The Samba-Bugzilla – Attachment 15249 Details for Bug 13992: SAMBA RPC share error in SAMBA Stretch 4.5.16 and Buster 4.9.5
Error Log File
log (text/plain), 922.64 KB, created by Nick Paterakis (dead mail address) on 2019-06-14 06:38:14 UTC
INFO: Current debug levels:
    all: 10
    tdb: 10
    printdrivers: 10
    lanman: 10
    smb: 10
    rpc_parse: 10
    rpc_srv: 10
    rpc_cli: 10
    passdb: 10
    sam: 10
    auth: 10
    winbind: 10
    vfs: 10
    idmap: 10
    quota: 10
    acls: 10
    locking: 10
    msdfs: 10
    dmapi: 10
    registry: 10
    scavenger: 10
    dns: 10
    ldb: 10
    tevent: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
    all: 10
    tdb: 10
    printdrivers: 10
    lanman: 10
    smb: 10
    rpc_parse: 10
    rpc_srv: 10
    rpc_cli: 10
    passdb: 10
    sam: 10
    auth: 10
    winbind: 10
    vfs: 10
    idmap: 10
    quota: 10
    acls: 10
    locking: 10
    msdfs: 10
    dmapi: 10
    registry: 10
    scavenger: 10
    dns: 10
    ldb: 10
    tevent: 10
Processing section "[global]"
doing parameter workgroup = FRISKDEMO
doing parameter realm = FRISKDEMO.LOCAL
doing parameter include = /etc/samba/frisk-krb5.conf
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter preferred master = no
doing parameter domain master = No
doing parameter password server = *
doing parameter security = ADS
doing parameter include = /etc/samba/frisk-krb5-ad-logins.conf
doing parameter ldap timeout = 300
doing parameter dns proxy = no
doing parameter log file = /var/log/samba/log.%m
doing parameter syslog = 0
WARNING: The "syslog" option is deprecated
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter passdb backend = tdbsam
doing parameter obey pam restrictions = yes
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter idmap config * : range = 10000-4000000000
doing parameter idmap config * : backend = tdb
pm_process() returned Yes
lp_servicenumber: couldn't find homes
directory_create_or_exist_strict: invalid ownership on directory /var/run/samba/msg.lock
messaging_init: Could not create lock directory: No such file or directory
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
    all: 10
    tdb: 10
    printdrivers: 10
    lanman: 10
    smb: 10
    rpc_parse: 10
    rpc_srv: 10
    rpc_cli: 10
    passdb: 10
    sam: 10
    auth: 10
    winbind: 10
    vfs: 10
    idmap: 10
    quota: 10
    acls: 10
    locking: 10
    msdfs: 10
    dmapi: 10
    registry: 10
    scavenger: 10
    dns: 10
    ldb: 10
    tevent: 10
Processing section "[global]"
doing parameter workgroup = FRISKDEMO
doing parameter realm = FRISKDEMO.LOCAL
doing parameter include = /etc/samba/frisk-krb5.conf
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter preferred master = no
doing parameter domain master = No
doing parameter password server = *
doing parameter security = ADS
doing parameter include = /etc/samba/frisk-krb5-ad-logins.conf
doing parameter ldap timeout = 300
doing parameter dns proxy = no
doing parameter log file = /var/log/samba/log.%m
doing parameter syslog = 0
WARNING: The "syslog" option is deprecated
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter passdb backend = tdbsam
doing parameter obey pam restrictions = yes
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter idmap config * : range = 10000-4000000000
doing parameter idmap config * : backend = tdb
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="TEST"
added interface bond0 ip=10.10.11.14 bcast=10.10.11.255 netmask=255.255.255.0
Connecting to 10.10.11.1 at port 445
Socket options:
    SO_KEEPALIVE = 0
    SO_REUSEADDR = 0
    SO_BROADCAST = 0
    TCP_NODELAY = 1
    TCP_KEEPCNT = 9
    TCP_KEEPIDLE = 7200
    TCP_KEEPINTVL = 75
    IPTOS_LOWDELAY = 0
    IPTOS_THROUGHPUT = 0
    SO_REUSEPORT = 0
    SO_SNDBUF = 168960
    SO_RCVBUF = 372480
    SO_SNDLOWAT = 1
    SO_RCVLOWAT = 1
    SO_SNDTIMEO = 0
    SO_RCVTIMEO = 0
    TCP_QUICKACK = 1
    TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
    negotiate: struct NEGOTIATE_MESSAGE
    Signature : 'NTLMSSP'
    MessageType : NtLmNegotiate (1)
    NegotiateFlags : 0x62088215 (1644724757)
    1: NTLMSSP_NEGOTIATE_UNICODE
    0: NTLMSSP_NEGOTIATE_OEM
    1: NTLMSSP_REQUEST_TARGET
    1: NTLMSSP_NEGOTIATE_SIGN
    0: NTLMSSP_NEGOTIATE_SEAL
    0: NTLMSSP_NEGOTIATE_DATAGRAM
    0: NTLMSSP_NEGOTIATE_LM_KEY
    0: NTLMSSP_NEGOTIATE_NETWARE
    1: NTLMSSP_NEGOTIATE_NTLM
    0: NTLMSSP_NEGOTIATE_NT_ONLY
    0: NTLMSSP_ANONYMOUS
    0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
    0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
    0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
    1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    0: NTLMSSP_TARGET_TYPE_DOMAIN
    0: NTLMSSP_TARGET_TYPE_SERVER
    0: NTLMSSP_TARGET_TYPE_SHARE
    1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    0: NTLMSSP_NEGOTIATE_IDENTIFY
    0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
    0: NTLMSSP_NEGOTIATE_TARGET_INFO
    1: NTLMSSP_NEGOTIATE_VERSION
    1: NTLMSSP_NEGOTIATE_128
    1: NTLMSSP_NEGOTIATE_KEY_EXCH
    0: NTLMSSP_NEGOTIATE_56
    DomainNameLen : 0x0000 (0)
    DomainNameMaxLen : 0x0000 (0)
    DomainName : *
    DomainName : ''
    WorkstationLen : 0x0000 (0)
    WorkstationMaxLen : 0x0000 (0)
    Workstation : *
    Workstation : ''
    Version: struct ntlmssp_VERSION
    ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
    ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
    ProductBuild : 0x0000 (0)
    Reserved: ARRAY(3)
    [0] : 0x00 (0)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_TARGET_TYPE_DOMAIN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_TARGET_INFO
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
ntlmssp_check_packet: NTLMSSP signature OK !
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
signed SMB2 message
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_BIND (11)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0048 (72)
    auth_length : 0x0000 (0)
    call_id : 0x00000001 (1)
    u : union dcerpc_payload(case 11)
    bind: struct dcerpc_bind
    max_xmit_frag : 0x10b8 (4280)
    max_recv_frag : 0x10b8 (4280)
    assoc_group_id : 0x00000000 (0)
    num_contexts : 0x01 (1)
    ctx_list: ARRAY(1)
    ctx_list: struct dcerpc_ctx_list
    context_id : 0x0000 (0)
    num_transfer_syntaxes : 0x01 (1)
    abstract_syntax: struct ndr_syntax_id
    uuid : 12345778-1234-abcd-ef00-0123456789ab
    if_version : 0x00000000 (0)
    transfer_syntaxes: ARRAY(1)
    transfer_syntaxes: struct ndr_syntax_id
    uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
    if_version : 0x00000002 (2)
    auth_info : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 52
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_BIND_ACK (12)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0044 (68)
    auth_length : 0x0000 (0)
    call_id : 0x00000001 (1)
    u : union dcerpc_payload(case 12)
    bind_ack: struct dcerpc_bind_ack
    max_xmit_frag : 0x10b8 (4280)
    max_recv_frag : 0x10b8 (4280)
    assoc_group_id : 0x0000e878 (59512)
    secondary_address_size : 0x000c (12)
    secondary_address : '\pipe\lsass'
    _pad1 : DATA_BLOB length=2
[0000] 0A 4C   .L
    num_results : 0x01 (1)
    ctx_list: ARRAY(1)
    ctx_list: struct dcerpc_ack_ctx
    result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
    reason : union dcerpc_bind_ack_reason(case 0)
    value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
    syntax: struct ndr_syntax_id
    uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
    if_version : 0x00000002 (2)
    auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine 10.10.11.1 and bound anonymously.
    lsa_OpenPolicy: struct lsa_OpenPolicy
    in: struct lsa_OpenPolicy
    system_name : *
    system_name : 0x005c (92)
    attr : *
    attr: struct lsa_ObjectAttribute
    len : 0x00000018 (24)
    root_dir : NULL
    object_name : NULL
    attributes : 0x00000000 (0)
    sec_desc : NULL
    sec_qos : NULL
    access_mask : 0x02000000 (33554432)
    0: LSA_POLICY_VIEW_LOCAL_INFORMATION
    0: LSA_POLICY_VIEW_AUDIT_INFORMATION
    0: LSA_POLICY_GET_PRIVATE_INFORMATION
    0: LSA_POLICY_TRUST_ADMIN
    0: LSA_POLICY_CREATE_ACCOUNT
    0: LSA_POLICY_CREATE_SECRET
    0: LSA_POLICY_CREATE_PRIVILEGE
    0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
    0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
    0: LSA_POLICY_AUDIT_LOG_ADMIN
    0: LSA_POLICY_SERVER_ADMIN
    0: LSA_POLICY_LOOKUP_NAMES
    0: LSA_POLICY_NOTIFICATION
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000002 (2)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000024 (36)
    context_id : 0x0000 (0)
    opnum : 0x0006 (6)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000002 (2)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00   .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 83 18 B3 E3 6C 00 0A 4B 98 EA 4B 5A   ........ l..K..KZ
[0010] A1 AA 29 E3 00 00 00 00   ..).....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    lsa_OpenPolicy: struct lsa_OpenPolicy
    out: struct lsa_OpenPolicy
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : e3b31883-006c-4b0a-98ea-4b5aa1aa29e3
    result : NT_STATUS_OK
    lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy
    in: struct lsa_QueryInfoPolicy
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : e3b31883-006c-4b0a-98ea-4b5aa1aa29e3
    level : LSA_POLICY_INFO_ACCOUNT_DOMAIN (5)
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000003 (3)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000016 (22)
    context_id : 0x0000 (0)
    opnum : 0x0007 (7)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 92
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x006c (108)
    auth_length : 0x0000 (0)
    call_id : 0x00000003 (3)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000054 (84)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00   .
    stub_and_verifier : DATA_BLOB length=84
[0000] 00 00 02 00 05 00 00 00 12 00 14 00 04 00 02 00   ........ ........
[0010] 08 00 02 00 0A 00 00 00 00 00 00 00 09 00 00 00   ........ ........
[0020] 46 00 52 00 49 00 53 00 4B 00 44 00 45 00 4D 00   F.R.I.S. K.D.E.M.
[0030] 4F 00 00 00 04 00 00 00 01 04 00 00 00 00 00 05   O....... ........
[0040] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA   .....53Q .t#.....
[0050] 00 00 00 00   ....
Got pdu len 108, data_len 84
rpc_api_pipe: got frag len of 108 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 84 bytes.
    lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy
    out: struct lsa_QueryInfoPolicy
    info : *
    info : *
    info : union lsa_PolicyInformation(case 5)
    account_domain: struct lsa_DomainInfo
    name: struct lsa_StringLarge
    length : 0x0012 (18)
    size : 0x0014 (20)
    string : *
    string : 'FRISKDEMO'
    sid : *
    sid : S-1-5-21-1362310556-2586014745-3404104659
    result : NT_STATUS_OK
    lsa_Close: struct lsa_Close
    in: struct lsa_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : e3b31883-006c-4b0a-98ea-4b5aa1aa29e3
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000004 (4)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0000 (0)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000004 (4)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00   .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 00 00 00 00 00 00   ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    lsa_Close: struct lsa_Close
    out: struct lsa_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 00000000-0000-0000-0000-000000000000
    result : NT_STATUS_OK
signed SMB2 message
signed SMB2 message
Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_BIND (11)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0048 (72)
    auth_length : 0x0000 (0)
    call_id : 0x00000005 (5)
    u : union dcerpc_payload(case 11)
    bind: struct dcerpc_bind
    max_xmit_frag : 0x10b8 (4280)
    max_recv_frag : 0x10b8 (4280)
    assoc_group_id : 0x00000000 (0)
    num_contexts : 0x01 (1)
    ctx_list: ARRAY(1)
    ctx_list: struct dcerpc_ctx_list
    context_id : 0x0000 (0)
    num_transfer_syntaxes : 0x01 (1)
    abstract_syntax: struct ndr_syntax_id
    uuid : 12345778-1234-abcd-ef00-0123456789ac
    if_version : 0x00000001 (1)
    transfer_syntaxes: ARRAY(1)
    transfer_syntaxes: struct ndr_syntax_id
    uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
    if_version : 0x00000002 (2)
    auth_info : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 52
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_BIND_ACK (12)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0044 (68)
    auth_length : 0x0000 (0)
    call_id : 0x00000005 (5)
    u : union dcerpc_payload(case 12)
    bind_ack: struct dcerpc_bind_ack
    max_xmit_frag : 0x10b8 (4280)
    max_recv_frag : 0x10b8 (4280)
    assoc_group_id : 0x0000e879 (59513)
    secondary_address_size : 0x000c (12)
    secondary_address : '\pipe\lsass'
    _pad1 : DATA_BLOB length=2
[0000] 7A A1   z.
    num_results : 0x01 (1)
    ctx_list: ARRAY(1)
    ctx_list: struct dcerpc_ack_ctx
    result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
    reason : union dcerpc_bind_ack_reason(case 0)
    value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
    syntax: struct ndr_syntax_id
    uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
    if_version : 0x00000002 (2)
    auth_info : DATA_BLOB length=0
rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 68 bytes.
check_bind_response: accepted!
cli_rpc_pipe_open_noauth: opened pipe samr to machine 10.10.11.1 and bound anonymously.
    samr_Connect2: struct samr_Connect2
    in: struct samr_Connect2
    system_name : *
    system_name : '10.10.11.1'
    access_mask : 0x02000000 (33554432)
    0: SAMR_ACCESS_CONNECT_TO_SERVER
    0: SAMR_ACCESS_SHUTDOWN_SERVER
    0: SAMR_ACCESS_INITIALIZE_SERVER
    0: SAMR_ACCESS_CREATE_DOMAIN
    0: SAMR_ACCESS_ENUM_DOMAINS
    0: SAMR_ACCESS_LOOKUP_DOMAIN
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000006 (6)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x0000002c (44)
    context_id : 0x0000 (0)
    opnum : 0x0039 (57)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000006 (6)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00   .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 F5 57 D0 3E 18 A8 6C 41 9B 36 71 99   .....W.> ..lA.6q.
[0010] 20 40 56 1D 00 00 00 00    @V.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_Connect2: struct samr_Connect2
    out: struct samr_Connect2
    connect_handle : *
    connect_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 3ed057f5-a818-416c-9b36-71992040561d
    result : NT_STATUS_OK
    samr_OpenDomain: struct samr_OpenDomain
    in: struct samr_OpenDomain
    connect_handle : *
    connect_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 3ed057f5-a818-416c-9b36-71992040561d
    access_mask : 0x02000000 (33554432)
    0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
    0: SAMR_DOMAIN_ACCESS_SET_INFO_1
    0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
    0: SAMR_DOMAIN_ACCESS_SET_INFO_2
    0: SAMR_DOMAIN_ACCESS_CREATE_USER
    0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
    0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
    0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
    0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
    0: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
    0: SAMR_DOMAIN_ACCESS_SET_INFO_3
    sid : *
    sid : S-1-5-32
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000007 (7)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000028 (40)
    context_id : 0x0000 (0)
    opnum : 0x0007 (7)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000007 (7)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00   .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 72 1A 96 44 4F 58 8B 4D A3 9E AA 1F   ....r..D OX.M....
[0010] FB FB 8C 5B 00 00 00 00   ...[....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_OpenDomain: struct samr_OpenDomain
    out: struct samr_OpenDomain
    domain_handle : *
    domain_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
    result : NT_STATUS_OK
    samr_EnumDomainAliases: struct samr_EnumDomainAliases
    in: struct samr_EnumDomainAliases
    domain_handle : *
    domain_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
    resume_handle : *
    resume_handle : 0x00000000 (0)
    max_size : 0x000000fa (250)
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000008 (8)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x0000001c (28)
    context_id : 0x0000 (0)
    opnum : 0x000f (15)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 1860
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0754 (1876)
    auth_length : 0x0000 (0)
    call_id : 0x00000008 (8)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x0000073c (1852)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00   .
    stub_and_verifier : DATA_BLOB length=1852
B.u.i.l. >[0690] 64 00 65 00 72 00 73 00 22 00 00 00 00 00 00 00 d.e.r.s. "....... >[06A0] 22 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 "...W.i. n.d.o.w. >[06B0] 73 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 s. .A.u. t.h.o.r. >[06C0] 69 00 7A 00 61 00 74 00 69 00 6F 00 6E 00 20 00 i.z.a.t. i.o.n. . >[06D0] 41 00 63 00 63 00 65 00 73 00 73 00 20 00 47 00 A.c.c.e. s.s. .G. >[06E0] 72 00 6F 00 75 00 70 00 1F 00 00 00 00 00 00 00 r.o.u.p. ........ >[06F0] 1F 00 00 00 54 00 65 00 72 00 6D 00 69 00 6E 00 ....T.e. r.m.i.n. >[0700] 61 00 6C 00 20 00 53 00 65 00 72 00 76 00 65 00 a.l. .S. e.r.v.e. >[0710] 72 00 20 00 4C 00 69 00 63 00 65 00 6E 00 73 00 r. .L.i. c.e.n.s. >[0720] 65 00 20 00 53 00 65 00 72 00 76 00 65 00 72 00 e. .S.e. r.v.e.r. >[0730] 73 00 00 00 1B 00 00 00 00 00 00 00 s....... .... >Got pdu len 1876, data_len 1852 >rpc_api_pipe: got frag len of 1876 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 1852 bytes. > samr_EnumDomainAliases: struct samr_EnumDomainAliases > out: struct samr_EnumDomainAliases > resume_handle : * > resume_handle : 0x00000000 (0) > sam : * > sam : * > sam: struct samr_SamArray > count : 0x0000001b (27) > entries : * > entries: ARRAY(27) > entries: struct samr_SamEntry > idx : 0x00000220 (544) > name: struct lsa_String > length : 0x001c (28) > size : 0x001c (28) > string : * > string : 'Administrators' > entries: struct samr_SamEntry > idx : 0x00000221 (545) > name: struct lsa_String > length : 0x000a (10) > size : 0x000a (10) > string : * > string : 'Users' > entries: struct samr_SamEntry > idx : 0x00000222 (546) > name: struct lsa_String > length : 0x000c (12) > size : 0x000c (12) > string : * > string : 'Guests' > entries: struct samr_SamEntry > idx : 0x00000226 (550) > name: struct lsa_String > length : 0x001e (30) > size : 0x001e (30) > string : * > string : 'Print Operators' > entries: struct samr_SamEntry > idx : 0x00000227 (551) > name: struct lsa_String > length : 0x0020 (32) > size : 0x0020 (32) > 
string : * > string : 'Backup Operators' > entries: struct samr_SamEntry > idx : 0x00000228 (552) > name: struct lsa_String > length : 0x0014 (20) > size : 0x0014 (20) > string : * > string : 'Replicator' > entries: struct samr_SamEntry > idx : 0x0000022b (555) > name: struct lsa_String > length : 0x0028 (40) > size : 0x0028 (40) > string : * > string : 'Remote Desktop Users' > entries: struct samr_SamEntry > idx : 0x0000022c (556) > name: struct lsa_String > length : 0x003e (62) > size : 0x003e (62) > string : * > string : 'Network Configuration Operators' > entries: struct samr_SamEntry > idx : 0x0000022e (558) > name: struct lsa_String > length : 0x0032 (50) > size : 0x0032 (50) > string : * > string : 'Performance Monitor Users' > entries: struct samr_SamEntry > idx : 0x0000022f (559) > name: struct lsa_String > length : 0x002a (42) > size : 0x002a (42) > string : * > string : 'Performance Log Users' > entries: struct samr_SamEntry > idx : 0x00000232 (562) > name: struct lsa_String > length : 0x002a (42) > size : 0x002a (42) > string : * > string : 'Distributed COM Users' > entries: struct samr_SamEntry > idx : 0x00000238 (568) > name: struct lsa_String > length : 0x0012 (18) > size : 0x0012 (18) > string : * > string : 'IIS_IUSRS' > entries: struct samr_SamEntry > idx : 0x00000239 (569) > name: struct lsa_String > length : 0x002e (46) > size : 0x002e (46) > string : * > string : 'Cryptographic Operators' > entries: struct samr_SamEntry > idx : 0x0000023d (573) > name: struct lsa_String > length : 0x0022 (34) > size : 0x0022 (34) > string : * > string : 'Event Log Readers' > entries: struct samr_SamEntry > idx : 0x0000023e (574) > name: struct lsa_String > length : 0x003e (62) > size : 0x003e (62) > string : * > string : 'Certificate Service DCOM Access' > entries: struct samr_SamEntry > idx : 0x0000023f (575) > name: struct lsa_String > length : 0x0032 (50) > size : 0x0032 (50) > string : * > string : 'RDS Remote Access Servers' > entries: struct samr_SamEntry 
> idx : 0x00000240 (576) > name: struct lsa_String > length : 0x0028 (40) > size : 0x0028 (40) > string : * > string : 'RDS Endpoint Servers' > entries: struct samr_SamEntry > idx : 0x00000241 (577) > name: struct lsa_String > length : 0x002c (44) > size : 0x002c (44) > string : * > string : 'RDS Management Servers' > entries: struct samr_SamEntry > idx : 0x00000242 (578) > name: struct lsa_String > length : 0x002c (44) > size : 0x002c (44) > string : * > string : 'Hyper-V Administrators' > entries: struct samr_SamEntry > idx : 0x00000243 (579) > name: struct lsa_String > length : 0x0046 (70) > size : 0x0046 (70) > string : * > string : 'Access Control Assistance Operators' > entries: struct samr_SamEntry > idx : 0x00000244 (580) > name: struct lsa_String > length : 0x002e (46) > size : 0x002e (46) > string : * > string : 'Remote Management Users' > entries: struct samr_SamEntry > idx : 0x00000225 (549) > name: struct lsa_String > length : 0x0020 (32) > size : 0x0020 (32) > string : * > string : 'Server Operators' > entries: struct samr_SamEntry > idx : 0x00000224 (548) > name: struct lsa_String > length : 0x0022 (34) > size : 0x0022 (34) > string : * > string : 'Account Operators' > entries: struct samr_SamEntry > idx : 0x0000022a (554) > name: struct lsa_String > length : 0x0044 (68) > size : 0x0044 (68) > string : * > string : 'Pre-Windows 2000 Compatible Access' > entries: struct samr_SamEntry > idx : 0x0000022d (557) > name: struct lsa_String > length : 0x003c (60) > size : 0x003c (60) > string : * > string : 'Incoming Forest Trust Builders' > entries: struct samr_SamEntry > idx : 0x00000230 (560) > name: struct lsa_String > length : 0x0044 (68) > size : 0x0044 (68) > string : * > string : 'Windows Authorization Access Group' > entries: struct samr_SamEntry > idx : 0x00000231 (561) > name: struct lsa_String > length : 0x003e (62) > size : 0x003e (62) > string : * > string : 'Terminal Server License Servers' > num_entries : * > num_entries : 0x0000001b (27) > 
result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000220 (544) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000009 (9) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000009 (9) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > 
context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 4F 6C CF 96 1D B6 47 45 89 F0 DC 5C ....Ol.. ..GE...\ >[0010] F9 BE C3 01 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 96cf6c4f-b61d-4547-89f0-dc5cf9bec301 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 96cf6c4f-b61d-4547-89f0-dc5cf9bec301 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000000a (10) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 204 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: 
DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00dc (220) > auth_length : 0x0000 (0) > call_id : 0x0000000a (10) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000c4 (196) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=196 >[0000] 05 00 00 00 00 00 02 00 05 00 00 00 04 00 02 00 ........ ........ >[0010] 08 00 02 00 0C 00 02 00 10 00 02 00 14 00 02 00 ........ ........ >[0020] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0030] 9C 35 33 51 19 74 23 9A D3 83 E6 CA F4 01 00 00 .53Q.t#. ........ >[0040] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 07 02 00 00 .53Q.t#. ........ >[0060] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0070] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 00 02 00 00 .53Q.t#. ........ >[0080] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0090] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 50 04 00 00 .53Q.t#. ....P... >[00A0] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 ........ ........ >[00B0] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 65 04 00 00 .53Q.t#. ....e... >[00C0] 00 00 00 00 .... >Got pdu len 220, data_len 196 >rpc_api_pipe: got frag len of 220 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 196 bytes. 
> samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000005 (5) > sids : * > sids: ARRAY(5) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-500 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-519 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-512 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1104 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1125 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 96cf6c4f-b61d-4547-89f0-dc5cf9bec301 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000000b (11) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: 
DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000000b (11) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000221 (545) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000000c (12) > u : union dcerpc_payload(case 0) > request: 
struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000000c (12) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 66 29 DF 8E 86 04 90 4E 9E E9 3E 2A ....f).. ...N..>* >[0010] B1 90 99 60 00 00 00 00 ...`.... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8edf2966-0486-4e90-9ee9-3e2ab1909960 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8edf2966-0486-4e90-9ee9-3e2ab1909960 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000000d (13) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 100 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0074 (116) > auth_length : 0x0000 (0) > call_id : 0x0000000d (13) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000005c (92) > context_id 
: 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=92 >[0000] 03 00 00 00 00 00 02 00 03 00 00 00 04 00 02 00 ........ ........ >[0010] 08 00 02 00 0C 00 02 00 01 00 00 00 01 01 00 00 ........ ........ >[0020] 00 00 00 05 04 00 00 00 01 00 00 00 01 01 00 00 ........ ........ >[0030] 00 00 00 05 0B 00 00 00 05 00 00 00 01 05 00 00 ........ ........ >[0040] 00 00 00 05 15 00 00 00 9C 35 33 51 19 74 23 9A ........ .53Q.t#. >[0050] D3 83 E6 CA 01 02 00 00 00 00 00 00 ........ .... >Got pdu len 116, data_len 92 >rpc_api_pipe: got frag len of 116 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 92 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000003 (3) > sids : * > sids: ARRAY(3) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-4 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-11 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-513 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8edf2966-0486-4e90-9ee9-3e2ab1909960 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000000e (14) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > 
empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000000e (14) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000222 (546) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000000f (15) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000000f (15) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 69 82 7A 84 64 5E F7 4D 93 C4 C6 9D ....i.z. d^.M.... >[0010] 0C 88 6F F6 00 00 00 00 ..o..... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 847a8269-5e64-4df7-93c4-c69d0c886ff6 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 847a8269-5e64-4df7-93c4-c69d0c886ff6 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000010 (16) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 96 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > 
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0070 (112)
    auth_length : 0x0000 (0)
    call_id : 0x00000010 (16)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000058 (88)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=88
[0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00 ........ ........
[0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........
[0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#.....
[0030] F5 01 00 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........
[0040] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#.....
[0050] 02 02 00 00 00 00 00 00 ........
Got pdu len 112, data_len 88
rpc_api_pipe: got frag len of 112 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 88 bytes.
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
    sids : *
    sids: struct lsa_SidArray
    num_sids : 0x00000002 (2)
    sids : *
    sids: ARRAY(2)
    sids: struct lsa_SidPtr
    sid : *
    sid : S-1-5-21-1362310556-2586014745-3404104659-501
    sids: struct lsa_SidPtr
    sid : *
    sid : S-1-5-21-1362310556-2586014745-3404104659-514
    result : NT_STATUS_OK
    samr_Close: struct samr_Close
    in: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 847a8269-5e64-4df7-93c4-c69d0c886ff6
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000011 (17)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0001 (1)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000011 (17)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_Close: struct samr_Close
    out: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 00000000-0000-0000-0000-000000000000
    result : NT_STATUS_OK
    samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
    domain_handle : *
    domain_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
    access_mask : 0x02000000 (33554432)
    0: SAMR_ALIAS_ACCESS_ADD_MEMBER
    0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
    0: SAMR_ALIAS_ACCESS_GET_MEMBERS
    0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
    0: SAMR_ALIAS_ACCESS_SET_INFO
    rid : 0x00000226 (550)
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000012 (18)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x0000001c (28)
    context_id : 0x0000 (0)
    opnum : 0x001b (27)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000012 (18)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 E2 D5 C6 DE B4 9C 53 41 B2 FB 2C 48 ........ ..SA..,H
[0010] C7 FE 3A F5 00 00 00 00 ..:.....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : dec6d5e2-9cb4-4153-b2fb-2c48c7fe3af5
    result : NT_STATUS_OK
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : dec6d5e2-9cb4-4153-b2fb-2c48c7fe3af5
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000013 (19)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0021 (33)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 20
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0024 (36)
    auth_length : 0x0000 (0)
    call_id : 0x00000013 (19)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x0000000c (12)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=12
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
    sids : *
    sids: struct lsa_SidArray
    num_sids : 0x00000000 (0)
    sids : NULL
    result : NT_STATUS_OK
    samr_Close: struct samr_Close
    in: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : dec6d5e2-9cb4-4153-b2fb-2c48c7fe3af5
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000014 (20)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0001 (1)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000014 (20)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_Close: struct samr_Close
    out: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 00000000-0000-0000-0000-000000000000
    result : NT_STATUS_OK
    samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
    domain_handle : *
    domain_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
    access_mask : 0x02000000 (33554432)
    0: SAMR_ALIAS_ACCESS_ADD_MEMBER
    0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
    0: SAMR_ALIAS_ACCESS_GET_MEMBERS
    0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
    0: SAMR_ALIAS_ACCESS_SET_INFO
    rid : 0x00000227 (551)
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000015 (21)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x0000001c (28)
    context_id : 0x0000 (0)
    opnum : 0x001b (27)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000015 (21)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 7E 0A D3 7F 35 D3 8B 4C 84 0E 97 39 ....~... 5..L...9
[0010] F9 47 0D 33 00 00 00 00 .G.3....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 7fd30a7e-d335-4c8b-840e-9739f9470d33
    result : NT_STATUS_OK
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 7fd30a7e-d335-4c8b-840e-9739f9470d33
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000016 (22)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0021 (33)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 20
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0024 (36)
    auth_length : 0x0000 (0)
    call_id : 0x00000016 (22)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x0000000c (12)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=12
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
    sids : *
    sids: struct lsa_SidArray
    num_sids : 0x00000000 (0)
    sids : NULL
    result : NT_STATUS_OK
    samr_Close: struct samr_Close
    in: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 7fd30a7e-d335-4c8b-840e-9739f9470d33
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000017 (23)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0001 (1)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000017 (23)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_Close: struct samr_Close
    out: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 00000000-0000-0000-0000-000000000000
    result : NT_STATUS_OK
    samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
    domain_handle : *
    domain_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
    access_mask : 0x02000000 (33554432)
    0: SAMR_ALIAS_ACCESS_ADD_MEMBER
    0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
    0: SAMR_ALIAS_ACCESS_GET_MEMBERS
    0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
    0: SAMR_ALIAS_ACCESS_SET_INFO
    rid : 0x00000228 (552)
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000018 (24)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x0000001c (28)
    context_id : 0x0000 (0)
    opnum : 0x001b (27)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x00000018 (24)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 F3 44 9D 46 EA 30 8C 4F B3 0C 6F E7 .....D.F .0.O..o.
[0010] 7F 65 88 F1 00 00 00 00 .e......
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 469d44f3-30ea-4f8c-b30c-6fe77f6588f1
    result : NT_STATUS_OK
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 469d44f3-30ea-4f8c-b30c-6fe77f6588f1
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x00000019 (25)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0021 (33)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 20
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0024 (36)
    auth_length : 0x0000 (0)
    call_id : 0x00000019 (25)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x0000000c (12)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=12
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
    sids : *
    sids: struct lsa_SidArray
    num_sids : 0x00000000 (0)
    sids : NULL
    result : NT_STATUS_OK
    samr_Close: struct samr_Close
    in: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 469d44f3-30ea-4f8c-b30c-6fe77f6588f1
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000001a (26)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0001 (1)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000001a (26)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_Close: struct samr_Close
    out: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 00000000-0000-0000-0000-000000000000
    result : NT_STATUS_OK
    samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
    domain_handle : *
    domain_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
    access_mask : 0x02000000 (33554432)
    0: SAMR_ALIAS_ACCESS_ADD_MEMBER
    0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
    0: SAMR_ALIAS_ACCESS_GET_MEMBERS
    0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
    0: SAMR_ALIAS_ACCESS_SET_INFO
    rid : 0x0000022b (555)
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000001b (27)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x0000001c (28)
    context_id : 0x0000 (0)
    opnum : 0x001b (27)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000001b (27)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 95 06 80 A2 07 A7 BB 49 B2 08 A5 0F ........ ...I....
[0010] DF 81 F4 34 00 00 00 00 ...4....
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : a2800695-a707-49bb-b208-a50fdf81f434
    result : NT_STATUS_OK
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : a2800695-a707-49bb-b208-a50fdf81f434
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000001c (28)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0021 (33)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 60
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x004c (76)
    auth_length : 0x0000 (0)
    call_id : 0x0000001c (28)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000034 (52)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=52
[0000] 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........
[0010] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 ........ ........
[0020] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 58 04 00 00 .53Q.t#. ....X...
[0030] 00 00 00 00 ....
Got pdu len 76, data_len 52
rpc_api_pipe: got frag len of 76 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 52 bytes.
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    out: struct samr_GetMembersInAlias
    sids : *
    sids: struct lsa_SidArray
    num_sids : 0x00000001 (1)
    sids : *
    sids: ARRAY(1)
    sids: struct lsa_SidPtr
    sid : *
    sid : S-1-5-21-1362310556-2586014745-3404104659-1112
    result : NT_STATUS_OK
    samr_Close: struct samr_Close
    in: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : a2800695-a707-49bb-b208-a50fdf81f434
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000001d (29)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0001 (1)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000001d (29)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 00 00 00 00 00 00 ........
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_Close: struct samr_Close
    out: struct samr_Close
    handle : *
    handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 00000000-0000-0000-0000-000000000000
    result : NT_STATUS_OK
    samr_OpenAlias: struct samr_OpenAlias
    in: struct samr_OpenAlias
    domain_handle : *
    domain_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
    access_mask : 0x02000000 (33554432)
    0: SAMR_ALIAS_ACCESS_ADD_MEMBER
    0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
    0: SAMR_ALIAS_ACCESS_GET_MEMBERS
    0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
    0: SAMR_ALIAS_ACCESS_SET_INFO
    rid : 0x0000022c (556)
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000001e (30)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x0000001c (28)
    context_id : 0x0000 (0)
    opnum : 0x001b (27)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 32
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0030 (48)
    auth_length : 0x0000 (0)
    call_id : 0x0000001e (30)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x00000018 (24)
    context_id : 0x0000 (0)
    cancel_count : 0x00 (0)
    _pad : DATA_BLOB length=1
[0000] 00 .
    stub_and_verifier : DATA_BLOB length=24
[0000] 00 00 00 00 74 1B E9 9F 64 24 6A 41 8F CE 23 35 ....t... d$jA..#5
[0010] 3D 42 B9 A2 00 00 00 00 =B......
Got pdu len 48, data_len 24
rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
    samr_OpenAlias: struct samr_OpenAlias
    out: struct samr_OpenAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 9fe91b74-2464-416a-8fce-23353d42b9a2
    result : NT_STATUS_OK
    samr_GetMembersInAlias: struct samr_GetMembersInAlias
    in: struct samr_GetMembersInAlias
    alias_handle : *
    alias_handle: struct policy_handle
    handle_type : 0x00000000 (0)
    uuid : 9fe91b74-2464-416a-8fce-23353d42b9a2
    &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0018 (24)
    auth_length : 0x0000 (0)
    call_id : 0x0000001f (31)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
    alloc_hint : 0x00000014 (20)
    context_id : 0x0000 (0)
    opnum : 0x0021 (33)
    object : union dcerpc_object(case 0)
    empty: struct dcerpc_empty
    _pad : DATA_BLOB length=0
    stub_and_verifier : DATA_BLOB length=0
rpc_api_pipe: host 10.10.11.1
signed SMB2 message
rpc_read_send: data_to_read: 20
    r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_RESPONSE (2)
    pfc_flags : 0x03 (3)
    1: DCERPC_PFC_FLAG_FIRST
    1: DCERPC_PFC_FLAG_LAST
    0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
    0: DCERPC_PFC_FLAG_CONC_MPX
    0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
    0: DCERPC_PFC_FLAG_MAYBE
    0: DCERPC_PFC_FLAG_OBJECT_UUID
    drep: ARRAY(4)
    [0] : 0x10 (16)
    [1] : 0x00 (0)
    [2] : 0x00 (0)
    [3] : 0x00 (0)
    frag_length : 0x0024 (36)
    auth_length : 0x0000 (0)
    call_id : 0x0000001f (31)
    u : union dcerpc_payload(case 2)
    response: struct dcerpc_response
    alloc_hint : 0x0000000c (12)
    context_id :
0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 9fe91b74-2464-416a-8fce-23353d42b9a2 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000020 (32) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 
0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000020 (32) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x0000022e (558) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000021 (33) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000021 (33) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 77 03 15 60 00 37 94 45 80 C5 32 F5 ....w..` .7.E..2. >[0010] 95 5C CF 8D 00 00 00 00 .\...... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 60150377-3700-4594-80c5-32f5955ccf8d > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 60150377-3700-4594-80c5-32f5955ccf8d > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000022 (34) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x00000022 (34) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 
0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 60150377-3700-4594-80c5-32f5955ccf8d > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000023 (35) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 
0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000023 (35) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x0000022f (559) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000024 (36) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000024 (36) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 F7 73 FD F9 B0 4B 21 4A BA FA 3A 88 .....s.. .K!J..:. >[0010] 80 22 56 F9 00 00 00 00 ."V..... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : f9fd73f7-4bb0-4a21-bafa-3a88802256f9 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : f9fd73f7-4bb0-4a21-bafa-3a88802256f9 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000025 (37) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 96 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0070 (112) > auth_length : 0x0000 (0) > call_id : 0x00000025 (37) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000058 (88) > context_id 
: 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=88 >[0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00 ........ ........ >[0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........ >[0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... >[0030] F4 01 00 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........ >[0040] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... >[0050] 65 04 00 00 00 00 00 00 e....... >Got pdu len 112, data_len 88 >rpc_api_pipe: got frag len of 112 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 88 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000002 (2) > sids : * > sids: ARRAY(2) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-500 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1125 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : f9fd73f7-4bb0-4a21-bafa-3a88802256f9 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000026 (38) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : 
DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000026 (38) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000232 (562) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000027 (39) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000027 (39) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 B0 3A 33 79 D0 DF 32 42 BE E2 07 7B .....:3y ..2B...{ >[0010] F1 5E CD 73 00 00 00 00 .^.s.... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 79333ab0-dfd0-4232-bee2-077bf15ecd73 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 79333ab0-dfd0-4232-bee2-077bf15ecd73 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000028 (40) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > 
ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x00000028 (40) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 79333ab0-dfd0-4232-bee2-077bf15ecd73 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000029 (41) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000029 (41) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000238 (568) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000002a (42) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000002a (42) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 11 EB A0 A3 1E 37 D9 46 9F A3 EE 27 ........ .7.F...' >[0010] 0E EE CA 22 00 00 00 00 ...".... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : a3a0eb11-371e-46d9-9fa3-ee270eeeca22 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : a3a0eb11-371e-46d9-9fa3-ee270eeeca22 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000002b (43) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > 
ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x0000002b (43) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : a3a0eb11-371e-46d9-9fa3-ee270eeeca22 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000002c (44) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000002c (44) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000239 (569) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000002d (45) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000002d (45) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 93 D1 59 56 23 AC BA 4C 88 9F DE 79 ......YV #..L...y >[0010] 31 8A 6E 41 00 00 00 00 1.nA.... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5659d193-ac23-4cba-889f-de79318a6e41 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5659d193-ac23-4cba-889f-de79318a6e41 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000002e (46) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > 
ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x0000002e (46) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5659d193-ac23-4cba-889f-de79318a6e41 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000002f (47) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000002f (47) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x0000023d (573) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000030 (48) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000030 (48) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 CF 56 6B F9 23 D8 F4 4F 89 F3 07 46 .....Vk. #..O...F >[0010] D1 7C 47 D4 00 00 00 00 .|G..... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : f96b56cf-d823-4ff4-89f3-0746d17c47d4 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : f96b56cf-d823-4ff4-89f3-0746d17c47d4 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000031 (49) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > 
ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x00000031 (49) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : f96b56cf-d823-4ff4-89f3-0746d17c47d4 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000032 (50) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000032 (50) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x0000023e (574) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000033 (51) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000033 (51) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 56 75 1E E6 DB 16 29 47 A5 CC C3 46 ....Vu.. ..)G...F >[0010] 9D 33 1F DE 00 00 00 00 .3...... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : e61e7556-16db-4729-a5cc-c3469d331fde > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : e61e7556-16db-4729-a5cc-c3469d331fde > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000034 (52) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > 
ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x00000034 (52) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : e61e7556-16db-4729-a5cc-c3469d331fde > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000035 (53) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000035 (53) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x0000023f (575) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000036 (54) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000036 (54) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 BC 24 AE C4 6A 2B 91 4E B2 1A 8D AD .....$.. j+.N.... >[0010] 4A 0B F2 CE 00 00 00 00 J....... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : c4ae24bc-2b6a-4e91-b21a-8dad4a0bf2ce > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : c4ae24bc-2b6a-4e91-b21a-8dad4a0bf2ce > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000037 (55) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 60 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > 
ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x004c (76) > auth_length : 0x0000 (0) > call_id : 0x00000037 (55) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000034 (52) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=52 >[0000] 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........ >[0010] 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0020] 9C 35 33 51 19 74 23 9A D3 83 E6 CA E8 03 00 00 .53Q.t#. ........ >[0030] 00 00 00 00 .... >Got pdu len 76, data_len 52 >rpc_api_pipe: got frag len of 76 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 52 bytes. 
> samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1000 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : c4ae24bc-2b6a-4e91-b21a-8dad4a0bf2ce > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000038 (56) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000038 (56) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 
0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000240 (576) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000039 (57) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > 
rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000039 (57) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 7D BF 62 04 AA 1E D2 43 85 F2 79 33 ....}.b. ...C..y3 >[0010] E4 FF 60 2A 00 00 00 00 ..`*.... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 0462bf7d-1eaa-43d2-85f2-7933e4ff602a > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 0462bf7d-1eaa-43d2-85f2-7933e4ff602a > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000003a (58) > u : union dcerpc_payload(case 0) > 
request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 80 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0060 (96) > auth_length : 0x0000 (0) > call_id : 0x0000003a (58) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=72 >[0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00 ........ ........ >[0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........ >[0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... >[0030] E8 03 00 00 01 00 00 00 01 01 00 00 00 00 00 05 ........ ........ >[0040] 14 00 00 00 00 00 00 00 ........ >Got pdu len 96, data_len 72 >rpc_api_pipe: got frag len of 96 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 72 bytes. 
> samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000002 (2) > sids : * > sids: ARRAY(2) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1000 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-20 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 0462bf7d-1eaa-43d2-85f2-7933e4ff602a > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000003b (59) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000003b (59) > u : union dcerpc_payload(case 2) 
> response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000241 (577) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000003c (60) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > 
r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000003c (60) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 53 FE 20 82 0E 78 62 43 84 B6 6C 19 ....S. . .xbC..l. >[0010] 57 65 74 F8 00 00 00 00 Wet..... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8220fe53-780e-4362-84b6-6c19576574f8 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8220fe53-780e-4362-84b6-6c19576574f8 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000003d (61) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 80 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0060 (96) > auth_length : 0x0000 (0) > call_id : 0x0000003d (61) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000048 (72) > context_id : 
0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=72 >[0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00 ........ ........ >[0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........ >[0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... >[0030] E8 03 00 00 01 00 00 00 01 01 00 00 00 00 00 05 ........ ........ >[0040] 14 00 00 00 00 00 00 00 ........ >Got pdu len 96, data_len 72 >rpc_api_pipe: got frag len of 96 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 72 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000002 (2) > sids : * > sids: ARRAY(2) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1000 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-20 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8220fe53-780e-4362-84b6-6c19576574f8 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000003e (62) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message 
>rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000003e (62) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000242 (578) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000003f (63) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000003f (63) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 AF 9B B2 F5 75 D8 FB 42 98 1B 36 E4 ........ u..B..6. >[0010] F5 C6 89 9B 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : f5b29baf-d875-42fb-981b-36e4f5c6899b > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : f5b29baf-d875-42fb-981b-36e4f5c6899b > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000040 (64) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > 
ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x00000040 (64) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : f5b29baf-d875-42fb-981b-36e4f5c6899b > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000041 (65) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000041 (65) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000243 (579) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000042 (66) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000042 (66) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 F9 D3 36 3D 33 85 49 4B 8C 59 6B 4A ......6= 3.IK.YkJ >[0010] B1 A6 B6 CE 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 3d36d3f9-8533-4b49-8c59-6b4ab1a6b6ce > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 3d36d3f9-8533-4b49-8c59-6b4ab1a6b6ce > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000043 (67) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > 
ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x00000043 (67) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 3d36d3f9-8533-4b49-8c59-6b4ab1a6b6ce > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000044 (68) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000044 (68) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000244 (580) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000045 (69) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > 
frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x00000045 (69)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 3B 87 47 75 07 E3 AA 4A B1 8C 43 CF ....;.Gu ...J..C.
