[2006/06/07 11:02:58, 1] nsswitch/winbindd.c:main(953)
  winbindd version 3.0.23pre2-SVN-build-15985 started.
  Copyright The Samba Team 2000-2004
[2006/06/07 11:02:58, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
  all: True/10
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
doing parameter syslog = 1
doing parameter log file = /usr/local/samba3/var/log.%m
doing parameter max log size = 70550
doing parameter idmap backend = ad
doing parameter use kerberos keytab = yes
doing parameter idmap uid = 30000-39999
doing parameter idmap gid = 30000-39999
doing parameter template shell = /bin/bash
doing parameter winbind trusted domains only = yes
doing parameter winbind nss info = sfu template
doing parameter winbind enum users = yes
doing parameter passdb backend = smbpasswd
doing parameter deadtime = 15
doing parameter wins server = 192.168.200.35
doing parameter guest account = guest
doing parameter create mask = 0664
doing parameter directory mask = 0775
doing parameter load printers = yes
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536
doing parameter keepalive = 0
doing parameter interfaces = 192.168.200.25
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[printers]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 0 for printers
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2536)
  hash_a_service: creating tdb servicehash
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 0 for service name printers
doing parameter comment = SMB Print Spool
doing parameter path = /var/spool/samba
doing parameter browseable = no
doing parameter public = yes
doing parameter guest ok = no
doing parameter writable = no
doing parameter printable = yes
doing parameter write list = doug,root,administrator
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[print$]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 1 for print$
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 1 for service name print$
doing parameter comment = Printer Drivers
doing parameter path = /usr/local/samba3/drivers
doing parameter admin users = doug,root,administrator
doing parameter read only = yes
doing parameter write list = doug,root,administrator
doing parameter include = /usr/local/samba3/lib/smb.services
[2006/06/07 11:02:58, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/usr/local/samba3/lib/smb.services"
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[homes]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 2 for homes
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 2 for service name homes
doing parameter comment = Home Directories
doing parameter read only = No
doing parameter browseable = No
doing parameter dont descend = .gnome-desktop
doing parameter hide files = .desktop.ini/ntuser.dat
doing parameter csc policy = disable
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[netlogon]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 3 for netlogon
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 3 for service name netlogon
doing parameter comment = Network Logon Service
doing parameter root preexec = fortune |unix2dos > /home/netlogon/motd.txt;cp /home/netlogon/motd.txt /home/public/motd.txt
doing parameter path = /home/netlogon
doing parameter browseable = Yes
doing parameter writable = no
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[Profiles]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 4 for Profiles
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 4 for service name Profiles
doing parameter path = /home/profiles
doing parameter read only = no
doing parameter browseable = yes
doing parameter nt acl support = no
doing parameter create mask = 0600
doing parameter directory mask = 0700
doing parameter hide files = desktop.ini/ntuser.*/USER.*
doing parameter csc policy = disable
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[profilesNT]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 5 for profilesNT
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 5 for service name profilesNT
doing parameter comment = Roaming Profiles for 2000 domain
doing parameter path = /home/profilesNT
doing parameter nt acl support = no
doing parameter create mask = 0711
doing parameter directory mask = 0711
doing parameter read only = no
doing parameter csc policy = disable
doing parameter map system = yes
doing parameter map hidden = yes
doing parameter map archive = yes
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[test]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 6 for test
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 6 for service name test
doing parameter comment = Temporary file space
doing parameter path = /tmp
doing parameter read only = No
doing parameter create mask = 0775
doing parameter strict locking = yes
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[temp]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 7 for temp
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 7 for service name temp
doing parameter comment = Temporary file space
doing parameter path = /tmp
doing parameter read only = No
doing parameter create mask = 0777
doing parameter nt acl support = yes
doing parameter ea support = yes
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[public]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 8 for public
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 8 for service name public
doing parameter comment = Public Stuff
doing parameter path = /home/public
doing parameter write list = @staff
doing parameter read only = No
doing parameter create mask = 0666
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[web_folder]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 9 for web_folder
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 9 for service name web_folder
doing parameter comment = Web publishing directory
doing parameter path = /var/www/pubhtml/pictures
doing parameter write list = @staff
doing parameter read only = No
doing parameter create mask = 0775
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[download]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 10 for download
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 10 for service name download
doing parameter comment = Download Area
doing parameter path = /vol/download
doing parameter write list = @staff
doing parameter read only = No
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[vol]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 11 for vol
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 11 for service name vol
doing parameter comment = Download Area
doing parameter path = /vol
doing parameter write list = @staff
doing parameter read only = No
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[POBox]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 12 for POBox
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 12 for service name POBox
doing parameter comment = MS Post Office
doing parameter path = /home/POBox
doing parameter read only = No
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[www]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 13 for www
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 13 for service name www
doing parameter comment = http root
doing parameter path = /var/www/html
doing parameter write list = @staff
doing parameter read only = No
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[amanda]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 14 for amanda
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 14 for service name amanda
doing parameter comment = Amanda archive
doing parameter path = /var/lib/amanda
doing parameter admin users = administrator
doing parameter write list = @staff,@finances
doing parameter read only = No
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[winapps]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 15 for winapps
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 15 for service name winapps
doing parameter comment = Shared Windows Applications
doing parameter path = /winapps
doing parameter admin users = administrator
doing parameter write list = @staff,@finances
doing parameter read only = No
doing parameter nt acl support = no
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[opt]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 16 for opt
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 16 for service name opt
doing parameter comment = Shared Unix Applications
doing parameter path = /opt
doing parameter admin users = administrator
doing parameter write list = @wheel,@finances
doing parameter read only = No
doing parameter nt acl support = no
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[photo_cd2]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 17 for photo_cd2
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 17 for service name photo_cd2
doing parameter comment = MS PhotoDraw CD #2
doing parameter path = /winapps/ms/photodrw
doing parameter admin users = administrator
doing parameter write list = @staff,@finances
doing parameter read only = No
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[photocd2]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 18 for photocd2
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 18 for service name photocd2
doing parameter comment = MS PhotoDraw CD #2
doing parameter path = /winapps/ms/photodrw
doing parameter admin users = administrator
doing parameter write list = @staff,@finances
doing parameter read only = No
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[games]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 19 for games
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 19 for service name games
doing parameter comment = Windows Games
doing parameter path = /winapps/games
doing parameter admin users = administrator
doing parameter write list = @staff
doing parameter read only = No
doing parameter nt acl support = no
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[docs]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 20 for docs
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 20 for service name docs
doing parameter comment = Unix Documentation
doing parameter path = /usr/share/doc
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[cdrom]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 21 for cdrom
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 21 for service name cdrom
doing parameter comment = CD-ROM
doing parameter path = /mnt/cdrom
doing parameter fake oplocks = Yes
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[pub-html]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 22 for pub-html
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 22 for service name pub-html
doing parameter comment = test isp http root
doing parameter path = /home/httpd/isp_html
doing parameter write list = @staff
doing parameter read only = No
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[Installs]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 23 for Installs
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 23 for service name Installs
doing parameter comment = sysprep distribution point
doing parameter path = /vol/stor/Installs
doing parameter write list = @staff
doing parameter read only = No
doing parameter create mask = 0666
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[vfs]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 24 for vfs
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 24 for service name vfs
doing parameter comment = Audit test directory
doing parameter path = /tmp
doing parameter vfs objects = audit
doing parameter writeable = yes
doing parameter browseable = yes
[2006/06/07 11:02:58, 2] param/loadparm.c:do_section(3708)
  Processing section "[top-dir]"
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 25 for top-dir
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 25 for service name top-dir
doing parameter comment = Root Directory
doing parameter path = /
doing parameter valid users = administrator doug
doing parameter admin users = administrator doug
doing parameter read only = No
doing parameter dont descend = /proc ./proc /dev proc dev
doing parameter guest ok = No
doing parameter include = /usr/local/samba3/lib/smb.services.%U
[2006/06/07 11:02:58, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/usr/local/samba3/lib/smb.services."
