9bec301
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000000b (11)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0001 (1)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000000b (11)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_Close: struct samr_Close
    out: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 00000000-0000-0000-0000-000000000000
        result : NT_STATUS_OK
samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
        access_mask : 0x02000000 (33554432)
            0: SAMR_ALIAS_ACCESS_ADD_MEMBER
            0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
            0: SAMR_ALIAS_ACCESS_GET_MEMBERS
            0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
            0: SAMR_ALIAS_ACCESS_SET_INFO
        rid : 0x00000221 (545)
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000000c (12)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x0000001c (28)
            context_id : 0x0000 (0)
            opnum : 0x001b (27)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000000c (12)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 66 29 DF 8E 86 04 90 4E 9E E9 3E 2A   ....f).. ...N..>*
[0010] B1 90 99 60 00 00 00 00   ...`....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 8edf2966-0486-4e90-9ee9-3e2ab1909960
        result : NT_STATUS_OK
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 8edf2966-0486-4e90-9ee9-3e2ab1909960
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000000d (13)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0021 (33)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 100
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0074 (116)
    auth_length : 0x0000 (0)
    call_id : 0x0000000d (13)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x0000005c (92)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=92
[0000] 03 00 00 00 00 00 02 00 03 00 00 00 04 00 02 00   ........ ........
[0010] 08 00 02 00 0C 00 02 00 01 00 00 00 01 01 00 00   ........ ........
[0020] 00 00 00 05 04 00 00 00 01 00 00 00 01 01 00 00   ........ ........
[0030] 00 00 00 05 0B 00 00 00 05 00 00 00 01 05 00 00   ........ ........
[0040] 00 00 00 05 15 00 00 00 9C 35 33 51 19 74 23 9A   ........ .53Q.t#.
[0050] D3 83 E6 CA 01 02 00 00 00 00 00 00   ........ ....
Got pdu len 116, data_len 92
rpc_api_pipe: got frag len of 116 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 92 bytes.
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
        sids : *
            sids: struct lsa_SidArray
                num_sids : 0x00000003 (3)
                sids : *
                    sids: ARRAY(3)
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-4
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-11
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-21-1362310556-2586014745-3404104659-513
        result : NT_STATUS_OK
samr_Close: struct samr_Close
    in: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 8edf2966-0486-4e90-9ee9-3e2ab1909960
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000000e (14)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0001 (1)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000000e (14)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_Close: struct samr_Close
    out: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 00000000-0000-0000-0000-000000000000
        result : NT_STATUS_OK
samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
        access_mask : 0x02000000 (33554432)
            0: SAMR_ALIAS_ACCESS_ADD_MEMBER
            0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
            0: SAMR_ALIAS_ACCESS_GET_MEMBERS
            0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
            0: SAMR_ALIAS_ACCESS_SET_INFO
        rid : 0x00000222 (546)
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000000f (15)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x0000001c (28)
            context_id : 0x0000 (0)
            opnum : 0x001b (27)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000000f (15)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 69 82 7A 84 64 5E F7 4D 93 C4 C6 9D   ....i.z. d^.M....
[0010] 0C 88 6F F6 00 00 00 00   ..o.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 847a8269-5e64-4df7-93c4-c69d0c886ff6
        result : NT_STATUS_OK
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 847a8269-5e64-4df7-93c4-c69d0c886ff6
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000010 (16)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0021 (33)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 96
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0070 (112)
    auth_length : 0x0000 (0)
    call_id : 0x00000010 (16)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000058 (88)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=88
[0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00   ........ ........
[0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05   ........ ........
[0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA   .....53Q .t#.....
[0030] F5 01 00 00 05 00 00 00 01 05 00 00 00 00 00 05   ........ ........
[0040] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA   .....53Q .t#.....
[0050] 02 02 00 00 00 00 00 00   ........
Got pdu len 112, data_len 88
rpc_api_pipe: got frag len of 112 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 88 bytes.
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
        sids : *
            sids: struct lsa_SidArray
                num_sids : 0x00000002 (2)
                sids : *
                    sids: ARRAY(2)
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-21-1362310556-2586014745-3404104659-501
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-21-1362310556-2586014745-3404104659-514
        result : NT_STATUS_OK
samr_Close: struct samr_Close
    in: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 847a8269-5e64-4df7-93c4-c69d0c886ff6
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000011 (17)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0001 (1)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000011 (17)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_Close: struct samr_Close
    out: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 00000000-0000-0000-0000-000000000000
        result : NT_STATUS_OK
samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
        access_mask : 0x02000000 (33554432)
            0: SAMR_ALIAS_ACCESS_ADD_MEMBER
            0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
            0: SAMR_ALIAS_ACCESS_GET_MEMBERS
            0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
            0: SAMR_ALIAS_ACCESS_SET_INFO
        rid : 0x00000226 (550)
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000012 (18)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x0000001c (28)
            context_id : 0x0000 (0)
            opnum : 0x001b (27)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000012 (18)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 E2 D5 C6 DE B4 9C 53 41 B2 FB 2C 48   ........ ..SA..,H
[0010] C7 FE 3A F5 00 00 00 00   ..:.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : dec6d5e2-9cb4-4153-b2fb-2c48c7fe3af5
        result : NT_STATUS_OK
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : dec6d5e2-9cb4-4153-b2fb-2c48c7fe3af5
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000013 (19)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0021 (33)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 20
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0024 (36)
    auth_length : 0x0000 (0)
    call_id : 0x00000013 (19)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x0000000c (12)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
[0000] 00   .
            stub_and_verifier : DATA_BLOB length=12
[0000] 00 00 00 00 00 00 00 00 00 00 00 00   ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
        sids : *
            sids: struct lsa_SidArray
                num_sids : 0x00000000 (0)
                sids : NULL
        result : NT_STATUS_OK
samr_Close: struct samr_Close
    in: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : dec6d5e2-9cb4-4153-b2fb-2c48c7fe3af5
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000014 (20)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0001 (1)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000014 (20) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000227 (551) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000015 (21) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000015 (21) u : union dcerpc_payload(case 2) response: struct dcerpc_response 
alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 7E 0A D3 7F 35 D3 8B 4C 84 0E 97 39 ....~... 5..L...9 [0010] F9 47 0D 33 00 00 00 00 .G.3.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 7fd30a7e-d335-4c8b-840e-9739f9470d33 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 7fd30a7e-d335-4c8b-840e-9739f9470d33 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000016 (22) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: 
DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000016 (22) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 7fd30a7e-d335-4c8b-840e-9739f9470d33 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000017 (23) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: 
DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000017 (23) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000228 (552) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000018 (24) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) 
opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000018 (24) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 F3 44 9D 46 EA 30 8C 4F B3 0C 6F E7 .....D.F .0.O..o. [0010] 7F 65 88 F1 00 00 00 00 .e...... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 469d44f3-30ea-4f8c-b30c-6fe77f6588f1 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 469d44f3-30ea-4f8c-b30c-6fe77f6588f1 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000019 (25) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000019 (25) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 469d44f3-30ea-4f8c-b30c-6fe77f6588f1 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000001a (26) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000001a (26) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 
0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000022b (555) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000001b (27) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: 
DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000001b (27) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 95 06 80 A2 07 A7 BB 49 B2 08 A5 0F ........ ...I.... [0010] DF 81 F4 34 00 00 00 00 ...4.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : a2800695-a707-49bb-b208-a50fdf81f434 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : a2800695-a707-49bb-b208-a50fdf81f434 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000001c (28) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 
rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 60 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x004c (76) auth_length : 0x0000 (0) call_id : 0x0000001c (28) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000034 (52) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=52 [0000] 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........ [0010] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 ........ ........ [0020] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 58 04 00 00 .53Q.t#. ....X... [0030] 00 00 00 00 .... Got pdu len 76, data_len 52 rpc_api_pipe: got frag len of 76 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 52 bytes. 
samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1112 result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : a2800695-a707-49bb-b208-a50fdf81f434 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000001d (29) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000001d (29) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000022c (556) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000001e (30) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: 
DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000001e (30) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 74 1B E9 9F 64 24 6A 41 8F CE 23 35 ....t... d$jA..#5 [0010] 3D 42 B9 A2 00 00 00 00 =B...... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 9fe91b74-2464-416a-8fce-23353d42b9a2 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 9fe91b74-2464-416a-8fce-23353d42b9a2 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000001f (31) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet 
rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x0000001f (31) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 9fe91b74-2464-416a-8fce-23353d42b9a2 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000020 (32) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 
rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000020 (32) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000022e (558) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000021 (33) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000021 (33) u : union dcerpc_payload(case 2) response: struct dcerpc_response 
alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 77 03 15 60 00 37 94 45 80 C5 32 F5 ....w..` .7.E..2. [0010] 95 5C CF 8D 00 00 00 00 .\...... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 60150377-3700-4594-80c5-32f5955ccf8d result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 60150377-3700-4594-80c5-32f5955ccf8d &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000022 (34) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: 
DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000022 (34) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 60150377-3700-4594-80c5-32f5955ccf8d &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000023 (35) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: 
DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000023 (35) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000022f (559) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000024 (36) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) 
opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000024 (36) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 F7 73 FD F9 B0 4B 21 4A BA FA 3A 88 .....s.. .K!J..:. [0010] 80 22 56 F9 00 00 00 00 ."V..... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : f9fd73f7-4bb0-4a21-bafa-3a88802256f9 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : f9fd73f7-4bb0-4a21-bafa-3a88802256f9 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000025 (37) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 96 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0070 (112) auth_length : 0x0000 (0) call_id : 0x00000025 (37) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000058 (88) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=88 [0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00 ........ ........ [0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........ [0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... [0030] F4 01 00 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........ [0040] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... [0050] 65 04 00 00 00 00 00 00 e....... Got pdu len 112, data_len 88 rpc_api_pipe: got frag len of 112 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 88 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000002 (2) sids : * sids: ARRAY(2) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-500 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1125 result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : f9fd73f7-4bb0-4a21-bafa-3a88802256f9 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000026 (38) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) 
rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000026 (38) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000232 (562) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 
0x00000027 (39) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000027 (39) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 B0 3A 33 79 D0 DF 32 42 BE E2 07 7B .....:3y ..2B...{ [0010] F1 5E CD 73 00 00 00 00 .^.s.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 79333ab0-dfd0-4232-bee2-077bf15ecd73 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 79333ab0-dfd0-4232-bee2-077bf15ecd73 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000028 (40) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000028 (40) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 79333ab0-dfd0-4232-bee2-077bf15ecd73 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000029 (41) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000029 (41) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 
0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000238 (568) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000002a (42) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: 
DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000002a (42) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 11 EB A0 A3 1E 37 D9 46 9F A3 EE 27 ........ .7.F...' [0010] 0E EE CA 22 00 00 00 00 ...".... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : a3a0eb11-371e-46d9-9fa3-ee270eeeca22 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : a3a0eb11-371e-46d9-9fa3-ee270eeeca22 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000002b (43) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 
rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x0000002b (43) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : a3a0eb11-371e-46d9-9fa3-ee270eeeca22 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000002c (44) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 
0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000002c (44) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000239 (569) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000002d (45) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000002d (45) u : union dcerpc_payload(case 2) response: struct dcerpc_response 
alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 93 D1 59 56 23 AC BA 4C 88 9F DE 79 ......YV #..L...y [0010] 31 8A 6E 41 00 00 00 00 1.nA.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 5659d193-ac23-4cba-889f-de79318a6e41 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 5659d193-ac23-4cba-889f-de79318a6e41 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000002e (46) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: 
DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x0000002e (46) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 5659d193-ac23-4cba-889f-de79318a6e41 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000002f (47) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: 
DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000002f (47) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000023d (573) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000030 (48) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) 
opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000030 (48) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 CF 56 6B F9 23 D8 F4 4F 89 F3 07 46 .....Vk. #..O...F [0010] D1 7C 47 D4 00 00 00 00 .|G..... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : f96b56cf-d823-4ff4-89f3-0746d17c47d4 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : f96b56cf-d823-4ff4-89f3-0746d17c47d4 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000031 (49) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000031 (49) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : f96b56cf-d823-4ff4-89f3-0746d17c47d4 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000032 (50) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000032 (50) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 
0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000023e (574) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000033 (51) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: 
DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000033 (51) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 56 75 1E E6 DB 16 29 47 A5 CC C3 46 ....Vu.. ..)G...F [0010] 9D 33 1F DE 00 00 00 00 .3...... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : e61e7556-16db-4729-a5cc-c3469d331fde result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : e61e7556-16db-4729-a5cc-c3469d331fde &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000034 (52) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 
rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000034 (52) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : e61e7556-16db-4729-a5cc-c3469d331fde &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000035 (53) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 
0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000035 (53) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000023f (575) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000036 (54) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000036 (54) u : union dcerpc_payload(case 2) response: struct dcerpc_response 
alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 BC 24 AE C4 6A 2B 91 4E B2 1A 8D AD .....$.. j+.N.... [0010] 4A 0B F2 CE 00 00 00 00 J....... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : c4ae24bc-2b6a-4e91-b21a-8dad4a0bf2ce result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : c4ae24bc-2b6a-4e91-b21a-8dad4a0bf2ce &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000037 (55) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 60 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: 
DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x004c (76) auth_length : 0x0000 (0) call_id : 0x00000037 (55) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000034 (52) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=52 [0000] 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........ [0010] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 ........ ........ [0020] 9C 35 33 51 19 74 23 9A D3 83 E6 CA E8 03 00 00 .53Q.t#. ........ [0030] 00 00 00 00 .... Got pdu len 76, data_len 52 rpc_api_pipe: got frag len of 76 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 52 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1000 result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : c4ae24bc-2b6a-4e91-b21a-8dad4a0bf2ce &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000038 (56) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: 
host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000038 (56) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000240 (576) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000039 (57) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000039 (57) u : union dcerpc_payload(case 2) response: struct dcerpc_response 
alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 7D BF 62 04 AA 1E D2 43 85 F2 79 33 ....}.b. ...C..y3 [0010] E4 FF 60 2A 00 00 00 00 ..`*.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0462bf7d-1eaa-43d2-85f2-7933e4ff602a result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0462bf7d-1eaa-43d2-85f2-7933e4ff602a &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000003a (58) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 80 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: 
DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0060 (96) auth_length : 0x0000 (0) call_id : 0x0000003a (58) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=72 [0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00 ........ ........ [0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........ [0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... [0030] E8 03 00 00 01 00 00 00 01 01 00 00 00 00 00 05 ........ ........ [0040] 14 00 00 00 00 00 00 00 ........ Got pdu len 96, data_len 72 rpc_api_pipe: got frag len of 96 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 72 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000002 (2) sids : * sids: ARRAY(2) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1000 sids: struct lsa_SidPtr sid : * sid : S-1-5-20 result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 0462bf7d-1eaa-43d2-85f2-7933e4ff602a &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000003b (59) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : 
union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000003b (59) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000241 (577) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000003c (60) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000003c (60) u : union dcerpc_payload(case 2) response: struct dcerpc_response 
alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 53 FE 20 82 0E 78 62 43 84 B6 6C 19 ....S. . .xbC..l. [0010] 57 65 74 F8 00 00 00 00 Wet..... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 8220fe53-780e-4362-84b6-6c19576574f8 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 8220fe53-780e-4362-84b6-6c19576574f8 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000003d (61) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 80 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: 
DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0060 (96) auth_length : 0x0000 (0) call_id : 0x0000003d (61) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=72 [0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00 ........ ........ [0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........ [0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... [0030] E8 03 00 00 01 00 00 00 01 01 00 00 00 00 00 05 ........ ........ [0040] 14 00 00 00 00 00 00 00 ........ Got pdu len 96, data_len 72 rpc_api_pipe: got frag len of 96 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 72 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000002 (2) sids : * sids: ARRAY(2) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1000 sids: struct lsa_SidPtr sid : * sid : S-1-5-20 result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 8220fe53-780e-4362-84b6-6c19576574f8 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000003e (62) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : 
union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000003e (62) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000242 (578) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000003f (63) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000003f (63) u : union dcerpc_payload(case 2) response: struct dcerpc_response 
alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 AF 9B B2 F5 75 D8 FB 42 98 1B 36 E4 ........ u..B..6. [0010] F5 C6 89 9B 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : f5b29baf-d875-42fb-981b-36e4f5c6899b result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : f5b29baf-d875-42fb-981b-36e4f5c6899b &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000040 (64) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: 
DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000040 (64) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : f5b29baf-d875-42fb-981b-36e4f5c6899b &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000041 (65) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: 
DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000041 (65) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000243 (579) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000042 (66) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) 
opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000042 (66) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 F9 D3 36 3D 33 85 49 4B 8C 59 6B 4A ......6= 3.IK.YkJ [0010] B1 A6 B6 CE 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 3d36d3f9-8533-4b49-8c59-6b4ab1a6b6ce result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 3d36d3f9-8533-4b49-8c59-6b4ab1a6b6ce &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000043 (67) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000043 (67) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 3d36d3f9-8533-4b49-8c59-6b4ab1a6b6ce &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000044 (68) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000044 (68) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 
0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000244 (580) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000045 (69) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: 
DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000045 (69) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 3B 87 47 75 07 E3 AA 4A B1 8C 43 CF ....;.Gu ...J..C. [0010] E3 BC 51 D2 00 00 00 00 ..Q..... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 7547873b-e307-4aaa-b18c-43cfe3bc51d2 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 7547873b-e307-4aaa-b18c-43cfe3bc51d2 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000046 (70) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 
rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000046 (70) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 7547873b-e307-4aaa-b18c-43cfe3bc51d2 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000047 (71) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 
0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000047 (71) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000225 (549) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000048 (72) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000048 (72) u : union dcerpc_payload(case 2) response: struct dcerpc_response 
alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 7E 16 CB DF 0F E6 EC 4A A6 22 18 75 ....~... ...J.".u [0010] 84 F6 3E 30 00 00 00 00 ..>0.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : dfcb167e-e60f-4aec-a622-187584f63e30 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : dfcb167e-e60f-4aec-a622-187584f63e30 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000049 (73) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: 
DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000049 (73) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : dfcb167e-e60f-4aec-a622-187584f63e30 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000004a (74) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: 
DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000004a (74) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000224 (548) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000004b (75) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) 
opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000004b (75) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 02 0F DC 2D 8E D1 CA 44 BA 77 BC 95 .......- ...D.w.. [0010] 4A 41 FA 61 00 00 00 00 JA.a.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 2ddc0f02-d18e-44ca-ba77-bc954a41fa61 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 2ddc0f02-d18e-44ca-ba77-bc954a41fa61 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000004c (76) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x0000004c (76) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 2ddc0f02-d18e-44ca-ba77-bc954a41fa61 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000004d (77) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000004d (77) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 
0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000022a (554) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000004e (78) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: 
DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000004e (78) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 1B 57 E8 2E C0 01 0B 47 B7 86 6A 4A .....W.. ...G..jJ [0010] 76 40 7D 89 00 00 00 00 v@}..... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 2ee8571b-01c0-470b-b786-6a4a76407d89 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 2ee8571b-01c0-470b-b786-6a4a76407d89 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000004f (79) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 
rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 44 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x003c (60) auth_length : 0x0000 (0) call_id : 0x0000004f (79) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000024 (36) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=36 [0000] 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........ [0010] 01 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 ........ ........ [0020] 00 00 00 00 .... Got pdu len 60, data_len 36 rpc_api_pipe: got frag len of 60 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 36 bytes. 
samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-11 result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 2ee8571b-01c0-470b-b786-6a4a76407d89 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000050 (80) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000050 (80) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000022d (557) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000051 (81) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: 
DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000051 (81) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 46 9D EF 06 76 06 B7 4E 92 74 CE A7 ....F... v..N.t.. [0010] B2 3F 09 60 00 00 00 00 .?.`.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 06ef9d46-0676-4eb7-9274-cea7b23f0960 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 06ef9d46-0676-4eb7-9274-cea7b23f0960 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000052 (82) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet 
rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000052 (82) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 06ef9d46-0676-4eb7-9274-cea7b23f0960 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000053 (83) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 
rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000053 (83) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000230 (560) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000054 (84) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000054 (84) u : union dcerpc_payload(case 2) response: struct dcerpc_response 
alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 10 B3 72 D5 DB 6D 92 46 96 48 41 61 ......r. .m.F.HAa [0010] D4 65 EE 34 00 00 00 00 .e.4.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : d572b310-6ddb-4692-9648-4161d465ee34 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : d572b310-6ddb-4692-9648-4161d465ee34 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000055 (85) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 44 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: 
DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x003c (60) auth_length : 0x0000 (0) call_id : 0x00000055 (85) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000024 (36) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=36 [0000] 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........ [0010] 01 00 00 00 01 01 00 00 00 00 00 05 09 00 00 00 ........ ........ [0020] 00 00 00 00 .... Got pdu len 60, data_len 36 rpc_api_pipe: got frag len of 60 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 36 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-9 result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : d572b310-6ddb-4692-9648-4161d465ee34 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000056 (86) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) 
rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000056 (86) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000231 (561) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 
0x00000057 (87) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000057 (87) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 A9 28 4E 8E 85 C9 87 41 AD A8 65 D2 .....(N. ...A..e. [0010] 48 A6 1A 0B 00 00 00 00 H....... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 8e4e28a9-c985-4187-ada8-65d248a61a0b result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 8e4e28a9-c985-4187-ada8-65d248a61a0b &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000058 (88) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 80 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0060 (96) auth_length : 0x0000 (0) call_id : 0x00000058 (88) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
            stub_and_verifier : DATA_BLOB length=72
                [0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00   ........ ........
                [0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05   ........ ........
                [0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA   .....53Q .t#.....
                [0030] E8 03 00 00 01 00 00 00 01 01 00 00 00 00 00 05   ........ ........
                [0040] 14 00 00 00 00 00 00 00   ........
Got pdu len 96, data_len 72
rpc_api_pipe: got frag len of 96 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 72 bytes.
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
        sids : *
            sids: struct lsa_SidArray
                num_sids : 0x00000002 (2)
                sids : *
                    sids: ARRAY(2)
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-21-1362310556-2586014745-3404104659-1000
                        sids: struct lsa_SidPtr
                            sid : *
                                sid : S-1-5-20
        result : NT_STATUS_OK
samr_Close: struct samr_Close
    in: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 8e4e28a9-c985-4187-ada8-65d248a61a0b
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000059 (89)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0001 (1)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000059 (89)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
                [0010] 00 00 00 00 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_Close: struct samr_Close
    out: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 00000000-0000-0000-0000-000000000000
        result : NT_STATUS_OK
samr_Close: struct samr_Close
    in: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000005a (90)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0001 (1)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000005a (90)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
                [0010] 00 00 00 00 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_Close: struct samr_Close
    out: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 00000000-0000-0000-0000-000000000000
        result : NT_STATUS_OK
samr_OpenDomain: struct samr_OpenDomain
    in: struct samr_OpenDomain
        connect_handle : *
            connect_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 3ed057f5-a818-416c-9b36-71992040561d
        access_mask : 0x02000000 (33554432)
            0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
            0: SAMR_DOMAIN_ACCESS_SET_INFO_1
            0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
            0: SAMR_DOMAIN_ACCESS_SET_INFO_2
            0: SAMR_DOMAIN_ACCESS_CREATE_USER
            0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
            0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
            0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
            0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
            0: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
            0: SAMR_DOMAIN_ACCESS_SET_INFO_3
        sid : *
            sid : S-1-5-21-1362310556-2586014745-3404104659
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000005b (91)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000034 (52)
            context_id : 0x0000 (0)
            opnum : 0x0007 (7)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000005b (91)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 F7 C4 4B 5F 58 B6 0B 4C BC 38 B0 21   ......K_ X..L.8.!
                [0010] E6 9A 7D E2 00 00 00 00   ..}.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
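The log prints each PDU twice: the parsed ncacn_packet header ("r: struct ncacn_packet ...") and, for the payload, a hex dump of stub_and_verifier. The header bytes themselves are never shown, only their decoded fields. The following is an added example, not Samba's own code: it rebuilds the 48-byte samr_OpenDomain response (call_id 91) from the fields the log prints (rpc_vers 5.0, ptype DCERPC_PKT_RESPONSE, pfc_flags 0x03, drep 0x10, frag_length 48, auth_length 0, alloc_hint 24, context_id 0, cancel_count 0, one pad byte) plus the 24 stub bytes copied verbatim from the dump just above, then re-derives what rpc_api_pipe reports as "Got pdu len 48, data_len 24" and what the next record prints as the domain_handle. Two things worth checking rather than trusting: frag_length is a length the peer chose, so it is compared against the bytes actually received before slicing, and the response call_id is compared with the request's. Note also that auth_length is 0 on every PDU in this log, so there is no DCERPC-level integrity verifier; the "signed SMB2 message" line is where integrity comes from, the SMB2 signing of the named-pipe transport.

```python
import struct
import uuid

# pfc_flags bits, named as Samba prints them
PFC = {0x01: "FIRST", 0x02: "LAST", 0x04: "PENDING_CANCEL_OR_HDR_SIGNING", 0x10: "CONC_MPX",
       0x20: "DID_NOT_EXECUTE", 0x40: "MAYBE", 0x80: "OBJECT_UUID"}
DCERPC_PKT_RESPONSE = 2

# Verbatim from the log: the 24-byte stub_and_verifier of the samr_OpenDomain response (call_id 91).
OPEN_DOMAIN_STUB = bytes.fromhex("00000000 f7c44b5f 58b60b4c bc38b021 e69a7de2 00000000")


def build_response(call_id, stub, pfc=0x03, context_id=0):
    """Rebuild a response PDU from the header fields the log prints (no auth trailer):
    16-byte common header + 8-byte dcerpc_response header (alloc_hint, context_id,
    cancel_count, one pad byte) + stub.  Little-endian throughout (drep[0] == 0x10)."""
    common = struct.pack("<BBBB4sHHI", 5, 0, DCERPC_PKT_RESPONSE, pfc, b"\x10\x00\x00\x00",
                         24 + len(stub), 0, call_id)
    return common + struct.pack("<IHBB", len(stub), context_id, 0, 0) + stub


def split_response(pdu, expected_call_id=None):
    """Validate the headers and return (call_id, flag names, stub): the values behind
    rpc_api_pipe's 'Got pdu len N, data_len M'.  Every length comes from the peer, so
    it is checked against the bytes actually received before anything is sliced."""
    vers, minor, ptype, pfc, drep, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if (vers, minor, drep[0] >> 4) != (5, 0, 1):            # DCERPC 5.0, little-endian representation
        raise ValueError("not a little-endian DCERPC 5.0 PDU")
    if ptype != DCERPC_PKT_RESPONSE:
        raise ValueError("ptype %d is not DCERPC_PKT_RESPONSE" % ptype)
    if frag_len != len(pdu):
        raise ValueError("frag_length %d does not match the %d bytes received" % (frag_len, len(pdu)))
    if auth_len != 0:
        raise ValueError("auth trailer present; only auth_length 0 (as in this log) is handled")
    flags = [name for bit, name in PFC.items() if pfc & bit]
    if "FIRST" not in flags or "LAST" not in flags:
        raise ValueError("fragmented PDU; reassembly is not implemented here")
    if expected_call_id is not None and call_id != expected_call_id:
        raise ValueError("response call_id %d != request call_id %d" % (call_id, expected_call_id))
    alloc_hint, context_id, cancel_count, _pad = struct.unpack_from("<IHBB", pdu, 16)
    return call_id, flags, pdu[24:frag_len]                  # data_len == frag_length - 24 here


def decode_handle_result(stub):
    """[out] policy_handle (uint32 handle_type + GUID with little-endian leading fields)
    followed by the NTSTATUS: the shape of every OpenDomain/OpenAlias/Close reply here."""
    if len(stub) != 24:
        raise ValueError("expected a 24-byte stub, got %d" % len(stub))
    handle_type, guid, result = struct.unpack("<I16sI", stub)
    return handle_type, str(uuid.UUID(bytes_le=guid)), result
```

Run against the rebuilt PDU, `split_response` yields call_id 91, flags FIRST and LAST and a 24-byte stub, and `decode_handle_result` on that stub gives handle_type 0, uuid 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 and result 0 (NT_STATUS_OK), the same domain_handle the log prints in the samr_OpenDomain out record; the all-zero stubs of the samr_Close replies decode to the null GUID the log shows for them. One reading note on the request side: the access_mask 0x02000000 that the log decodes to eleven SAMR_DOMAIN_ACCESS_* bits all at 0 is the generic MAXIMUM_ALLOWED bit, which is not in the SAMR-specific flag list, so the client is asking the server for whatever it is entitled to rather than a named right.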
samr_OpenDomain: struct samr_OpenDomain
    out: struct samr_OpenDomain
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2
        result : NT_STATUS_OK
samr_EnumDomainAliases: struct samr_EnumDomainAliases
    in: struct samr_EnumDomainAliases
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2
        resume_handle : *
            resume_handle : 0x00000000 (0)
        max_size : 0x000000fa (250)
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000005c (92)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x0000001c (28)
            context_id : 0x0000 (0)
            opnum : 0x000f (15)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 360
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0178 (376)
    auth_length : 0x0000 (0)
    call_id : 0x0000005c (92)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000160 (352)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=352
                [0000] 3C 02 00 00 00 00 02 00 04 00 00 00 04 00 02 00   <....... ........
                [0010] 04 00 00 00 05 02 00 00 1E 00 1E 00 08 00 02 00   ........ ........
                [0020] 29 02 00 00 26 00 26 00 0C 00 02 00 3B 02 00 00   )...&.&. ....;...
                [0030] 4E 00 4E 00 10 00 02 00 3C 02 00 00 4C 00 4C 00   N.N..... <...L.L.
                [0040] 14 00 02 00 0F 00 00 00 00 00 00 00 0F 00 00 00   ........ ........
                [0050] 43 00 65 00 72 00 74 00 20 00 50 00 75 00 62 00   C.e.r.t. .P.u.b.
                [0060] 6C 00 69 00 73 00 68 00 65 00 72 00 73 00 00 00   l.i.s.h. e.r.s...
                [0070] 13 00 00 00 00 00 00 00 13 00 00 00 52 00 41 00   ........ ....R.A.
                [0080] 53 00 20 00 61 00 6E 00 64 00 20 00 49 00 41 00   S. .a.n. d. .I.A.
                [0090] 53 00 20 00 53 00 65 00 72 00 76 00 65 00 72 00   S. .S.e. r.v.e.r.
                [00A0] 73 00 00 00 27 00 00 00 00 00 00 00 27 00 00 00   s...'... ....'...
                [00B0] 41 00 6C 00 6C 00 6F 00 77 00 65 00 64 00 20 00   A.l.l.o. w.e.d. .
                [00C0] 52 00 4F 00 44 00 43 00 20 00 50 00 61 00 73 00   R.O.D.C. .P.a.s.
                [00D0] 73 00 77 00 6F 00 72 00 64 00 20 00 52 00 65 00   s.w.o.r. d. .R.e.
                [00E0] 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00   p.l.i.c. a.t.i.o.
                [00F0] 6E 00 20 00 47 00 72 00 6F 00 75 00 70 00 00 00   n. .G.r. o.u.p...
                [0100] 26 00 00 00 00 00 00 00 26 00 00 00 44 00 65 00   &....... &...D.e.
                [0110] 6E 00 69 00 65 00 64 00 20 00 52 00 4F 00 44 00   n.i.e.d. .R.O.D.
                [0120] 43 00 20 00 50 00 61 00 73 00 73 00 77 00 6F 00   C. .P.a. s.s.w.o.
                [0130] 72 00 64 00 20 00 52 00 65 00 70 00 6C 00 69 00   r.d. .R. e.p.l.i.
                [0140] 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 47 00   c.a.t.i. o.n. .G.
                [0150] 72 00 6F 00 75 00 70 00 04 00 00 00 05 01 00 00   r.o.u.p. ........
Got pdu len 376, data_len 352
rpc_api_pipe: got frag len of 376 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 352 bytes.
samr_EnumDomainAliases: struct samr_EnumDomainAliases
    out: struct samr_EnumDomainAliases
        resume_handle : *
            resume_handle : 0x0000023c (572)
        sam : *
            sam : *
                sam: struct samr_SamArray
                    count : 0x00000004 (4)
                    entries : *
                        entries: ARRAY(4)
                            entries: struct samr_SamEntry
                                idx : 0x00000205 (517)
                                name: struct lsa_String
                                    length : 0x001e (30)
                                    size : 0x001e (30)
                                    string : *
                                        string : 'Cert Publishers'
                            entries: struct samr_SamEntry
                                idx : 0x00000229 (553)
                                name: struct lsa_String
                                    length : 0x0026 (38)
                                    size : 0x0026 (38)
                                    string : *
                                        string : 'RAS and IAS Servers'
                            entries: struct samr_SamEntry
                                idx : 0x0000023b (571)
                                name: struct lsa_String
                                    length : 0x004e (78)
                                    size : 0x004e (78)
                                    string : *
                                        string : 'Allowed RODC Password Replication Group'
                            entries: struct samr_SamEntry
                                idx : 0x0000023c (572)
                                name: struct lsa_String
                                    length : 0x004c (76)
                                    size : 0x004c (76)
                                    string : *
                                        string : 'Denied RODC Password Replication Group'
        num_entries : *
            num_entries : 0x00000004 (4)
        result : STATUS_MORE_ENTRIES
samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2
        access_mask : 0x02000000 (33554432)
            0: SAMR_ALIAS_ACCESS_ADD_MEMBER
            0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
            0: SAMR_ALIAS_ACCESS_GET_MEMBERS
            0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
            0: SAMR_ALIAS_ACCESS_SET_INFO
        rid : 0x00000205 (517)
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000005d (93)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x0000001c (28)
            context_id : 0x0000 (0)
            opnum : 0x001b (27)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000005d (93)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 DC C1 59 C4 64 D4 EC 46 8A 08 40 B7   ......Y. d..F..@.
                [0010] 8D A1 04 01 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : c459c1dc-d464-46ec-8a08-40b78da10401
        result : NT_STATUS_OK
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : c459c1dc-d464-46ec-8a08-40b78da10401
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000005e (94)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0021 (33)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 20
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0024 (36)
    auth_length : 0x0000 (0)
    call_id : 0x0000005e (94)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x0000000c (12)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=12
                [0000] 00 00 00 00 00 00 00 00 00 00 00 00   ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
        sids : *
            sids: struct lsa_SidArray
                num_sids : 0x00000000 (0)
                sids : NULL
        result : NT_STATUS_OK
samr_Close: struct samr_Close
    in: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : c459c1dc-d464-46ec-8a08-40b78da10401
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000005f (95)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0001 (1)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000005f (95)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
                [0010] 00 00 00 00 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_Close: struct samr_Close
    out: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 00000000-0000-0000-0000-000000000000
        result : NT_STATUS_OK
samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2
        access_mask : 0x02000000 (33554432)
            0: SAMR_ALIAS_ACCESS_ADD_MEMBER
            0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
            0: SAMR_ALIAS_ACCESS_GET_MEMBERS
            0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
            0: SAMR_ALIAS_ACCESS_SET_INFO
        rid : 0x00000229 (553)
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000060 (96)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x0000001c (28)
            context_id : 0x0000 (0)
            opnum : 0x001b (27)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000060 (96)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 AA B2 11 81 C1 5E D7 4D 97 D4 87 7F   ........ .^.M....
                [0010] DA 15 2A FF 00 00 00 00   ..*.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 8111b2aa-5ec1-4dd7-97d4-877fda152aff
        result : NT_STATUS_OK
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 8111b2aa-5ec1-4dd7-97d4-877fda152aff
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000061 (97)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0021 (33)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 20
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0024 (36)
    auth_length : 0x0000 (0)
    call_id : 0x00000061 (97)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x0000000c (12)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=12
                [0000] 00 00 00 00 00 00 00 00 00 00 00 00   ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
        sids : *
            sids: struct lsa_SidArray
                num_sids : 0x00000000 (0)
                sids : NULL
        result : NT_STATUS_OK
samr_Close: struct samr_Close
    in: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 8111b2aa-5ec1-4dd7-97d4-877fda152aff
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000062 (98)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0001 (1)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000062 (98)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
                [0010] 00 00 00 00 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_Close: struct samr_Close
    out: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 00000000-0000-0000-0000-000000000000
        result : NT_STATUS_OK
samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2
        access_mask : 0x02000000 (33554432)
            0: SAMR_ALIAS_ACCESS_ADD_MEMBER
            0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
            0: SAMR_ALIAS_ACCESS_GET_MEMBERS
            0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
            0: SAMR_ALIAS_ACCESS_SET_INFO
        rid : 0x0000023b (571)
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000063 (99)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x0000001c (28)
            context_id : 0x0000 (0)
            opnum : 0x001b (27)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000063 (99)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 B7 58 FA DC C8 E4 73 42 B7 54 37 DF   .....X.. ..sB.T7.
                [0010] B6 06 FF 3E 00 00 00 00   ...>....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : dcfa58b7-e4c8-4273-b754-37dfb606ff3e
        result : NT_STATUS_OK
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : dcfa58b7-e4c8-4273-b754-37dfb606ff3e
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000064 (100)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0021 (33)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 20
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0024 (36)
    auth_length : 0x0000 (0)
    call_id : 0x00000064 (100)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x0000000c (12)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=12
                [0000] 00 00 00 00 00 00 00 00 00 00 00 00   ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
        sids : *
            sids: struct lsa_SidArray
                num_sids : 0x00000000 (0)
                sids : NULL
        result : NT_STATUS_OK
samr_Close: struct samr_Close
    in: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : dcfa58b7-e4c8-4273-b754-37dfb606ff3e
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000065 (101)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0001 (1)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000065 (101)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
                [0010] 00 00 00 00 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_Close: struct samr_Close
    out: struct samr_Close
        handle : *
            handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 00000000-0000-0000-0000-000000000000
        result : NT_STATUS_OK
samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
        domain_handle : *
            domain_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2
        access_mask : 0x02000000 (33554432)
            0: SAMR_ALIAS_ACCESS_ADD_MEMBER
            0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
            0: SAMR_ALIAS_ACCESS_GET_MEMBERS
            0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
            0: SAMR_ALIAS_ACCESS_SET_INFO
        rid : 0x0000023c (572)
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000066 (102)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x0000001c (28)
            context_id : 0x0000 (0)
            opnum : 0x001b (27)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 32
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000066 (102)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000018 (24)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=24
                [0000] 00 00 00 00 7B B5 7A AF B2 B4 87 4A 87 5D D3 24   ....{.z. ...J.].$
                [0010] 3A 84 2B 65 00 00 00 00   :.+e....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : af7ab57b-b4b2-4a87-875d-d3243a842b65
        result : NT_STATUS_OK
samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
        alias_handle : *
            alias_handle: struct policy_handle
                handle_type : 0x00000000 (0)
                uuid : af7ab57b-b4b2-4a87-875d-d3243a842b65
&r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000067 (103)
    u : union dcerpc_payload(case 0)
        request: struct dcerpc_request
            alloc_hint : 0x00000014 (20)
            context_id : 0x0000 (0)
            opnum : 0x0021 (33)
            object : union dcerpc_object(case 0)
                empty: struct dcerpc_empty
            _pad : DATA_BLOB length=0
            stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1 signed SMB2 message
rpc_read_send: data_to_read: 312
r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
        1: DCERPC_PFC_FLAG_FIRST
        1: DCERPC_PFC_FLAG_LAST
        0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
        0: DCERPC_PFC_FLAG_CONC_MPX
        0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
        0: DCERPC_PFC_FLAG_MAYBE
        0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
        [0] : 0x10 (16)
        [1] : 0x00 (0)
        [2] : 0x00 (0)
        [3] : 0x00 (0)
    frag_length : 0x0148 (328)
    auth_length : 0x0000 (0)
    call_id : 0x00000067 (103)
    u : union dcerpc_payload(case 2)
        response: struct dcerpc_response
            alloc_hint : 0x00000130 (304)
            context_id : 0x0000 (0)
            cancel_count : 0x00 (0)
            _pad : DATA_BLOB length=1
                [0000] 00   .
            stub_and_verifier : DATA_BLOB length=304
                [0000] 08 00 00 00 00 00 02 00 08 00 00 00 04 00 02 00   ........ ........
                [0010] 08 00 02 00 0C 00 02 00 10 00 02 00 14 00 02 00   ........ ........
                [0020] 18 00 02 00 1C 00 02 00 20 00 02 00 05 00 00 00   ........ .......
                [0030] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51   ........ .....53Q
                [0040] 19 74 23 9A D3 83 E6 CA F6 01 00 00 05 00 00 00   .t#..... ........
                [0050] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51   ........ .....53Q
                [0060] 19 74 23 9A D3 83 E6 CA 04 02 00 00 05 00 00 00   .t#..... ........
                [0070] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51   ........ .....53Q
                [0080] 19 74 23 9A D3 83 E6 CA 06 02 00 00 05 00 00 00   .t#..... ........
                [0090] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51   ........ .....53Q
                [00A0] 19 74 23 9A D3 83 E6 CA 07 02 00 00 05 00 00 00   .t#..... ........
                [00B0] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51   ........ .....53Q
                [00C0] 19 74 23 9A D3 83 E6 CA 05 02 00 00 05 00 00 00   .t#..... ........
                [00D0] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51   ........ .....53Q
                [00E0] 19 74 23 9A D3 83 E6 CA 00 02 00 00 05 00 00 00   .t#..... ........
                [00F0] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51   ........ .....53Q
                [0100] 19 74 23 9A D3 83 E6 CA 08 02 00 00 05 00 00 00   .t#..... ........
                [0110] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51   ........ .....53Q
                [0120] 19 74 23 9A D3 83 E6 CA 09 02 00 00 00 00 00 00   .t#..... ........
Got pdu len 328, data_len 304
rpc_api_pipe: got frag len of 328 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 304 bytes.
samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000008 (8) sids : * sids: ARRAY(8) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-502 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-516 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-518 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-519 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-517 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-512 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-520 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-521 result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : af7ab57b-b4b2-4a87-875d-d3243a842b65 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000068 (104) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: 
DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000068 (104) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_EnumDomainAliases: struct samr_EnumDomainAliases in: struct samr_EnumDomainAliases domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 resume_handle : * resume_handle : 0x0000023c (572) max_size : 0x000000fa (250) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000069 (105) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: 
struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 248 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0108 (264) auth_length : 0x0000 (0) call_id : 0x00000069 (105) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000f0 (240) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=240 [0000] 00 00 00 00 00 00 02 00 03 00 00 00 04 00 02 00 ........ ........ [0010] 03 00 00 00 4D 04 00 00 12 00 12 00 08 00 02 00 ....M... ........ [0020] 67 04 00 00 26 00 26 00 0C 00 02 00 6A 04 00 00 g...&.&. ....j... [0030] 4E 00 4E 00 10 00 02 00 09 00 00 00 00 00 00 00 N.N..... ........ [0040] 09 00 00 00 44 00 6E 00 73 00 41 00 64 00 6D 00 ....D.n. s.A.d.m. [0050] 69 00 6E 00 73 00 00 00 13 00 00 00 00 00 00 00 i.n.s... ........ [0060] 13 00 00 00 48 00 65 00 6C 00 70 00 4C 00 69 00 ....H.e. l.p.L.i. [0070] 62 00 72 00 61 00 72 00 79 00 55 00 70 00 64 00 b.r.a.r. y.U.p.d. [0080] 61 00 74 00 65 00 72 00 73 00 00 00 27 00 00 00 a.t.e.r. s...'... [0090] 00 00 00 00 27 00 00 00 53 00 51 00 4C 00 53 00 ....'... S.Q.L.S. [00A0] 65 00 72 00 76 00 65 00 72 00 32 00 30 00 30 00 e.r.v.e. r.2.0.0. [00B0] 35 00 53 00 51 00 4C 00 42 00 72 00 6F 00 77 00 5.S.Q.L. B.r.o.w. [00C0] 73 00 65 00 72 00 55 00 73 00 65 00 72 00 24 00 s.e.r.U. s.e.r.$. [00D0] 46 00 52 00 49 00 53 00 4B 00 44 00 45 00 4D 00 F.R.I.S. K.D.E.M. [00E0] 4F 00 30 00 31 00 00 00 03 00 00 00 00 00 00 00 O.0.1... ........ 
Got pdu len 264, data_len 240 rpc_api_pipe: got frag len of 264 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 240 bytes. samr_EnumDomainAliases: struct samr_EnumDomainAliases out: struct samr_EnumDomainAliases resume_handle : * resume_handle : 0x00000000 (0) sam : * sam : * sam: struct samr_SamArray count : 0x00000003 (3) entries : * entries: ARRAY(3) entries: struct samr_SamEntry idx : 0x0000044d (1101) name: struct lsa_String length : 0x0012 (18) size : 0x0012 (18) string : * string : 'DnsAdmins' entries: struct samr_SamEntry idx : 0x00000467 (1127) name: struct lsa_String length : 0x0026 (38) size : 0x0026 (38) string : * string : 'HelpLibraryUpdaters' entries: struct samr_SamEntry idx : 0x0000046a (1130) name: struct lsa_String length : 0x004e (78) size : 0x004e (78) string : * string : 'SQLServer2005SQLBrowserUser$FRISKDEMO01' num_entries : * num_entries : 0x00000003 (3) result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000044d (1101) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000006a (106) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union 
dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000006a (106) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 41 A5 10 8E 0C 67 79 48 BD 7C F5 D9 ....A... .gyH.|.. [0010] 49 97 0B 48 00 00 00 00 I..H.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 8e10a541-670c-4879-bd7c-f5d949970b48 result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 8e10a541-670c-4879-bd7c-f5d949970b48 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000006b (107) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x0000006b (107) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 8e10a541-670c-4879-bd7c-f5d949970b48 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000006c (108) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000006c (108) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 
0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x00000467 (1127) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000006d (109) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: 
DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000006d (109) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 01 1F 41 30 3A 72 75 4A AE 1D 02 12 ......A0 :ruJ.... [0010] 61 F6 6D CF 00 00 00 00 a.m..... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. samr_OpenAlias: struct samr_OpenAlias out: struct samr_OpenAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 30411f01-723a-4a75-ae1d-021261f66dcf result : NT_STATUS_OK samr_GetMembersInAlias: struct samr_GetMembersInAlias in: struct samr_GetMembersInAlias alias_handle : * alias_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 30411f01-723a-4a75-ae1d-021261f66dcf &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000006e (110) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0021 (33) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 
rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 20 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x0000006e (110) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=12 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got pdu len 36, data_len 12 rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 12 bytes. samr_GetMembersInAlias: struct samr_GetMembersInAlias out: struct samr_GetMembersInAlias sids : * sids: struct lsa_SidArray num_sids : 0x00000000 (0) sids : NULL result : NT_STATUS_OK samr_Close: struct samr_Close in: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 30411f01-723a-4a75-ae1d-021261f66dcf &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000006f (111) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0001 (1) object : union 
dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x0000006f (111) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
samr_Close: struct samr_Close out: struct samr_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK samr_OpenAlias: struct samr_OpenAlias in: struct samr_OpenAlias domain_handle : * domain_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 access_mask : 0x02000000 (33554432) 0: SAMR_ALIAS_ACCESS_ADD_MEMBER 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER 0: SAMR_ALIAS_ACCESS_GET_MEMBERS 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO 0: SAMR_ALIAS_ACCESS_SET_INFO rid : 0x0000046a (1130) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000070 (112) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000001c (28) context_id : 0x0000 (0) opnum : 0x001b (27) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000070 (112) u : union dcerpc_payload(case 2) response: struct 
dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 3E C1 23 AC E6 FE 3C 44 82 4C 13 48 ....>.#. ...>. [0060] 14 00 02 00 00 00 00 00 1F 00 00 00 00 00 00 00 ........ ........ [0070] 1F 00 00 00 4E 00 65 00 74 00 77 00 6F 00 72 00 ....N.e. t.w.o.r. [0080] 6B 00 20 00 43 00 6F 00 6E 00 66 00 69 00 67 00 k. .C.o. n.f.i.g. [0090] 75 00 72 00 61 00 74 00 69 00 6F 00 6E 00 20 00 u.r.a.t. i.o.n. . [00A0] 4F 00 70 00 65 00 72 00 61 00 74 00 6F 00 72 00 O.p.e.r. a.t.o.r. [00B0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... Got pdu len 212, data_len 188 rpc_api_pipe: got frag len of 212 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 188 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x003e (62) size : 0x003e (62) string : * string : 'Network Configuration Operators' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Network Configuration Operators 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-558 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000087 (135) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 184 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00c8 (200) auth_length : 0x0000 (0) call_id : 0x00000087 (135) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000b0 (176) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=176 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 32 00 32 00 ........ ....2.2. [0060] 14 00 02 00 00 00 00 00 19 00 00 00 00 00 00 00 ........ ........ [0070] 19 00 00 00 50 00 65 00 72 00 66 00 6F 00 72 00 ....P.e. r.f.o.r. [0080] 6D 00 61 00 6E 00 63 00 65 00 20 00 4D 00 6F 00 m.a.n.c. e. .M.o. [0090] 6E 00 69 00 74 00 6F 00 72 00 20 00 55 00 73 00 n.i.t.o. r. .U.s. [00A0] 65 00 72 00 73 00 00 00 01 00 00 00 00 00 00 00 e.r.s... ........ Got pdu len 200, data_len 176 rpc_api_pipe: got frag len of 200 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 176 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x0032 (50) size : 0x0032 (50) string : * string : 'Performance Monitor Users' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Performance Monitor Users 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-559 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000088 (136) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 176 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00c0 (192) auth_length : 0x0000 (0) call_id : 0x00000088 (136) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000a8 (168) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=168 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 2A 00 2A 00 ........ ....*.*. [0060] 14 00 02 00 00 00 00 00 15 00 00 00 00 00 00 00 ........ ........ [0070] 15 00 00 00 50 00 65 00 72 00 66 00 6F 00 72 00 ....P.e. r.f.o.r. [0080] 6D 00 61 00 6E 00 63 00 65 00 20 00 4C 00 6F 00 m.a.n.c. e. .L.o. [0090] 67 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 g. .U.s. e.r.s... [00A0] 01 00 00 00 00 00 00 00 ........ Got pdu len 192, data_len 168 rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 168 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x002a (42) size : 0x002a (42) string : * string : 'Performance Log Users' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Performance Log Users 4: rpccli_lsa_lookup_sids: processing items 0 -- 1 of 2. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000002 (2) sids : * sids: ARRAY(2) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-500 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1125 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000089 (137) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000078 (120) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 224 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00f0 (240) auth_length : 0x0000 (0) call_id : 0x00000089 (137) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 
0x000000d8 (216) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=216 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. [0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... [0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 02 00 00 00 .53Q.t#. ........ [0060] 10 00 02 00 02 00 00 00 01 00 00 00 1A 00 1A 00 ........ ........ [0070] 14 00 02 00 00 00 00 00 01 00 00 00 14 00 14 00 ........ ........ [0080] 18 00 02 00 00 00 00 00 0D 00 00 00 00 00 00 00 ........ ........ [0090] 0D 00 00 00 41 00 64 00 6D 00 69 00 6E 00 69 00 ....A.d. m.i.n.i. [00A0] 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 00 00 s.t.r.a. t.o.r... [00B0] 0A 00 00 00 00 00 00 00 0A 00 00 00 66 00 72 00 ........ ....f.r. [00C0] 69 00 73 00 6B 00 61 00 64 00 6D 00 69 00 6E 00 i.s.k.a. d.m.i.n. [00D0] 02 00 00 00 00 00 00 00 ........ Got pdu len 240, data_len 216 rpc_api_pipe: got frag len of 240 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 216 bytes. 
lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000002 (2) names : * names: ARRAY(2) names: struct lsa_TranslatedName sid_type : SID_NAME_USER (1) name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'Administrator' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_USER (1) name: struct lsa_String length : 0x0014 (20) size : 0x0014 (20) string : * string : 'friskadmin' sid_index : 0x00000000 (0) count : * count : 0x00000002 (2) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 2' FRISKDEMO\Administrator (1); FRISKDEMO\friskadmin (1); rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-562 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000008a (138) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 176 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00c0 (192) auth_length : 0x0000 (0) call_id : 0x0000008a (138) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000a8 (168) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=168 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 2A 00 2A 00 ........ ....*.*. [0060] 14 00 02 00 00 00 00 00 15 00 00 00 00 00 00 00 ........ ........ [0070] 15 00 00 00 44 00 69 00 73 00 74 00 72 00 69 00 ....D.i. s.t.r.i. [0080] 62 00 75 00 74 00 65 00 64 00 20 00 43 00 4F 00 b.u.t.e. d. .C.O. [0090] 4D 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 M. .U.s. e.r.s... [00A0] 01 00 00 00 00 00 00 00 ........ Got pdu len 192, data_len 168 rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 168 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x002a (42) size : 0x002a (42) string : * string : 'Distributed COM Users' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Distributed COM Users 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-568 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000008b (139) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 152 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00a8 (168) auth_length : 0x0000 (0) call_id : 0x0000008b (139) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000090 (144) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=144 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 12 00 12 00 ........ ........ [0060] 14 00 02 00 00 00 00 00 09 00 00 00 00 00 00 00 ........ ........ [0070] 09 00 00 00 49 00 49 00 53 00 5F 00 49 00 55 00 ....I.I. S._.I.U. [0080] 53 00 52 00 53 00 00 00 01 00 00 00 00 00 00 00 S.R.S... ........ Got pdu len 168, data_len 144 rpc_api_pipe: got frag len of 168 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 144 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x0012 (18) size : 0x0012 (18) string : * string : 'IIS_IUSRS' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\IIS_IUSRS 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-569 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000008c (140) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 180 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00c4 (196) auth_length : 0x0000 (0) call_id : 0x0000008c (140) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000ac (172) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=172 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 2E 00 2E 00 ........ ........ [0060] 14 00 02 00 00 00 00 00 17 00 00 00 00 00 00 00 ........ ........ [0070] 17 00 00 00 43 00 72 00 79 00 70 00 74 00 6F 00 ....C.r. y.p.t.o. [0080] 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 g.r.a.p. h.i.c. . [0090] 4F 00 70 00 65 00 72 00 61 00 74 00 6F 00 72 00 O.p.e.r. a.t.o.r. [00A0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... Got pdu len 196, data_len 172 rpc_api_pipe: got frag len of 196 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 172 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x002e (46) size : 0x002e (46) string : * string : 'Cryptographic Operators' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Cryptographic Operators 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-573 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000008d (141) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 168 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00b8 (184) auth_length : 0x0000 (0) call_id : 0x0000008d (141) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000a0 (160) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=160 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 22 00 22 00 ........ ....".". [0060] 14 00 02 00 00 00 00 00 11 00 00 00 00 00 00 00 ........ ........ [0070] 11 00 00 00 45 00 76 00 65 00 6E 00 74 00 20 00 ....E.v. e.n.t. . [0080] 4C 00 6F 00 67 00 20 00 52 00 65 00 61 00 64 00 L.o.g. . R.e.a.d. [0090] 65 00 72 00 73 00 00 00 01 00 00 00 00 00 00 00 e.r.s... ........ Got pdu len 184, data_len 160 rpc_api_pipe: got frag len of 184 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 160 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x0022 (34) size : 0x0022 (34) string : * string : 'Event Log Readers' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Event Log Readers 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-574 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000008e (142) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 196 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00d4 (212) auth_length : 0x0000 (0) call_id : 0x0000008e (142) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000bc (188) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=188 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 3E 00 3E 00 ........ ....>.>. [0060] 14 00 02 00 00 00 00 00 1F 00 00 00 00 00 00 00 ........ ........ [0070] 1F 00 00 00 43 00 65 00 72 00 74 00 69 00 66 00 ....C.e. r.t.i.f. [0080] 69 00 63 00 61 00 74 00 65 00 20 00 53 00 65 00 i.c.a.t. e. .S.e. [0090] 72 00 76 00 69 00 63 00 65 00 20 00 44 00 43 00 r.v.i.c. e. .D.C. [00A0] 4F 00 4D 00 20 00 41 00 63 00 63 00 65 00 73 00 O.M. .A. c.c.e.s. [00B0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... Got pdu len 212, data_len 188 rpc_api_pipe: got frag len of 212 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 188 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x003e (62) size : 0x003e (62) string : * string : 'Certificate Service DCOM Access' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Certificate Service DCOM Access 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-575 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000008f (143) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 184 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00c8 (200) auth_length : 0x0000 (0) call_id : 0x0000008f (143) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000b0 (176) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=176 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 32 00 32 00 ........ ....2.2. [0060] 14 00 02 00 00 00 00 00 19 00 00 00 00 00 00 00 ........ ........ [0070] 19 00 00 00 52 00 44 00 53 00 20 00 52 00 65 00 ....R.D. S. .R.e. [0080] 6D 00 6F 00 74 00 65 00 20 00 41 00 63 00 63 00 m.o.t.e. .A.c.c. [0090] 65 00 73 00 73 00 20 00 53 00 65 00 72 00 76 00 e.s.s. . S.e.r.v. [00A0] 65 00 72 00 73 00 00 00 01 00 00 00 00 00 00 00 e.r.s... ........ Got pdu len 200, data_len 176 rpc_api_pipe: got frag len of 200 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 176 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x0032 (50) size : 0x0032 (50) string : * string : 'RDS Remote Access Servers' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\RDS Remote Access Servers 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1000 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x00000090 (144) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 172 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00bc (188) auth_length : 0x0000 (0) call_id : 0x00000090 (144) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000a4 (164) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 
stub_and_verifier : DATA_BLOB length=192 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 44 00 44 00 ........ ....D.D. [0060] 14 00 02 00 00 00 00 00 22 00 00 00 00 00 00 00 ........ "....... [0070] 22 00 00 00 50 00 72 00 65 00 2D 00 57 00 69 00 "...P.r. e.-.W.i. [0080] 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w. s. .2.0. [0090] 30 00 30 00 20 00 43 00 6F 00 6D 00 70 00 61 00 0.0. .C. o.m.p.a. [00A0] 74 00 69 00 62 00 6C 00 65 00 20 00 41 00 63 00 t.i.b.l. e. .A.c. [00B0] 63 00 65 00 73 00 73 00 01 00 00 00 00 00 00 00 c.e.s.s. ........ Got pdu len 216, data_len 192 rpc_api_pipe: got frag len of 216 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 192 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x0044 (68) size : 0x0044 (68) string : * string : 'Pre-Windows 2000 Compatible Access' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Pre-Windows 2000 Compatible Access 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-11 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000009b (155) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000044 (68) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 176 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00c0 (192) auth_length : 0x0000 (0) call_id : 0x0000009b (155) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000a8 (168) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=168 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 18 00 1A 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0D 00 00 00 00 00 00 00 0C 00 00 00 4E 00 54 00 ........ ....N.T. [0030] 20 00 41 00 55 00 54 00 48 00 4F 00 52 00 49 00 .A.U.T. H.O.R.I. [0040] 54 00 59 00 00 00 00 00 01 00 00 00 00 00 00 05 T.Y..... ........ [0050] 01 00 00 00 10 00 02 00 01 00 00 00 05 00 00 00 ........ ........ [0060] 26 00 28 00 14 00 02 00 00 00 00 00 14 00 00 00 &.(..... ........ [0070] 00 00 00 00 13 00 00 00 41 00 75 00 74 00 68 00 ........ A.u.t.h. [0080] 65 00 6E 00 74 00 69 00 63 00 61 00 74 00 65 00 e.n.t.i. c.a.t.e. [0090] 64 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 d. .U.s. e.r.s... [00A0] 01 00 00 00 00 00 00 00 ........ Got pdu len 192, data_len 168 rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 168 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0018 (24) size : 0x001a (26) string : * string : 'NT AUTHORITY' sid : * sid : S-1-5 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_WKN_GRP (5) name: struct lsa_String length : 0x0026 (38) size : 0x0028 (40) string : * string : 'Authenticated Users' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' NT AUTHORITY\Authenticated Users (5); rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-557 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000009c (156) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 192 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00d0 (208) auth_length : 0x0000 (0) call_id : 0x0000009c (156) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000b8 (184) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=184 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 3C 00 3C 00 ........ ....<.<. [0060] 14 00 02 00 00 00 00 00 1E 00 00 00 00 00 00 00 ........ ........ [0070] 1E 00 00 00 49 00 6E 00 63 00 6F 00 6D 00 69 00 ....I.n. c.o.m.i. [0080] 6E 00 67 00 20 00 46 00 6F 00 72 00 65 00 73 00 n.g. .F. o.r.e.s. [0090] 74 00 20 00 54 00 72 00 75 00 73 00 74 00 20 00 t. .T.r. u.s.t. . [00A0] 42 00 75 00 69 00 6C 00 64 00 65 00 72 00 73 00 B.u.i.l. d.e.r.s. [00B0] 01 00 00 00 00 00 00 00 ........ Got pdu len 208, data_len 184 rpc_api_pipe: got frag len of 208 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 184 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x003c (60) size : 0x003c (60) string : * string : 'Incoming Forest Trust Builders' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Incoming Forest Trust Builders 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-560 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000009d (157) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 200 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00d8 (216) auth_length : 0x0000 (0) call_id : 0x0000009d (157) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000c0 (192) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=192 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 44 00 44 00 ........ ....D.D. [0060] 14 00 02 00 00 00 00 00 22 00 00 00 00 00 00 00 ........ "....... [0070] 22 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 "...W.i. n.d.o.w. [0080] 73 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 s. .A.u. t.h.o.r. [0090] 69 00 7A 00 61 00 74 00 69 00 6F 00 6E 00 20 00 i.z.a.t. i.o.n. . [00A0] 41 00 63 00 63 00 65 00 73 00 73 00 20 00 47 00 A.c.c.e. s.s. .G. [00B0] 72 00 6F 00 75 00 70 00 01 00 00 00 00 00 00 00 r.o.u.p. ........ Got pdu len 216, data_len 192 rpc_api_pipe: got frag len of 216 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 192 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x0044 (68) size : 0x0044 (68) string : * string : 'Windows Authorization Access Group' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Windows Authorization Access Group 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-9 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000009e (158) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000044 (68) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 196 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00d4 (212) auth_length : 0x0000 (0) call_id : 0x0000009e (158) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000bc (188) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=188 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 18 00 1A 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0D 00 00 00 00 00 00 00 0C 00 00 00 4E 00 54 00 ........ ....N.T. [0030] 20 00 41 00 55 00 54 00 48 00 4F 00 52 00 49 00 .A.U.T. H.O.R.I. [0040] 54 00 59 00 00 00 00 00 01 00 00 00 00 00 00 05 T.Y..... ........ [0050] 01 00 00 00 10 00 02 00 01 00 00 00 05 00 00 00 ........ ........ [0060] 3A 00 3C 00 14 00 02 00 00 00 00 00 1E 00 00 00 :.<..... ........ [0070] 00 00 00 00 1D 00 00 00 45 00 4E 00 54 00 45 00 ........ E.N.T.E. [0080] 52 00 50 00 52 00 49 00 53 00 45 00 20 00 44 00 R.P.R.I. S.E. .D. [0090] 4F 00 4D 00 41 00 49 00 4E 00 20 00 43 00 4F 00 O.M.A.I. N. .C.O. [00A0] 4E 00 54 00 52 00 4F 00 4C 00 4C 00 45 00 52 00 N.T.R.O. L.L.E.R. [00B0] 53 00 00 00 01 00 00 00 00 00 00 00 S....... .... Got pdu len 212, data_len 188 rpc_api_pipe: got frag len of 212 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 188 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0018 (24) size : 0x001a (26) string : * string : 'NT AUTHORITY' sid : * sid : S-1-5 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_WKN_GRP (5) name: struct lsa_String length : 0x003a (58) size : 0x003c (60) string : * string : 'ENTERPRISE DOMAIN CONTROLLERS' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS (5); rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-32-561 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x0000009f (159) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 196 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00d4 (212) auth_length : 0x0000 (0) call_id : 0x0000009f (159) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000bc (188) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=188 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. [0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... [0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... [0050] 10 00 02 00 01 00 00 00 04 00 00 00 3E 00 3E 00 ........ ....>.>. [0060] 14 00 02 00 00 00 00 00 1F 00 00 00 00 00 00 00 ........ ........ [0070] 1F 00 00 00 54 00 65 00 72 00 6D 00 69 00 6E 00 ....T.e. r.m.i.n. [0080] 61 00 6C 00 20 00 53 00 65 00 72 00 76 00 65 00 a.l. .S. e.r.v.e. [0090] 72 00 20 00 4C 00 69 00 63 00 65 00 6E 00 73 00 r. .L.i. c.e.n.s. [00A0] 65 00 20 00 53 00 65 00 72 00 76 00 65 00 72 00 e. .S.e. r.v.e.r. [00B0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... Got pdu len 212, data_len 188 rpc_api_pipe: got frag len of 212 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 188 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x003e (62) size : 0x003e (62) string : * string : 'Terminal Server License Servers' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' BUILTIN\Terminal Server License Servers 4: rpccli_lsa_lookup_sids: processing items 0 -- 1 of 2. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000002 (2) sids : * sids: ARRAY(2) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1000 sids: struct lsa_SidPtr sid : * sid : S-1-5-20 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a0 (160) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000068 (104) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 292 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0134 (308) auth_length : 0x0000 (0) call_id : 0x000000a0 (160) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000011c (284) context_id : 0x0000 (0) 
cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=284 [0000] 00 00 02 00 02 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 02 00 00 00 18 00 1A 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 12 00 14 00 10 00 02 00 14 00 02 00 0D 00 00 00 ........ ........ [0030] 00 00 00 00 0C 00 00 00 4E 00 54 00 20 00 41 00 ........ N.T. .A. [0040] 55 00 54 00 48 00 4F 00 52 00 49 00 54 00 59 00 U.T.H.O. R.I.T.Y. [0050] 00 00 00 00 01 00 00 00 00 00 00 05 0A 00 00 00 ........ ........ [0060] 00 00 00 00 09 00 00 00 46 00 52 00 49 00 53 00 ........ F.R.I.S. [0070] 4B 00 44 00 45 00 4D 00 4F 00 00 00 04 00 00 00 K.D.E.M. O....... [0080] 01 04 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q [0090] 19 74 23 9A D3 83 E6 CA 02 00 00 00 18 00 02 00 .t#..... ........ [00A0] 02 00 00 00 01 00 00 00 18 00 18 00 1C 00 02 00 ........ ........ [00B0] 01 00 00 00 05 00 00 00 1E 00 20 00 20 00 02 00 ........ .. . ... [00C0] 00 00 00 00 0C 00 00 00 00 00 00 00 0C 00 00 00 ........ ........ [00D0] 46 00 52 00 49 00 53 00 4B 00 44 00 45 00 4D 00 F.R.I.S. K.D.E.M. [00E0] 4F 00 30 00 31 00 24 00 10 00 00 00 00 00 00 00 O.0.1.$. ........ [00F0] 0F 00 00 00 4E 00 45 00 54 00 57 00 4F 00 52 00 ....N.E. T.W.O.R. [0100] 4B 00 20 00 53 00 45 00 52 00 56 00 49 00 43 00 K. .S.E. R.V.I.C. [0110] 45 00 00 00 02 00 00 00 00 00 00 00 E....... .... Got pdu len 308, data_len 284 rpc_api_pipe: got frag len of 308 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 284 bytes. 
lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000002 (2) domains : * domains: ARRAY(2) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0018 (24) size : 0x001a (26) string : * string : 'NT AUTHORITY' sid : * sid : S-1-5 domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000002 (2) names : * names: ARRAY(2) names: struct lsa_TranslatedName sid_type : SID_NAME_USER (1) name: struct lsa_String length : 0x0018 (24) size : 0x0018 (24) string : * string : 'FRISKDEMO01$' sid_index : 0x00000001 (1) names: struct lsa_TranslatedName sid_type : SID_NAME_WKN_GRP (5) name: struct lsa_String length : 0x001e (30) size : 0x0020 (32) string : * string : 'NETWORK SERVICE' sid_index : 0x00000000 (0) count : * count : 0x00000002 (2) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 2' FRISKDEMO\FRISKDEMO01$ (1); NT AUTHORITY\NETWORK SERVICE (5); rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-517 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a1 (161) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 180 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00c4 (196) auth_length : 0x0000 (0) call_id : 0x000000a1 (161) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000ac (172) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 
[0000] 00 . stub_and_verifier : DATA_BLOB length=172 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. [0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... [0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ [0060] 10 00 02 00 01 00 00 00 04 00 00 00 1E 00 1E 00 ........ ........ [0070] 14 00 02 00 00 00 00 00 0F 00 00 00 00 00 00 00 ........ ........ [0080] 0F 00 00 00 43 00 65 00 72 00 74 00 20 00 50 00 ....C.e. r.t. .P. [0090] 75 00 62 00 6C 00 69 00 73 00 68 00 65 00 72 00 u.b.l.i. s.h.e.r. [00A0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... Got pdu len 196, data_len 172 rpc_api_pipe: got frag len of 196 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 172 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x001e (30) size : 0x001e (30) string : * string : 'Cert Publishers' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' FRISKDEMO\Cert Publishers 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-553 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a2 (162) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 188 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00cc (204) auth_length : 0x0000 (0) call_id : 0x000000a2 (162) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000b4 (180) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 
[0000] 00 . stub_and_verifier : DATA_BLOB length=180 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. [0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... [0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ [0060] 10 00 02 00 01 00 00 00 04 00 00 00 26 00 26 00 ........ ....&.&. [0070] 14 00 02 00 00 00 00 00 13 00 00 00 00 00 00 00 ........ ........ [0080] 13 00 00 00 52 00 41 00 53 00 20 00 61 00 6E 00 ....R.A. S. .a.n. [0090] 64 00 20 00 49 00 41 00 53 00 20 00 53 00 65 00 d. .I.A. S. .S.e. [00A0] 72 00 76 00 65 00 72 00 73 00 00 00 01 00 00 00 r.v.e.r. s....... [00B0] 00 00 00 00 .... Got pdu len 204, data_len 180 rpc_api_pipe: got frag len of 204 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 180 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x0026 (38) size : 0x0026 (38) string : * string : 'RAS and IAS Servers' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' FRISKDEMO\RAS and IAS Servers 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-571 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a3 (163) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 228 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00f4 (244) auth_length : 0x0000 (0) call_id : 0x000000a3 (163) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000dc (220) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 
[0000] 00 . stub_and_verifier : DATA_BLOB length=220 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. [0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... [0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ [0060] 10 00 02 00 01 00 00 00 04 00 00 00 4E 00 4E 00 ........ ....N.N. [0070] 14 00 02 00 00 00 00 00 27 00 00 00 00 00 00 00 ........ '....... [0080] 27 00 00 00 41 00 6C 00 6C 00 6F 00 77 00 65 00 '...A.l. l.o.w.e. [0090] 64 00 20 00 52 00 4F 00 44 00 43 00 20 00 50 00 d. .R.O. D.C. .P. [00A0] 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 20 00 a.s.s.w. o.r.d. . [00B0] 52 00 65 00 70 00 6C 00 69 00 63 00 61 00 74 00 R.e.p.l. i.c.a.t. [00C0] 69 00 6F 00 6E 00 20 00 47 00 72 00 6F 00 75 00 i.o.n. . G.r.o.u. [00D0] 70 00 00 00 01 00 00 00 00 00 00 00 p....... .... Got pdu len 244, data_len 220 rpc_api_pipe: got frag len of 244 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 220 bytes. 
lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x004e (78) size : 0x004e (78) string : * string : 'Allowed RODC Password Replication Group' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' FRISKDEMO\Allowed RODC Password Replication Group 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-572 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a4 (164) u : union dcerpc_payload(case 0) request: struct dcerpc_request 
alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 224 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00f0 (240) auth_length : 0x0000 (0) call_id : 0x000000a4 (164) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000d8 (216) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=216 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. [0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... [0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ [0060] 10 00 02 00 01 00 00 00 04 00 00 00 4C 00 4C 00 ........ ....L.L. [0070] 14 00 02 00 00 00 00 00 26 00 00 00 00 00 00 00 ........ &....... [0080] 26 00 00 00 44 00 65 00 6E 00 69 00 65 00 64 00 &...D.e. n.i.e.d. [0090] 20 00 52 00 4F 00 44 00 43 00 20 00 50 00 61 00 .R.O.D. C. .P.a. [00A0] 73 00 73 00 77 00 6F 00 72 00 64 00 20 00 52 00 s.s.w.o. r.d. .R. [00B0] 65 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 e.p.l.i. c.a.t.i. [00C0] 6F 00 6E 00 20 00 47 00 72 00 6F 00 75 00 70 00 o.n. .G. r.o.u.p. [00D0] 01 00 00 00 00 00 00 00 ........ 
Got pdu len 240, data_len 216 rpc_api_pipe: got frag len of 240 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 216 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x004c (76) size : 0x004c (76) string : * string : 'Denied RODC Password Replication Group' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' FRISKDEMO\Denied RODC Password Replication Group 4: rpccli_lsa_lookup_sids: processing items 0 -- 7 of 8. 
lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000008 (8) sids : * sids: ARRAY(8) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-502 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-516 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-518 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-519 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-517 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-512 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-520 sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-521 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a5 (165) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000150 (336) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 628 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : 
DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0284 (644) auth_length : 0x0000 (0) call_id : 0x000000a5 (165) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000026c (620) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=620 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. [0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... [0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 08 00 00 00 .53Q.t#. ........ [0060] 10 00 02 00 08 00 00 00 01 00 00 00 0C 00 0C 00 ........ ........ [0070] 14 00 02 00 00 00 00 00 02 00 00 00 24 00 24 00 ........ ....$.$. [0080] 18 00 02 00 00 00 00 00 02 00 00 00 1A 00 1A 00 ........ ........ [0090] 1C 00 02 00 00 00 00 00 02 00 00 00 22 00 22 00 ........ ....".". [00A0] 20 00 02 00 00 00 00 00 04 00 00 00 1E 00 1E 00 ....... ........ [00B0] 24 00 02 00 00 00 00 00 02 00 00 00 1A 00 1A 00 $....... ........ [00C0] 28 00 02 00 00 00 00 00 02 00 00 00 36 00 36 00 (....... ....6.6. [00D0] 2C 00 02 00 00 00 00 00 02 00 00 00 38 00 38 00 ,....... ....8.8. [00E0] 30 00 02 00 00 00 00 00 06 00 00 00 00 00 00 00 0....... ........ [00F0] 06 00 00 00 6B 00 72 00 62 00 74 00 67 00 74 00 ....k.r. b.t.g.t. [0100] 12 00 00 00 00 00 00 00 12 00 00 00 44 00 6F 00 ........ ....D.o. [0110] 6D 00 61 00 69 00 6E 00 20 00 43 00 6F 00 6E 00 m.a.i.n. .C.o.n. 
[0120] 74 00 72 00 6F 00 6C 00 6C 00 65 00 72 00 73 00 t.r.o.l. l.e.r.s. [0130] 0D 00 00 00 00 00 00 00 0D 00 00 00 53 00 63 00 ........ ....S.c. [0140] 68 00 65 00 6D 00 61 00 20 00 41 00 64 00 6D 00 h.e.m.a. .A.d.m. [0150] 69 00 6E 00 73 00 00 00 11 00 00 00 00 00 00 00 i.n.s... ........ [0160] 11 00 00 00 45 00 6E 00 74 00 65 00 72 00 70 00 ....E.n. t.e.r.p. [0170] 72 00 69 00 73 00 65 00 20 00 41 00 64 00 6D 00 r.i.s.e. .A.d.m. [0180] 69 00 6E 00 73 00 00 00 0F 00 00 00 00 00 00 00 i.n.s... ........ [0190] 0F 00 00 00 43 00 65 00 72 00 74 00 20 00 50 00 ....C.e. r.t. .P. [01A0] 75 00 62 00 6C 00 69 00 73 00 68 00 65 00 72 00 u.b.l.i. s.h.e.r. [01B0] 73 00 00 00 0D 00 00 00 00 00 00 00 0D 00 00 00 s....... ........ [01C0] 44 00 6F 00 6D 00 61 00 69 00 6E 00 20 00 41 00 D.o.m.a. i.n. .A. [01D0] 64 00 6D 00 69 00 6E 00 73 00 00 00 1B 00 00 00 d.m.i.n. s....... [01E0] 00 00 00 00 1B 00 00 00 47 00 72 00 6F 00 75 00 ........ G.r.o.u. [01F0] 70 00 20 00 50 00 6F 00 6C 00 69 00 63 00 79 00 p. .P.o. l.i.c.y. [0200] 20 00 43 00 72 00 65 00 61 00 74 00 6F 00 72 00 .C.r.e. a.t.o.r. [0210] 20 00 4F 00 77 00 6E 00 65 00 72 00 73 00 00 00 .O.w.n. e.r.s... [0220] 1C 00 00 00 00 00 00 00 1C 00 00 00 52 00 65 00 ........ ....R.e. [0230] 61 00 64 00 2D 00 6F 00 6E 00 6C 00 79 00 20 00 a.d.-.o. n.l.y. . [0240] 44 00 6F 00 6D 00 61 00 69 00 6E 00 20 00 43 00 D.o.m.a. i.n. .C. [0250] 6F 00 6E 00 74 00 72 00 6F 00 6C 00 6C 00 65 00 o.n.t.r. o.l.l.e. [0260] 72 00 73 00 08 00 00 00 00 00 00 00 r.s..... .... Got pdu len 644, data_len 620 rpc_api_pipe: got frag len of 644 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 620 bytes. 
lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000008 (8) names : * names: ARRAY(8) names: struct lsa_TranslatedName sid_type : SID_NAME_USER (1) name: struct lsa_String length : 0x000c (12) size : 0x000c (12) string : * string : 'krbtgt' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_DOM_GRP (2) name: struct lsa_String length : 0x0024 (36) size : 0x0024 (36) string : * string : 'Domain Controllers' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_DOM_GRP (2) name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'Schema Admins' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_DOM_GRP (2) name: struct lsa_String length : 0x0022 (34) size : 0x0022 (34) string : * string : 'Enterprise Admins' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x001e (30) size : 0x001e (30) string : * string : 'Cert Publishers' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_DOM_GRP (2) name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'Domain Admins' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_DOM_GRP (2) name: struct lsa_String length : 0x0036 (54) size : 0x0036 (54) string : * string : 'Group Policy Creator Owners' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_DOM_GRP (2) name: struct lsa_String length : 0x0038 (56) size : 0x0038 (56) string : * string : 'Read-only 
Domain Controllers' sid_index : 0x00000000 (0) count : * count : 0x00000008 (8) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 8' FRISKDEMO\krbtgt (1); FRISKDEMO\Domain Controllers (2); FRISKDEMO\Schema Admins (2); FRISKDEMO\Enterprise Admins (2); FRISKDEMO\Cert Publishers (4); FRISKDEMO\Domain Admins (2); FRISKDEMO\Group Policy Creator Owners (2); FRISKDEMO\Read-only Domain Controllers (2); rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1101 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a6 (166) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 168 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: 
DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00b8 (184) auth_length : 0x0000 (0) call_id : 0x000000a6 (166) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000a0 (160) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=160 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. [0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... [0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ [0060] 10 00 02 00 01 00 00 00 04 00 00 00 12 00 12 00 ........ ........ [0070] 14 00 02 00 00 00 00 00 09 00 00 00 00 00 00 00 ........ ........ [0080] 09 00 00 00 44 00 6E 00 73 00 41 00 64 00 6D 00 ....D.n. s.A.d.m. [0090] 69 00 6E 00 73 00 00 00 01 00 00 00 00 00 00 00 i.n.s... ........ Got pdu len 184, data_len 160 rpc_api_pipe: got frag len of 184 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 160 bytes. 
lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x0012 (18) size : 0x0012 (18) string : * string : 'DnsAdmins' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' FRISKDEMO\DnsAdmins 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1127 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a7 (167) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) opnum 
: 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 188 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00cc (204) auth_length : 0x0000 (0) call_id : 0x000000a7 (167) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000b4 (180) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=180 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. [0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... [0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ [0060] 10 00 02 00 01 00 00 00 04 00 00 00 26 00 26 00 ........ ....&.&. [0070] 14 00 02 00 00 00 00 00 13 00 00 00 00 00 00 00 ........ ........ [0080] 13 00 00 00 48 00 65 00 6C 00 70 00 4C 00 69 00 ....H.e. l.p.L.i. [0090] 62 00 72 00 61 00 72 00 79 00 55 00 70 00 64 00 b.r.a.r. y.U.p.d. [00A0] 61 00 74 00 65 00 72 00 73 00 00 00 01 00 00 00 a.t.e.r. s....... [00B0] 00 00 00 00 .... Got pdu len 204, data_len 180 rpc_api_pipe: got frag len of 204 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 180 bytes. 
lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x0026 (38) size : 0x0026 (38) string : * string : 'HelpLibraryUpdaters' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' FRISKDEMO\HelpLibraryUpdaters 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. lsa_LookupSids: struct lsa_LookupSids in: struct lsa_LookupSids handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 sids : * sids: struct lsa_SidArray num_sids : 0x00000001 (1) sids : * sids: ARRAY(1) sids: struct lsa_SidPtr sid : * sid : S-1-5-21-1362310556-2586014745-3404104659-1130 names : * names: struct lsa_TransNameArray count : 0x00000000 (0) names : NULL level : LSA_LOOKUP_NAMES_ALL (1) count : * count : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a8 (168) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000054 (84) context_id 
: 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 228 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00f4 (244) auth_length : 0x0000 (0) call_id : 0x000000a8 (168) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000dc (220) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=220 [0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... [0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ [0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. [0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... [0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ [0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ [0060] 10 00 02 00 01 00 00 00 04 00 00 00 4E 00 4E 00 ........ ....N.N. [0070] 14 00 02 00 00 00 00 00 27 00 00 00 00 00 00 00 ........ '....... [0080] 27 00 00 00 53 00 51 00 4C 00 53 00 65 00 72 00 '...S.Q. L.S.e.r. [0090] 76 00 65 00 72 00 32 00 30 00 30 00 35 00 53 00 v.e.r.2. 0.0.5.S. [00A0] 51 00 4C 00 42 00 72 00 6F 00 77 00 73 00 65 00 Q.L.B.r. o.w.s.e. [00B0] 72 00 55 00 73 00 65 00 72 00 24 00 46 00 52 00 r.U.s.e. r.$.F.R. [00C0] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 30 00 I.S.K.D. E.M.O.0. [00D0] 31 00 00 00 01 00 00 00 00 00 00 00 1....... .... 
Got pdu len 244, data_len 220 rpc_api_pipe: got frag len of 244 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 220 bytes. lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000001 (1) names : * names: ARRAY(1) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x004e (78) size : 0x004e (78) string : * string : 'SQLServer2005SQLBrowserUser$FRISKDEMO01' sid_index : 0x00000000 (0) count : * count : 0x00000001 (1) result : NT_STATUS_OK LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' FRISKDEMO\SQLServer2005SQLBrowserUser$FRISKDEMO01 4: lsa_Close: struct lsa_Close in: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000a9 (169) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0000 (0) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 
message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x000000a9 (169) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
lsa_Close: struct lsa_Close out: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK rpc command function succedded signed SMB2 message signed SMB2 message Connecting to 10.10.11.1 at port 445 Socket options: SO_KEEPALIVE = 0 SO_REUSEADDR = 0 SO_BROADCAST = 0 TCP_NODELAY = 1 TCP_KEEPCNT = 9 TCP_KEEPIDLE = 7200 TCP_KEEPINTVL = 75 IPTOS_LOWDELAY = 0 IPTOS_THROUGHPUT = 0 SO_REUSEPORT = 0 SO_SNDBUF = 168960 SO_RCVBUF = 372480 SO_SNDLOWAT = 1 SO_RCVLOWAT = 1 SO_SNDTIMEO = 0 SO_RCVTIMEO = 0 TCP_QUICKACK = 1 TCP_DEFER_ACCEPT = 0 Doing spnego session setup (blob length=120) got OID=1.3.6.1.4.1.311.2.2.30 got OID=1.2.840.48018.1.2.2 got OID=1.2.840.113554.1.2.2 got OID=1.2.840.113554.1.2.2.3 got OID=1.3.6.1.4.1.311.2.2.10 got principal=not_defined_in_RFC4178@please_ignore Starting GENSEC mechanism spnego Starting GENSEC submechanism ntlmssp negotiate: struct NEGOTIATE_MESSAGE Signature : 'NTLMSSP' MessageType : NtLmNegotiate (1) NegotiateFlags : 0x62088215 (1644724757) 1: NTLMSSP_NEGOTIATE_UNICODE 0: NTLMSSP_NEGOTIATE_OEM 1: NTLMSSP_REQUEST_TARGET 1: NTLMSSP_NEGOTIATE_SIGN 0: NTLMSSP_NEGOTIATE_SEAL 0: NTLMSSP_NEGOTIATE_DATAGRAM 0: NTLMSSP_NEGOTIATE_LM_KEY 0: NTLMSSP_NEGOTIATE_NETWARE 1: NTLMSSP_NEGOTIATE_NTLM 0: NTLMSSP_NEGOTIATE_NT_ONLY 0: NTLMSSP_ANONYMOUS 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0: NTLMSSP_TARGET_TYPE_DOMAIN 0: NTLMSSP_TARGET_TYPE_SERVER 0: NTLMSSP_TARGET_TYPE_SHARE 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0: NTLMSSP_NEGOTIATE_IDENTIFY 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY 0: NTLMSSP_NEGOTIATE_TARGET_INFO 1: NTLMSSP_NEGOTIATE_VERSION 1: NTLMSSP_NEGOTIATE_128 1: NTLMSSP_NEGOTIATE_KEY_EXCH 0: NTLMSSP_NEGOTIATE_56 DomainNameLen : 0x0000 (0) DomainNameMaxLen : 0x0000 (0) DomainName : * DomainName : '' WorkstationLen : 0x0000 (0) 
WorkstationMaxLen : 0x0000 (0) Workstation : * Workstation : '' Version: struct ntlmssp_VERSION ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) ProductBuild : 0x0000 (0) Reserved: ARRAY(3) [0] : 0x00 (0) [1] : 0x00 (0) [2] : 0x00 (0) NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) Got challenge flags: Got NTLMSSP neg_flags=0x62898215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH ntlmssp_check_packet: NTLMSSP signature OK ! 
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x62088215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY NTLMSSP_NEGOTIATE_VERSION NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH signed SMB2 message signed SMB2 message signed SMB2 message Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x000000aa (170) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 12345778-1234-abcd-ef00-0123456789ab if_version : 0x00000000 (0) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 52 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) 
frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x000000aa (170) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x0000e87c (59516) secondary_address_size : 0x000c (12) secondary_address : '\pipe\lsass' _pad1 : DATA_BLOB length=2 [0000] 00 00 .. num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) reason : union dcerpc_bind_ack_reason(case 0) value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 68 bytes. check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine 10.10.11.1 and bound anonymously. lsa_OpenPolicy: struct lsa_OpenPolicy in: struct lsa_OpenPolicy system_name : * system_name : 0x005c (92) attr : * attr: struct lsa_ObjectAttribute len : 0x00000018 (24) root_dir : NULL object_name : NULL attributes : 0x00000000 (0) sec_desc : NULL sec_qos : NULL access_mask : 0x02000000 (33554432) 0: LSA_POLICY_VIEW_LOCAL_INFORMATION 0: LSA_POLICY_VIEW_AUDIT_INFORMATION 0: LSA_POLICY_GET_PRIVATE_INFORMATION 0: LSA_POLICY_TRUST_ADMIN 0: LSA_POLICY_CREATE_ACCOUNT 0: LSA_POLICY_CREATE_SECRET 0: LSA_POLICY_CREATE_PRIVILEGE 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS 0: LSA_POLICY_AUDIT_LOG_ADMIN 0: LSA_POLICY_SERVER_ADMIN 0: LSA_POLICY_LOOKUP_NAMES 0: LSA_POLICY_NOTIFICATION &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) 
[0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000ab (171) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000024 (36) context_id : 0x0000 (0) opnum : 0x0006 (6) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x000000ab (171) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 58 C6 26 C9 1A 37 B5 49 AF 3A 41 77 ....X.&. .7.I.:Aw [0010] 8C 4F BA 69 00 00 00 00 .O.i.... Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
lsa_OpenPolicy: struct lsa_OpenPolicy out: struct lsa_OpenPolicy handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : c926c658-371a-49b5-af3a-41778c4fba69 result : NT_STATUS_OK lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy in: struct lsa_QueryInfoPolicy handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : c926c658-371a-49b5-af3a-41778c4fba69 level : LSA_POLICY_INFO_ACCOUNT_DOMAIN (5) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000ac (172) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000016 (22) context_id : 0x0000 (0) opnum : 0x0007 (7) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 92 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x006c (108) auth_length : 0x0000 (0) call_id : 0x000000ac (172) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000054 (84) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=84 [0000] 00 00 02 00 05 00 00 00 12 00 14 00 04 00 02 00 ........ ........ [0010] 08 00 02 00 0A 00 00 00 00 00 00 00 09 00 00 00 ........ ........ [0020] 46 00 52 00 49 00 53 00 4B 00 44 00 45 00 4D 00 F.R.I.S. K.D.E.M. [0030] 4F 00 00 00 04 00 00 00 01 04 00 00 00 00 00 05 O....... ........ [0040] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... [0050] 00 00 00 00 .... Got pdu len 108, data_len 84 rpc_api_pipe: got frag len of 108 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 84 bytes. lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy out: struct lsa_QueryInfoPolicy info : * info : * info : union lsa_PolicyInformation(case 5) account_domain: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'FRISKDEMO' sid : * sid : S-1-5-21-1362310556-2586014745-3404104659 result : NT_STATUS_OK lsa_Close: struct lsa_Close in: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : c926c658-371a-49b5-af3a-41778c4fba69 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000ad (173) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0000 (0) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 32 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) 
ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x000000ad (173) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ Got pdu len 48, data_len 24 rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 24 bytes. lsa_Close: struct lsa_Close out: struct lsa_Close handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : NT_STATUS_OK signed SMB2 message signed SMB2 message Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1 &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x000000ae (174) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 
4b324fc8-1670-01d3-1278-5a47bf6ee188 if_version : 0x00000003 (3) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 52 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x000000ae (174) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x00010178 (65912) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=1 [0000] 00 . num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) reason : union dcerpc_bind_ack_reason(case 0) value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 68 bytes. check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe srvsvc to machine 10.10.11.1 and bound anonymously. 
srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll in: struct srvsvc_NetShareEnumAll server_unc : * server_unc : '10.10.11.1' info_ctr : * info_ctr: struct srvsvc_NetShareInfoCtr level : 0x00000001 (1) ctr : union srvsvc_NetShareCtr(case 1) ctr1 : * ctr1: struct srvsvc_NetShareCtr1 count : 0x00000000 (0) array : NULL max_buffer : 0xffffffff (4294967295) resume_handle : * resume_handle : 0x00000000 (0) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000af (175) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000048 (72) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 768 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0310 (784) auth_length : 0x0000 (0) call_id : 0x000000af (175) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000002f8 (760) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . 
stub_and_verifier : DATA_BLOB length=760 Got pdu len 784, data_len 760 rpc_api_pipe: got frag len of 784 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 760 bytes.
srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll out: struct srvsvc_NetShareEnumAll info_ctr : * info_ctr: struct srvsvc_NetShareInfoCtr level : 0x00000001 (1) ctr : union srvsvc_NetShareCtr(case 1) ctr1 : * ctr1: struct srvsvc_NetShareCtr1 count : 0x0000000a (10) array : * array: ARRAY(10) array: struct srvsvc_NetShareInfo1 name : * name : 'ADMIN$' type : STYPE_DISKTREE_HIDDEN (0x80000000) comment : * comment : 'Remote Admin' array: struct srvsvc_NetShareInfo1 name : * name : 'C$' type : STYPE_DISKTREE_HIDDEN (0x80000000) comment : * comment : 'Default share' array: struct srvsvc_NetShareInfo1 name : * name : 'Demo' type : STYPE_DISKTREE (0x0) comment : * comment : '' array: struct srvsvc_NetShareInfo1 name : * name : 'FriskDemo' type : STYPE_DISKTREE (0x0) comment : * comment : '' array: struct srvsvc_NetShareInfo1 name : * name : 'IPC$' type : STYPE_IPC_HIDDEN (0x80000003) comment : * comment : 'Remote IPC' array: struct srvsvc_NetShareInfo1 name : * name : 'NETLOGON' type : STYPE_DISKTREE (0x0) comment : * comment : 'Logon server share ' array: struct srvsvc_NetShareInfo1 name : * name : 'RDVirtualDesktopTemplate' type : STYPE_DISKTREE (0x0) comment : * comment : '' array: struct srvsvc_NetShareInfo1 name : * name : 'Steph' type : STYPE_DISKTREE (0x0) comment : * comment : '' array: struct srvsvc_NetShareInfo1 name : * name : 'Steve' type : STYPE_DISKTREE (0x0) comment : * comment : '' array: struct srvsvc_NetShareInfo1 name : * name : 'SYSVOL' type : STYPE_DISKTREE (0x0) comment : * comment : 'Logon server share ' totalentries : * totalentries : 0x0000000a (10) resume_handle : * resume_handle : 0x00000000 (0) result : WERR_OK srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '10.10.11.1' share_name : 'Demo' level : 0x000001f6 (502) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: 
DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0018 (24) auth_length : 0x0000 (0) call_id : 0x000000b0 (176) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000044 (68) context_id : 0x0000 (0) opnum : 0x0010 (16) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=0 rpc_api_pipe: host 10.10.11.1 signed SMB2 message rpc_read_send: data_to_read: 260 r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) 1: DCERPC_PFC_FLAG_FIRST 1: DCERPC_PFC_FLAG_LAST 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING 0: DCERPC_PFC_FLAG_CONC_MPX 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE 0: DCERPC_PFC_FLAG_MAYBE 0: DCERPC_PFC_FLAG_OBJECT_UUID drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0114 (276) auth_length : 0x0000 (0) call_id : 0x000000b0 (176) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x000000fc (252) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=1 [0000] 00 . stub_and_verifier : DATA_BLOB length=252
Got pdu len 276, data_len 252 rpc_api_pipe: got frag len of 276 at offset 0: NT_STATUS_OK rpc_api_pipe: host 10.10.11.1 returned 252 bytes. srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo out: struct srvsvc_NetShareGetInfo info : * info : union srvsvc_NetShareInfo(case 502) info502 : * info502: struct srvsvc_NetShareInfo502 name : * name : 'Demo' type : STYPE_DISKTREE (0x0) comment : * comment : '' permissions : 0x00000000 (0) max_users : 0xffffffff (4294967295) current_users : 0x00000001 (1) path : * path : 'C:\Share\Demo' password : NULL sd_buf: struct sec_desc_buf sd_size : 0x00000074 (116) sd : * sd: struct security_descriptor revision : SECURITY_DESCRIPTOR_REVISION_1 (1) type : 0x8004 (32772) 0: SEC_DESC_OWNER_DEFAULTED 0: SEC_DESC_GROUP_DEFAULTED 1: SEC_DESC_DACL_PRESENT 0: SEC_DESC_DACL_DEFAULTED 0: SEC_DESC_SACL_PRESENT 0: SEC_DESC_SACL_DEFAULTED 0: SEC_DESC_DACL_TRUSTED 0: SEC_DESC_SERVER_SECURITY 0: SEC_DESC_DACL_AUTO_INHERIT_REQ 0: SEC_DESC_SACL_AUTO_INHERIT_REQ 0: SEC_DESC_DACL_AUTO_INHERITED 0: SEC_DESC_SACL_AUTO_INHERITED 0: SEC_DESC_DACL_PROTECTED 0: SEC_DESC_SACL_PROTECTED 0: SEC_DESC_RM_CONTROL_VALID 1: SEC_DESC_SELF_RELATIVE owner_sid : * owner_sid : S-1-5-32-544 group_sid : * group_sid : S-1-5-21-1362310556-2586014745-3404104659-513 sacl : NULL dacl : * dacl: struct security_acl revision : SECURITY_ACL_REVISION_NT4 (2) size : 0x0034 (52) num_aces : 0x00000002 (2) aces: ARRAY(2) aces:
struct security_ace type : SEC_ACE_TYPE_ACCESS_ALLOWED (0) flags : 0x03 (3) 1: SEC_ACE_FLAG_OBJECT_INHERIT 1: SEC_ACE_FLAG_CONTAINER_INHERIT 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0: SEC_ACE_FLAG_INHERIT_ONLY 0: SEC_ACE_FLAG_INHERITED_ACE 0x03: SEC_ACE_FLAG_VALID_INHERIT (3) 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0: SEC_ACE_FLAG_FAILED_ACCESS size : 0x0018 (24) access_mask : 0x001f01ff (2032127) object : union security_ace_object_ctr(case 0) trustee : S-1-5-32-544 aces: struct security_ace type : SEC_ACE_TYPE_ACCESS_ALLOWED (0) flags : 0x03 (3) 1: SEC_ACE_FLAG_OBJECT_INHERIT 1: SEC_ACE_FLAG_CONTAINER_INHERIT 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0: SEC_ACE_FLAG_INHERIT_ONLY 0: SEC_ACE_FLAG_INHERITED_ACE 0x03: SEC_ACE_FLAG_VALID_INHERIT (3) 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0: SEC_ACE_FLAG_FAILED_ACCESS size : 0x0014 (20) access_mask : 0x001f01ff (2032127) object : union security_ace_object_ctr(case 0) trustee : S-1-1-0 result : WERR_OK signed SMB2 message signed SMB2 message signed SMB2 message signed SMB2 message signed SMB2 message srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '10.10.11.1' share_name : 'FriskDemo' level : 0x000001f6 (502) Coult not query secdesc for share FriskDemo srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '10.10.11.1' share_name : 'NETLOGON' level : 0x000001f6 (502) Coult not query secdesc for share NETLOGON srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '10.10.11.1' share_name : 'RDVirtualDesktopTemplate' level : 0x000001f6 (502) Coult not query secdesc for share RDVirtualDesktopTemplate srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '10.10.11.1' share_name : 'Steph' level : 0x000001f6 (502) Coult not query secdesc for share Steph srvsvc_NetShareGetInfo: struct 
srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '10.10.11.1' share_name : 'Steve' level : 0x000001f6 (502) Coult not query secdesc for share Steve srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '10.10.11.1' share_name : 'SYSVOL' level : 0x000001f6 (502) Coult not query secdesc for share SYSVOL rpc command function succedded signed SMB2 message return code = 0 Opening cache file at /var/cache/samba/gencache.tdb tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied gencache_init: Opening cache file /var/cache/samba/gencache.tdb read-only. Opening cache file at /var/run/samba/gencache_notrans.tdb tdb(/var/cache/samba/gencache.tdb): tdb_transaction_start: cannot start a transaction on a read-only or internal db Could not start transaction on gencache.tdb: Invalid parameter Freeing parametrics: Demo FRISKDEMO\administrator FRISKDEMO\guest FRISKDEMO\krbtgt FRISKDEMO\frisk FRISKDEMO\gburnard FRISKDEMO\cliff FRISKDEMO\steph FRISKDEMO\kgillard FRISKDEMO\gbrar FRISKDEMO\sfarrimond FRISKDEMO\pgolinski FRISKDEMO\csalmon FRISKDEMO\chilts FRISKDEMO\sbetchley FRISKDEMO\jbugden FRISKDEMO\adrian FRISKDEMO\friskadmin FriskDemo NETLOGON RDVirtualDesktopTemplate Steph Steve SYSVOL