>[0010] E3 BC 51 D2 00 00 00 00 ..Q.....
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_OpenAlias: struct samr_OpenAlias
> out: struct samr_OpenAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 7547873b-e307-4aaa-b18c-43cfe3bc51d2
> result : NT_STATUS_OK
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> in: struct samr_GetMembersInAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 7547873b-e307-4aaa-b18c-43cfe3bc51d2
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000046 (70)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0021 (33)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 20
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0024 (36)
> auth_length : 0x0000 (0)
> call_id : 0x00000046 (70)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x0000000c (12)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=12
>[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
>Got pdu len 36, data_len 12
>rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> out: struct samr_GetMembersInAlias
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000000 (0)
> sids : NULL
> result : NT_STATUS_OK
> samr_Close: struct samr_Close
> in: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 7547873b-e307-4aaa-b18c-43cfe3bc51d2
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000047 (71)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0001 (1)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x00000047 (71)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
>[0010] 00 00 00 00 00 00 00 00 ........
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_Close: struct samr_Close
> out: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 00000000-0000-0000-0000-000000000000
> result : NT_STATUS_OK
> samr_OpenAlias: struct samr_OpenAlias
> in: struct samr_OpenAlias
> domain_handle : *
> domain_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
> access_mask : 0x02000000 (33554432)
> 0: SAMR_ALIAS_ACCESS_ADD_MEMBER
> 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
> 0: SAMR_ALIAS_ACCESS_GET_MEMBERS
> 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
> 0: SAMR_ALIAS_ACCESS_SET_INFO
> rid : 0x00000225 (549)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000048 (72)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x0000001c (28)
> context_id : 0x0000 (0)
> opnum : 0x001b (27)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x00000048 (72)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 7E 16 CB DF 0F E6 EC 4A A6 22 18 75 ....~... ...J.".u
>[0010] 84 F6 3E 30 00 00 00 00 ..>0....
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_OpenAlias: struct samr_OpenAlias
> out: struct samr_OpenAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : dfcb167e-e60f-4aec-a622-187584f63e30
> result : NT_STATUS_OK
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> in: struct samr_GetMembersInAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : dfcb167e-e60f-4aec-a622-187584f63e30
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000049 (73)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0021 (33)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 20
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0024 (36)
> auth_length : 0x0000 (0)
> call_id : 0x00000049 (73)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x0000000c (12)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=12
>[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
>Got pdu len 36, data_len 12
>rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> out: struct samr_GetMembersInAlias
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000000 (0)
> sids : NULL
> result : NT_STATUS_OK
> samr_Close: struct samr_Close
> in: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : dfcb167e-e60f-4aec-a622-187584f63e30
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000004a (74)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0001 (1)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x0000004a (74)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
>[0010] 00 00 00 00 00 00 00 00 ........
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_Close: struct samr_Close
> out: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 00000000-0000-0000-0000-000000000000
> result : NT_STATUS_OK
> samr_OpenAlias: struct samr_OpenAlias
> in: struct samr_OpenAlias
> domain_handle : *
> domain_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
> access_mask : 0x02000000 (33554432)
> 0: SAMR_ALIAS_ACCESS_ADD_MEMBER
> 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
> 0: SAMR_ALIAS_ACCESS_GET_MEMBERS
> 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
> 0: SAMR_ALIAS_ACCESS_SET_INFO
> rid : 0x00000224 (548)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000004b (75)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x0000001c (28)
> context_id : 0x0000 (0)
> opnum : 0x001b (27)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x0000004b (75)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 02 0F DC 2D 8E D1 CA 44 BA 77 BC 95 .......- ...D.w..
>[0010] 4A 41 FA 61 00 00 00 00 JA.a....
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_OpenAlias: struct samr_OpenAlias
> out: struct samr_OpenAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 2ddc0f02-d18e-44ca-ba77-bc954a41fa61
> result : NT_STATUS_OK
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> in: struct samr_GetMembersInAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 2ddc0f02-d18e-44ca-ba77-bc954a41fa61
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000004c (76)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0021 (33)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 20
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0024 (36)
> auth_length : 0x0000 (0)
> call_id : 0x0000004c (76)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x0000000c (12)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=12
>[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
>Got pdu len 36, data_len 12
>rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> out: struct samr_GetMembersInAlias
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000000 (0)
> sids : NULL
> result : NT_STATUS_OK
> samr_Close: struct samr_Close
> in: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 2ddc0f02-d18e-44ca-ba77-bc954a41fa61
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000004d (77)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0001 (1)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x0000004d (77)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
>[0010] 00 00 00 00 00 00 00 00 ........
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_Close: struct samr_Close
> out: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 00000000-0000-0000-0000-000000000000
> result : NT_STATUS_OK
> samr_OpenAlias: struct samr_OpenAlias
> in: struct samr_OpenAlias
> domain_handle : *
> domain_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
> access_mask : 0x02000000 (33554432)
> 0: SAMR_ALIAS_ACCESS_ADD_MEMBER
> 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
> 0: SAMR_ALIAS_ACCESS_GET_MEMBERS
> 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
> 0: SAMR_ALIAS_ACCESS_SET_INFO
> rid : 0x0000022a (554)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000004e (78)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x0000001c (28)
> context_id : 0x0000 (0)
> opnum : 0x001b (27)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x0000004e (78)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 1B 57 E8 2E C0 01 0B 47 B7 86 6A 4A .....W.. ...G..jJ
>[0010] 76 40 7D 89 00 00 00 00 v@}.....
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_OpenAlias: struct samr_OpenAlias
> out: struct samr_OpenAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 2ee8571b-01c0-470b-b786-6a4a76407d89
> result : NT_STATUS_OK
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> in: struct samr_GetMembersInAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 2ee8571b-01c0-470b-b786-6a4a76407d89
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000004f (79)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0021 (33)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 44
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x003c (60)
> auth_length : 0x0000 (0)
> call_id : 0x0000004f (79)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000024 (36)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=36
>[0000] 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........
>[0010] 01 00 00 00 01 01 00 00 00 00 00 05 0B 00 00 00 ........ ........
>[0020] 00 00 00 00 ....
>Got pdu len 60, data_len 36
>rpc_api_pipe: got frag len of 60 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 36 bytes.
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> out: struct samr_GetMembersInAlias
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000001 (1)
> sids : *
> sids: ARRAY(1)
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-11
> result : NT_STATUS_OK
> samr_Close: struct samr_Close
> in: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 2ee8571b-01c0-470b-b786-6a4a76407d89
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000050 (80)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0001 (1)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x00000050 (80)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
>[0010] 00 00 00 00 00 00 00 00 ........
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_Close: struct samr_Close
> out: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 00000000-0000-0000-0000-000000000000
> result : NT_STATUS_OK
> samr_OpenAlias: struct samr_OpenAlias
> in: struct samr_OpenAlias
> domain_handle : *
> domain_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
> access_mask : 0x02000000 (33554432)
> 0: SAMR_ALIAS_ACCESS_ADD_MEMBER
> 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
> 0: SAMR_ALIAS_ACCESS_GET_MEMBERS
> 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
> 0: SAMR_ALIAS_ACCESS_SET_INFO
> rid : 0x0000022d (557)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000051 (81)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x0000001c (28)
> context_id : 0x0000 (0)
> opnum : 0x001b (27)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x00000051 (81)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 46 9D EF 06 76 06 B7 4E 92 74 CE A7 ....F... v..N.t..
>[0010] B2 3F 09 60 00 00 00 00 .?.`....
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_OpenAlias: struct samr_OpenAlias
> out: struct samr_OpenAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 06ef9d46-0676-4eb7-9274-cea7b23f0960
> result : NT_STATUS_OK
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> in: struct samr_GetMembersInAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 06ef9d46-0676-4eb7-9274-cea7b23f0960
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000052 (82)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0021 (33)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 20
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0024 (36)
> auth_length : 0x0000 (0)
> call_id : 0x00000052 (82)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x0000000c (12)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=12
>[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
>Got pdu len 36, data_len 12
>rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 12 bytes.
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> out: struct samr_GetMembersInAlias
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000000 (0)
> sids : NULL
> result : NT_STATUS_OK
> samr_Close: struct samr_Close
> in: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 06ef9d46-0676-4eb7-9274-cea7b23f0960
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000053 (83)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0001 (1)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x00000053 (83)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
>[0010] 00 00 00 00 00 00 00 00 ........
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_Close: struct samr_Close
> out: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 00000000-0000-0000-0000-000000000000
> result : NT_STATUS_OK
> samr_OpenAlias: struct samr_OpenAlias
> in: struct samr_OpenAlias
> domain_handle : *
> domain_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b
> access_mask : 0x02000000 (33554432)
> 0: SAMR_ALIAS_ACCESS_ADD_MEMBER
> 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER
> 0: SAMR_ALIAS_ACCESS_GET_MEMBERS
> 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO
> 0: SAMR_ALIAS_ACCESS_SET_INFO
> rid : 0x00000230 (560)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000054 (84)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x0000001c (28)
> context_id : 0x0000 (0)
> opnum : 0x001b (27)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x00000054 (84)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 10 B3 72 D5 DB 6D 92 46 96 48 41 61 ......r. .m.F.HAa
>[0010] D4 65 EE 34 00 00 00 00 .e.4....
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> samr_OpenAlias: struct samr_OpenAlias
> out: struct samr_OpenAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : d572b310-6ddb-4692-9648-4161d465ee34
> result : NT_STATUS_OK
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> in: struct samr_GetMembersInAlias
> alias_handle : *
> alias_handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : d572b310-6ddb-4692-9648-4161d465ee34
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000055 (85)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0021 (33)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 44
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x003c (60)
> auth_length : 0x0000 (0)
> call_id : 0x00000055 (85)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000024 (36)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=36
>[0000] 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........
>[0010] 01 00 00 00 01 01 00 00 00 00 00 05 09 00 00 00 ........ ........
>[0020] 00 00 00 00 ....
>Got pdu len 60, data_len 36
>rpc_api_pipe: got frag len of 60 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 36 bytes.
> samr_GetMembersInAlias: struct samr_GetMembersInAlias
> out: struct samr_GetMembersInAlias
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000001 (1)
> sids : *
> sids: ARRAY(1)
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-9
> result : NT_STATUS_OK
> samr_Close: struct samr_Close
> in: struct samr_Close
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : d572b310-6ddb-4692-9648-4161d465ee34
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000056 (86)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000014 (20)
> context_id : 0x0000 (0)
> opnum : 0x0001 (1)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x00000056 (86)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000231 (561) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000057 (87) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : 
DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000057 (87) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 A9 28 4E 8E 85 C9 87 41 AD A8 65 D2 .....(N. ...A..e. >[0010] 48 A6 1A 0B 00 00 00 00 H....... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8e4e28a9-c985-4187-ada8-65d248a61a0b > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8e4e28a9-c985-4187-ada8-65d248a61a0b > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000058 (88) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > 
alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 80 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0060 (96) > auth_length : 0x0000 (0) > call_id : 0x00000058 (88) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=72 >[0000] 02 00 00 00 00 00 02 00 02 00 00 00 04 00 02 00 ........ ........ >[0010] 08 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 ........ ........ >[0020] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... >[0030] E8 03 00 00 01 00 00 00 01 01 00 00 00 00 00 05 ........ ........ >[0040] 14 00 00 00 00 00 00 00 ........ >Got pdu len 96, data_len 72 >rpc_api_pipe: got frag len of 96 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 72 bytes. 
> samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000002 (2) > sids : * > sids: ARRAY(2) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1000 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-20 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8e4e28a9-c985-4187-ada8-65d248a61a0b > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000059 (89) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000059 (89) > u : union dcerpc_payload(case 2) 
> response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 44961a72-584f-4d8b-a39e-aa1ffbfb8c5b > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000005a (90) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX 
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000005a (90) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenDomain: struct samr_OpenDomain > in: struct samr_OpenDomain > connect_handle : * > connect_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 3ed057f5-a818-416c-9b36-71992040561d > access_mask : 0x02000000 (33554432) > 0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 > 0: SAMR_DOMAIN_ACCESS_SET_INFO_1 > 0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2 > 0: SAMR_DOMAIN_ACCESS_SET_INFO_2 > 0: SAMR_DOMAIN_ACCESS_CREATE_USER > 0: SAMR_DOMAIN_ACCESS_CREATE_GROUP > 0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS > 0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS > 0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS > 0: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT > 0: SAMR_DOMAIN_ACCESS_SET_INFO_3 > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 
0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000005b (91) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000034 (52) > context_id : 0x0000 (0) > opnum : 0x0007 (7) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000005b (91) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 F7 C4 4B 5F 58 B6 0B 4C BC 38 B0 21 ......K_ X..L.8.! >[0010] E6 9A 7D E2 00 00 00 00 ..}..... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenDomain: struct samr_OpenDomain > out: struct samr_OpenDomain > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > result : NT_STATUS_OK > samr_EnumDomainAliases: struct samr_EnumDomainAliases > in: struct samr_EnumDomainAliases > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > resume_handle : * > resume_handle : 0x00000000 (0) > max_size : 0x000000fa (250) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000005c (92) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 360 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0178 (376) > auth_length : 0x0000 (0) > call_id : 0x0000005c (92) > u : union 
dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000160 (352) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=352 >[0000] 3C 02 00 00 00 00 02 00 04 00 00 00 04 00 02 00 <....... ........ >[0010] 04 00 00 00 05 02 00 00 1E 00 1E 00 08 00 02 00 ........ ........ >[0020] 29 02 00 00 26 00 26 00 0C 00 02 00 3B 02 00 00 )...&.&. ....;... >[0030] 4E 00 4E 00 10 00 02 00 3C 02 00 00 4C 00 4C 00 N.N..... <...L.L. >[0040] 14 00 02 00 0F 00 00 00 00 00 00 00 0F 00 00 00 ........ ........ >[0050] 43 00 65 00 72 00 74 00 20 00 50 00 75 00 62 00 C.e.r.t. .P.u.b. >[0060] 6C 00 69 00 73 00 68 00 65 00 72 00 73 00 00 00 l.i.s.h. e.r.s... >[0070] 13 00 00 00 00 00 00 00 13 00 00 00 52 00 41 00 ........ ....R.A. >[0080] 53 00 20 00 61 00 6E 00 64 00 20 00 49 00 41 00 S. .a.n. d. .I.A. >[0090] 53 00 20 00 53 00 65 00 72 00 76 00 65 00 72 00 S. .S.e. r.v.e.r. >[00A0] 73 00 00 00 27 00 00 00 00 00 00 00 27 00 00 00 s...'... ....'... >[00B0] 41 00 6C 00 6C 00 6F 00 77 00 65 00 64 00 20 00 A.l.l.o. w.e.d. . >[00C0] 52 00 4F 00 44 00 43 00 20 00 50 00 61 00 73 00 R.O.D.C. .P.a.s. >[00D0] 73 00 77 00 6F 00 72 00 64 00 20 00 52 00 65 00 s.w.o.r. d. .R.e. >[00E0] 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 p.l.i.c. a.t.i.o. >[00F0] 6E 00 20 00 47 00 72 00 6F 00 75 00 70 00 00 00 n. .G.r. o.u.p... >[0100] 26 00 00 00 00 00 00 00 26 00 00 00 44 00 65 00 &....... &...D.e. >[0110] 6E 00 69 00 65 00 64 00 20 00 52 00 4F 00 44 00 n.i.e.d. .R.O.D. >[0120] 43 00 20 00 50 00 61 00 73 00 73 00 77 00 6F 00 C. .P.a. s.s.w.o. >[0130] 72 00 64 00 20 00 52 00 65 00 70 00 6C 00 69 00 r.d. .R. e.p.l.i. >[0140] 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 47 00 c.a.t.i. o.n. .G. >[0150] 72 00 6F 00 75 00 70 00 04 00 00 00 05 01 00 00 r.o.u.p. ........ >Got pdu len 376, data_len 352 >rpc_api_pipe: got frag len of 376 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 352 bytes. 
> samr_EnumDomainAliases: struct samr_EnumDomainAliases > out: struct samr_EnumDomainAliases > resume_handle : * > resume_handle : 0x0000023c (572) > sam : * > sam : * > sam: struct samr_SamArray > count : 0x00000004 (4) > entries : * > entries: ARRAY(4) > entries: struct samr_SamEntry > idx : 0x00000205 (517) > name: struct lsa_String > length : 0x001e (30) > size : 0x001e (30) > string : * > string : 'Cert Publishers' > entries: struct samr_SamEntry > idx : 0x00000229 (553) > name: struct lsa_String > length : 0x0026 (38) > size : 0x0026 (38) > string : * > string : 'RAS and IAS Servers' > entries: struct samr_SamEntry > idx : 0x0000023b (571) > name: struct lsa_String > length : 0x004e (78) > size : 0x004e (78) > string : * > string : 'Allowed RODC Password Replication Group' > entries: struct samr_SamEntry > idx : 0x0000023c (572) > name: struct lsa_String > length : 0x004c (76) > size : 0x004c (76) > string : * > string : 'Denied RODC Password Replication Group' > num_entries : * > num_entries : 0x00000004 (4) > result : STATUS_MORE_ENTRIES > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000205 (517) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 
0x0000 (0) > call_id : 0x0000005d (93) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000005d (93) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 DC C1 59 C4 64 D4 EC 46 8A 08 40 B7 ......Y. d..F..@. >[0010] 8D A1 04 01 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : c459c1dc-d464-46ec-8a08-40b78da10401 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : c459c1dc-d464-46ec-8a08-40b78da10401 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000005e (94) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x0000005e (94) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 
0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : c459c1dc-d464-46ec-8a08-40b78da10401 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000005f (95) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 
0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000005f (95) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000229 (553) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000060 (96) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000060 (96) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 AA B2 11 81 C1 5E D7 4D 97 D4 87 7F ........ .^.M.... >[0010] DA 15 2A FF 00 00 00 00 ..*..... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8111b2aa-5ec1-4dd7-97d4-877fda152aff > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8111b2aa-5ec1-4dd7-97d4-877fda152aff > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000061 (97) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x00000061 (97) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id : 
0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8111b2aa-5ec1-4dd7-97d4-877fda152aff > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000062 (98) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 
0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000062 (98) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x0000023b (571) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000063 (99) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000063 (99) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 B7 58 FA DC C8 E4 73 42 B7 54 37 DF .....X.. ..sB.T7. >[0010] B6 06 FF 3E 00 00 00 00 ...>.... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : dcfa58b7-e4c8-4273-b754-37dfb606ff3e > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : dcfa58b7-e4c8-4273-b754-37dfb606ff3e > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000064 (100) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x00000064 (100) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id 
: 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : dcfa58b7-e4c8-4273-b754-37dfb606ff3e > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000065 (101) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] 
: 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000065 (101) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x0000023c (572) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000066 (102) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000066 (102) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 7B B5 7A AF B2 B4 87 4A 87 5D D3 24 ....{.z. ...J.].$ >[0010] 3A 84 2B 65 00 00 00 00 :.+e.... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : af7ab57b-b4b2-4a87-875d-d3243a842b65 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : af7ab57b-b4b2-4a87-875d-d3243a842b65 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000067 (103) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 312 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0148 (328) > auth_length : 0x0000 (0) > call_id : 0x00000067 (103) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000130 (304) > 
context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=304 >[0000] 08 00 00 00 00 00 02 00 08 00 00 00 04 00 02 00 ........ ........ >[0010] 08 00 02 00 0C 00 02 00 10 00 02 00 14 00 02 00 ........ ........ >[0020] 18 00 02 00 1C 00 02 00 20 00 02 00 05 00 00 00 ........ ....... >[0030] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q >[0040] 19 74 23 9A D3 83 E6 CA F6 01 00 00 05 00 00 00 .t#..... ........ >[0050] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q >[0060] 19 74 23 9A D3 83 E6 CA 04 02 00 00 05 00 00 00 .t#..... ........ >[0070] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q >[0080] 19 74 23 9A D3 83 E6 CA 06 02 00 00 05 00 00 00 .t#..... ........ >[0090] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q >[00A0] 19 74 23 9A D3 83 E6 CA 07 02 00 00 05 00 00 00 .t#..... ........ >[00B0] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q >[00C0] 19 74 23 9A D3 83 E6 CA 05 02 00 00 05 00 00 00 .t#..... ........ >[00D0] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q >[00E0] 19 74 23 9A D3 83 E6 CA 00 02 00 00 05 00 00 00 .t#..... ........ >[00F0] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q >[0100] 19 74 23 9A D3 83 E6 CA 08 02 00 00 05 00 00 00 .t#..... ........ >[0110] 01 05 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q >[0120] 19 74 23 9A D3 83 E6 CA 09 02 00 00 00 00 00 00 .t#..... ........ >Got pdu len 328, data_len 304 >rpc_api_pipe: got frag len of 328 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 304 bytes. 
> samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000008 (8) > sids : * > sids: ARRAY(8) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-502 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-516 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-518 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-519 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-517 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-512 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-520 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-521 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : af7ab57b-b4b2-4a87-875d-d3243a842b65 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000068 (104) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: 
data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000068 (104) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_EnumDomainAliases: struct samr_EnumDomainAliases > in: struct samr_EnumDomainAliases > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > resume_handle : * > resume_handle : 0x0000023c (572) > max_size : 0x000000fa (250) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000069 (105) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 248 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0108 (264) > auth_length : 0x0000 (0) > call_id : 0x00000069 (105) > u : union dcerpc_payload(case 2) > response: 
struct dcerpc_response > alloc_hint : 0x000000f0 (240) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=240 >[0000] 00 00 00 00 00 00 02 00 03 00 00 00 04 00 02 00 ........ ........ >[0010] 03 00 00 00 4D 04 00 00 12 00 12 00 08 00 02 00 ....M... ........ >[0020] 67 04 00 00 26 00 26 00 0C 00 02 00 6A 04 00 00 g...&.&. ....j... >[0030] 4E 00 4E 00 10 00 02 00 09 00 00 00 00 00 00 00 N.N..... ........ >[0040] 09 00 00 00 44 00 6E 00 73 00 41 00 64 00 6D 00 ....D.n. s.A.d.m. >[0050] 69 00 6E 00 73 00 00 00 13 00 00 00 00 00 00 00 i.n.s... ........ >[0060] 13 00 00 00 48 00 65 00 6C 00 70 00 4C 00 69 00 ....H.e. l.p.L.i. >[0070] 62 00 72 00 61 00 72 00 79 00 55 00 70 00 64 00 b.r.a.r. y.U.p.d. >[0080] 61 00 74 00 65 00 72 00 73 00 00 00 27 00 00 00 a.t.e.r. s...'... >[0090] 00 00 00 00 27 00 00 00 53 00 51 00 4C 00 53 00 ....'... S.Q.L.S. >[00A0] 65 00 72 00 76 00 65 00 72 00 32 00 30 00 30 00 e.r.v.e. r.2.0.0. >[00B0] 35 00 53 00 51 00 4C 00 42 00 72 00 6F 00 77 00 5.S.Q.L. B.r.o.w. >[00C0] 73 00 65 00 72 00 55 00 73 00 65 00 72 00 24 00 s.e.r.U. s.e.r.$. >[00D0] 46 00 52 00 49 00 53 00 4B 00 44 00 45 00 4D 00 F.R.I.S. K.D.E.M. >[00E0] 4F 00 30 00 31 00 00 00 03 00 00 00 00 00 00 00 O.0.1... ........ >Got pdu len 264, data_len 240 >rpc_api_pipe: got frag len of 264 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 240 bytes. 
> samr_EnumDomainAliases: struct samr_EnumDomainAliases > out: struct samr_EnumDomainAliases > resume_handle : * > resume_handle : 0x00000000 (0) > sam : * > sam : * > sam: struct samr_SamArray > count : 0x00000003 (3) > entries : * > entries: ARRAY(3) > entries: struct samr_SamEntry > idx : 0x0000044d (1101) > name: struct lsa_String > length : 0x0012 (18) > size : 0x0012 (18) > string : * > string : 'DnsAdmins' > entries: struct samr_SamEntry > idx : 0x00000467 (1127) > name: struct lsa_String > length : 0x0026 (38) > size : 0x0026 (38) > string : * > string : 'HelpLibraryUpdaters' > entries: struct samr_SamEntry > idx : 0x0000046a (1130) > name: struct lsa_String > length : 0x004e (78) > size : 0x004e (78) > string : * > string : 'SQLServer2005SQLBrowserUser$FRISKDEMO01' > num_entries : * > num_entries : 0x00000003 (3) > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x0000044d (1101) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000006a (106) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union 
dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000006a (106) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 41 A5 10 8E 0C 67 79 48 BD 7C F5 D9 ....A... .gyH.|.. >[0010] 49 97 0B 48 00 00 00 00 I..H.... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8e10a541-670c-4879-bd7c-f5d949970b48 > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8e10a541-670c-4879-bd7c-f5d949970b48 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000006b (107) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x0000006b (107) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id 
: 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 8e10a541-670c-4879-bd7c-f5d949970b48 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000006c (108) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] 
: 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000006c (108) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x00000467 (1127) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000006d (109) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000006d (109) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 01 1F 41 30 3A 72 75 4A AE 1D 02 12 ......A0 :ruJ.... >[0010] 61 F6 6D CF 00 00 00 00 a.m..... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 30411f01-723a-4a75-ae1d-021261f66dcf > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 30411f01-723a-4a75-ae1d-021261f66dcf > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000006e (110) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x0000006e (110) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id 
: 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 30411f01-723a-4a75-ae1d-021261f66dcf > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000006f (111) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] 
: 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x0000006f (111) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_OpenAlias: struct samr_OpenAlias > in: struct samr_OpenAlias > domain_handle : * > domain_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > access_mask : 0x02000000 (33554432) > 0: SAMR_ALIAS_ACCESS_ADD_MEMBER > 0: SAMR_ALIAS_ACCESS_REMOVE_MEMBER > 0: SAMR_ALIAS_ACCESS_GET_MEMBERS > 0: SAMR_ALIAS_ACCESS_LOOKUP_INFO > 0: SAMR_ALIAS_ACCESS_SET_INFO > rid : 0x0000046a (1130) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000070 (112) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x0000001c (28) > context_id : 0x0000 (0) > opnum : 0x001b (27) > object : union dcerpc_object(case 0) > empty: struct 
dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000070 (112) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 3E C1 23 AC E6 FE 3C 44 82 4C 13 48 ....>.#. ..<D.L.H >[0010] C4 36 E2 9E 00 00 00 00 .6...... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_OpenAlias: struct samr_OpenAlias > out: struct samr_OpenAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : ac23c13e-fee6-443c-824c-1348c436e29e > result : NT_STATUS_OK > samr_GetMembersInAlias: struct samr_GetMembersInAlias > in: struct samr_GetMembersInAlias > alias_handle : * > alias_handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : ac23c13e-fee6-443c-824c-1348c436e29e > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000071 (113) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0021 (33) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 20 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0024 (36) > auth_length : 0x0000 (0) > call_id : 0x00000071 (113) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000000c (12) > context_id 
: 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=12 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... >Got pdu len 36, data_len 12 >rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 12 bytes. > samr_GetMembersInAlias: struct samr_GetMembersInAlias > out: struct samr_GetMembersInAlias > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000000 (0) > sids : NULL > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : ac23c13e-fee6-443c-824c-1348c436e29e > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000072 (114) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] 
: 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000072 (114) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 5f4bc4f7-b658-4c0b-bc38-b021e69a7de2 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000073 (115) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : 
DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000073 (115) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK > samr_Close: struct samr_Close > in: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 3ed057f5-a818-416c-9b36-71992040561d > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000074 (116) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0001 (1) > 
object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000074 (116) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> samr_Close: struct samr_Close > out: struct samr_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK >rpc command function succedded >signed SMB2 message >signed SMB2 message >Connecting to 10.10.11.1 at port 445 >Socket options: > SO_KEEPALIVE = 0 > SO_REUSEADDR = 0 > SO_BROADCAST = 0 > TCP_NODELAY = 1 > TCP_KEEPCNT = 9 > TCP_KEEPIDLE = 7200 > TCP_KEEPINTVL = 75 > IPTOS_LOWDELAY = 0 > IPTOS_THROUGHPUT = 0 > SO_REUSEPORT = 0 > SO_SNDBUF = 168960 > SO_RCVBUF = 372480 > SO_SNDLOWAT = 1 > SO_RCVLOWAT = 1 > SO_SNDTIMEO = 0 > SO_RCVTIMEO = 0 > TCP_QUICKACK = 1 > TCP_DEFER_ACCEPT = 0 >Doing spnego session setup (blob length=120) >got OID=1.3.6.1.4.1.311.2.2.30 >got OID=1.2.840.48018.1.2.2 >got OID=1.2.840.113554.1.2.2 >got OID=1.2.840.113554.1.2.2.3 >got OID=1.3.6.1.4.1.311.2.2.10 >got principal=not_defined_in_RFC4178@please_ignore >Starting GENSEC mechanism spnego >Starting GENSEC submechanism ntlmssp > negotiate: struct NEGOTIATE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmNegotiate (1) > NegotiateFlags : 0x62088215 (1644724757) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 0: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 0: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 0: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: 
NTLMSSP_NEGOTIATE_56 > DomainNameLen : 0x0000 (0) > DomainNameMaxLen : 0x0000 (0) > DomainName : * > DomainName : '' > WorkstationLen : 0x0000 (0) > WorkstationMaxLen : 0x0000 (0) > Workstation : * > Workstation : '' > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) > ProductBuild : 0x0000 (0) > Reserved: ARRAY(3) > [0] : 0x00 (0) > [1] : 0x00 (0) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) >Got challenge flags: >Got NTLMSSP neg_flags=0x62898215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_TARGET_TYPE_DOMAIN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_TARGET_INFO > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH >NTLMSSP: Set final flags: >Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH >NTLMSSP Sign/Seal - Initialising with flags: >Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH >ntlmssp_check_packet: NTLMSSP signature OK ! 
>NTLMSSP Sign/Seal - Initialising with flags: >Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH >signed SMB2 message >signed SMB2 message >signed SMB2 message >Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_BIND (11) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0048 (72) > auth_length : 0x0000 (0) > call_id : 0x00000075 (117) > u : union dcerpc_payload(case 11) > bind: struct dcerpc_bind > max_xmit_frag : 0x10b8 (4280) > max_recv_frag : 0x10b8 (4280) > assoc_group_id : 0x00000000 (0) > num_contexts : 0x01 (1) > ctx_list: ARRAY(1) > ctx_list: struct dcerpc_ctx_list > context_id : 0x0000 (0) > num_transfer_syntaxes : 0x01 (1) > abstract_syntax: struct ndr_syntax_id > uuid : 12345778-1234-abcd-ef00-0123456789ab > if_version : 0x00000000 (0) > transfer_syntaxes: ARRAY(1) > transfer_syntaxes: struct ndr_syntax_id > uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 > if_version : 0x00000002 (2) > auth_info : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 52 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_BIND_ACK (12) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: 
DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0044 (68) > auth_length : 0x0000 (0) > call_id : 0x00000075 (117) > u : union dcerpc_payload(case 12) > bind_ack: struct dcerpc_bind_ack > max_xmit_frag : 0x10b8 (4280) > max_recv_frag : 0x10b8 (4280) > assoc_group_id : 0x0000e87a (59514) > secondary_address_size : 0x000c (12) > secondary_address : '\pipe\lsass' > _pad1 : DATA_BLOB length=2 >[0000] 00 00 .. > num_results : 0x01 (1) > ctx_list: ARRAY(1) > ctx_list: struct dcerpc_ack_ctx > result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) > reason : union dcerpc_bind_ack_reason(case 0) > value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) > syntax: struct ndr_syntax_id > uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 > if_version : 0x00000002 (2) > auth_info : DATA_BLOB length=0 >rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 68 bytes. >check_bind_response: accepted! >cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine 10.10.11.1 and bound anonymously. 
> lsa_OpenPolicy: struct lsa_OpenPolicy > in: struct lsa_OpenPolicy > system_name : * > system_name : 0x005c (92) > attr : * > attr: struct lsa_ObjectAttribute > len : 0x00000018 (24) > root_dir : NULL > object_name : NULL > attributes : 0x00000000 (0) > sec_desc : NULL > sec_qos : NULL > access_mask : 0x02000000 (33554432) > 0: LSA_POLICY_VIEW_LOCAL_INFORMATION > 0: LSA_POLICY_VIEW_AUDIT_INFORMATION > 0: LSA_POLICY_GET_PRIVATE_INFORMATION > 0: LSA_POLICY_TRUST_ADMIN > 0: LSA_POLICY_CREATE_ACCOUNT > 0: LSA_POLICY_CREATE_SECRET > 0: LSA_POLICY_CREATE_PRIVILEGE > 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS > 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS > 0: LSA_POLICY_AUDIT_LOG_ADMIN > 0: LSA_POLICY_SERVER_ADMIN > 0: LSA_POLICY_LOOKUP_NAMES > 0: LSA_POLICY_NOTIFICATION > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000076 (118) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000024 (36) > context_id : 0x0000 (0) > opnum : 0x0006 (6) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 
0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000076 (118) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 1D 49 49 A9 DA B6 02 4E 89 06 61 0A .....II. ...N..a. >[0010] 9D DB 6C C8 00 00 00 00 ..l..... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > lsa_OpenPolicy: struct lsa_OpenPolicy > out: struct lsa_OpenPolicy > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : a949491d-b6da-4e02-8906-610a9ddb6cc8 > result : NT_STATUS_OK > lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy > in: struct lsa_QueryInfoPolicy > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : a949491d-b6da-4e02-8906-610a9ddb6cc8 > level : LSA_POLICY_INFO_ACCOUNT_DOMAIN (5) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000077 (119) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000016 (22) > context_id : 0x0000 (0) > opnum : 0x0007 (7) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 
10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 92 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x006c (108) > auth_length : 0x0000 (0) > call_id : 0x00000077 (119) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=84 >[0000] 00 00 02 00 05 00 00 00 12 00 14 00 04 00 02 00 ........ ........ >[0010] 08 00 02 00 0A 00 00 00 00 00 00 00 09 00 00 00 ........ ........ >[0020] 46 00 52 00 49 00 53 00 4B 00 44 00 45 00 4D 00 F.R.I.S. K.D.E.M. >[0030] 4F 00 00 00 04 00 00 00 01 04 00 00 00 00 00 05 O....... ........ >[0040] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... >[0050] 00 00 00 00 .... >Got pdu len 108, data_len 84 >rpc_api_pipe: got frag len of 108 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 84 bytes. 
> lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy > out: struct lsa_QueryInfoPolicy > info : * > info : * > info : union lsa_PolicyInformation(case 5) > account_domain: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > result : NT_STATUS_OK > lsa_Close: struct lsa_Close > in: struct lsa_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : a949491d-b6da-4e02-8906-610a9ddb6cc8 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000078 (120) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0000 (0) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x00000078 (120) > u : 
union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > lsa_Close: struct lsa_Close > out: struct lsa_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK >signed SMB2 message >signed SMB2 message >Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_BIND (11) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0048 (72) > auth_length : 0x0000 (0) > call_id : 0x00000079 (121) > u : union dcerpc_payload(case 11) > bind: struct dcerpc_bind > max_xmit_frag : 0x10b8 (4280) > max_recv_frag : 0x10b8 (4280) > assoc_group_id : 0x00000000 (0) > num_contexts : 0x01 (1) > ctx_list: ARRAY(1) > ctx_list: struct dcerpc_ctx_list > context_id : 0x0000 (0) > num_transfer_syntaxes : 0x01 (1) > abstract_syntax: struct ndr_syntax_id > uuid : 12345778-1234-abcd-ef00-0123456789ab > if_version : 0x00000000 (0) > transfer_syntaxes: ARRAY(1) > transfer_syntaxes: struct ndr_syntax_id > uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 > if_version : 0x00000002 (2) > auth_info : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 52 
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_BIND_ACK (12)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0044 (68)
> auth_length : 0x0000 (0)
> call_id : 0x00000079 (121)
> u : union dcerpc_payload(case 12)
> bind_ack: struct dcerpc_bind_ack
> max_xmit_frag : 0x10b8 (4280)
> max_recv_frag : 0x10b8 (4280)
> assoc_group_id : 0x0000e87b (59515)
> secondary_address_size : 0x000c (12)
> secondary_address : '\pipe\lsass'
> _pad1 : DATA_BLOB length=2
>[0000] 13 48 .H
> num_results : 0x01 (1)
> ctx_list: ARRAY(1)
> ctx_list: struct dcerpc_ack_ctx
> result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0)
> reason : union dcerpc_bind_ack_reason(case 0)
> value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0)
> syntax: struct ndr_syntax_id
> uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
> if_version : 0x00000002 (2)
> auth_info : DATA_BLOB length=0
>rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 68 bytes.
>check_bind_response: accepted!
>cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine 10.10.11.1 and bound anonymously.
> lsa_OpenPolicy: struct lsa_OpenPolicy
> in: struct lsa_OpenPolicy
> system_name : *
> system_name : 0x005c (92)
> attr : *
> attr: struct lsa_ObjectAttribute
> len : 0x00000018 (24)
> root_dir : NULL
> object_name : NULL
> attributes : 0x00000000 (0)
> sec_desc : NULL
> sec_qos : *
> sec_qos: struct lsa_QosInfo
> len : 0x0000000c (12)
> impersonation_level : 0x0002 (2)
> context_mode : 0x01 (1)
> effective_only : 0x00 (0)
> access_mask : 0x02000000 (33554432)
> 0: LSA_POLICY_VIEW_LOCAL_INFORMATION
> 0: LSA_POLICY_VIEW_AUDIT_INFORMATION
> 0: LSA_POLICY_GET_PRIVATE_INFORMATION
> 0: LSA_POLICY_TRUST_ADMIN
> 0: LSA_POLICY_CREATE_ACCOUNT
> 0: LSA_POLICY_CREATE_SECRET
> 0: LSA_POLICY_CREATE_PRIVILEGE
> 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
> 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
> 0: LSA_POLICY_AUDIT_LOG_ADMIN
> 0: LSA_POLICY_SERVER_ADMIN
> 0: LSA_POLICY_LOOKUP_NAMES
> 0: LSA_POLICY_NOTIFICATION
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000007a (122)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x0000002c (44)
> context_id : 0x0000 (0)
> opnum : 0x0006 (6)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 32
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0030 (48)
> auth_length : 0x0000 (0)
> call_id : 0x0000007a (122)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000018 (24)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=24
>[0000] 00 00 00 00 BC 18 D4 85 F3 DF C7 49 B7 4F D3 3B ........ ...I.O.;
>[0010] E5 8E 5C 69 00 00 00 00 ..\i....
>Got pdu len 48, data_len 24
>rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 24 bytes.
> lsa_OpenPolicy: struct lsa_OpenPolicy
> out: struct lsa_OpenPolicy
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69
> result : NT_STATUS_OK
>rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1.
> lsa_LookupSids: struct lsa_LookupSids
> in: struct lsa_LookupSids
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000001 (1)
> sids : *
> sids: ARRAY(1)
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-32-544
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000000 (0)
> names : NULL
> level : LSA_LOOKUP_NAMES_ALL (1)
> count : *
> count : 0x00000000 (0)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000007b (123)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000048 (72)
> context_id : 0x0000 (0)
> opnum : 0x000f (15)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 160
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x00b0 (176)
> auth_length : 0x0000 (0)
> call_id : 0x0000007b (123)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000098 (152)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=152
>[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ...
>[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........
>[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U.
>[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N.......
>[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ .......
>[0050] 10 00 02 00 01 00 00 00 04 00 00 00 1C 00 1C 00 ........ ........
>[0060] 14 00 02 00 00 00 00 00 0E 00 00 00 00 00 00 00 ........ ........
>[0070] 0E 00 00 00 41 00 64 00 6D 00 69 00 6E 00 69 00 ....A.d. m.i.n.i.
>[0080] 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 73 00 s.t.r.a. t.o.r.s.
>[0090] 01 00 00 00 00 00 00 00 ........
>Got pdu len 176, data_len 152
>rpc_api_pipe: got frag len of 176 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 152 bytes.
> lsa_LookupSids: struct lsa_LookupSids
> out: struct lsa_LookupSids
> domains : *
> domains : *
> domains: struct lsa_RefDomainList
> count : 0x00000001 (1)
> domains : *
> domains: ARRAY(1)
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length : 0x000e (14)
> size : 0x0010 (16)
> string : *
> string : 'BUILTIN'
> sid : *
> sid : S-1-5-32
> max_size : 0x00000020 (32)
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000001 (1)
> names : *
> names: ARRAY(1)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_ALIAS (4)
> name: struct lsa_String
> length : 0x001c (28)
> size : 0x001c (28)
> string : *
> string : 'Administrators'
> sid_index : 0x00000000 (0)
> count : *
> count : 0x00000001 (1)
> result : NT_STATUS_OK
>LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1'
>BUILTIN\Administrators 4: rpccli_lsa_lookup_sids: processing items 0 -- 4 of 5.
> lsa_LookupSids: struct lsa_LookupSids
> in: struct lsa_LookupSids
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000005 (5)
> sids : *
> sids: ARRAY(5)
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659-500
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659-519
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659-512
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659-1104
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659-1125
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000000 (0)
> names : NULL
> level : LSA_LOOKUP_NAMES_ALL (1)
> count : *
> count : 0x00000000 (0)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000007c (124)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x000000e4 (228)
> context_id : 0x0000 (0)
> opnum : 0x000f (15)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 384
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0190 (400)
> auth_length : 0x0000 (0)
> call_id : 0x0000007c (124)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000178 (376)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=376
>[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ...
>[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........
>[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R.
>[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O...
>[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........
>[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 05 00 00 00 .53Q.t#. ........
>[0060] 10 00 02 00 05 00 00 00 01 00 00 00 1A 00 1A 00 ........ ........
>[0070] 14 00 02 00 00 00 00 00 02 00 00 00 22 00 22 00 ........ ....".".
>[0080] 18 00 02 00 00 00 00 00 02 00 00 00 1A 00 1A 00 ........ ........
>[0090] 1C 00 02 00 00 00 00 00 01 00 00 00 0A 00 0A 00 ........ ........
>[00A0] 20 00 02 00 00 00 00 00 01 00 00 00 14 00 14 00 ....... ........
>[00B0] 24 00 02 00 00 00 00 00 0D 00 00 00 00 00 00 00 $....... ........
>[00C0] 0D 00 00 00 41 00 64 00 6D 00 69 00 6E 00 69 00 ....A.d. m.i.n.i.
>[00D0] 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 00 00 s.t.r.a. t.o.r...
>[00E0] 11 00 00 00 00 00 00 00 11 00 00 00 45 00 6E 00 ........ ....E.n.
>[00F0] 74 00 65 00 72 00 70 00 72 00 69 00 73 00 65 00 t.e.r.p. r.i.s.e.
>[0100] 20 00 41 00 64 00 6D 00 69 00 6E 00 73 00 00 00 .A.d.m. i.n.s...
>[0110] 0D 00 00 00 00 00 00 00 0D 00 00 00 44 00 6F 00 ........ ....D.o.
>[0120] 6D 00 61 00 69 00 6E 00 20 00 41 00 64 00 6D 00 m.a.i.n. .A.d.m.
>[0130] 69 00 6E 00 73 00 00 00 05 00 00 00 00 00 00 00 i.n.s... ........
>[0140] 05 00 00 00 66 00 72 00 69 00 73 00 6B 00 00 00 ....f.r. i.s.k...
>[0150] 0A 00 00 00 00 00 00 00 0A 00 00 00 66 00 72 00 ........ ....f.r.
>[0160] 69 00 73 00 6B 00 61 00 64 00 6D 00 69 00 6E 00 i.s.k.a. d.m.i.n.
>[0170] 05 00 00 00 00 00 00 00 ........
>Got pdu len 400, data_len 376
>rpc_api_pipe: got frag len of 400 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 376 bytes.