[2006/06/07 11:02:58, 4] param/loadparm.c:lp_load(4980)
  pm_process() returned Yes
[2006/06/07 11:02:58, 8] param/loadparm.c:add_a_service(2499)
  add_a_service: Creating snum = 26 for IPC$
[2006/06/07 11:02:58, 10] param/loadparm.c:hash_a_service(2546)
  hash_a_service: hashing index 26 for service name IPC$
[2006/06/07 11:02:58, 3] param/loadparm.c:lp_add_ipc(2633)
  adding IPC service
[2006/06/07 11:02:58, 10] param/loadparm.c:set_server_role(4225)
  set_server_role: role = ROLE_DOMAIN_MEMBER
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 5] lib/charcnv.c:charset_name(81)
  Substituting charset 'ISO-8859-1' for LOCALE
[2006/06/07 11:02:58, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.200.25 bcast=192.168.200.255 nmask=255.255.255.0
[2006/06/07 11:02:58, 5] lib/util.c:init_names(286)
  Netbios name list:-
  my_netbios_names[0]="GATE"
[2006/06/07 11:02:58, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.200.25 bcast=192.168.200.255 nmask=255.255.255.0
[2006/06/07 11:02:58, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /usr/local/samba3/var/locks/gencache.tdb
[2006/06/07 11:02:58, 5] libsmb/namecache.c:namecache_enable(58)
  namecache_enable: enabling netbios namecache, timeout 660 seconds
[2006/06/07 11:02:58, 5] sam/idmap.c:smb_register_idmap(93)
  smb_register_idmap: Successfully added idmap backend 'ldap'
[2006/06/07 11:02:58, 5] sam/idmap.c:smb_register_idmap(93)
  smb_register_idmap: Successfully added idmap backend 'tdb'
[2006/06/07 11:02:58, 10] sam/idmap_tdb.c:db_idmap_init(462)
  db_idmap_init: Opening tdbfile /usr/local/samba3/var/locks/winbindd_idmap.tdb
[2006/06/07 11:02:58, 3] sam/idmap.c:idmap_init(142)
  idmap_init: using 'ad' as remote backend
[2006/06/07 11:02:58, 5] lib/module.c:smb_probe_module(108)
  Probing module 'ad'
[2006/06/07 11:02:58, 5] lib/module.c:smb_probe_module(119)
  Probing module 'ad': Trying to load from /usr/local/samba3/lib/idmap/ad.so
[2006/06/07 11:02:58, 2] lib/module.c:do_smb_load_module(64)
  Module '/usr/local/samba3/lib/idmap/ad.so' loaded
[2006/06/07 11:02:58, 5] sam/idmap.c:smb_register_idmap(93)
  smb_register_idmap: Successfully added idmap backend 'ad'
[2006/06/07 11:02:58, 8] lib/util.c:fcntl_lock(1952)
  fcntl_lock fd=8 op=13 offset=0 count=1 type=1
[2006/06/07 11:02:58, 8] lib/util.c:fcntl_lock(1971)
  fcntl_lock: Lock call successful
[2006/06/07 11:02:58, 4] lib/time.c:TimeInit(136)
  TimeInit: Serverzone is 25200
[2006/06/07 11:02:58, 2] lib/tallocmsg.c:register_msg_pool_usage(61)
  Registered MSG_REQ_POOL_USAGE
[2006/06/07 11:02:58, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2006/06/07 11:02:58, 2] nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain FOREST NT.LDXNET.COM S-1-5-21-484763869-746137067-1343024091
[2006/06/07 11:02:58, 2] nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain GATE S-1-5-21-3088879221-4048462968-515935220
[2006/06/07 11:02:58, 2] nsswitch/winbindd_util.c:add_trusted_domain(175)
  Added domain BUILTIN S-1-5-32
[2006/06/07 11:02:58, 10] lib/events.c:add_timed_event(77)
  Added timed event "account_lockout_policy_handler": 82bccf0
[2006/06/07 11:02:58, 10] lib/events.c:run_events(100)
  Running event "account_lockout_policy_handler" 82bccf0
[2006/06/07 11:02:58, 10] nsswitch/winbindd_dual.c:account_lockout_policy_handler(529)
  account_lockout_policy_handler called
[2006/06/07 11:02:58, 10] lib/events.c:timed_event_destructor(30)
  Destroying timed event 82bccf0 "account_lockout_policy_handler"
[2006/06/07 11:02:58, 8] nsswitch/winbindd_cm.c:connection_ok(898)
  Connection to for domain FOREST has NULL cli!
[2006/06/07 11:02:58, 10] lib/gencache.c:gencache_get(272)
  Returning valid cache entry: key = SAF/DOMAIN/FOREST, value = 192.168.200.35, timeout = Wed Jun 7 11:17:56 2006
[2006/06/07 11:02:58, 5] libsmb/namequery.c:saf_fetch(108)
  saf_fetch: Returning "192.168.200.35" for "FOREST" domain
[2006/06/07 11:02:58, 8] lib/util.c:fcntl_lock(1952)
  fcntl_lock fd=13 op=13 offset=0 count=1 type=0
[2006/06/07 11:02:58, 3] lib/util.c:fcntl_lock(1965)
  fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Resource temporarily unavailable)
[2006/06/07 11:02:58, 4] libsmb/clidgram.c:cli_send_mailslot(100)
  send_mailslot: Sending to mailslot \MAILSLOT\NET\NTLOGON from GATE<00> to FOREST<1c> IP 192.168.200.35
[2006/06/07 11:02:58, 10] nsswitch/winbindd_util.c:open_winbindd_socket(913)
  open_winbindd_socket: opened socket fd 12
[2006/06/07 11:02:58, 10] nsswitch/winbindd_util.c:open_winbindd_priv_socket(925)
  open_winbindd_priv_socket: opened socket fd 14
[2006/06/07 11:02:58, 5] nsswitch/winbindd_cm.c:receive_getdc_response(530)
  Received packet for \MAILSLOT\NET\GETDC23C8A8C0
[2006/06/07 11:02:58, 10] nsswitch/winbindd_cm.c:receive_getdc_response(574)
  GetDC gave name RANGER1 for domain FOREST
[2006/06/07 11:02:58, 5] libsmb/namecache.c:namecache_store(131)
  namecache_store: storing 1 address for RANGER1#20: 192.168.200.35:0
[2006/06/07 11:02:58, 10] lib/gencache.c:gencache_set(130)
  Adding cache entry with key = NBT/RANGER1#20; value = 192.168.200.35:0 and timeout = Wed Jun 7 11:13:58 2006 (660 seconds ahead)
[2006/06/07 11:02:58, 10] libsmb/namequery.c:internal_resolve_name(1112)
  internal_resolve_name: looking up RANGER1#20
[2006/06/07 11:02:58, 10] lib/gencache.c:gencache_get(272)
  Returning valid cache entry: key = NBT/RANGER1#20, value = 192.168.200.35:0, timeout = Wed Jun 7 11:13:58 2006
[2006/06/07 11:02:58, 5] libsmb/namecache.c:namecache_fetch(201)
  name RANGER1#20 found.
[2006/06/07 11:02:58, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(91)
  cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [FOREST\administrator]
[2006/06/07 11:02:58, 10] passdb/secrets.c:secrets_named_mutex(779)
  secrets_named_mutex: got mutex for RANGER1
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132)
  write_socket(13,183)
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135)
  write_socket(13,183) wrote 183
[2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623)
  got smb length of 179
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(478)
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(488)
  size=179
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=55297
  smb_tid=0
  smb_pid=32155
  smb_uid=0
  smb_mid=1
  smt_wct=17
  smb_vwv[ 0]= 8 (0x8)
  smb_vwv[ 1]=12807 (0x3207)
  smb_vwv[ 2]= 256 (0x100)
  smb_vwv[ 3]= 1024 (0x400)
  smb_vwv[ 4]= 17 (0x11)
  smb_vwv[ 5]= 0 (0x0)
  smb_vwv[ 6]= 256 (0x100)
  smb_vwv[ 7]= 0 (0x0)
  smb_vwv[ 8]= 0 (0x0)
  smb_vwv[ 9]=64768 (0xFD00)
  smb_vwv[10]= 499 (0x1F3)
  smb_vwv[11]=24704 (0x6080)
  smb_vwv[12]= 2520 (0x9D8)
  smb_vwv[13]=23708 (0x5C9C)
  smb_vwv[14]=50826 (0xC68A)
  smb_vwv[15]=41985 (0xA401)
  smb_vwv[16]= 1 (0x1)
  smb_bcc=110
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] CA A8 09 C4 73 11 B8 46 AC C0 B0 20 AE A4 5F AB ʨ.Äs.¸F ¬À° ®¤_«
  [010] 60 5C 06 06 2B 06 01 05 05 02 A0 52 30 50 A0 30 `\..+... .. R0P 0
  [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. ÷......*
  [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H.÷.... ..*.H.÷.
  [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7...
  [050] A3 1C 30 1A A0 18 1B 16 72 61 6E 67 65 72 31 24 £.0. ... ranger1$
  [060] 40 4E 54 2E 4C 44 58 4E 45 54 2E 43 4F 4D @NT.LDXN ET.COM
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(478)
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(488)
  size=179
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=55297
  smb_tid=0
  smb_pid=32155
  smb_uid=0
  smb_mid=1
  smt_wct=17
  smb_vwv[ 0]= 8 (0x8)
  smb_vwv[ 1]=12807 (0x3207)
  smb_vwv[ 2]= 256 (0x100)
  smb_vwv[ 3]= 1024 (0x400)
  smb_vwv[ 4]= 17 (0x11)
  smb_vwv[ 5]= 0 (0x0)
  smb_vwv[ 6]= 256 (0x100)
  smb_vwv[ 7]= 0 (0x0)
  smb_vwv[ 8]= 0 (0x0)
  smb_vwv[ 9]=64768 (0xFD00)
  smb_vwv[10]= 499 (0x1F3)
  smb_vwv[11]=24704 (0x6080)
  smb_vwv[12]= 2520 (0x9D8)
  smb_vwv[13]=23708 (0x5C9C)
  smb_vwv[14]=50826 (0xC68A)
  smb_vwv[15]=41985 (0xA401)
  smb_vwv[16]= 1 (0x1)
  smb_bcc=110
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] CA A8 09 C4 73 11 B8 46 AC C0 B0 20 AE A4 5F AB ʨ.Äs.¸F ¬À° ®¤_«
  [010] 60 5C 06 06 2B 06 01 05 05 02 A0 52 30 50 A0 30 `\..+... .. R0P 0
  [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. ÷......*
  [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H.÷.... ..*.H.÷.
  [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7...
  [050] A3 1C 30 1A A0 18 1B 16 72 61 6E 67 65 72 31 24 £.0. ... ranger1$
  [060] 40 4E 54 2E 4C 44 58 4E 45 54 2E 43 4F 4D @NT.LDXN ET.COM
[2006/06/07 11:02:58, 5] nsswitch/winbindd_cm.c:cm_prepare_connection(272)
  connecting to RANGER1 from GATE with kerberos principal [GATE$@NT.LDXNET.COM]
[2006/06/07 11:02:58, 3] libsmb/cliconnect.c:cli_session_setup_spnego(723)
  Doing spnego session setup (blob length=110)
[2006/06/07 11:02:58, 3] libsmb/cliconnect.c:cli_session_setup_spnego(748)
  got OID=1 2 840 48018 1 2 2
[2006/06/07 11:02:58, 3] libsmb/cliconnect.c:cli_session_setup_spnego(748)
  got OID=1 2 840 113554 1 2 2
[2006/06/07 11:02:58, 3] libsmb/cliconnect.c:cli_session_setup_spnego(748)
  got OID=1 2 840 113554 1 2 2 3
[2006/06/07 11:02:58, 3] libsmb/cliconnect.c:cli_session_setup_spnego(748)
  got OID=1 3 6 1 4 1 311 2 2 10
[2006/06/07 11:02:58, 3] libsmb/cliconnect.c:cli_session_setup_spnego(757)
  got principal=ranger1$@NT.LDXNET.COM
[2006/06/07 11:02:58, 10] libads/kerberos.c:kerberos_kinit_password_ext(88)
  kerberos_kinit_password: using MEMORY:cliconnect as ccache
[2006/06/07 11:02:58, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(546)
  Doing kerberos session setup
[2006/06/07 11:02:58, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(488)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Wed, 07 Jun 2006 21:02:58 PDT
[2006/06/07 11:02:58, 10] libsmb/clikrb5.c:ads_krb5_mk_req(581)
  ads_krb5_mk_req: Ticket (ranger1$@NT.LDXNET.COM) in ccache (MEMORY:cliconnect) is valid until: (Wed, 07 Jun 2006 21:02:58 PDT - 1149739378)
[2006/06/07 11:02:58, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(685)
  Got KRB5 session key of length 16
[2006/06/07 11:02:58, 5] libsmb/smb_signing.c:set_smb_signing_real_common(124)
  SMB signing enabled!