> lsa_LookupSids: struct lsa_LookupSids
> out: struct lsa_LookupSids
> domains : *
> domains : *
> domains: struct lsa_RefDomainList
> count : 0x00000001 (1)
> domains : *
> domains: ARRAY(1)
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length : 0x0012 (18)
> size : 0x0014 (20)
> string : *
> string : 'FRISKDEMO'
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659
> max_size : 0x00000020 (32)
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000005 (5)
> names : *
> names: ARRAY(5)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_USER (1)
> name: struct lsa_String
> length : 0x001a (26)
> size : 0x001a (26)
> string : *
> string : 'Administrator'
> sid_index : 0x00000000 (0)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_DOM_GRP (2)
> name: struct lsa_String
> length : 0x0022 (34)
> size : 0x0022 (34)
> string : *
> string : 'Enterprise Admins'
> sid_index : 0x00000000 (0)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_DOM_GRP (2)
> name: struct lsa_String
> length : 0x001a (26)
> size : 0x001a (26)
> string : *
> string : 'Domain Admins'
> sid_index : 0x00000000 (0)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_USER (1)
> name: struct lsa_String
> length : 0x000a (10)
> size : 0x000a (10)
> string : *
> string : 'frisk'
> sid_index : 0x00000000 (0)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_USER (1)
> name: struct lsa_String
> length : 0x0014 (20)
> size : 0x0014 (20)
> string : *
> string : 'friskadmin'
> sid_index : 0x00000000 (0)
> count : *
> count : 0x00000005 (5)
> result : NT_STATUS_OK
>LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 5'
>FRISKDEMO\Administrator (1); FRISKDEMO\Enterprise Admins (2); FRISKDEMO\Domain Admins (2); FRISKDEMO\frisk (1); FRISKDEMO\friskadmin (1);
>rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1.
> lsa_LookupSids: struct lsa_LookupSids
> in: struct lsa_LookupSids
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000001 (1)
> sids : *
> sids: ARRAY(1)
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-32-545
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000000 (0)
> names : NULL
> level : LSA_LOOKUP_NAMES_ALL (1)
> count : *
> count : 0x00000000 (0)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000007d (125)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000048 (72)
> context_id : 0x0000 (0)
> opnum : 0x000f (15)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 144
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x00a0 (160)
> auth_length : 0x0000 (0)
> call_id : 0x0000007d (125)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000088 (136)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=136
>[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ...
>[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........
>[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U.
>[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N.......
>[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ .......
>[0050] 10 00 02 00 01 00 00 00 04 00 00 00 0A 00 0A 00 ........ ........
>[0060] 14 00 02 00 00 00 00 00 05 00 00 00 00 00 00 00 ........ ........
>[0070] 05 00 00 00 55 00 73 00 65 00 72 00 73 00 00 00 ....U.s. e.r.s...
>[0080] 01 00 00 00 00 00 00 00 ........
>Got pdu len 160, data_len 136
>rpc_api_pipe: got frag len of 160 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 136 bytes.
> lsa_LookupSids: struct lsa_LookupSids
> out: struct lsa_LookupSids
> domains : *
> domains : *
> domains: struct lsa_RefDomainList
> count : 0x00000001 (1)
> domains : *
> domains: ARRAY(1)
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length : 0x000e (14)
> size : 0x0010 (16)
> string : *
> string : 'BUILTIN'
> sid : *
> sid : S-1-5-32
> max_size : 0x00000020 (32)
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000001 (1)
> names : *
> names: ARRAY(1)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_ALIAS (4)
> name: struct lsa_String
> length : 0x000a (10)
> size : 0x000a (10)
> string : *
> string : 'Users'
> sid_index : 0x00000000 (0)
> count : *
> count : 0x00000001 (1)
> result : NT_STATUS_OK
>LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1'
>BUILTIN\Users 4: rpccli_lsa_lookup_sids: processing items 0 -- 2 of 3.
> lsa_LookupSids: struct lsa_LookupSids
> in: struct lsa_LookupSids
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000003 (3)
> sids : *
> sids: ARRAY(3)
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-4
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-11
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659-513
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000000 (0)
> names : NULL
> level : LSA_LOOKUP_NAMES_ALL (1)
> count : *
> count : 0x00000000 (0)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000007e (126)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x0000007c (124)
> context_id : 0x0000 (0)
> opnum : 0x000f (15)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 352
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0170 (368)
> auth_length : 0x0000 (0)
> call_id : 0x0000007e (126)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000158 (344)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=344
>[0000] 00 00 02 00 02 00 00 00 04 00 02 00 20 00 00 00 ........ .... ...
>[0010] 02 00 00 00 18 00 1A 00 08 00 02 00 0C 00 02 00 ........ ........
>[0020] 12 00 14 00 10 00 02 00 14 00 02 00 0D 00 00 00 ........ ........
>[0030] 00 00 00 00 0C 00 00 00 4E 00 54 00 20 00 41 00 ........ N.T. .A.
>[0040] 55 00 54 00 48 00 4F 00 52 00 49 00 54 00 59 00 U.T.H.O. R.I.T.Y.
>[0050] 00 00 00 00 01 00 00 00 00 00 00 05 0A 00 00 00 ........ ........
>[0060] 00 00 00 00 09 00 00 00 46 00 52 00 49 00 53 00 ........ F.R.I.S.
>[0070] 4B 00 44 00 45 00 4D 00 4F 00 00 00 04 00 00 00 K.D.E.M. O.......
>[0080] 01 04 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q
>[0090] 19 74 23 9A D3 83 E6 CA 03 00 00 00 18 00 02 00 .t#..... ........
>[00A0] 03 00 00 00 05 00 00 00 16 00 18 00 1C 00 02 00 ........ ........
>[00B0] 00 00 00 00 05 00 00 00 26 00 28 00 20 00 02 00 ........ &.(. ...
>[00C0] 00 00 00 00 02 00 00 00 18 00 18 00 24 00 02 00 ........ ....$...
>[00D0] 01 00 00 00 0C 00 00 00 00 00 00 00 0B 00 00 00 ........ ........
>[00E0] 49 00 4E 00 54 00 45 00 52 00 41 00 43 00 54 00 I.N.T.E. R.A.C.T.
>[00F0] 49 00 56 00 45 00 00 00 14 00 00 00 00 00 00 00 I.V.E... ........
>[0100] 13 00 00 00 41 00 75 00 74 00 68 00 65 00 6E 00 ....A.u. t.h.e.n.
>[0110] 74 00 69 00 63 00 61 00 74 00 65 00 64 00 20 00 t.i.c.a. t.e.d. .
>[0120] 55 00 73 00 65 00 72 00 73 00 00 00 0C 00 00 00 U.s.e.r. s.......
>[0130] 00 00 00 00 0C 00 00 00 44 00 6F 00 6D 00 61 00 ........ D.o.m.a.
>[0140] 69 00 6E 00 20 00 55 00 73 00 65 00 72 00 73 00 i.n. .U. s.e.r.s.
>[0150] 03 00 00 00 00 00 00 00 ........
>Got pdu len 368, data_len 344
>rpc_api_pipe: got frag len of 368 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 344 bytes.
> lsa_LookupSids: struct lsa_LookupSids
> out: struct lsa_LookupSids
> domains : *
> domains : *
> domains: struct lsa_RefDomainList
> count : 0x00000002 (2)
> domains : *
> domains: ARRAY(2)
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length : 0x0018 (24)
> size : 0x001a (26)
> string : *
> string : 'NT AUTHORITY'
> sid : *
> sid : S-1-5
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length : 0x0012 (18)
> size : 0x0014 (20)
> string : *
> string : 'FRISKDEMO'
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659
> max_size : 0x00000020 (32)
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000003 (3)
> names : *
> names: ARRAY(3)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_WKN_GRP (5)
> name: struct lsa_String
> length : 0x0016 (22)
> size : 0x0018 (24)
> string : *
> string : 'INTERACTIVE'
> sid_index : 0x00000000 (0)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_WKN_GRP (5)
> name: struct lsa_String
> length : 0x0026 (38)
> size : 0x0028 (40)
> string : *
> string : 'Authenticated Users'
> sid_index : 0x00000000 (0)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_DOM_GRP (2)
> name: struct lsa_String
> length : 0x0018 (24)
> size : 0x0018 (24)
> string : *
> string : 'Domain Users'
> sid_index : 0x00000001 (1)
> count : *
> count : 0x00000003 (3)
> result : NT_STATUS_OK
>LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 3'
>NT AUTHORITY\INTERACTIVE (5); NT AUTHORITY\Authenticated Users (5); FRISKDEMO\Domain Users (2);
>rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1.
> lsa_LookupSids: struct lsa_LookupSids
> in: struct lsa_LookupSids
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000001 (1)
> sids : *
> sids: ARRAY(1)
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-32-546
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000000 (0)
> names : NULL
> level : LSA_LOOKUP_NAMES_ALL (1)
> count : *
> count : 0x00000000 (0)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x0000007f (127)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000048 (72)
> context_id : 0x0000 (0)
> opnum : 0x000f (15)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 144
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x00a0 (160)
> auth_length : 0x0000 (0)
> call_id : 0x0000007f (127)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x00000088 (136)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=136
>[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ...
>[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........
>[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U.
>[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N.......
>[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ .......
>[0050] 10 00 02 00 01 00 00 00 04 00 00 00 0C 00 0C 00 ........ ........
>[0060] 14 00 02 00 00 00 00 00 06 00 00 00 00 00 00 00 ........ ........
>[0070] 06 00 00 00 47 00 75 00 65 00 73 00 74 00 73 00 ....G.u. e.s.t.s.
>[0080] 01 00 00 00 00 00 00 00 ........
>Got pdu len 160, data_len 136
>rpc_api_pipe: got frag len of 160 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 136 bytes.
> lsa_LookupSids: struct lsa_LookupSids
> out: struct lsa_LookupSids
> domains : *
> domains : *
> domains: struct lsa_RefDomainList
> count : 0x00000001 (1)
> domains : *
> domains: ARRAY(1)
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length : 0x000e (14)
> size : 0x0010 (16)
> string : *
> string : 'BUILTIN'
> sid : *
> sid : S-1-5-32
> max_size : 0x00000020 (32)
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000001 (1)
> names : *
> names: ARRAY(1)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_ALIAS (4)
> name: struct lsa_String
> length : 0x000c (12)
> size : 0x000c (12)
> string : *
> string : 'Guests'
> sid_index : 0x00000000 (0)
> count : *
> count : 0x00000001 (1)
> result : NT_STATUS_OK
>LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1'
>BUILTIN\Guests 4: rpccli_lsa_lookup_sids: processing items 0 -- 1 of 2.
> lsa_LookupSids: struct lsa_LookupSids
> in: struct lsa_LookupSids
> handle : *
> handle: struct policy_handle
> handle_type : 0x00000000 (0)
> uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69
> sids : *
> sids: struct lsa_SidArray
> num_sids : 0x00000002 (2)
> sids : *
> sids: ARRAY(2)
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659-501
> sids: struct lsa_SidPtr
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659-514
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000000 (0)
> names : NULL
> level : LSA_LOOKUP_NAMES_ALL (1)
> count : *
> count : 0x00000000 (0)
> &r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_REQUEST (0)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x0018 (24)
> auth_length : 0x0000 (0)
> call_id : 0x00000080 (128)
> u : union dcerpc_payload(case 0)
> request: struct dcerpc_request
> alloc_hint : 0x00000078 (120)
> context_id : 0x0000 (0)
> opnum : 0x000f (15)
> object : union dcerpc_object(case 0)
> empty: struct dcerpc_empty
> _pad : DATA_BLOB length=0
> stub_and_verifier : DATA_BLOB length=0
>rpc_api_pipe: host 10.10.11.1
>signed SMB2 message
>rpc_read_send: data_to_read: 216
> r: struct ncacn_packet
> rpc_vers : 0x05 (5)
> rpc_vers_minor : 0x00 (0)
> ptype : DCERPC_PKT_RESPONSE (2)
> pfc_flags : 0x03 (3)
> 1: DCERPC_PFC_FLAG_FIRST
> 1: DCERPC_PFC_FLAG_LAST
> 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
> 0: DCERPC_PFC_FLAG_CONC_MPX
> 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
> 0: DCERPC_PFC_FLAG_MAYBE
> 0: DCERPC_PFC_FLAG_OBJECT_UUID
> drep: ARRAY(4)
> [0] : 0x10 (16)
> [1] : 0x00 (0)
> [2] : 0x00 (0)
> [3] : 0x00 (0)
> frag_length : 0x00e8 (232)
> auth_length : 0x0000 (0)
> call_id : 0x00000080 (128)
> u : union dcerpc_payload(case 2)
> response: struct dcerpc_response
> alloc_hint : 0x000000d0 (208)
> context_id : 0x0000 (0)
> cancel_count : 0x00 (0)
> _pad : DATA_BLOB length=1
>[0000] 00 .
> stub_and_verifier : DATA_BLOB length=208
>[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ...
>[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........
>[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R.
>[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O...
>[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........
>[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 02 00 00 00 .53Q.t#. ........
>[0060] 10 00 02 00 02 00 00 00 01 00 00 00 0A 00 0A 00 ........ ........
>[0070] 14 00 02 00 00 00 00 00 02 00 00 00 1A 00 1A 00 ........ ........
>[0080] 18 00 02 00 00 00 00 00 05 00 00 00 00 00 00 00 ........ ........
>[0090] 05 00 00 00 47 00 75 00 65 00 73 00 74 00 00 00 ....G.u. e.s.t...
>[00A0] 0D 00 00 00 00 00 00 00 0D 00 00 00 44 00 6F 00 ........ ....D.o.
>[00B0] 6D 00 61 00 69 00 6E 00 20 00 47 00 75 00 65 00 m.a.i.n. .G.u.e.
>[00C0] 73 00 74 00 73 00 00 00 02 00 00 00 00 00 00 00 s.t.s... ........
>Got pdu len 232, data_len 208
>rpc_api_pipe: got frag len of 232 at offset 0: NT_STATUS_OK
>rpc_api_pipe: host 10.10.11.1 returned 208 bytes.
> lsa_LookupSids: struct lsa_LookupSids
> out: struct lsa_LookupSids
> domains : *
> domains : *
> domains: struct lsa_RefDomainList
> count : 0x00000001 (1)
> domains : *
> domains: ARRAY(1)
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length : 0x0012 (18)
> size : 0x0014 (20)
> string : *
> string : 'FRISKDEMO'
> sid : *
> sid : S-1-5-21-1362310556-2586014745-3404104659
> max_size : 0x00000020 (32)
> names : *
> names: struct lsa_TransNameArray
> count : 0x00000002 (2)
> names : *
> names: ARRAY(2)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_USER (1)
> name: struct lsa_String
> length : 0x000a (10)
> size : 0x000a (10)
> string : *
> string : 'Guest'
> sid_index : 0x00000000 (0)
> names: struct lsa_TranslatedName
> sid_type : SID_NAME_DOM_GRP (2)
> name: struct lsa_String
> length : 0x001a (26)
> size : 0x001a (26)
> string : *
> string : 'Domain Guests'
> sid_index : 0x00000000 (0)
> count : *
> count : 0x00000002 (2)
> result : NT_STATUS_OK
>LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 2'
>FRISKDEMO\Guest (1); FRISKDEMO\Domain Guests (2);
>rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1.
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-550 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000081 (129) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 164 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00b4 (180) > auth_length : 0x0000 (0) > call_id : 0x00000081 (129) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x0000009c (156) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=156 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 1E 00 1E 00 ........ ........ >[0060] 14 00 02 00 00 00 00 00 0F 00 00 00 00 00 00 00 ........ ........ >[0070] 0F 00 00 00 50 00 72 00 69 00 6E 00 74 00 20 00 ....P.r. i.n.t. . >[0080] 4F 00 70 00 65 00 72 00 61 00 74 00 6F 00 72 00 O.p.e.r. a.t.o.r. >[0090] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... >Got pdu len 180, data_len 156 >rpc_api_pipe: got frag len of 180 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 156 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x001e (30) > size : 0x001e (30) > string : * > string : 'Print Operators' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Print Operators 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-551 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000082 (130) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 164 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00b4 (180) > auth_length : 0x0000 (0) > call_id : 0x00000082 (130) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x0000009c (156) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=156 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 20 00 20 00 ........ .... . . >[0060] 14 00 02 00 00 00 00 00 10 00 00 00 00 00 00 00 ........ ........ >[0070] 10 00 00 00 42 00 61 00 63 00 6B 00 75 00 70 00 ....B.a. c.k.u.p. >[0080] 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 6F 00 .O.p.e. r.a.t.o. >[0090] 72 00 73 00 01 00 00 00 00 00 00 00 r.s..... .... >Got pdu len 180, data_len 156 >rpc_api_pipe: got frag len of 180 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 156 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0020 (32) > size : 0x0020 (32) > string : * > string : 'Backup Operators' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Backup Operators 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-552 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000083 (131) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 152 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00a8 (168) > auth_length : 0x0000 (0) > call_id : 0x00000083 (131) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x00000090 (144) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=144 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 14 00 14 00 ........ ........ >[0060] 14 00 02 00 00 00 00 00 0A 00 00 00 00 00 00 00 ........ ........ >[0070] 0A 00 00 00 52 00 65 00 70 00 6C 00 69 00 63 00 ....R.e. p.l.i.c. >[0080] 61 00 74 00 6F 00 72 00 01 00 00 00 00 00 00 00 a.t.o.r. ........ >Got pdu len 168, data_len 144 >rpc_api_pipe: got frag len of 168 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 144 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0014 (20) > size : 0x0014 (20) > string : * > string : 'Replicator' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Replicator 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-555 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000084 (132) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 172 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00bc (188) > auth_length : 0x0000 (0) > call_id : 0x00000084 (132) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x000000a4 (164) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=164 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 28 00 28 00 ........ ....(.(. >[0060] 14 00 02 00 00 00 00 00 14 00 00 00 00 00 00 00 ........ ........ >[0070] 14 00 00 00 52 00 65 00 6D 00 6F 00 74 00 65 00 ....R.e. m.o.t.e. >[0080] 20 00 44 00 65 00 73 00 6B 00 74 00 6F 00 70 00 .D.e.s. k.t.o.p. >[0090] 20 00 55 00 73 00 65 00 72 00 73 00 01 00 00 00 .U.s.e. r.s..... >[00A0] 00 00 00 00 .... >Got pdu len 188, data_len 164 >rpc_api_pipe: got frag len of 188 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 164 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0028 (40) > size : 0x0028 (40) > string : * > string : 'Remote Desktop Users' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Remote Desktop Users 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1112 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 
0x00000085 (133) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 168 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00b8 (184) > auth_length : 0x0000 (0) > call_id : 0x00000085 (133) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000a0 (160) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=160 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 01 00 00 00 02 00 00 00 14 00 14 00 ........ ........ >[0070] 14 00 02 00 00 00 00 00 0A 00 00 00 00 00 00 00 ........ ........ >[0080] 0A 00 00 00 46 00 72 00 69 00 73 00 6B 00 55 00 ....F.r. i.s.k.U. >[0090] 73 00 65 00 72 00 73 00 01 00 00 00 00 00 00 00 s.e.r.s. ........ 
>Got pdu len 184, data_len 160 >rpc_api_pipe: got frag len of 184 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 160 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_DOM_GRP (2) > name: struct lsa_String > length : 0x0014 (20) > size : 0x0014 (20) > string : * > string : 'FriskUsers' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >FRISKDEMO\FriskUsers (2); >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-556 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000086 (134) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 196 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00d4 (212) > auth_length : 0x0000 (0) > call_id : 0x00000086 (134) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x000000bc (188) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=188 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 3E 00 3E 00 ........ ....>.>. >[0060] 14 00 02 00 00 00 00 00 1F 00 00 00 00 00 00 00 ........ ........ >[0070] 1F 00 00 00 4E 00 65 00 74 00 77 00 6F 00 72 00 ....N.e. t.w.o.r. >[0080] 6B 00 20 00 43 00 6F 00 6E 00 66 00 69 00 67 00 k. .C.o. n.f.i.g. >[0090] 75 00 72 00 61 00 74 00 69 00 6F 00 6E 00 20 00 u.r.a.t. i.o.n. . >[00A0] 4F 00 70 00 65 00 72 00 61 00 74 00 6F 00 72 00 O.p.e.r. a.t.o.r. >[00B0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... >Got pdu len 212, data_len 188 >rpc_api_pipe: got frag len of 212 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 188 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x003e (62) > size : 0x003e (62) > string : * > string : 'Network Configuration Operators' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Network Configuration Operators 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-558 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000087 (135) 
> u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 184 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00c8 (200) > auth_length : 0x0000 (0) > call_id : 0x00000087 (135) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000b0 (176) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=176 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 32 00 32 00 ........ ....2.2. >[0060] 14 00 02 00 00 00 00 00 19 00 00 00 00 00 00 00 ........ ........ >[0070] 19 00 00 00 50 00 65 00 72 00 66 00 6F 00 72 00 ....P.e. r.f.o.r. >[0080] 6D 00 61 00 6E 00 63 00 65 00 20 00 4D 00 6F 00 m.a.n.c. e. .M.o. >[0090] 6E 00 69 00 74 00 6F 00 72 00 20 00 55 00 73 00 n.i.t.o. r. .U.s. >[00A0] 65 00 72 00 73 00 00 00 01 00 00 00 00 00 00 00 e.r.s... ........ 
>Got pdu len 200, data_len 176 >rpc_api_pipe: got frag len of 200 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 176 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0032 (50) > size : 0x0032 (50) > string : * > string : 'Performance Monitor Users' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Performance Monitor Users 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-559 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000088 (136) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 176 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00c0 (192) > auth_length : 0x0000 (0) > call_id : 0x00000088 (136) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x000000a8 (168) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=168 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 2A 00 2A 00 ........ ....*.*. >[0060] 14 00 02 00 00 00 00 00 15 00 00 00 00 00 00 00 ........ ........ >[0070] 15 00 00 00 50 00 65 00 72 00 66 00 6F 00 72 00 ....P.e. r.f.o.r. >[0080] 6D 00 61 00 6E 00 63 00 65 00 20 00 4C 00 6F 00 m.a.n.c. e. .L.o. >[0090] 67 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 g. .U.s. e.r.s... >[00A0] 01 00 00 00 00 00 00 00 ........ >Got pdu len 192, data_len 168 >rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 168 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x002a (42) > size : 0x002a (42) > string : * > string : 'Performance Log Users' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Performance Log Users 4: rpccli_lsa_lookup_sids: processing items 0 -- 1 of 2. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000002 (2) > sids : * > sids: ARRAY(2) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-500 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1125 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 
(0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x00000089 (137) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000078 (120) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 224 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00f0 (240) > auth_length : 0x0000 (0) > call_id : 0x00000089 (137) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000d8 (216) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=216 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 02 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 02 00 00 00 01 00 00 00 1A 00 1A 00 ........ ........ >[0070] 14 00 02 00 00 00 00 00 01 00 00 00 14 00 14 00 ........ ........ >[0080] 18 00 02 00 00 00 00 00 0D 00 00 00 00 00 00 00 ........ ........ >[0090] 0D 00 00 00 41 00 64 00 6D 00 69 00 6E 00 69 00 ....A.d. m.i.n.i. 
>[00A0] 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 00 00 s.t.r.a. t.o.r... >[00B0] 0A 00 00 00 00 00 00 00 0A 00 00 00 66 00 72 00 ........ ....f.r. >[00C0] 69 00 73 00 6B 00 61 00 64 00 6D 00 69 00 6E 00 i.s.k.a. d.m.i.n. >[00D0] 02 00 00 00 00 00 00 00 ........ >Got pdu len 240, data_len 216 >rpc_api_pipe: got frag len of 240 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 216 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000002 (2) > names : * > names: ARRAY(2) > names: struct lsa_TranslatedName > sid_type : SID_NAME_USER (1) > name: struct lsa_String > length : 0x001a (26) > size : 0x001a (26) > string : * > string : 'Administrator' > sid_index : 0x00000000 (0) > names: struct lsa_TranslatedName > sid_type : SID_NAME_USER (1) > name: struct lsa_String > length : 0x0014 (20) > size : 0x0014 (20) > string : * > string : 'friskadmin' > sid_index : 0x00000000 (0) > count : * > count : 0x00000002 (2) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 2' >FRISKDEMO\Administrator (1); FRISKDEMO\friskadmin (1); >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-562 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000008a (138) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 176 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00c0 (192) > auth_length : 0x0000 (0) > call_id : 0x0000008a (138) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x000000a8 (168) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=168 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 2A 00 2A 00 ........ ....*.*. >[0060] 14 00 02 00 00 00 00 00 15 00 00 00 00 00 00 00 ........ ........ >[0070] 15 00 00 00 44 00 69 00 73 00 74 00 72 00 69 00 ....D.i. s.t.r.i. >[0080] 62 00 75 00 74 00 65 00 64 00 20 00 43 00 4F 00 b.u.t.e. d. .C.O. >[0090] 4D 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 M. .U.s. e.r.s... >[00A0] 01 00 00 00 00 00 00 00 ........ >Got pdu len 192, data_len 168 >rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 168 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x002a (42) > size : 0x002a (42) > string : * > string : 'Distributed COM Users' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Distributed COM Users 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-568 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000008b (139) > u : union 
dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 152 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00a8 (168) > auth_length : 0x0000 (0) > call_id : 0x0000008b (139) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000090 (144) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=144 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 12 00 12 00 ........ ........ >[0060] 14 00 02 00 00 00 00 00 09 00 00 00 00 00 00 00 ........ ........ >[0070] 09 00 00 00 49 00 49 00 53 00 5F 00 49 00 55 00 ....I.I. S._.I.U. >[0080] 53 00 52 00 53 00 00 00 01 00 00 00 00 00 00 00 S.R.S... ........ >Got pdu len 168, data_len 144 >rpc_api_pipe: got frag len of 168 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 144 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0012 (18) > size : 0x0012 (18) > string : * > string : 'IIS_IUSRS' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\IIS_IUSRS 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-569 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000008c (140) > u : union dcerpc_payload(case 0) > 
request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 180 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00c4 (196) > auth_length : 0x0000 (0) > call_id : 0x0000008c (140) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000ac (172) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=172 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 2E 00 2E 00 ........ ........ >[0060] 14 00 02 00 00 00 00 00 17 00 00 00 00 00 00 00 ........ ........ >[0070] 17 00 00 00 43 00 72 00 79 00 70 00 74 00 6F 00 ....C.r. y.p.t.o. >[0080] 67 00 72 00 61 00 70 00 68 00 69 00 63 00 20 00 g.r.a.p. h.i.c. . >[0090] 4F 00 70 00 65 00 72 00 61 00 74 00 6F 00 72 00 O.p.e.r. a.t.o.r. >[00A0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... 
>Got pdu len 196, data_len 172 >rpc_api_pipe: got frag len of 196 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 172 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x002e (46) > size : 0x002e (46) > string : * > string : 'Cryptographic Operators' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Cryptographic Operators 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-573 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000008d (141) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 168 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00b8 (184) > auth_length : 0x0000 (0) > call_id : 0x0000008d (141) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x000000a0 (160) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=160 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 22 00 22 00 ........ ....".". >[0060] 14 00 02 00 00 00 00 00 11 00 00 00 00 00 00 00 ........ ........ >[0070] 11 00 00 00 45 00 76 00 65 00 6E 00 74 00 20 00 ....E.v. e.n.t. . >[0080] 4C 00 6F 00 67 00 20 00 52 00 65 00 61 00 64 00 L.o.g. . R.e.a.d. >[0090] 65 00 72 00 73 00 00 00 01 00 00 00 00 00 00 00 e.r.s... ........ >Got pdu len 184, data_len 160 >rpc_api_pipe: got frag len of 184 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 160 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0022 (34) > size : 0x0022 (34) > string : * > string : 'Event Log Readers' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Event Log Readers 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-574 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000008e (142) > u : union 
dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 196 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00d4 (212) > auth_length : 0x0000 (0) > call_id : 0x0000008e (142) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000bc (188) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=188 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 3E 00 3E 00 ........ ....>.>. >[0060] 14 00 02 00 00 00 00 00 1F 00 00 00 00 00 00 00 ........ ........ >[0070] 1F 00 00 00 43 00 65 00 72 00 74 00 69 00 66 00 ....C.e. r.t.i.f. >[0080] 69 00 63 00 61 00 74 00 65 00 20 00 53 00 65 00 i.c.a.t. e. .S.e. >[0090] 72 00 76 00 69 00 63 00 65 00 20 00 44 00 43 00 r.v.i.c. e. .D.C. >[00A0] 4F 00 4D 00 20 00 41 00 63 00 63 00 65 00 73 00 O.M. .A. c.c.e.s. >[00B0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... 
.... >Got pdu len 212, data_len 188 >rpc_api_pipe: got frag len of 212 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 188 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x003e (62) > size : 0x003e (62) > string : * > string : 'Certificate Service DCOM Access' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Certificate Service DCOM Access 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-575 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000008f (143) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 184 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00c8 (200) > auth_length : 0x0000 (0) > call_id : 0x0000008f (143) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x000000b0 (176) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=176 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 32 00 32 00 ........ ....2.2. >[0060] 14 00 02 00 00 00 00 00 19 00 00 00 00 00 00 00 ........ ........ >[0070] 19 00 00 00 52 00 44 00 53 00 20 00 52 00 65 00 ....R.D. S. .R.e. >[0080] 6D 00 6F 00 74 00 65 00 20 00 41 00 63 00 63 00 m.o.t.e. .A.c.c. >[0090] 65 00 73 00 73 00 20 00 53 00 65 00 72 00 76 00 e.s.s. . S.e.r.v. >[00A0] 65 00 72 00 73 00 00 00 01 00 00 00 00 00 00 00 e.r.s... ........ >Got pdu len 200, data_len 176 >rpc_api_pipe: got frag len of 200 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 176 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0032 (50) > size : 0x0032 (50) > string : * > string : 'RDS Remote Access Servers' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\RDS Remote Access Servers 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1000 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > 
call_id : 0x00000090 (144) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 172 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00bc (188) > auth_length : 0x0000 (0) > call_id : 0x00000090 (144) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000a4 (164) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=164 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 01 00 00 00 01 00 00 00 18 00 18 00 ........ ........ >[0070] 14 00 02 00 00 00 00 00 0C 00 00 00 00 00 00 00 ........ ........ >[0080] 0C 00 00 00 46 00 52 00 49 00 53 00 4B 00 44 00 ....F.R. I.S.K.D. >[0090] 45 00 4D 00 4F 00 30 00 31 00 24 00 01 00 00 00 E.M.O.0. 1.$..... >[00A0] 00 00 00 00 .... 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-554 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000009a (154) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 200 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00d8 (216) > auth_length : 0x0000 (0) > call_id : 0x0000009a (154) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x000000c0 (192) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=192 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 44 00 44 00 ........ ....D.D. >[0060] 14 00 02 00 00 00 00 00 22 00 00 00 00 00 00 00 ........ "....... >[0070] 22 00 00 00 50 00 72 00 65 00 2D 00 57 00 69 00 "...P.r. e.-.W.i. >[0080] 6E 00 64 00 6F 00 77 00 73 00 20 00 32 00 30 00 n.d.o.w. s. .2.0. >[0090] 30 00 30 00 20 00 43 00 6F 00 6D 00 70 00 61 00 0.0. .C. o.m.p.a. >[00A0] 74 00 69 00 62 00 6C 00 65 00 20 00 41 00 63 00 t.i.b.l. e. .A.c. >[00B0] 63 00 65 00 73 00 73 00 01 00 00 00 00 00 00 00 c.e.s.s. ........ >Got pdu len 216, data_len 192 >rpc_api_pipe: got frag len of 216 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 192 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0044 (68) > size : 0x0044 (68) > string : * > string : 'Pre-Windows 2000 Compatible Access' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Pre-Windows 2000 Compatible Access 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-11 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000009b 
(155) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000044 (68) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 176 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00c0 (192) > auth_length : 0x0000 (0) > call_id : 0x0000009b (155) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000a8 (168) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=168 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 18 00 1A 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0D 00 00 00 00 00 00 00 0C 00 00 00 4E 00 54 00 ........ ....N.T. >[0030] 20 00 41 00 55 00 54 00 48 00 4F 00 52 00 49 00 .A.U.T. H.O.R.I. >[0040] 54 00 59 00 00 00 00 00 01 00 00 00 00 00 00 05 T.Y..... ........ >[0050] 01 00 00 00 10 00 02 00 01 00 00 00 05 00 00 00 ........ ........ >[0060] 26 00 28 00 14 00 02 00 00 00 00 00 14 00 00 00 &.(..... ........ >[0070] 00 00 00 00 13 00 00 00 41 00 75 00 74 00 68 00 ........ A.u.t.h. >[0080] 65 00 6E 00 74 00 69 00 63 00 61 00 74 00 65 00 e.n.t.i. c.a.t.e. >[0090] 64 00 20 00 55 00 73 00 65 00 72 00 73 00 00 00 d. .U.s. e.r.s... >[00A0] 01 00 00 00 00 00 00 00 ........ 
>Got pdu len 192, data_len 168 >rpc_api_pipe: got frag len of 192 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 168 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0018 (24) > size : 0x001a (26) > string : * > string : 'NT AUTHORITY' > sid : * > sid : S-1-5 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_WKN_GRP (5) > name: struct lsa_String > length : 0x0026 (38) > size : 0x0028 (40) > string : * > string : 'Authenticated Users' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >NT AUTHORITY\Authenticated Users (5); >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-557 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000009c (156) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 192 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00d0 (208) > auth_length : 0x0000 (0) > call_id : 0x0000009c (156) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x000000b8 (184) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=184 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 3C 00 3C 00 ........ ....<.<. >[0060] 14 00 02 00 00 00 00 00 1E 00 00 00 00 00 00 00 ........ ........ >[0070] 1E 00 00 00 49 00 6E 00 63 00 6F 00 6D 00 69 00 ....I.n. c.o.m.i. >[0080] 6E 00 67 00 20 00 46 00 6F 00 72 00 65 00 73 00 n.g. .F. o.r.e.s. >[0090] 74 00 20 00 54 00 72 00 75 00 73 00 74 00 20 00 t. .T.r. u.s.t. . >[00A0] 42 00 75 00 69 00 6C 00 64 00 65 00 72 00 73 00 B.u.i.l. d.e.r.s. >[00B0] 01 00 00 00 00 00 00 00 ........ >Got pdu len 208, data_len 184 >rpc_api_pipe: got frag len of 208 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 184 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x003c (60) > size : 0x003c (60) > string : * > string : 'Incoming Forest Trust Builders' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Incoming Forest Trust Builders 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-560 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000009d (157) > 
u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 200 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00d8 (216) > auth_length : 0x0000 (0) > call_id : 0x0000009d (157) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000c0 (192) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=192 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 44 00 44 00 ........ ....D.D. >[0060] 14 00 02 00 00 00 00 00 22 00 00 00 00 00 00 00 ........ "....... >[0070] 22 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 "...W.i. n.d.o.w. >[0080] 73 00 20 00 41 00 75 00 74 00 68 00 6F 00 72 00 s. .A.u. t.h.o.r. >[0090] 69 00 7A 00 61 00 74 00 69 00 6F 00 6E 00 20 00 i.z.a.t. i.o.n. . >[00A0] 41 00 63 00 63 00 65 00 73 00 73 00 20 00 47 00 A.c.c.e. s.s. .G. 
>[00B0] 72 00 6F 00 75 00 70 00 01 00 00 00 00 00 00 00 r.o.u.p. ........ >Got pdu len 216, data_len 192 >rpc_api_pipe: got frag len of 216 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 192 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0044 (68) > size : 0x0044 (68) > string : * > string : 'Windows Authorization Access Group' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Windows Authorization Access Group 4: rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-9 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x0000009e (158) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000044 (68) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 196 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00d4 (212) > auth_length : 0x0000 (0) > call_id : 0x0000009e (158) > u : union dcerpc_payload(case 2) > response: struct 
dcerpc_response > alloc_hint : 0x000000bc (188) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=188 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 18 00 1A 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0D 00 00 00 00 00 00 00 0C 00 00 00 4E 00 54 00 ........ ....N.T. >[0030] 20 00 41 00 55 00 54 00 48 00 4F 00 52 00 49 00 .A.U.T. H.O.R.I. >[0040] 54 00 59 00 00 00 00 00 01 00 00 00 00 00 00 05 T.Y..... ........ >[0050] 01 00 00 00 10 00 02 00 01 00 00 00 05 00 00 00 ........ ........ >[0060] 3A 00 3C 00 14 00 02 00 00 00 00 00 1E 00 00 00 :.<..... ........ >[0070] 00 00 00 00 1D 00 00 00 45 00 4E 00 54 00 45 00 ........ E.N.T.E. >[0080] 52 00 50 00 52 00 49 00 53 00 45 00 20 00 44 00 R.P.R.I. S.E. .D. >[0090] 4F 00 4D 00 41 00 49 00 4E 00 20 00 43 00 4F 00 O.M.A.I. N. .C.O. >[00A0] 4E 00 54 00 52 00 4F 00 4C 00 4C 00 45 00 52 00 N.T.R.O. L.L.E.R. >[00B0] 53 00 00 00 01 00 00 00 00 00 00 00 S....... .... >Got pdu len 212, data_len 188 >rpc_api_pipe: got frag len of 212 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 188 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0018 (24) > size : 0x001a (26) > string : * > string : 'NT AUTHORITY' > sid : * > sid : S-1-5 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_WKN_GRP (5) > name: struct lsa_String > length : 0x003a (58) > size : 0x003c (60) > string : * > string : 'ENTERPRISE DOMAIN CONTROLLERS' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS (5); >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-32-561 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 
0x0000009f (159) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 196 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00d4 (212) > auth_length : 0x0000 (0) > call_id : 0x0000009f (159) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000bc (188) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=188 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 0E 00 10 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 08 00 00 00 00 00 00 00 07 00 00 00 42 00 55 00 ........ ....B.U. >[0030] 49 00 4C 00 54 00 49 00 4E 00 00 00 01 00 00 00 I.L.T.I. N....... >[0040] 01 01 00 00 00 00 00 05 20 00 00 00 01 00 00 00 ........ ....... >[0050] 10 00 02 00 01 00 00 00 04 00 00 00 3E 00 3E 00 ........ ....>.>. >[0060] 14 00 02 00 00 00 00 00 1F 00 00 00 00 00 00 00 ........ ........ >[0070] 1F 00 00 00 54 00 65 00 72 00 6D 00 69 00 6E 00 ....T.e. r.m.i.n. >[0080] 61 00 6C 00 20 00 53 00 65 00 72 00 76 00 65 00 a.l. .S. e.r.v.e. >[0090] 72 00 20 00 4C 00 69 00 63 00 65 00 6E 00 73 00 r. .L.i. c.e.n.s. >[00A0] 65 00 20 00 53 00 65 00 72 00 76 00 65 00 72 00 e. .S.e. r.v.e.r. 
>[00B0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... >Got pdu len 212, data_len 188 >rpc_api_pipe: got frag len of 212 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 188 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x000e (14) > size : 0x0010 (16) > string : * > string : 'BUILTIN' > sid : * > sid : S-1-5-32 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x003e (62) > size : 0x003e (62) > string : * > string : 'Terminal Server License Servers' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >BUILTIN\Terminal Server License Servers 4: rpccli_lsa_lookup_sids: processing items 0 -- 1 of 2. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000002 (2) > sids : * > sids: ARRAY(2) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1000 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-20 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000a0 (160) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000068 (104) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 292 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0134 (308) > auth_length : 0x0000 (0) > 
call_id : 0x000000a0 (160) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000011c (284) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=284 >[0000] 00 00 02 00 02 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 02 00 00 00 18 00 1A 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 12 00 14 00 10 00 02 00 14 00 02 00 0D 00 00 00 ........ ........ >[0030] 00 00 00 00 0C 00 00 00 4E 00 54 00 20 00 41 00 ........ N.T. .A. >[0040] 55 00 54 00 48 00 4F 00 52 00 49 00 54 00 59 00 U.T.H.O. R.I.T.Y. >[0050] 00 00 00 00 01 00 00 00 00 00 00 05 0A 00 00 00 ........ ........ >[0060] 00 00 00 00 09 00 00 00 46 00 52 00 49 00 53 00 ........ F.R.I.S. >[0070] 4B 00 44 00 45 00 4D 00 4F 00 00 00 04 00 00 00 K.D.E.M. O....... >[0080] 01 04 00 00 00 00 00 05 15 00 00 00 9C 35 33 51 ........ .....53Q >[0090] 19 74 23 9A D3 83 E6 CA 02 00 00 00 18 00 02 00 .t#..... ........ >[00A0] 02 00 00 00 01 00 00 00 18 00 18 00 1C 00 02 00 ........ ........ >[00B0] 01 00 00 00 05 00 00 00 1E 00 20 00 20 00 02 00 ........ .. . ... >[00C0] 00 00 00 00 0C 00 00 00 00 00 00 00 0C 00 00 00 ........ ........ >[00D0] 46 00 52 00 49 00 53 00 4B 00 44 00 45 00 4D 00 F.R.I.S. K.D.E.M. >[00E0] 4F 00 30 00 31 00 24 00 10 00 00 00 00 00 00 00 O.0.1.$. ........ >[00F0] 0F 00 00 00 4E 00 45 00 54 00 57 00 4F 00 52 00 ....N.E. T.W.O.R. >[0100] 4B 00 20 00 53 00 45 00 52 00 56 00 49 00 43 00 K. .S.E. R.V.I.C. >[0110] 45 00 00 00 02 00 00 00 00 00 00 00 E....... .... >Got pdu len 308, data_len 284 >rpc_api_pipe: got frag len of 308 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 284 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000002 (2) > domains : * > domains: ARRAY(2) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0018 (24) > size : 0x001a (26) > string : * > string : 'NT AUTHORITY' > sid : * > sid : S-1-5 > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000002 (2) > names : * > names: ARRAY(2) > names: struct lsa_TranslatedName > sid_type : SID_NAME_USER (1) > name: struct lsa_String > length : 0x0018 (24) > size : 0x0018 (24) > string : * > string : 'FRISKDEMO01$' > sid_index : 0x00000001 (1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_WKN_GRP (5) > name: struct lsa_String > length : 0x001e (30) > size : 0x0020 (32) > string : * > string : 'NETWORK SERVICE' > sid_index : 0x00000000 (0) > count : * > count : 0x00000002 (2) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 2' >FRISKDEMO\FRISKDEMO01$ (1); NT AUTHORITY\NETWORK SERVICE (5); >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-517 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000a1 (161) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 180 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00c4 (196) > auth_length : 0x0000 (0) > call_id : 0x000000a1 (161) > u : union 
dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000ac (172) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=172 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 01 00 00 00 04 00 00 00 1E 00 1E 00 ........ ........ >[0070] 14 00 02 00 00 00 00 00 0F 00 00 00 00 00 00 00 ........ ........ >[0080] 0F 00 00 00 43 00 65 00 72 00 74 00 20 00 50 00 ....C.e. r.t. .P. >[0090] 75 00 62 00 6C 00 69 00 73 00 68 00 65 00 72 00 u.b.l.i. s.h.e.r. >[00A0] 73 00 00 00 01 00 00 00 00 00 00 00 s....... .... >Got pdu len 196, data_len 172 >rpc_api_pipe: got frag len of 196 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 172 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x001e (30) > size : 0x001e (30) > string : * > string : 'Cert Publishers' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >FRISKDEMO\Cert Publishers 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-553 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 
0x0000 (0) > call_id : 0x000000a2 (162) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 188 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00cc (204) > auth_length : 0x0000 (0) > call_id : 0x000000a2 (162) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000b4 (180) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=180 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 01 00 00 00 04 00 00 00 26 00 26 00 ........ ....&.&. >[0070] 14 00 02 00 00 00 00 00 13 00 00 00 00 00 00 00 ........ ........ >[0080] 13 00 00 00 52 00 41 00 53 00 20 00 61 00 6E 00 ....R.A. S. .a.n. >[0090] 64 00 20 00 49 00 41 00 53 00 20 00 53 00 65 00 d. .I.A. S. .S.e. >[00A0] 72 00 76 00 65 00 72 00 73 00 00 00 01 00 00 00 r.v.e.r. s....... 