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:cli_simple_set_signing(446)
  cli_simple_set_signing: user_session_key
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] E0 0F 86 D5 51 CB 62 E9 1A 45 38 02 E0 CF 8C 50 à..ÕQËbé .E8.àÏ.P
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:cli_simple_set_signing(454)
  cli_simple_set_signing: NULL response_data
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 0
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327)
  client_sign_outgoing_message: sent SMB signature of
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] F8 0F 6F 76 93 ED 63 9B ø.ov.íc.
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132)
  write_socket(13,1242)
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135)
  write_socket(13,1242) wrote 1242
[2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623)
  got smb length of 197
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(478)
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(488)
  size=197
  smb_com=0x73
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=55301
  smb_tid=0
  smb_pid=32155
  smb_uid=63490
  smb_mid=2
  smt_wct=4
  smb_vwv[ 0]= 255 (0xFF)
  smb_vwv[ 1]= 197 (0xC5)
  smb_vwv[ 2]= 0 (0x0)
  smb_vwv[ 3]= 26 (0x1A)
  smb_bcc=154
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ¡.0. ... .¡...*.H
  [010] 82 F7 12 01 02 02 A2 02 04 00 00 57 00 69 00 6E .÷....¢. ...W.i.n
  [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r
  [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3
  [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e
  [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a
  [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n
  [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r
  [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3
  [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 ..
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 1
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387)
  client_check_incoming_message: seq 1: got good SMB signature of
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] 8C D9 37 41 9A FE 26 F6 .Ù7A.þ&ö
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(478)
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(488)
  size=197
  smb_com=0x73
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=55301
  smb_tid=0
  smb_pid=32155
  smb_uid=63490
  smb_mid=2
  smt_wct=4
  smb_vwv[ 0]= 255 (0xFF)
  smb_vwv[ 1]= 197 (0xC5)
  smb_vwv[ 2]= 0 (0x0)
  smb_vwv[ 3]= 26 (0x1A)
  smb_bcc=154
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ¡.0. ... .¡...*.H
  [010] 82 F7 12 01 02 02 A2 02 04 00 00 57 00 69 00 6E .÷....¢. ...W.i.n
  [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r
  [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3
  [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e
  [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a
  [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n
  [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r
  [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3
  [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 ..
[2006/06/07 11:02:58, 10] libsmb/clientgen.c:cli_init_creds(233)
  cli_init_creds: user GATE$ domain FOREST
[2006/06/07 11:02:58, 10] libsmb/namequery.c:saf_store(71)
  saf_store: domain = [FOREST], server = [RANGER1], expire = [1149704278]
[2006/06/07 11:02:58, 10] lib/gencache.c:gencache_set(130)
  Adding cache entry with key = SAF/DOMAIN/FOREST; value = RANGER1 and timeout = Wed Jun 7 11:17:58 2006 (900 seconds ahead)
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 2
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327)
  client_sign_outgoing_message: sent SMB signature of
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] 51 99 07 34 07 F4 B5 C9 Q..4.ôµÉ
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132)
  write_socket(13,82)
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135)
  write_socket(13,82) wrote 82
[2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623)
  got smb length of 48
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(478)
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(488)
  size=48
  smb_com=0x75
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=55301
  smb_tid=53253
  smb_pid=32155
  smb_uid=63490
  smb_mid=3
  smt_wct=3
  smb_vwv[ 0]= 255 (0xFF)
  smb_vwv[ 1]= 48 (0x30)
  smb_vwv[ 2]= 1 (0x1)
  smb_bcc=7
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] 49 50 43 00 00 00 00 IPC....
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 3
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387)
  client_check_incoming_message: seq 3: got good SMB signature of
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] C6 87 7F 3A 72 E4 B8 7C Æ..:rä¸|
[2006/06/07 11:02:58, 10] passdb/secrets.c:secrets_named_mutex_release(791)
  secrets_named_mutex: released mutex for RANGER1
[2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:set_global_winbindd_state_online(2334)
  set_global_winbindd_state_online: online requested.
[2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:set_global_winbindd_state_online(2337)
  set_global_winbindd_state_online: rejecting.
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 4
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327)
  client_sign_outgoing_message: sent SMB signature of
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] 92 3C 05 83 B5 54 11 E4 .<..µT.ä
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132)
  write_socket(13,104)
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135)
  write_socket(13,104) wrote 104
[2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623)
  got smb length of 103
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(478)
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(488)
  size=103
  smb_com=0xa2
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=55301
  smb_tid=53253
  smb_pid=32155
  smb_uid=63490
  smb_mid=4
  smt_wct=34
  smb_vwv[ 0]= 255 (0xFF)
  smb_vwv[ 1]= 103 (0x67)
  smb_vwv[ 2]= 3840 (0xF00)
  smb_vwv[ 3]= 384 (0x180)
  smb_vwv[ 4]= 0 (0x0)
  smb_vwv[ 5]= 0 (0x0)
  smb_vwv[ 6]= 0 (0x0)
  smb_vwv[ 7]= 0 (0x0)
  smb_vwv[ 8]= 0 (0x0)
  smb_vwv[ 9]= 0 (0x0)
  smb_vwv[10]= 0 (0x0)
  smb_vwv[11]= 0 (0x0)
  smb_vwv[12]= 0 (0x0)
  smb_vwv[13]= 0 (0x0)
  smb_vwv[14]= 0 (0x0)
  smb_vwv[15]= 0 (0x0)
  smb_vwv[16]= 0 (0x0)
  smb_vwv[17]= 0 (0x0)
  smb_vwv[18]= 0 (0x0)
  smb_vwv[19]= 0 (0x0)
  smb_vwv[20]= 0 (0x0)
  smb_vwv[21]=32768 (0x8000)
  smb_vwv[22]= 0 (0x0)
  smb_vwv[23]= 0 (0x0)
  smb_vwv[24]= 16 (0x10)
  smb_vwv[25]= 0 (0x0)
  smb_vwv[26]= 0 (0x0)
  smb_vwv[27]= 0 (0x0)
  smb_vwv[28]= 0 (0x0)
  smb_vwv[29]= 0 (0x0)
  smb_vwv[30]= 0 (0x0)
  smb_vwv[31]= 512 (0x200)
  smb_vwv[32]=65280 (0xFF00)
  smb_vwv[33]= 5 (0x5)
  smb_bcc=0
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262)
  simple_packet_signature: sequence number 5
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387)
  client_check_incoming_message: seq 5: got good SMB signature of
[2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215)
  [000] D0 A4 7B A8 2E B2 42 50 Ф{¨.²BP
[2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_pipe_bind(2044)
  Bind RPC Pipe[800f]: \lsarpc auth_type 0, auth_level 0
[2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:valid_pipe_name(1647)
  Bind Abstract Syntax:
  [000] 6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 j(.9.±Ð. .¨.ÀOÙ.õ
  [010] 00 00 00 00 ....
[2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:valid_pipe_name(1650)
  Bind Transfer Syntax:
  [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H`
  [010] 02 00 00 00 ....
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0b [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0048 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000001 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_rb [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0018 num_contexts: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 001c context_id : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 001e num_transfer_syntaxes: 01 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 00001f smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 data : 3919286a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0024 
data : b10c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0026 data : 11d0 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0028 data : 9b a8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 002a data : 00 c0 4f d9 2e f5 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 version: 00000000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 data : 8a885d04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0038 data : 1ceb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 003a data : 11c9 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003c data : 9f e8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003e data : 08 00 2b 10 48 60 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 version: 00000002 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x800f [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32783 (0x800F) smb_bcc=87 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... 
[010] 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A .¸...... .......j [030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9.±Ð.. ¨.ÀOÙ.õ. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 6 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 7C 64 43 A1 2B DF 1E EA |dC¡+ß.ê [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,158) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,158) wrote 158 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 124 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 6C 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.ls. ...\PIPE [020] 5C 6C 73 61 73 73 00 AE 67 01 00 00 00 00 00 00 \lsass.® g....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 7 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 7: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 07 B4 F8 8F 5D 29 F9 23 .´ø.])ù# [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 6C 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.ls. ...\PIPE [020] 5C 6C 73 61 73 73 00 AE 67 01 00 00 00 00 00 00 \lsass.® g....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000001 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 68 at offset 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x800f returned 68 bytes. [2006/06/07 11:02:58, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine RANGER1 pipe \lsarpc fnum 0x800f bind request returned ok. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000001 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_ba [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 0000736c [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_rpc_addr_str [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0018 len: 000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 001a str: \PIPE\lsass. 
[2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000026 smb_io_rpc_results [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0028 num_results: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002c result : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002e reason : 0000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 data : 8a885d04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0034 data : 1ceb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0036 data : 11c9 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0038 data : 9f e8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003a data : 08 00 2b 10 48 60 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 version: 00000002 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:check_bind_response(1701) check_bind_response: accepted! [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2271) cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine RANGER1 and bound anonymously. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 ds_io_q_getprimdominfo [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0000 level: 0001 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 001a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000002 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000002 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 0000 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x800f [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=108 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 26 (0x1A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 
0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 26 (0x1A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32783 (0x800F) smb_bcc=41 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 1A 00 00 00 02 00 00 00 02 ........ ........ [020] 00 00 00 00 00 00 00 01 00 ........ . [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 8 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 5C 51 5B D9 94 A6 4F 5D \Q[Ù.¦O] [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,112) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,112) wrote 112 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 236 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=236 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 180 (0xB4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 180 (0xB4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=181 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 1A 05 00 02 03 10 00 00 00 B4 00 00 00 02 00 00 ........ .´...... [010] 00 9C 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 12 DB 58 36 E3 CE 26 46 B0 D2 CA ......ÛX 6ãÎ&F°ÒÊ [040] 3E AA 25 A9 1D 07 00 00 00 00 00 00 00 07 00 00 >ª%©.... ........ 
[050] 00 46 00 4F 00 52 00 45 00 53 00 54 00 00 00 45 .F.O.R.E .S.T...E [060] 00 0E 00 00 00 00 00 00 00 0E 00 00 00 6E 00 74 ........ .....n.t [070] 00 2E 00 6C 00 64 00 78 00 6E 00 65 00 74 00 2E ...l.d.x .n.e.t.. [080] 00 63 00 6F 00 6D 00 00 00 0E 00 00 00 00 00 00 .c.o.m.. ........ [090] 00 0E 00 00 00 6E 00 74 00 2E 00 6C 00 64 00 78 .....n.t ...l.d.x [0A0] 00 6E 00 65 00 74 00 2E 00 63 00 6F 00 6D 00 00 .n.e.t.. .c.o.m.. [0B0] 00 00 00 00 00 ..... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 9 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 9: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] EE 2B 5B 92 87 A7 BD 83 î+[..§½. [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=236 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 180 (0xB4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 180 (0xB4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=181 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 1A 05 00 02 03 10 00 00 00 B4 00 00 00 02 00 00 ........ .´...... [010] 00 9C 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 12 DB 58 36 E3 CE 26 46 B0 D2 CA ......ÛX 6ãÎ&F°ÒÊ [040] 3E AA 25 A9 1D 07 00 00 00 00 00 00 00 07 00 00 >ª%©.... ........ [050] 00 46 00 4F 00 52 00 45 00 53 00 54 00 00 00 45 .F.O.R.E .S.T...E [060] 00 0E 00 00 00 00 00 00 00 0E 00 00 00 6E 00 74 ........ .....n.t [070] 00 2E 00 6C 00 64 00 78 00 6E 00 65 00 74 00 2E ...l.d.x .n.e.t.. [080] 00 63 00 6F 00 6D 00 00 00 0E 00 00 00 00 00 00 .c.o.m.. ........ 
[090] 00 0E 00 00 00 6E 00 74 00 2E 00 6C 00 64 00 78 .....n.t ...l.d.x [0A0] 00 6E 00 65 00 74 00 2E 00 63 00 6F 00 6D 00 00 .n.e.t.. .c.o.m.. [0B0] 00 00 00 00 00 ..... [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 00b4 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000002 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 0000009c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577) cli_pipe_validate_current_pdu: got pdu len 180, data_len 156, ss_len 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 180 at offset 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x800f returned 
312 bytes. [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 ds_io_r_getprimdominfo [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 ptr: 00020000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0004 level: 0001 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0006 unknown0: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 machine_role: 0005 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a unknown: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c flags: 01000001 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 netbios_ptr: 00020004 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 dnsname_ptr: 00020008 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0018 forestname_ptr: 0002000c [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 00001c smb_io_uuid domain_guid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 001c data : 3658db12 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0020 data : cee3 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0022 data : 4626 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0024 data : b0 d2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0026 data : ca 3e aa 25 a9 1d [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 00002c smb_io_unistr2 netbios_domain [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c uni_max_len: 00000007 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 uni_str_len: 00000007 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0038 buffer : F.O.R.E.S.T... 
[2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000048 smb_io_unistr2 dns_domain [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0048 uni_max_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 004c offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0050 uni_str_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0054 buffer : n.t...l.d.x.n.e.t...c.o.m... [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000070 smb_io_unistr2 forest_domain [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0070 uni_max_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0074 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0078 uni_str_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 007c buffer : n.t...l.d.x.n.e.t...c.o.m... [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 0098 status: NT_STATUS_OK [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 10 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] C2 23 49 02 06 17 8C 23 Â#I....# [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,45) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,45) wrote 45 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 35 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=7 smt_wct=0 smb_bcc=0 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) 
simple_packet_signature: sequence number 11 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 11: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] BF 70 D7 B8 2B 35 FD D9 ¿p׸+5ýÙ [2006/06/07 11:02:58, 10] libsmb/clientgen.c:cli_rpc_pipe_close(384) cli_rpc_pipe_close: closed pipe \lsarpc to machine RANGER1 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 12 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] A7 E6 AA BA 38 3D 9C A7 §æªº8=.§ [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,104) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,104) wrote 104 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 103 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 2048 (0x800) smb_vwv[ 3]= 384 (0x180) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 
(0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 13 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 13: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 13 8A AA 03 9B 17 13 9B ..ª..... [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_pipe_bind(2044) Bind RPC Pipe[8008]: \lsarpc auth_type 0, auth_level 0 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:valid_pipe_name(1647) Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4.Í« ï..#Eg.« [010] 00 00 00 00 .... [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:valid_pipe_name(1650) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0b [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0048 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000003 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_rb [2006/06/07 11:02:58, 6] 
rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0018 num_contexts: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 001c context_id : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 001e num_transfer_syntaxes: 01 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 00001f smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 data : 12345778 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0024 data : 1234 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0026 data : abcd [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0028 data : ef 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 002a data : 01 23 45 67 89 ab [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 version: 00000000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 data : 8a885d04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0038 data : 1ceb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 003a data : 11c9 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003c data : 9f e8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003e data : 08 00 2b 10 48 60 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 version: 00000002 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) 
rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x8008 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32776 (0x8008) smb_bcc=87 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 .¸...... .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.Í«ï ..#Eg.«. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... 
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 14 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] F7 41 58 CB 39 C2 9A F5 ÷AXË9Â.õ [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,158) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,158) wrote 158 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 124 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 6D 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.ms. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 15 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 15: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 3B 34 46 CB 2D DE CC 03 ;4FË-ÞÌ. 
[2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 6D 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.ms. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000003 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 68 at offset 0 [2006/06/07 11:02:58, 10] 
rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x8008 returned 68 bytes. [2006/06/07 11:02:58, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine RANGER1 pipe \lsarpc fnum 0x8008 bind request returned ok. [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000003 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_ba [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 0000736d [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_rpc_addr_str [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0018 len: 000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 001a str: \PIPE\lsass. 
[2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000026 smb_io_rpc_results [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0028 num_results: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002c result : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002e reason : 0000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 data : 8a885d04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0034 data : 1ceb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0036 data : 11c9 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0038 data : 9f e8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003a data : 08 00 2b 10 48 60 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 version: 00000002 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:check_bind_response(1701) check_bind_response: accepted! [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2271) cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine RANGER1 and bound anonymously. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_lsa.c:init_lsa_sec_qos(185) init_lsa_sec_qos [2006/06/07 11:02:58, 5] rpc_parse/parse_lsa.c:init_q_open_pol2(368) init_q_open_pol2: attr:0 da:33554432 [2006/06/07 11:02:58, 5] rpc_parse/parse_lsa.c:init_lsa_obj_attr(236) init_lsa_obj_attr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 lsa_io_q_open_pol2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 ptr : 00000001 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000004 smb_io_unistr2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 uni_max_len: 0000000a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0008 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c uni_str_len: 0000000a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0010 buffer : \.\.R.A.N.G.E.R.1... [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000024 lsa_io_obj_attr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0024 len : 00000018 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0028 ptr_root_dir: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c ptr_obj_name: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 attributes : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 ptr_sec_desc: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0038 ptr_sec_qos : 00000001 [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 00003c lsa_io_obj_qos sec_qos [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 003c len : 0000000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0040 sec_imp_level : 0002 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0042 sec_ctxt_mode : 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0043 effective_only: 00 [2006/06/07 11:02:58, 3] 
rpc_parse/parse_lsa.c:lsa_io_sec_qos(224) lsa_io_sec_qos: length c does not match size 8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 des_access: 02000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0060 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000004 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000048 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 002c [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x8008 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=178 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 96 (0x60) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) 
smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 96 (0x60) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32776 (0x8008) smb_bcc=111 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 60 00 00 00 04 00 00 00 48 .......` .......H [020] 00 00 00 00 00 2C 00 01 00 00 00 0A 00 00 00 00 .....,.. ........ [030] 00 00 00 0A 00 00 00 5C 00 5C 00 52 00 41 00 4E .......\ .\.R.A.N [040] 00 47 00 45 00 52 00 31 00 00 00 18 00 00 00 00 .G.E.R.1 ........ [050] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ........ ........ [060] 00 00 00 0C 00 00 00 02 00 01 00 00 00 00 02 ........ ....... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 16 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 1C 1C D7 E4 CF 6A 6B DC ..×äÏjkÜ [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,182) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,182) wrote 182 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 104 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 60 05 00 02 03 10 00 00 00 30 00 
00 00 04 00 00 `....... .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 0C 41 33 ........ ......A3 [020] 34 1E 97 6E 44 AE 36 07 73 4A A0 A4 E4 00 00 00 4..nD®6. sJ ¤ä... [030] 00 . [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 17 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 17: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] CB 27 76 4D 55 F9 37 14 Ë'vMUù7. [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 60 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 `....... .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 0C 41 33 ........ ......A3 [020] 34 1E 97 6E 44 AE 36 07 73 4A A0 A4 E4 00 00 00 4..nD®6. sJ ¤ä... [030] 00 . 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0030 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000004 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000018 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577) cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 48 at offset 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x8008 returned 48 bytes. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 lsa_io_r_open_pol2 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_pol_hnd [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 data1: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 data2: 3433410c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 data3: 971e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a data4: 446e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 000c data5: ae 36 07 73 4a a0 a4 e4 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 0014 status: NT_STATUS_OK [2006/06/07 11:02:58, 5] rpc_parse/parse_lsa.c:init_q_query2(3113) init_q_query2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 lsa_io_q_query_info2 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_pol_hnd pol [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 data1: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 data2: 3433410c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 data3: 971e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a data4: 446e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 000c data5: ae 36 07 73 4a a0 a4 e4 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 info_class: 000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] 
rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 002e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000005 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000016 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 002e [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x8008 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=32776 (0x8008) smb_bcc=61 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 05 00 00 00 16 ........ ........ [020] 00 00 00 00 00 2E 00 00 00 00 00 0C 41 33 34 1E ........ ....A34. [030] 97 6E 44 AE 36 07 73 4A A0 A4 E4 0C 00 .nD®6.sJ  ¤ä.. 