>[00B0] 00 00 00 00 .... >Got pdu len 204, data_len 180 >rpc_api_pipe: got frag len of 204 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 180 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0026 (38) > size : 0x0026 (38) > string : * > string : 'RAS and IAS Servers' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >FRISKDEMO\RAS and IAS Servers 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-571 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000a3 (163) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 228 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00f4 (244) > auth_length : 0x0000 (0) > call_id : 0x000000a3 (163) > u : union 
dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000dc (220) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=220 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 01 00 00 00 04 00 00 00 4E 00 4E 00 ........ ....N.N. >[0070] 14 00 02 00 00 00 00 00 27 00 00 00 00 00 00 00 ........ '....... >[0080] 27 00 00 00 41 00 6C 00 6C 00 6F 00 77 00 65 00 '...A.l. l.o.w.e. >[0090] 64 00 20 00 52 00 4F 00 44 00 43 00 20 00 50 00 d. .R.O. D.C. .P. >[00A0] 61 00 73 00 73 00 77 00 6F 00 72 00 64 00 20 00 a.s.s.w. o.r.d. . >[00B0] 52 00 65 00 70 00 6C 00 69 00 63 00 61 00 74 00 R.e.p.l. i.c.a.t. >[00C0] 69 00 6F 00 6E 00 20 00 47 00 72 00 6F 00 75 00 i.o.n. . G.r.o.u. >[00D0] 70 00 00 00 01 00 00 00 00 00 00 00 p....... .... >Got pdu len 244, data_len 220 >rpc_api_pipe: got frag len of 244 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 220 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x004e (78) > size : 0x004e (78) > string : * > string : 'Allowed RODC Password Replication Group' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >FRISKDEMO\Allowed RODC Password Replication Group 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-572 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000a4 (164) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 224 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00f0 (240) > auth_length : 0x0000 (0) > call_id : 0x000000a4 (164) > u : union 
dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000d8 (216) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=216 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 01 00 00 00 04 00 00 00 4C 00 4C 00 ........ ....L.L. >[0070] 14 00 02 00 00 00 00 00 26 00 00 00 00 00 00 00 ........ &....... >[0080] 26 00 00 00 44 00 65 00 6E 00 69 00 65 00 64 00 &...D.e. n.i.e.d. >[0090] 20 00 52 00 4F 00 44 00 43 00 20 00 50 00 61 00 .R.O.D. C. .P.a. >[00A0] 73 00 73 00 77 00 6F 00 72 00 64 00 20 00 52 00 s.s.w.o. r.d. .R. >[00B0] 65 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 e.p.l.i. c.a.t.i. >[00C0] 6F 00 6E 00 20 00 47 00 72 00 6F 00 75 00 70 00 o.n. .G. r.o.u.p. >[00D0] 01 00 00 00 00 00 00 00 ........ >Got pdu len 240, data_len 216 >rpc_api_pipe: got frag len of 240 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 216 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x004c (76) > size : 0x004c (76) > string : * > string : 'Denied RODC Password Replication Group' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >FRISKDEMO\Denied RODC Password Replication Group 4: rpccli_lsa_lookup_sids: processing items 0 -- 7 of 8. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000008 (8) > sids : * > sids: ARRAY(8) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-502 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-516 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-518 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-519 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-517 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-512 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-520 > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-521 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000a5 (165) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000150 (336) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: 
host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 628 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0284 (644) > auth_length : 0x0000 (0) > call_id : 0x000000a5 (165) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x0000026c (620) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=620 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 08 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 08 00 00 00 01 00 00 00 0C 00 0C 00 ........ ........ >[0070] 14 00 02 00 00 00 00 00 02 00 00 00 24 00 24 00 ........ ....$.$. >[0080] 18 00 02 00 00 00 00 00 02 00 00 00 1A 00 1A 00 ........ ........ >[0090] 1C 00 02 00 00 00 00 00 02 00 00 00 22 00 22 00 ........ ....".". >[00A0] 20 00 02 00 00 00 00 00 04 00 00 00 1E 00 1E 00 ....... ........ >[00B0] 24 00 02 00 00 00 00 00 02 00 00 00 1A 00 1A 00 $....... ........ >[00C0] 28 00 02 00 00 00 00 00 02 00 00 00 36 00 36 00 (....... ....6.6. >[00D0] 2C 00 02 00 00 00 00 00 02 00 00 00 38 00 38 00 ,....... ....8.8. >[00E0] 30 00 02 00 00 00 00 00 06 00 00 00 00 00 00 00 0....... ........ 
>[00F0] 06 00 00 00 6B 00 72 00 62 00 74 00 67 00 74 00 ....k.r. b.t.g.t. >[0100] 12 00 00 00 00 00 00 00 12 00 00 00 44 00 6F 00 ........ ....D.o. >[0110] 6D 00 61 00 69 00 6E 00 20 00 43 00 6F 00 6E 00 m.a.i.n. .C.o.n. >[0120] 74 00 72 00 6F 00 6C 00 6C 00 65 00 72 00 73 00 t.r.o.l. l.e.r.s. >[0130] 0D 00 00 00 00 00 00 00 0D 00 00 00 53 00 63 00 ........ ....S.c. >[0140] 68 00 65 00 6D 00 61 00 20 00 41 00 64 00 6D 00 h.e.m.a. .A.d.m. >[0150] 69 00 6E 00 73 00 00 00 11 00 00 00 00 00 00 00 i.n.s... ........ >[0160] 11 00 00 00 45 00 6E 00 74 00 65 00 72 00 70 00 ....E.n. t.e.r.p. >[0170] 72 00 69 00 73 00 65 00 20 00 41 00 64 00 6D 00 r.i.s.e. .A.d.m. >[0180] 69 00 6E 00 73 00 00 00 0F 00 00 00 00 00 00 00 i.n.s... ........ >[0190] 0F 00 00 00 43 00 65 00 72 00 74 00 20 00 50 00 ....C.e. r.t. .P. >[01A0] 75 00 62 00 6C 00 69 00 73 00 68 00 65 00 72 00 u.b.l.i. s.h.e.r. >[01B0] 73 00 00 00 0D 00 00 00 00 00 00 00 0D 00 00 00 s....... ........ >[01C0] 44 00 6F 00 6D 00 61 00 69 00 6E 00 20 00 41 00 D.o.m.a. i.n. .A. >[01D0] 64 00 6D 00 69 00 6E 00 73 00 00 00 1B 00 00 00 d.m.i.n. s....... >[01E0] 00 00 00 00 1B 00 00 00 47 00 72 00 6F 00 75 00 ........ G.r.o.u. >[01F0] 70 00 20 00 50 00 6F 00 6C 00 69 00 63 00 79 00 p. .P.o. l.i.c.y. >[0200] 20 00 43 00 72 00 65 00 61 00 74 00 6F 00 72 00 .C.r.e. a.t.o.r. >[0210] 20 00 4F 00 77 00 6E 00 65 00 72 00 73 00 00 00 .O.w.n. e.r.s... >[0220] 1C 00 00 00 00 00 00 00 1C 00 00 00 52 00 65 00 ........ ....R.e. >[0230] 61 00 64 00 2D 00 6F 00 6E 00 6C 00 79 00 20 00 a.d.-.o. n.l.y. . >[0240] 44 00 6F 00 6D 00 61 00 69 00 6E 00 20 00 43 00 D.o.m.a. i.n. .C. >[0250] 6F 00 6E 00 74 00 72 00 6F 00 6C 00 6C 00 65 00 o.n.t.r. o.l.l.e. >[0260] 72 00 73 00 08 00 00 00 00 00 00 00 r.s..... .... >Got pdu len 644, data_len 620 >rpc_api_pipe: got frag len of 644 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 620 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000008 (8) > names : * > names: ARRAY(8) > names: struct lsa_TranslatedName > sid_type : SID_NAME_USER (1) > name: struct lsa_String > length : 0x000c (12) > size : 0x000c (12) > string : * > string : 'krbtgt' > sid_index : 0x00000000 (0) > names: struct lsa_TranslatedName > sid_type : SID_NAME_DOM_GRP (2) > name: struct lsa_String > length : 0x0024 (36) > size : 0x0024 (36) > string : * > string : 'Domain Controllers' > sid_index : 0x00000000 (0) > names: struct lsa_TranslatedName > sid_type : SID_NAME_DOM_GRP (2) > name: struct lsa_String > length : 0x001a (26) > size : 0x001a (26) > string : * > string : 'Schema Admins' > sid_index : 0x00000000 (0) > names: struct lsa_TranslatedName > sid_type : SID_NAME_DOM_GRP (2) > name: struct lsa_String > length : 0x0022 (34) > size : 0x0022 (34) > string : * > string : 'Enterprise Admins' > sid_index : 0x00000000 (0) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x001e (30) > size : 0x001e (30) > string : * > string : 'Cert Publishers' > sid_index : 0x00000000 (0) > names: struct lsa_TranslatedName > sid_type : SID_NAME_DOM_GRP (2) > name: struct lsa_String > length : 0x001a (26) > size : 0x001a (26) > string : * > string : 'Domain Admins' > sid_index : 0x00000000 (0) > names: struct lsa_TranslatedName > sid_type : SID_NAME_DOM_GRP (2) > name: struct lsa_String > length : 0x0036 (54) > size : 0x0036 (54) > string : * > string : 'Group Policy Creator Owners' > sid_index : 0x00000000 (0) > 
names: struct lsa_TranslatedName > sid_type : SID_NAME_DOM_GRP (2) > name: struct lsa_String > length : 0x0038 (56) > size : 0x0038 (56) > string : * > string : 'Read-only Domain Controllers' > sid_index : 0x00000000 (0) > count : * > count : 0x00000008 (8) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 8' >FRISKDEMO\krbtgt (1); FRISKDEMO\Domain Controllers (2); FRISKDEMO\Schema Admins (2); FRISKDEMO\Enterprise Admins (2); FRISKDEMO\Cert Publishers (4); FRISKDEMO\Domain Admins (2); FRISKDEMO\Group Policy Creator Owners (2); FRISKDEMO\Read-only Domain Controllers (2); >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1101 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000a6 (166) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB 
length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 168 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00b8 (184) > auth_length : 0x0000 (0) > call_id : 0x000000a6 (166) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000a0 (160) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=160 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 01 00 00 00 04 00 00 00 12 00 12 00 ........ ........ >[0070] 14 00 02 00 00 00 00 00 09 00 00 00 00 00 00 00 ........ ........ >[0080] 09 00 00 00 44 00 6E 00 73 00 41 00 64 00 6D 00 ....D.n. s.A.d.m. >[0090] 69 00 6E 00 73 00 00 00 01 00 00 00 00 00 00 00 i.n.s... ........ >Got pdu len 184, data_len 160 >rpc_api_pipe: got frag len of 184 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 160 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0012 (18) > size : 0x0012 (18) > string : * > string : 'DnsAdmins' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >FRISKDEMO\DnsAdmins 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. > lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1127 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > 
call_id : 0x000000a7 (167) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 188 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00cc (204) > auth_length : 0x0000 (0) > call_id : 0x000000a7 (167) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000b4 (180) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=180 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 01 00 00 00 04 00 00 00 26 00 26 00 ........ ....&.&. >[0070] 14 00 02 00 00 00 00 00 13 00 00 00 00 00 00 00 ........ ........ >[0080] 13 00 00 00 48 00 65 00 6C 00 70 00 4C 00 69 00 ....H.e. l.p.L.i. >[0090] 62 00 72 00 61 00 72 00 79 00 55 00 70 00 64 00 b.r.a.r. y.U.p.d. >[00A0] 61 00 74 00 65 00 72 00 73 00 00 00 01 00 00 00 a.t.e.r. s....... 
>[00B0] 00 00 00 00 .... >Got pdu len 204, data_len 180 >rpc_api_pipe: got frag len of 204 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 180 bytes. > lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x0026 (38) > size : 0x0026 (38) > string : * > string : 'HelpLibraryUpdaters' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >FRISKDEMO\HelpLibraryUpdaters 4: >rpccli_lsa_lookup_sids: processing items 0 -- 0 of 1. 
> lsa_LookupSids: struct lsa_LookupSids > in: struct lsa_LookupSids > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > sids : * > sids: struct lsa_SidArray > num_sids : 0x00000001 (1) > sids : * > sids: ARRAY(1) > sids: struct lsa_SidPtr > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659-1130 > names : * > names: struct lsa_TransNameArray > count : 0x00000000 (0) > names : NULL > level : LSA_LOOKUP_NAMES_ALL (1) > count : * > count : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000a8 (168) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 228 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x00f4 (244) > auth_length : 0x0000 (0) > call_id : 0x000000a8 (168) > u : union 
dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000dc (220) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=220 >[0000] 00 00 02 00 01 00 00 00 04 00 02 00 20 00 00 00 ........ .... ... >[0010] 01 00 00 00 12 00 14 00 08 00 02 00 0C 00 02 00 ........ ........ >[0020] 0A 00 00 00 00 00 00 00 09 00 00 00 46 00 52 00 ........ ....F.R. >[0030] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 00 00 I.S.K.D. E.M.O... >[0040] 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 00 ........ ........ >[0050] 9C 35 33 51 19 74 23 9A D3 83 E6 CA 01 00 00 00 .53Q.t#. ........ >[0060] 10 00 02 00 01 00 00 00 04 00 00 00 4E 00 4E 00 ........ ....N.N. >[0070] 14 00 02 00 00 00 00 00 27 00 00 00 00 00 00 00 ........ '....... >[0080] 27 00 00 00 53 00 51 00 4C 00 53 00 65 00 72 00 '...S.Q. L.S.e.r. >[0090] 76 00 65 00 72 00 32 00 30 00 30 00 35 00 53 00 v.e.r.2. 0.0.5.S. >[00A0] 51 00 4C 00 42 00 72 00 6F 00 77 00 73 00 65 00 Q.L.B.r. o.w.s.e. >[00B0] 72 00 55 00 73 00 65 00 72 00 24 00 46 00 52 00 r.U.s.e. r.$.F.R. >[00C0] 49 00 53 00 4B 00 44 00 45 00 4D 00 4F 00 30 00 I.S.K.D. E.M.O.0. >[00D0] 31 00 00 00 01 00 00 00 00 00 00 00 1....... .... >Got pdu len 244, data_len 220 >rpc_api_pipe: got frag len of 244 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 220 bytes. 
> lsa_LookupSids: struct lsa_LookupSids > out: struct lsa_LookupSids > domains : * > domains : * > domains: struct lsa_RefDomainList > count : 0x00000001 (1) > domains : * > domains: ARRAY(1) > domains: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > max_size : 0x00000020 (32) > names : * > names: struct lsa_TransNameArray > count : 0x00000001 (1) > names : * > names: ARRAY(1) > names: struct lsa_TranslatedName > sid_type : SID_NAME_ALIAS (4) > name: struct lsa_String > length : 0x004e (78) > size : 0x004e (78) > string : * > string : 'SQLServer2005SQLBrowserUser$FRISKDEMO01' > sid_index : 0x00000000 (0) > count : * > count : 0x00000001 (1) > result : NT_STATUS_OK >LSA_LOOKUPSIDS returned status: 'NT_STATUS_OK', result: 'NT_STATUS_OK', mapped count = 1' >FRISKDEMO\SQLServer2005SQLBrowserUser$FRISKDEMO01 4: > lsa_Close: struct lsa_Close > in: struct lsa_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 85d418bc-dff3-49c7-b74f-d33be58e5c69 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000a9 (169) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0000 (0) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 
message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x000000a9 (169) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. 
> lsa_Close: struct lsa_Close > out: struct lsa_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK >rpc command function succedded >signed SMB2 message >signed SMB2 message >Connecting to 10.10.11.1 at port 445 >Socket options: > SO_KEEPALIVE = 0 > SO_REUSEADDR = 0 > SO_BROADCAST = 0 > TCP_NODELAY = 1 > TCP_KEEPCNT = 9 > TCP_KEEPIDLE = 7200 > TCP_KEEPINTVL = 75 > IPTOS_LOWDELAY = 0 > IPTOS_THROUGHPUT = 0 > SO_REUSEPORT = 0 > SO_SNDBUF = 168960 > SO_RCVBUF = 372480 > SO_SNDLOWAT = 1 > SO_RCVLOWAT = 1 > SO_SNDTIMEO = 0 > SO_RCVTIMEO = 0 > TCP_QUICKACK = 1 > TCP_DEFER_ACCEPT = 0 >Doing spnego session setup (blob length=120) >got OID=1.3.6.1.4.1.311.2.2.30 >got OID=1.2.840.48018.1.2.2 >got OID=1.2.840.113554.1.2.2 >got OID=1.2.840.113554.1.2.2.3 >got OID=1.3.6.1.4.1.311.2.2.10 >got principal=not_defined_in_RFC4178@please_ignore >Starting GENSEC mechanism spnego >Starting GENSEC submechanism ntlmssp > negotiate: struct NEGOTIATE_MESSAGE > Signature : 'NTLMSSP' > MessageType : NtLmNegotiate (1) > NegotiateFlags : 0x62088215 (1644724757) > 1: NTLMSSP_NEGOTIATE_UNICODE > 0: NTLMSSP_NEGOTIATE_OEM > 1: NTLMSSP_REQUEST_TARGET > 1: NTLMSSP_NEGOTIATE_SIGN > 0: NTLMSSP_NEGOTIATE_SEAL > 0: NTLMSSP_NEGOTIATE_DATAGRAM > 0: NTLMSSP_NEGOTIATE_LM_KEY > 0: NTLMSSP_NEGOTIATE_NETWARE > 1: NTLMSSP_NEGOTIATE_NTLM > 0: NTLMSSP_NEGOTIATE_NT_ONLY > 0: NTLMSSP_ANONYMOUS > 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED > 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED > 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL > 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN > 0: NTLMSSP_TARGET_TYPE_DOMAIN > 0: NTLMSSP_TARGET_TYPE_SERVER > 0: NTLMSSP_TARGET_TYPE_SHARE > 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > 0: NTLMSSP_NEGOTIATE_IDENTIFY > 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY > 0: NTLMSSP_NEGOTIATE_TARGET_INFO > 1: NTLMSSP_NEGOTIATE_VERSION > 1: NTLMSSP_NEGOTIATE_128 > 1: NTLMSSP_NEGOTIATE_KEY_EXCH > 0: NTLMSSP_NEGOTIATE_56 > 
DomainNameLen : 0x0000 (0) > DomainNameMaxLen : 0x0000 (0) > DomainName : * > DomainName : '' > WorkstationLen : 0x0000 (0) > WorkstationMaxLen : 0x0000 (0) > Workstation : * > Workstation : '' > Version: struct ntlmssp_VERSION > ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6) > ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1) > ProductBuild : 0x0000 (0) > Reserved: ARRAY(3) > [0] : 0x00 (0) > [1] : 0x00 (0) > [2] : 0x00 (0) > NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15) >Got challenge flags: >Got NTLMSSP neg_flags=0x62898215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_TARGET_TYPE_DOMAIN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_TARGET_INFO > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH >NTLMSSP: Set final flags: >Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH >NTLMSSP Sign/Seal - Initialising with flags: >Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH >ntlmssp_check_packet: NTLMSSP signature OK ! 
>NTLMSSP Sign/Seal - Initialising with flags: >Got NTLMSSP neg_flags=0x62088215 > NTLMSSP_NEGOTIATE_UNICODE > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH >signed SMB2 message >signed SMB2 message >signed SMB2 message >Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_BIND (11) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0048 (72) > auth_length : 0x0000 (0) > call_id : 0x000000aa (170) > u : union dcerpc_payload(case 11) > bind: struct dcerpc_bind > max_xmit_frag : 0x10b8 (4280) > max_recv_frag : 0x10b8 (4280) > assoc_group_id : 0x00000000 (0) > num_contexts : 0x01 (1) > ctx_list: ARRAY(1) > ctx_list: struct dcerpc_ctx_list > context_id : 0x0000 (0) > num_transfer_syntaxes : 0x01 (1) > abstract_syntax: struct ndr_syntax_id > uuid : 12345778-1234-abcd-ef00-0123456789ab > if_version : 0x00000000 (0) > transfer_syntaxes: ARRAY(1) > transfer_syntaxes: struct ndr_syntax_id > uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 > if_version : 0x00000002 (2) > auth_info : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 52 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_BIND_ACK (12) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: 
DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0044 (68) > auth_length : 0x0000 (0) > call_id : 0x000000aa (170) > u : union dcerpc_payload(case 12) > bind_ack: struct dcerpc_bind_ack > max_xmit_frag : 0x10b8 (4280) > max_recv_frag : 0x10b8 (4280) > assoc_group_id : 0x0000e87c (59516) > secondary_address_size : 0x000c (12) > secondary_address : '\pipe\lsass' > _pad1 : DATA_BLOB length=2 >[0000] 00 00 .. > num_results : 0x01 (1) > ctx_list: ARRAY(1) > ctx_list: struct dcerpc_ack_ctx > result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) > reason : union dcerpc_bind_ack_reason(case 0) > value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) > syntax: struct ndr_syntax_id > uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 > if_version : 0x00000002 (2) > auth_info : DATA_BLOB length=0 >rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 68 bytes. >check_bind_response: accepted! >cli_rpc_pipe_open_noauth: opened pipe lsarpc to machine 10.10.11.1 and bound anonymously. 
> lsa_OpenPolicy: struct lsa_OpenPolicy > in: struct lsa_OpenPolicy > system_name : * > system_name : 0x005c (92) > attr : * > attr: struct lsa_ObjectAttribute > len : 0x00000018 (24) > root_dir : NULL > object_name : NULL > attributes : 0x00000000 (0) > sec_desc : NULL > sec_qos : NULL > access_mask : 0x02000000 (33554432) > 0: LSA_POLICY_VIEW_LOCAL_INFORMATION > 0: LSA_POLICY_VIEW_AUDIT_INFORMATION > 0: LSA_POLICY_GET_PRIVATE_INFORMATION > 0: LSA_POLICY_TRUST_ADMIN > 0: LSA_POLICY_CREATE_ACCOUNT > 0: LSA_POLICY_CREATE_SECRET > 0: LSA_POLICY_CREATE_PRIVILEGE > 0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS > 0: LSA_POLICY_SET_AUDIT_REQUIREMENTS > 0: LSA_POLICY_AUDIT_LOG_ADMIN > 0: LSA_POLICY_SERVER_ADMIN > 0: LSA_POLICY_LOOKUP_NAMES > 0: LSA_POLICY_NOTIFICATION > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000ab (171) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000024 (36) > context_id : 0x0000 (0) > opnum : 0x0006 (6) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 
0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x000000ab (171) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 58 C6 26 C9 1A 37 B5 49 AF 3A 41 77 ....X.&. .7.I.:Aw >[0010] 8C 4F BA 69 00 00 00 00 .O.i.... >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > lsa_OpenPolicy: struct lsa_OpenPolicy > out: struct lsa_OpenPolicy > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : c926c658-371a-49b5-af3a-41778c4fba69 > result : NT_STATUS_OK > lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy > in: struct lsa_QueryInfoPolicy > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : c926c658-371a-49b5-af3a-41778c4fba69 > level : LSA_POLICY_INFO_ACCOUNT_DOMAIN (5) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000ac (172) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000016 (22) > context_id : 0x0000 (0) > opnum : 0x0007 (7) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 
10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 92 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x006c (108) > auth_length : 0x0000 (0) > call_id : 0x000000ac (172) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000054 (84) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=84 >[0000] 00 00 02 00 05 00 00 00 12 00 14 00 04 00 02 00 ........ ........ >[0010] 08 00 02 00 0A 00 00 00 00 00 00 00 09 00 00 00 ........ ........ >[0020] 46 00 52 00 49 00 53 00 4B 00 44 00 45 00 4D 00 F.R.I.S. K.D.E.M. >[0030] 4F 00 00 00 04 00 00 00 01 04 00 00 00 00 00 05 O....... ........ >[0040] 15 00 00 00 9C 35 33 51 19 74 23 9A D3 83 E6 CA .....53Q .t#..... >[0050] 00 00 00 00 .... >Got pdu len 108, data_len 84 >rpc_api_pipe: got frag len of 108 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 84 bytes. 