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 18 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] B4 0A 11 F2 5F 54 FF C2 ´..ò_Tÿ [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,132) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,132) wrote 132 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 268 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=268 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 212 (0xD4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 212 (0xD4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=213 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 2E 05 00 02 03 10 00 00 00 D4 00 00 00 05 00 00 ........ .Ô...... [010] 00 BC 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 .¼...... ........ [020] 00 0C 00 0E 00 04 00 02 00 1A 00 1C 00 08 00 02 ........ ........ [030] 00 1A 00 1C 00 0C 00 02 00 12 DB 58 36 E3 CE 26 ........ ..ÛX6ãÎ& [040] 46 B0 D2 CA 3E AA 25 A9 1D 10 00 02 00 07 00 00 F°ÒÊ>ª%© ........ [050] 00 00 00 00 00 06 00 00 00 46 00 4F 00 52 00 45 ........ .F.O.R.E [060] 00 53 00 54 00 0E 00 00 00 00 00 00 00 0D 00 00 .S.T.... ........ [070] 00 6E 00 74 00 2E 00 6C 00 64 00 78 00 6E 00 65 .n.t...l .d.x.n.e [080] 00 74 00 2E 00 63 00 6F 00 6D 00 00 00 0E 00 00 .t...c.o .m...... [090] 00 00 00 00 00 0D 00 00 00 6E 00 74 00 2E 00 6C ........ 
.n.t...l [0A0] 00 64 00 78 00 6E 00 65 00 74 00 2E 00 63 00 6F .d.x.n.e .t...c.o [0B0] 00 6D 00 00 00 04 00 00 00 01 04 00 00 00 00 00 .m...... ........ [0C0] 05 15 00 00 00 DD E8 E4 1C EB 25 79 2C DB EB 0C .....Ýèä .ë%y,Ûë. [0D0] 50 00 00 00 00 P.... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 19 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 19: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] DD 49 9A BB 3D 04 C1 EF ÝI.»=.Áï [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=268 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 212 (0xD4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 212 (0xD4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=213 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 2E 05 00 02 03 10 00 00 00 D4 00 00 00 05 00 00 ........ .Ô...... [010] 00 BC 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 .¼...... ........ [020] 00 0C 00 0E 00 04 00 02 00 1A 00 1C 00 08 00 02 ........ ........ [030] 00 1A 00 1C 00 0C 00 02 00 12 DB 58 36 E3 CE 26 ........ ..ÛX6ãÎ& [040] 46 B0 D2 CA 3E AA 25 A9 1D 10 00 02 00 07 00 00 F°ÒÊ>ª%© ........ [050] 00 00 00 00 00 06 00 00 00 46 00 4F 00 52 00 45 ........ .F.O.R.E [060] 00 53 00 54 00 0E 00 00 00 00 00 00 00 0D 00 00 .S.T.... ........ [070] 00 6E 00 74 00 2E 00 6C 00 64 00 78 00 6E 00 65 .n.t...l .d.x.n.e [080] 00 74 00 2E 00 63 00 6F 00 6D 00 00 00 0E 00 00 .t...c.o .m...... [090] 00 00 00 00 00 0D 00 00 00 6E 00 74 00 2E 00 6C ........ .n.t...l [0A0] 00 64 00 78 00 6E 00 65 00 74 00 2E 00 63 00 6F .d.x.n.e .t...c.o [0B0] 00 6D 00 00 00 04 00 00 00 01 04 00 00 00 00 00 .m...... 
........ [0C0] 05 15 00 00 00 DD E8 E4 1C EB 25 79 2C DB EB 0C .....Ýèä .ë%y,Ûë. [0D0] 50 00 00 00 00 P.... [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 00d4 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000005 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 000000bc [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577) cli_pipe_validate_current_pdu: got pdu len 212, data_len 188, ss_len 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 212 at offset 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x8008 returned 376 bytes. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 lsa_io_r_query_info2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 dom_ptr: 00020000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000004 lsa_io_query_info_ctr2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0004 info_class: 000c [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000006 lsa_io_dom_query_12 [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000008 smb_io_unihdr nb_name [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 uni_str_len: 000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a uni_max_len: 000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c buffer : 00020004 [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_unihdr dns_name [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 uni_str_len: 001a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 uni_max_len: 001c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 buffer : 00020008 [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_unihdr forest [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0018 uni_str_len: 001a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 001a uni_max_len: 001c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 001c buffer : 0002000c [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_uuid dom_guid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 data : 3658db12 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0024 data : cee3 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0026 data : 4626 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0028 data : b0 d2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 002a data : ca 3e aa 25 a9 1d 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 dom_sid: 00020010 [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_unistr2 nb_name [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 uni_max_len: 00000007 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0038 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 003c uni_str_len: 00000006 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0040 buffer : F.O.R.E.S.T. [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 00004c smb_io_unistr2 dns_name [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 004c uni_max_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0050 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0054 uni_str_len: 0000000d [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0058 buffer : n.t...l.d.x.n.e.t...c.o.m. [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000072 smb_io_unistr2 forest [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0074 uni_max_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0078 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 007c uni_str_len: 0000000d [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0080 buffer : n.t...l.d.x.n.e.t...c.o.m. 
[2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 00009a smb_io_dom_sid2 dom_sid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 009c num_auths: 00000004 [2006/06/07 11:02:58, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000a0 smb_io_dom_sid sid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a0 sid_rev_num: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a1 num_auths : 04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a2 id_auth[0] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a3 id_auth[1] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a4 id_auth[2] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a5 id_auth[3] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a6 id_auth[4] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a7 id_auth[5] : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32s(991) 00a8 sub_auths : 00000015 1ce4e8dd 2c7925eb 500cebdb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 00b8 status: NT_STATUS_OK [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 20 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 02 12 73 07 4C BC BB CA ..s.L¼»Ê [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,45) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,45) wrote 45 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 35 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=12 smt_wct=0 
smb_bcc=0 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 21 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 21: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 23 F1 82 FA 9E 44 DE 2A #ñ.ú.DÞ* [2006/06/07 11:02:58, 10] libsmb/clientgen.c:cli_rpc_pipe_close(384) cli_rpc_pipe_close: closed pipe \lsarpc to machine RANGER1 [2006/06/07 11:02:58, 5] nsswitch/winbindd_cache.c:get_cache(125) get_cache: Setting ADS methods for domain FOREST [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:wcache_flush_cache(2144) wcache_flush_cache success [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:fetch_cache_seqnum(337) fetch_cache_seqnum: success [FOREST][1108190 @ 1149703320] [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(427) refresh_sequence_number: FOREST seq number is now 1108190 [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:centry_expired(469) centry_expired: Key LOC_POL/FOREST for domain FOREST is good. 
[2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:wcache_fetch(556) wcache_fetch: returning entry LOC_POL/FOREST for domain FOREST [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:lockout_policy(1764) lockout_policy: [Cached] - cached info for domain FOREST status Success [2006/06/07 11:02:58, 10] lib/events.c:add_timed_event(77) Added timed event "account_lockout_policy_handler": 82e0378 [2006/06/07 11:02:58, 10] lib/events.c:get_timed_events_timeout(118) timed_events_timeout: 3599/999955 [2006/06/07 11:02:58, 4] nsswitch/winbindd_dual.c:fork_domain_child(802) child daemon request 41 [2006/06/07 11:02:58, 10] nsswitch/winbindd_dual.c:child_process_request(393) process_request: request fn INIT_CONNECTION [2006/06/07 11:02:58, 10] libsmb/namequery.c:internal_resolve_name(1112) internal_resolve_name: looking up RANGER1#20 [2006/06/07 11:02:58, 10] lib/gencache.c:gencache_get(272) Returning valid cache entry: key = NBT/RANGER1#20, value = 192.168.200.35:0, timeout = Wed Jun 7 11:13:58 2006 [2006/06/07 11:02:58, 5] libsmb/namecache.c:namecache_fetch(201) name RANGER1#20 found. [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 22 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 1B E2 35 69 25 48 46 06 .â5i%HF. 
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,104) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,104) wrote 104 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 103 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=13 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 448 (0x1C0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 23 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 23: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 75 4C 16 AB CE AA B3 C7 uL.«Îª³Ç [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_pipe_bind(2044) Bind RPC Pipe[c001]: \lsarpc auth_type 0, auth_level 0 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:valid_pipe_name(1647) Bind Abstract Syntax: [000] 6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 j(.9.±Ð. .¨.ÀOÙ.õ [010] 00 00 00 00 .... 
[2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:valid_pipe_name(1650) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0b [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0048 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000006 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_rb [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0018 num_contexts: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 001c context_id : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 001e num_transfer_syntaxes: 01 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 00001f smb_io_rpc_iface [2006/06/07 11:02:58, 7] 
rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 data : 3919286a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0024 data : b10c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0026 data : 11d0 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0028 data : 9b a8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 002a data : 00 c0 4f d9 2e f5 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 version: 00000000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 data : 8a885d04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0038 data : 1ceb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 003a data : 11c9 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003c data : 9f e8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003e data : 08 00 2b 10 48 60 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 version: 00000002 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0xc001 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=14 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49153 (0xC001) smb_bcc=87 [2006/06/07 11:02:58, 
10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 06 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A .¸...... .......j [030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9.±Ð.. ¨.ÀOÙ.õ. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 24 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] CD 24 C5 EF 12 B1 BC EC Í$Åï.±¼ì [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,158) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,158) wrote 158 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 124 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... [010] 00 B8 10 B8 10 6E 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.ns. ...\PIPE [020] 5C 6C 73 61 73 73 00 02 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 25 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 25: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] F8 3D A5 08 76 D2 28 D7 ø=¥.vÒ(× [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... [010] 00 B8 10 B8 10 6E 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.ns. ...\PIPE [020] 5C 6C 73 61 73 73 00 02 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000006 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 68 at offset 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0xc001 returned 68 bytes. [2006/06/07 11:02:58, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine RANGER1 pipe \lsarpc fnum 0xc001 bind request returned ok. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000006 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_ba [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 0000736e [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_rpc_addr_str [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0018 len: 000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 001a str: \PIPE\lsass. 
[2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000026 smb_io_rpc_results [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0028 num_results: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002c result : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002e reason : 0000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 data : 8a885d04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0034 data : 1ceb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0036 data : 11c9 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0038 data : 9f e8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003a data : 08 00 2b 10 48 60 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 version: 00000002 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:check_bind_response(1701) check_bind_response: accepted! [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2271) cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine RANGER1 and bound anonymously. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 ds_io_q_getprimdominfo [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0000 level: 0001 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 001a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000007 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000002 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 0000 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0xc001 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=108 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=15 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 26 (0x1A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 
5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 26 (0x1A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49153 (0xC001) smb_bcc=41 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 1A 00 00 00 07 00 00 00 02 ........ ........ [020] 00 00 00 00 00 00 00 01 00 ........ . [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 26 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 10 2C 09 2D 94 25 93 CB .,.-.%.Ë [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,112) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,112) wrote 112 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 236 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=236 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 180 (0xB4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 180 (0xB4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=181 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 1A 05 00 02 03 10 00 00 00 B4 00 00 00 07 00 00 ........ .´...... [010] 00 9C 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 12 DB 58 36 E3 CE 26 46 B0 D2 CA ......ÛX 6ãÎ&F°ÒÊ [040] 3E AA 25 A9 1D 07 00 00 00 00 00 00 00 07 00 00 >ª%©.... ........ 
[050] 00 46 00 4F 00 52 00 45 00 53 00 54 00 00 00 45 .F.O.R.E .S.T...E [060] 00 0E 00 00 00 00 00 00 00 0E 00 00 00 6E 00 74 ........ .....n.t [070] 00 2E 00 6C 00 64 00 78 00 6E 00 65 00 74 00 2E ...l.d.x .n.e.t.. [080] 00 63 00 6F 00 6D 00 00 00 0E 00 00 00 00 00 00 .c.o.m.. ........ [090] 00 0E 00 00 00 6E 00 74 00 2E 00 6C 00 64 00 78 .....n.t ...l.d.x [0A0] 00 6E 00 65 00 74 00 2E 00 63 00 6F 00 6D 00 00 .n.e.t.. .c.o.m.. [0B0] 00 00 00 00 00 ..... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 27 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 27: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 2A 5B 59 0C 5F 5E FB A2 *[Y._^û¢ [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=236 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 180 (0xB4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 180 (0xB4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=181 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 1A 05 00 02 03 10 00 00 00 B4 00 00 00 07 00 00 ........ .´...... [010] 00 9C 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 12 DB 58 36 E3 CE 26 46 B0 D2 CA ......ÛX 6ãÎ&F°ÒÊ [040] 3E AA 25 A9 1D 07 00 00 00 00 00 00 00 07 00 00 >ª%©.... ........ [050] 00 46 00 4F 00 52 00 45 00 53 00 54 00 00 00 45 .F.O.R.E .S.T...E [060] 00 0E 00 00 00 00 00 00 00 0E 00 00 00 6E 00 74 ........ .....n.t [070] 00 2E 00 6C 00 64 00 78 00 6E 00 65 00 74 00 2E ...l.d.x .n.e.t.. [080] 00 63 00 6F 00 6D 00 00 00 0E 00 00 00 00 00 00 .c.o.m.. ........ 
[090] 00 0E 00 00 00 6E 00 74 00 2E 00 6C 00 64 00 78 .....n.t ...l.d.x [0A0] 00 6E 00 65 00 74 00 2E 00 63 00 6F 00 6D 00 00 .n.e.t.. .c.o.m.. [0B0] 00 00 00 00 00 ..... [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 00b4 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000007 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 0000009c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577) cli_pipe_validate_current_pdu: got pdu len 180, data_len 156, ss_len 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 180 at offset 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0xc001 returned 
312 bytes. [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 ds_io_r_getprimdominfo [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 ptr: 00020000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0004 level: 0001 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0006 unknown0: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 machine_role: 0005 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a unknown: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c flags: 01000001 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 netbios_ptr: 00020004 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 dnsname_ptr: 00020008 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0018 forestname_ptr: 0002000c [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 00001c smb_io_uuid domain_guid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 001c data : 3658db12 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0020 data : cee3 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0022 data : 4626 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0024 data : b0 d2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0026 data : ca 3e aa 25 a9 1d [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 00002c smb_io_unistr2 netbios_domain [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c uni_max_len: 00000007 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 uni_str_len: 00000007 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0038 buffer : F.O.R.E.S.T... 
[2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000048 smb_io_unistr2 dns_domain [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0048 uni_max_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 004c offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0050 uni_str_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0054 buffer : n.t...l.d.x.n.e.t...c.o.m... [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000070 smb_io_unistr2 forest_domain [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0070 uni_max_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0074 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0078 uni_str_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 007c buffer : n.t...l.d.x.n.e.t...c.o.m... [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 0098 status: NT_STATUS_OK [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 28 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 26 65 38 ED CD ED 2C 05 &e8íÍí,. 
[2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,45) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,45) wrote 45 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 35 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=16 smt_wct=0 smb_bcc=0 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 29 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 29: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 61 8A 03 E6 71 88 F0 73 a..æq.ðs [2006/06/07 11:02:58, 10] libsmb/clientgen.c:cli_rpc_pipe_close(384) cli_rpc_pipe_close: closed pipe \lsarpc to machine RANGER1 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 30 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 48 EA 1A C7 CD 33 54 5B Hê.ÇÍ3T[ [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,104) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,104) wrote 104 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 103 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=17 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) 
smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 31 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 31: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 65 E3 6B 8C A5 72 D0 8E eãk.¥rÐ. [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_pipe_bind(2044) Bind RPC Pipe[4000]: \lsarpc auth_type 0, auth_level 0 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:valid_pipe_name(1647) Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4.Í« ï..#Eg.« [010] 00 00 00 00 .... [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:valid_pipe_name(1650) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0b [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0048 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000008 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_rb [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0018 num_contexts: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 001c context_id : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 001e num_transfer_syntaxes: 01 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 00001f smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 data : 12345778 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0024 
data : 1234 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0026 data : abcd [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0028 data : ef 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 002a data : 01 23 45 67 89 ab [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 version: 00000000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 data : 8a885d04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0038 data : 1ceb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 003a data : 11c9 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003c data : 9f e8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003e data : 08 00 2b 10 48 60 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 version: 00000002 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x4000 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=18 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16384 (0x4000) smb_bcc=87 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... 
[010] 00 0B 03 10 00 00 00 48 00 00 00 08 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 .¸...... .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.Í«ï ..#Eg.«. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 32 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] E3 7A C5 E8 25 2F A8 98 ãzÅè%/¨. [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,158) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,158) wrote 158 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 124 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 08 00 00 H....... .D...... [010] 00 B8 10 B8 10 6F 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.os. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 33 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 33: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 79 AE ED 3D 27 FD A5 19 y®í='ý¥. [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 08 00 00 H....... .D...... [010] 00 B8 10 B8 10 6F 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.os. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000008 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 68 at offset 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x4000 returned 68 bytes. [2006/06/07 11:02:58, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine RANGER1 pipe \lsarpc fnum 0x4000 bind request returned ok. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000008 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_ba [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 0000736f [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_rpc_addr_str [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0018 len: 000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 001a str: \PIPE\lsass. 