> lsa_QueryInfoPolicy: struct lsa_QueryInfoPolicy > out: struct lsa_QueryInfoPolicy > info : * > info : * > info : union lsa_PolicyInformation(case 5) > account_domain: struct lsa_DomainInfo > name: struct lsa_StringLarge > length : 0x0012 (18) > size : 0x0014 (20) > string : * > string : 'FRISKDEMO' > sid : * > sid : S-1-5-21-1362310556-2586014745-3404104659 > result : NT_STATUS_OK > lsa_Close: struct lsa_Close > in: struct lsa_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : c926c658-371a-49b5-af3a-41778c4fba69 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000ad (173) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000014 (20) > context_id : 0x0000 (0) > opnum : 0x0000 (0) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 32 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0030 (48) > auth_length : 0x0000 (0) > call_id : 0x000000ad (173) > u : 
union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x00000018 (24) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=24 >[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[0010] 00 00 00 00 00 00 00 00 ........ >Got pdu len 48, data_len 24 >rpc_api_pipe: got frag len of 48 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 24 bytes. > lsa_Close: struct lsa_Close > out: struct lsa_Close > handle : * > handle: struct policy_handle > handle_type : 0x00000000 (0) > uuid : 00000000-0000-0000-0000-000000000000 > result : NT_STATUS_OK >signed SMB2 message >signed SMB2 message >Bind RPC Pipe: host 10.10.11.1 auth_type 0, auth_level 1 > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_BIND (11) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0048 (72) > auth_length : 0x0000 (0) > call_id : 0x000000ae (174) > u : union dcerpc_payload(case 11) > bind: struct dcerpc_bind > max_xmit_frag : 0x10b8 (4280) > max_recv_frag : 0x10b8 (4280) > assoc_group_id : 0x00000000 (0) > num_contexts : 0x01 (1) > ctx_list: ARRAY(1) > ctx_list: struct dcerpc_ctx_list > context_id : 0x0000 (0) > num_transfer_syntaxes : 0x01 (1) > abstract_syntax: struct ndr_syntax_id > uuid : 4b324fc8-1670-01d3-1278-5a47bf6ee188 > if_version : 0x00000003 (3) > transfer_syntaxes: ARRAY(1) > transfer_syntaxes: struct ndr_syntax_id > uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 > if_version : 0x00000002 (2) > auth_info : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 52 
> r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_BIND_ACK (12) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0044 (68) > auth_length : 0x0000 (0) > call_id : 0x000000ae (174) > u : union dcerpc_payload(case 12) > bind_ack: struct dcerpc_bind_ack > max_xmit_frag : 0x10b8 (4280) > max_recv_frag : 0x10b8 (4280) > assoc_group_id : 0x00010178 (65912) > secondary_address_size : 0x000d (13) > secondary_address : '\PIPE\srvsvc' > _pad1 : DATA_BLOB length=1 >[0000] 00 . > num_results : 0x01 (1) > ctx_list: ARRAY(1) > ctx_list: struct dcerpc_ack_ctx > result : DCERPC_BIND_ACK_RESULT_ACCEPTANCE (0) > reason : union dcerpc_bind_ack_reason(case 0) > value : DCERPC_BIND_ACK_REASON_NOT_SPECIFIED (0) > syntax: struct ndr_syntax_id > uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 > if_version : 0x00000002 (2) > auth_info : DATA_BLOB length=0 >rpc_api_pipe: got frag len of 68 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 68 bytes. >check_bind_response: accepted! >cli_rpc_pipe_open_noauth: opened pipe srvsvc to machine 10.10.11.1 and bound anonymously. 
> srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll > in: struct srvsvc_NetShareEnumAll > server_unc : * > server_unc : '10.10.11.1' > info_ctr : * > info_ctr: struct srvsvc_NetShareInfoCtr > level : 0x00000001 (1) > ctr : union srvsvc_NetShareCtr(case 1) > ctr1 : * > ctr1: struct srvsvc_NetShareCtr1 > count : 0x00000000 (0) > array : NULL > max_buffer : 0xffffffff (4294967295) > resume_handle : * > resume_handle : 0x00000000 (0) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000af (175) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000048 (72) > context_id : 0x0000 (0) > opnum : 0x000f (15) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 768 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0310 (784) > auth_length : 0x0000 (0) > call_id : 0x000000af (175) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000002f8 (760) > context_id : 0x0000 
(0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=760 >[0000] 01 00 00 00 01 00 00 00 00 00 02 00 0A 00 00 00 ........ ........ >[0010] 04 00 02 00 0A 00 00 00 08 00 02 00 00 00 00 80 ........ ........ >[0020] 0C 00 02 00 10 00 02 00 00 00 00 80 14 00 02 00 ........ ........ >[0030] 18 00 02 00 00 00 00 00 1C 00 02 00 20 00 02 00 ........ .... ... >[0040] 00 00 00 00 24 00 02 00 28 00 02 00 03 00 00 80 ....$... (....... >[0050] 2C 00 02 00 30 00 02 00 00 00 00 00 34 00 02 00 ,...0... ....4... >[0060] 38 00 02 00 00 00 00 00 3C 00 02 00 40 00 02 00 8....... <...@... >[0070] 00 00 00 00 44 00 02 00 48 00 02 00 00 00 00 00 ....D... H....... >[0080] 4C 00 02 00 50 00 02 00 00 00 00 00 54 00 02 00 L...P... ....T... >[0090] 07 00 00 00 00 00 00 00 07 00 00 00 41 00 44 00 ........ ....A.D. >[00A0] 4D 00 49 00 4E 00 24 00 00 00 00 00 0D 00 00 00 M.I.N.$. ........ >[00B0] 00 00 00 00 0D 00 00 00 52 00 65 00 6D 00 6F 00 ........ R.e.m.o. >[00C0] 74 00 65 00 20 00 41 00 64 00 6D 00 69 00 6E 00 t.e. .A. d.m.i.n. >[00D0] 00 00 00 00 03 00 00 00 00 00 00 00 03 00 00 00 ........ ........ >[00E0] 43 00 24 00 00 00 00 00 0E 00 00 00 00 00 00 00 C.$..... ........ >[00F0] 0E 00 00 00 44 00 65 00 66 00 61 00 75 00 6C 00 ....D.e. f.a.u.l. >[0100] 74 00 20 00 73 00 68 00 61 00 72 00 65 00 00 00 t. .s.h. a.r.e... >[0110] 05 00 00 00 00 00 00 00 05 00 00 00 44 00 65 00 ........ ....D.e. >[0120] 6D 00 6F 00 00 00 00 00 01 00 00 00 00 00 00 00 m.o..... ........ >[0130] 01 00 00 00 00 00 00 00 0A 00 00 00 00 00 00 00 ........ ........ >[0140] 0A 00 00 00 46 00 72 00 69 00 73 00 6B 00 44 00 ....F.r. i.s.k.D. >[0150] 65 00 6D 00 6F 00 00 00 01 00 00 00 00 00 00 00 e.m.o... ........ >[0160] 01 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 ........ ........ >[0170] 05 00 00 00 49 00 50 00 43 00 24 00 00 00 00 00 ....I.P. C.$..... >[0180] 0B 00 00 00 00 00 00 00 0B 00 00 00 52 00 65 00 ........ ....R.e. 
>[0190] 6D 00 6F 00 74 00 65 00 20 00 49 00 50 00 43 00 m.o.t.e. .I.P.C. >[01A0] 00 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 ........ ........ >[01B0] 4E 00 45 00 54 00 4C 00 4F 00 47 00 4F 00 4E 00 N.E.T.L. O.G.O.N. >[01C0] 00 00 00 00 14 00 00 00 00 00 00 00 14 00 00 00 ........ ........ >[01D0] 4C 00 6F 00 67 00 6F 00 6E 00 20 00 73 00 65 00 L.o.g.o. n. .s.e. >[01E0] 72 00 76 00 65 00 72 00 20 00 73 00 68 00 61 00 r.v.e.r. .s.h.a. >[01F0] 72 00 65 00 20 00 00 00 19 00 00 00 00 00 00 00 r.e. ... ........ >[0200] 19 00 00 00 52 00 44 00 56 00 69 00 72 00 74 00 ....R.D. V.i.r.t. >[0210] 75 00 61 00 6C 00 44 00 65 00 73 00 6B 00 74 00 u.a.l.D. e.s.k.t. >[0220] 6F 00 70 00 54 00 65 00 6D 00 70 00 6C 00 61 00 o.p.T.e. m.p.l.a. >[0230] 74 00 65 00 00 00 00 00 01 00 00 00 00 00 00 00 t.e..... ........ >[0240] 01 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 ........ ........ >[0250] 06 00 00 00 53 00 74 00 65 00 70 00 68 00 00 00 ....S.t. e.p.h... >[0260] 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ........ ........ >[0270] 06 00 00 00 00 00 00 00 06 00 00 00 53 00 74 00 ........ ....S.t. >[0280] 65 00 76 00 65 00 00 00 01 00 00 00 00 00 00 00 e.v.e... ........ >[0290] 01 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ........ ........ >[02A0] 07 00 00 00 53 00 59 00 53 00 56 00 4F 00 4C 00 ....S.Y. S.V.O.L. >[02B0] 00 00 00 00 14 00 00 00 00 00 00 00 14 00 00 00 ........ ........ >[02C0] 4C 00 6F 00 67 00 6F 00 6E 00 20 00 73 00 65 00 L.o.g.o. n. .s.e. >[02D0] 72 00 76 00 65 00 72 00 20 00 73 00 68 00 61 00 r.v.e.r. .s.h.a. >[02E0] 72 00 65 00 20 00 00 00 0A 00 00 00 58 00 02 00 r.e. ... ....X... >[02F0] 00 00 00 00 00 00 00 00 ........ >Got pdu len 784, data_len 760 >rpc_api_pipe: got frag len of 784 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 760 bytes. 
> srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll > out: struct srvsvc_NetShareEnumAll > info_ctr : * > info_ctr: struct srvsvc_NetShareInfoCtr > level : 0x00000001 (1) > ctr : union srvsvc_NetShareCtr(case 1) > ctr1 : * > ctr1: struct srvsvc_NetShareCtr1 > count : 0x0000000a (10) > array : * > array: ARRAY(10) > array: struct srvsvc_NetShareInfo1 > name : * > name : 'ADMIN$' > type : STYPE_DISKTREE_HIDDEN (0x80000000) > comment : * > comment : 'Remote Admin' > array: struct srvsvc_NetShareInfo1 > name : * > name : 'C$' > type : STYPE_DISKTREE_HIDDEN (0x80000000) > comment : * > comment : 'Default share' > array: struct srvsvc_NetShareInfo1 > name : * > name : 'Demo' > type : STYPE_DISKTREE (0x0) > comment : * > comment : '' > array: struct srvsvc_NetShareInfo1 > name : * > name : 'FriskDemo' > type : STYPE_DISKTREE (0x0) > comment : * > comment : '' > array: struct srvsvc_NetShareInfo1 > name : * > name : 'IPC$' > type : STYPE_IPC_HIDDEN (0x80000003) > comment : * > comment : 'Remote IPC' > array: struct srvsvc_NetShareInfo1 > name : * > name : 'NETLOGON' > type : STYPE_DISKTREE (0x0) > comment : * > comment : 'Logon server share ' > array: struct srvsvc_NetShareInfo1 > name : * > name : 'RDVirtualDesktopTemplate' > type : STYPE_DISKTREE (0x0) > comment : * > comment : '' > array: struct srvsvc_NetShareInfo1 > name : * > name : 'Steph' > type : STYPE_DISKTREE (0x0) > comment : * > comment : '' > array: struct srvsvc_NetShareInfo1 > name : * > name : 'Steve' > type : STYPE_DISKTREE (0x0) > comment : * > comment : '' > array: struct srvsvc_NetShareInfo1 > name : * > name : 'SYSVOL' > type : STYPE_DISKTREE (0x0) > comment : * > comment : 'Logon server share ' > totalentries : * > totalentries : 0x0000000a (10) > resume_handle : * > resume_handle : 0x00000000 (0) > result : WERR_OK > srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo > in: struct srvsvc_NetShareGetInfo > server_unc : * > server_unc : '10.10.11.1' > share_name : 'Demo' > level : 0x000001f6 
(502) > &r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_REQUEST (0) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0018 (24) > auth_length : 0x0000 (0) > call_id : 0x000000b0 (176) > u : union dcerpc_payload(case 0) > request: struct dcerpc_request > alloc_hint : 0x00000044 (68) > context_id : 0x0000 (0) > opnum : 0x0010 (16) > object : union dcerpc_object(case 0) > empty: struct dcerpc_empty > _pad : DATA_BLOB length=0 > stub_and_verifier : DATA_BLOB length=0 >rpc_api_pipe: host 10.10.11.1 >signed SMB2 message >rpc_read_send: data_to_read: 260 > r: struct ncacn_packet > rpc_vers : 0x05 (5) > rpc_vers_minor : 0x00 (0) > ptype : DCERPC_PKT_RESPONSE (2) > pfc_flags : 0x03 (3) > 1: DCERPC_PFC_FLAG_FIRST > 1: DCERPC_PFC_FLAG_LAST > 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING > 0: DCERPC_PFC_FLAG_CONC_MPX > 0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE > 0: DCERPC_PFC_FLAG_MAYBE > 0: DCERPC_PFC_FLAG_OBJECT_UUID > drep: ARRAY(4) > [0] : 0x10 (16) > [1] : 0x00 (0) > [2] : 0x00 (0) > [3] : 0x00 (0) > frag_length : 0x0114 (276) > auth_length : 0x0000 (0) > call_id : 0x000000b0 (176) > u : union dcerpc_payload(case 2) > response: struct dcerpc_response > alloc_hint : 0x000000fc (252) > context_id : 0x0000 (0) > cancel_count : 0x00 (0) > _pad : DATA_BLOB length=1 >[0000] 00 . > stub_and_verifier : DATA_BLOB length=252 >[0000] F6 01 00 00 00 00 02 00 04 00 02 00 00 00 00 00 ........ ........ >[0010] 08 00 02 00 00 00 00 00 FF FF FF FF 01 00 00 00 ........ ........ >[0020] 0C 00 02 00 00 00 00 00 74 00 00 00 10 00 02 00 ........ t....... >[0030] 05 00 00 00 00 00 00 00 05 00 00 00 44 00 65 00 ........ ....D.e. 
>[0040] 6D 00 6F 00 00 00 00 00 01 00 00 00 00 00 00 00 m.o..... ........ >[0050] 01 00 00 00 00 00 00 00 0E 00 00 00 00 00 00 00 ........ ........ >[0060] 0E 00 00 00 43 00 3A 00 5C 00 53 00 68 00 61 00 ....C.:. \.S.h.a. >[0070] 72 00 65 00 5C 00 44 00 65 00 6D 00 6F 00 00 00 r.e.\.D. e.m.o... >[0080] 74 00 00 00 01 00 04 80 48 00 00 00 58 00 00 00 t....... H...X... >[0090] 00 00 00 00 14 00 00 00 02 00 34 00 02 00 00 00 ........ ..4..... >[00A0] 00 03 18 00 FF 01 1F 00 01 02 00 00 00 00 00 05 ........ ........ >[00B0] 20 00 00 00 20 02 00 00 00 03 14 00 FF 01 1F 00 ... ... ........ >[00C0] 01 01 00 00 00 00 00 01 00 00 00 00 01 02 00 00 ........ ........ >[00D0] 00 00 00 05 20 00 00 00 20 02 00 00 01 05 00 00 .... ... ....... >[00E0] 00 00 00 05 15 00 00 00 9C 35 33 51 19 74 23 9A ........ .53Q.t#. >[00F0] D3 83 E6 CA 01 02 00 00 00 00 00 00 ........ .... >Got pdu len 276, data_len 252 >rpc_api_pipe: got frag len of 276 at offset 0: NT_STATUS_OK >rpc_api_pipe: host 10.10.11.1 returned 252 bytes. 
> srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo > out: struct srvsvc_NetShareGetInfo > info : * > info : union srvsvc_NetShareInfo(case 502) > info502 : * > info502: struct srvsvc_NetShareInfo502 > name : * > name : 'Demo' > type : STYPE_DISKTREE (0x0) > comment : * > comment : '' > permissions : 0x00000000 (0) > max_users : 0xffffffff (4294967295) > current_users : 0x00000001 (1) > path : * > path : 'C:\Share\Demo' > password : NULL > sd_buf: struct sec_desc_buf > sd_size : 0x00000074 (116) > sd : * > sd: struct security_descriptor > revision : SECURITY_DESCRIPTOR_REVISION_1 (1) > type : 0x8004 (32772) > 0: SEC_DESC_OWNER_DEFAULTED > 0: SEC_DESC_GROUP_DEFAULTED > 1: SEC_DESC_DACL_PRESENT > 0: SEC_DESC_DACL_DEFAULTED > 0: SEC_DESC_SACL_PRESENT > 0: SEC_DESC_SACL_DEFAULTED > 0: SEC_DESC_DACL_TRUSTED > 0: SEC_DESC_SERVER_SECURITY > 0: SEC_DESC_DACL_AUTO_INHERIT_REQ > 0: SEC_DESC_SACL_AUTO_INHERIT_REQ > 0: SEC_DESC_DACL_AUTO_INHERITED > 0: SEC_DESC_SACL_AUTO_INHERITED > 0: SEC_DESC_DACL_PROTECTED > 0: SEC_DESC_SACL_PROTECTED > 0: SEC_DESC_RM_CONTROL_VALID > 1: SEC_DESC_SELF_RELATIVE > owner_sid : * > owner_sid : S-1-5-32-544 > group_sid : * > group_sid : S-1-5-21-1362310556-2586014745-3404104659-513 > sacl : NULL > dacl : * > dacl: struct security_acl > revision : SECURITY_ACL_REVISION_NT4 (2) > size : 0x0034 (52) > num_aces : 0x00000002 (2) > aces: ARRAY(2) > aces: struct security_ace > type : SEC_ACE_TYPE_ACCESS_ALLOWED (0) > flags : 0x03 (3) > 1: SEC_ACE_FLAG_OBJECT_INHERIT > 1: SEC_ACE_FLAG_CONTAINER_INHERIT > 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT > 0: SEC_ACE_FLAG_INHERIT_ONLY > 0: SEC_ACE_FLAG_INHERITED_ACE > 0x03: SEC_ACE_FLAG_VALID_INHERIT (3) > 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS > 0: SEC_ACE_FLAG_FAILED_ACCESS > size : 0x0018 (24) > access_mask : 0x001f01ff (2032127) > object : union security_ace_object_ctr(case 0) > trustee : S-1-5-32-544 > aces: struct security_ace > type : SEC_ACE_TYPE_ACCESS_ALLOWED (0) > flags : 0x03 (3) > 1: 
SEC_ACE_FLAG_OBJECT_INHERIT > 1: SEC_ACE_FLAG_CONTAINER_INHERIT > 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT > 0: SEC_ACE_FLAG_INHERIT_ONLY > 0: SEC_ACE_FLAG_INHERITED_ACE > 0x03: SEC_ACE_FLAG_VALID_INHERIT (3) > 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS > 0: SEC_ACE_FLAG_FAILED_ACCESS > size : 0x0014 (20) > access_mask : 0x001f01ff (2032127) > object : union security_ace_object_ctr(case 0) > trustee : S-1-1-0 > result : WERR_OK >signed SMB2 message >signed SMB2 message >signed SMB2 message >signed SMB2 message >signed SMB2 message > srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo > in: struct srvsvc_NetShareGetInfo > server_unc : * > server_unc : '10.10.11.1' > share_name : 'FriskDemo' > level : 0x000001f6 (502) >Coult not query secdesc for share FriskDemo > srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo > in: struct srvsvc_NetShareGetInfo > server_unc : * > server_unc : '10.10.11.1' > share_name : 'NETLOGON' > level : 0x000001f6 (502) >Coult not query secdesc for share NETLOGON > srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo > in: struct srvsvc_NetShareGetInfo > server_unc : * > server_unc : '10.10.11.1' > share_name : 'RDVirtualDesktopTemplate' > level : 0x000001f6 (502) >Coult not query secdesc for share RDVirtualDesktopTemplate > srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo > in: struct srvsvc_NetShareGetInfo > server_unc : * > server_unc : '10.10.11.1' > share_name : 'Steph' > level : 0x000001f6 (502) >Coult not query secdesc for share Steph > srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo > in: struct srvsvc_NetShareGetInfo > server_unc : * > server_unc : '10.10.11.1' > share_name : 'Steve' > level : 0x000001f6 (502) >Coult not query secdesc for share Steve > srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo > in: struct srvsvc_NetShareGetInfo > server_unc : * > server_unc : '10.10.11.1' > share_name : 'SYSVOL' > level : 0x000001f6 (502) >Coult not query secdesc for share SYSVOL >rpc command function succedded >signed SMB2 message 
>return code = 0 >Opening cache file at /var/cache/samba/gencache.tdb >tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied >gencache_init: Opening cache file /var/cache/samba/gencache.tdb read-only. >Opening cache file at /var/run/samba/gencache_notrans.tdb >tdb(/var/cache/samba/gencache.tdb): tdb_transaction_start: cannot start a transaction on a read-only or internal db >Could not start transaction on gencache.tdb: Invalid parameter >Freeing parametrics: >Demo > FRISKDEMO\administrator > FRISKDEMO\guest > FRISKDEMO\krbtgt > FRISKDEMO\frisk > FRISKDEMO\gburnard > FRISKDEMO\cliff > FRISKDEMO\steph > FRISKDEMO\kgillard > FRISKDEMO\gbrar > FRISKDEMO\sfarrimond > FRISKDEMO\pgolinski > FRISKDEMO\csalmon > FRISKDEMO\chilts > FRISKDEMO\sbetchley > FRISKDEMO\jbugden > FRISKDEMO\adrian > FRISKDEMO\friskadmin >FriskDemo >NETLOGON >RDVirtualDesktopTemplate >Steph >Steve >SYSVOL
Attachments on bug 13992: 15249 | 15266 | 15267 | 16412 | 16414 | 16415 | 16416 | 16422 | 16423 | 16424 | 16426