[2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000026 smb_io_rpc_results [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0028 num_results: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002c result : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002e reason : 0000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_rpc_iface [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_uuid uuid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 data : 8a885d04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0034 data : 1ceb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0036 data : 11c9 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0038 data : 9f e8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003a data : 08 00 2b 10 48 60 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 version: 00000002 [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:check_bind_response(1701) check_bind_response: accepted! [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2271) cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine RANGER1 and bound anonymously. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_lsa.c:init_lsa_sec_qos(185) init_lsa_sec_qos [2006/06/07 11:02:58, 5] rpc_parse/parse_lsa.c:init_q_open_pol2(368) init_q_open_pol2: attr:0 da:33554432 [2006/06/07 11:02:58, 5] rpc_parse/parse_lsa.c:init_lsa_obj_attr(236) init_lsa_obj_attr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 lsa_io_q_open_pol2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 ptr : 00000001 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000004 smb_io_unistr2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 uni_max_len: 0000000a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0008 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c uni_str_len: 0000000a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0010 buffer : \.\.R.A.N.G.E.R.1... [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000024 lsa_io_obj_attr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0024 len : 00000018 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0028 ptr_root_dir: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c ptr_obj_name: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 attributes : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 ptr_sec_desc: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0038 ptr_sec_qos : 00000001 [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 00003c lsa_io_obj_qos sec_qos [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 003c len : 0000000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0040 sec_imp_level : 0002 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0042 sec_ctxt_mode : 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0043 effective_only: 00 [2006/06/07 11:02:58, 3] 
rpc_parse/parse_lsa.c:lsa_io_sec_qos(224) lsa_io_sec_qos: length c does not match size 8 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 des_access: 02000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0060 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000009 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000048 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 002c [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x4000 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=178 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=19 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 96 (0x60) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) 
smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 96 (0x60) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16384 (0x4000) smb_bcc=111 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 60 00 00 00 09 00 00 00 48 .......` .......H [020] 00 00 00 00 00 2C 00 01 00 00 00 0A 00 00 00 00 .....,.. ........ [030] 00 00 00 0A 00 00 00 5C 00 5C 00 52 00 41 00 4E .......\ .\.R.A.N [040] 00 47 00 45 00 52 00 31 00 00 00 18 00 00 00 00 .G.E.R.1 ........ [050] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ........ ........ [060] 00 00 00 0C 00 00 00 02 00 01 00 00 00 00 02 ........ ....... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 34 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 01 AC C8 BA 0F 3E 84 40 .¬Èº.>.@ [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,182) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,182) wrote 182 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 104 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=19 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 60 05 00 02 03 10 00 00 00 30 00 
00 00 09 00 00 `....... .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 68 E0 B5 ........ .....hൠ[020] 03 86 11 7E 44 95 DE 50 E8 04 5D D7 92 00 00 00 ...~D.ÞP è.]×.... [030] 00 . [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 35 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 35: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 41 77 94 74 AC 89 01 F9 Aw.t¬..ù [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=19 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 60 05 00 02 03 10 00 00 00 30 00 00 00 09 00 00 `....... .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 68 E0 B5 ........ .....hൠ[020] 03 86 11 7E 44 95 DE 50 E8 04 5D D7 92 00 00 00 ...~D.ÞP è.]×.... [030] 00 . 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0030 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000009 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000018 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577) cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 48 at offset 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x4000 returned 48 bytes. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 lsa_io_r_open_pol2 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_pol_hnd [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 data1: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 data2: 03b5e068 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 data3: 1186 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a data4: 447e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 000c data5: 95 de 50 e8 04 5d d7 92 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 0014 status: NT_STATUS_OK [2006/06/07 11:02:58, 5] rpc_parse/parse_lsa.c:init_q_query2(3113) init_q_query2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 lsa_io_q_query_info2 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_pol_hnd pol [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 data1: 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 data2: 03b5e068 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 data3: 1186 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a data4: 447e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 000c data5: 95 de 50 e8 04 5d d7 92 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 info_class: 000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] 
rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 002e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000016 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 002e [2006/06/07 11:02:58, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x4000 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=20 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16384 (0x4000) smb_bcc=61 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 0A 00 00 00 16 ........ ........ [020] 00 00 00 00 00 2E 00 00 00 00 00 68 E0 B5 03 86 ........ ...hàµ.. [030] 11 7E 44 95 DE 50 E8 04 5D D7 92 0C 00 .~D.ÞPè. ]×... 
[2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 36 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 33 5D 0A 94 4E 9F B7 68 3]..N.·h [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,132) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,132) wrote 132 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 268 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=268 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 212 (0xD4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 212 (0xD4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=213 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 2E 05 00 02 03 10 00 00 00 D4 00 00 00 0A 00 00 ........ .Ô...... [010] 00 BC 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 .¼...... ........ [020] 00 0C 00 0E 00 04 00 02 00 1A 00 1C 00 08 00 02 ........ ........ [030] 00 1A 00 1C 00 0C 00 02 00 12 DB 58 36 E3 CE 26 ........ ..ÛX6ãÎ& [040] 46 B0 D2 CA 3E AA 25 A9 1D 10 00 02 00 07 00 00 F°ÒÊ>ª%© ........ [050] 00 00 00 00 00 06 00 00 00 46 00 4F 00 52 00 45 ........ .F.O.R.E [060] 00 53 00 54 00 0E 00 00 00 00 00 00 00 0D 00 00 .S.T.... ........ [070] 00 6E 00 74 00 2E 00 6C 00 64 00 78 00 6E 00 65 .n.t...l .d.x.n.e [080] 00 74 00 2E 00 63 00 6F 00 6D 00 00 00 0E 00 00 .t...c.o .m...... [090] 00 00 00 00 00 0D 00 00 00 6E 00 74 00 2E 00 6C ........ 
.n.t...l [0A0] 00 64 00 78 00 6E 00 65 00 74 00 2E 00 63 00 6F .d.x.n.e .t...c.o [0B0] 00 6D 00 00 00 04 00 00 00 01 04 00 00 00 00 00 .m...... ........ [0C0] 05 15 00 00 00 DD E8 E4 1C EB 25 79 2C DB EB 0C .....Ýèä .ë%y,Ûë. [0D0] 50 00 00 00 00 P.... [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 37 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 37: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 74 7B 05 DF 63 38 2B 96 t{.ßc8+. [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=268 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 212 (0xD4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 212 (0xD4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=213 [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 2E 05 00 02 03 10 00 00 00 D4 00 00 00 0A 00 00 ........ .Ô...... [010] 00 BC 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 .¼...... ........ [020] 00 0C 00 0E 00 04 00 02 00 1A 00 1C 00 08 00 02 ........ ........ [030] 00 1A 00 1C 00 0C 00 02 00 12 DB 58 36 E3 CE 26 ........ ..ÛX6ãÎ& [040] 46 B0 D2 CA 3E AA 25 A9 1D 10 00 02 00 07 00 00 F°ÒÊ>ª%© ........ [050] 00 00 00 00 00 06 00 00 00 46 00 4F 00 52 00 45 ........ .F.O.R.E [060] 00 53 00 54 00 0E 00 00 00 00 00 00 00 0D 00 00 .S.T.... ........ [070] 00 6E 00 74 00 2E 00 6C 00 64 00 78 00 6E 00 65 .n.t...l .d.x.n.e [080] 00 74 00 2E 00 63 00 6F 00 6D 00 00 00 0E 00 00 .t...c.o .m...... [090] 00 00 00 00 00 0D 00 00 00 6E 00 74 00 2E 00 6C ........ .n.t...l [0A0] 00 64 00 78 00 6E 00 65 00 74 00 2E 00 63 00 6F .d.x.n.e .t...c.o [0B0] 00 6D 00 00 00 04 00 00 00 01 04 00 00 00 00 00 .m...... 
........ [0C0] 05 15 00 00 00 DD E8 E4 1C EB 25 79 2C DB EB 0C .....Ýèä .ë%y,Ûë. [0D0] 50 00 00 00 00 P.... [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 00d4 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 000000bc [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577) cli_pipe_validate_current_pdu: got pdu len 212, data_len 188, ss_len 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 212 at offset 0 [2006/06/07 11:02:58, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \lsarpc fnum 0x4000 returned 376 bytes. 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 lsa_io_r_query_info2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 dom_ptr: 00020000 [2006/06/07 11:02:58, 6] rpc_parse/parse_prs.c:prs_debug(84) 000004 lsa_io_query_info_ctr2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0004 info_class: 000c [2006/06/07 11:02:58, 7] rpc_parse/parse_prs.c:prs_debug(84) 000006 lsa_io_dom_query_12 [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000008 smb_io_unihdr nb_name [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 uni_str_len: 000c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a uni_max_len: 000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c buffer : 00020004 [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_unihdr dns_name [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 uni_str_len: 001a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 uni_max_len: 001c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 buffer : 00020008 [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_unihdr forest [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0018 uni_str_len: 001a [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 001a uni_max_len: 001c [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 001c buffer : 0002000c [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_uuid dom_guid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 data : 3658db12 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0024 data : cee3 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0026 data : 4626 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0028 data : b0 d2 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 002a data : ca 3e aa 25 a9 1d 
[2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 dom_sid: 00020010 [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_unistr2 nb_name [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 uni_max_len: 00000007 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0038 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 003c uni_str_len: 00000006 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0040 buffer : F.O.R.E.S.T. [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 00004c smb_io_unistr2 dns_name [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 004c uni_max_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0050 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0054 uni_str_len: 0000000d [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0058 buffer : n.t...l.d.x.n.e.t...c.o.m. [2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 000072 smb_io_unistr2 forest [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0074 uni_max_len: 0000000e [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0078 offset : 00000000 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 007c uni_str_len: 0000000d [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0080 buffer : n.t...l.d.x.n.e.t...c.o.m. 
[2006/06/07 11:02:58, 8] rpc_parse/parse_prs.c:prs_debug(84) 00009a smb_io_dom_sid2 dom_sid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32(704) 009c num_auths: 00000004 [2006/06/07 11:02:58, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000a0 smb_io_dom_sid sid [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a0 sid_rev_num: 01 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a1 num_auths : 04 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a2 id_auth[0] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a3 id_auth[1] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a4 id_auth[2] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a5 id_auth[3] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a6 id_auth[4] : 00 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint8(615) 00a7 id_auth[5] : 05 [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_uint32s(991) 00a8 sub_auths : 00000015 1ce4e8dd 2c7925eb 500cebdb [2006/06/07 11:02:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 00b8 status: NT_STATUS_OK [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 38 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 0C A2 44 84 6F 53 0B 71 .¢D.oS.q [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,45) [2006/06/07 11:02:58, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,45) wrote 45 [2006/06/07 11:02:58, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 35 [2006/06/07 11:02:58, 5] lib/util.c:show_msg(478) [2006/06/07 11:02:58, 5] lib/util.c:show_msg(488) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=21 smt_wct=0 
smb_bcc=0 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 39 [2006/06/07 11:02:58, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 39: got good SMB signature of [2006/06/07 11:02:58, 10] lib/util.c:dump_data(2215) [000] 38 FC 44 25 18 61 0F E6 8üD%.a.æ [2006/06/07 11:02:58, 10] libsmb/clientgen.c:cli_rpc_pipe_close(384) cli_rpc_pipe_close: closed pipe \lsarpc to machine RANGER1 [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:cache_store_response(1912) Storing response for pid 32155, len 3192 [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1952) Retrieving response for pid 32155 [2006/06/07 11:02:58, 5] nsswitch/winbindd_util.c:init_child_recv(420) Received child initialization response for domain FOREST [2006/06/07 11:02:58, 10] lib/events.c:get_timed_events_timeout(118) timed_events_timeout: 3599/960516 [2006/06/07 11:02:58, 4] nsswitch/winbindd_dual.c:fork_domain_child(802) child daemon request 18 [2006/06/07 11:02:58, 10] nsswitch/winbindd_dual.c:child_process_request(393) process_request: request fn LIST_TRUSTDOM [2006/06/07 11:02:58, 3] nsswitch/winbindd_misc.c:winbindd_dual_list_trusted_domains(121) [32152]: list trusted domains [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(399) refresh_sequence_number: FOREST time ok [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:refresh_sequence_number(427) refresh_sequence_number: FOREST seq number is now 1108190 [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:centry_expired(469) centry_expired: Key TRUSTDOMS/FOREST for domain FOREST is good. 
[2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:wcache_fetch(556) wcache_fetch: returning entry TRUSTDOMS/FOREST for domain FOREST [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:trusted_domains(1688) trusted_domains: [Cached] - cached info for domain FOREST (0 trusts) status Success [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:cache_store_response(1912) Storing response for pid 32155, len 3192 [2006/06/07 11:02:58, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1952) Retrieving response for pid 32155 [2006/06/07 11:02:58, 10] lib/events.c:get_timed_events_timeout(118) timed_events_timeout: 3599/959976 [2006/06/07 11:03:15, 6] nsswitch/winbindd.c:new_connection(601) accepted socket 18 [2006/06/07 11:03:15, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn INTERFACE_VERSION [2006/06/07 11:03:15, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(471) [ 0]: request interface version [2006/06/07 11:03:15, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn WINBINDD_PRIV_PIPE_DIR [2006/06/07 11:03:15, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(504) [ 0]: request location of privileged pipe [2006/06/07 11:03:15, 6] nsswitch/winbindd.c:new_connection(601) accepted socket 19 [2006/06/07 11:03:15, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn ENDPWENT [2006/06/07 11:03:15, 3] nsswitch/winbindd_user.c:winbindd_endpwent(508) [ 0]: endpwent [2006/06/07 11:03:15, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn GETGROUPS [2006/06/07 11:03:15, 3] nsswitch/winbindd_group.c:winbindd_getgroups(991) [ 0]: getgroups root [2006/06/07 11:03:15, 7] nsswitch/winbindd_group.c:winbindd_getgroups(1035) winbindd_getpwnam: My domain -- rejecting getgroups() for FOREST\root. 
[2006/06/07 11:03:35, 6] nsswitch/winbindd.c:new_connection(601) accepted socket 18 [2006/06/07 11:03:35, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn INTERFACE_VERSION [2006/06/07 11:03:35, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(471) [ 0]: request interface version [2006/06/07 11:03:35, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn WINBINDD_PRIV_PIPE_DIR [2006/06/07 11:03:35, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(504) [ 0]: request location of privileged pipe [2006/06/07 11:03:35, 6] nsswitch/winbindd.c:new_connection(601) accepted socket 19 [2006/06/07 11:03:35, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn PAM_AUTH [2006/06/07 11:03:35, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(657) [ 0]: pam auth maint [2006/06/07 11:03:35, 8] lib/util.c:is_myname(2036) is_myname("FOREST") returns 0 [2006/06/07 11:03:35, 4] nsswitch/winbindd_dual.c:fork_domain_child(802) child daemon request 12 [2006/06/07 11:03:35, 10] nsswitch/winbindd_dual.c:child_process_request(393) process_request: request fn PAM_AUTH [2006/06/07 11:03:35, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1095) [32152]: dual pam auth maint [2006/06/07 11:03:35, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1101) winbindd_dual_pam_auth: domain: FOREST last was online [2006/06/07 11:03:35, 10] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_samlogon(940) winbindd_dual_pam_auth_samlogon [2006/06/07 11:03:35, 8] lib/util.c:is_myname(2036) is_myname("FOREST") returns 0 [2006/06/07 11:03:35, 4] passdb/secrets.c:secrets_fetch_trust_account_password(285) Using cleartext machine password [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 40 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] BD 
64 CA F0 7D F6 EA 6C ½dÊð}öêl [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,108) [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,108) wrote 108 [2006/06/07 11:03:35, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 103 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=22 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 2304 (0x900) smb_vwv[ 3]= 448 (0x1C0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 41 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 41: got good SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] BC 25 B2 A3 14 F1 6D AD ¼%²£.ñm­ [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:rpc_pipe_bind(2044) Bind RPC Pipe[c009]: \NETLOGON auth_type 0, auth_level 0 [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:valid_pipe_name(1647) Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4.Í« ï..#EgÏû [010] 01 00 00 00 .... 
[2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:valid_pipe_name(1650) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0b [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0048 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000b [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_rb [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0018 num_contexts: 01 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 001c context_id : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 001e num_transfer_syntaxes: 01 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 00001f smb_io_rpc_iface [2006/06/07 11:03:35, 7] 
rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_uuid uuid [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 data : 12345678 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0024 data : 1234 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0026 data : abcd [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0028 data : ef 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 002a data : 01 23 45 67 cf fb [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 version: 00000001 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_rpc_iface [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_uuid uuid [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 data : 8a885d04 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0038 data : 1ceb [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 003a data : 11c9 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003c data : 9f e8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003e data : 08 00 2b 10 48 60 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 version: 00000002 [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc009 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=23 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49161 (0xC009) smb_bcc=87 [2006/06/07 11:03:35, 
10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 0B 00 00 00 B8 .......H .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 .¸...... .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.Í«ï ..#EgÏû. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 .H`.... [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 42 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] F5 84 F2 F9 90 28 B8 21 õ.òù.(¸! [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,158) [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,158) wrote 158 [2006/06/07 11:03:35, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 124 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=23 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 0B 00 00 H....... .D...... [010] 00 B8 10 B8 10 70 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.ps. ...\PIPE [020] 5C 6C 73 61 73 73 00 02 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 43 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 43: got good SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 60 53 B2 53 08 0A D6 99 `S²S..Ö. [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=23 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 0B 00 00 H....... .D...... [010] 00 B8 10 B8 10 70 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.ps. ...\PIPE [020] 5C 6C 73 61 73 73 00 02 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 `.... 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000b [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 68 at offset 0 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc009 returned 68 bytes. [2006/06/07 11:03:35, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine RANGER1 pipe \NETLOGON fnum 0xc009 bind request returned ok. 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0044 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000b [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_ba [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 00007370 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_rpc_addr_str [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0018 len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 001a str: \PIPE\lsass. 
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000026 smb_io_rpc_results [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0028 num_results: 01 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002c result : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002e reason : 0000 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_rpc_iface [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_uuid uuid [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 data : 8a885d04 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0034 data : 1ceb [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0036 data : 11c9 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0038 data : 9f e8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003a data : 08 00 2b 10 48 60 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 version: 00000002 [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:check_bind_response(1701) check_bind_response: accepted! [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2271) cli_rpc_pipe_open_noauth: opened pipe \NETLOGON to machine RANGER1 and bound anonymously. 
[2006/06/07 11:03:35, 4] rpc_client/cli_netlogon.c:rpccli_net_req_chal(46) cli_net_req_chal: LSA Request Challenge from GATE to \\RANGER1 [2006/06/07 11:03:35, 5] rpc_parse/parse_net.c:init_q_req_chal(679) init_q_req_chal: 679 [2006/06/07 11:03:35, 5] rpc_parse/parse_net.c:init_q_req_chal(688) init_q_req_chal: 688 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 net_io_q_req_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 undoc_buffer: 00000001 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000004 smb_io_unistr2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 uni_max_len: 0000000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0008 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c uni_str_len: 0000000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0010 buffer : \.\.R.A.N.G.E.R.1... [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000024 smb_io_unistr2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0024 uni_max_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0028 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c uni_str_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0030 buffer : G.A.T.E... 
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 00003a smb_io_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003a data: a5 8e 13 5a 25 58 50 90 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 005a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000042 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 0004 [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc009 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=24 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 90 (0x5A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) 
smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 90 (0x5A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49161 (0xC009) smb_bcc=105 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 5A 00 00 00 0C 00 00 00 42 .......Z .......B [020] 00 00 00 00 00 04 00 01 00 00 00 0A 00 00 00 00 ........ ........ [030] 00 00 00 0A 00 00 00 5C 00 5C 00 52 00 41 00 4E .......\ .\.R.A.N [040] 00 47 00 45 00 52 00 31 00 00 00 05 00 00 00 00 .G.E.R.1 ........ [050] 00 00 00 05 00 00 00 47 00 41 00 54 00 45 00 00 .......G .A.T.E.. [060] 00 A5 8E 13 5A 25 58 50 90 .¥..Z%XP . [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 44 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] AB D1 CB 2C 8C 05 C4 FF «ÑË,..Äÿ [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,176) [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,176) wrote 176 [2006/06/07 11:03:35, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 92 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=24 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 5A 05 00 02 03 10 00 00 00 24 00 00 00 0C 00 00 Z....... 
.$...... [010] 00 0C 00 00 00 00 00 00 00 3B 27 F0 83 59 A2 09 ........ .;'ð.Y¢. [020] 0D 00 00 00 00 ..... [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 45 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 45: got good SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] E6 AD 8D 9E 5D AE 0C 0A æ­..]®.. [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=24 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 5A 05 00 02 03 10 00 00 00 24 00 00 00 0C 00 00 Z....... .$...... [010] 00 0C 00 00 00 00 00 00 00 3B 27 F0 83 59 A2 09 ........ .;'ð.Y¢. [020] 0D 00 00 00 00 ..... 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0024 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 0000000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577) cli_pipe_validate_current_pdu: got pdu len 36, data_len 12, ss_len 0 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 36 at offset 0 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc009 returned 24 bytes. 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 net_io_r_req_chal [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0000 data: 3b 27 f0 83 59 a2 09 0d [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 0008 status: NT_STATUS_OK [2006/06/07 11:03:35, 10] libsmb/credentials.c:creds_client_init(286) creds_client_init: neg_flags : 400701ff [2006/06/07 11:03:35, 10] libsmb/credentials.c:creds_client_init(287) creds_client_init: client chal : A58E135A25585090 [2006/06/07 11:03:35, 10] libsmb/credentials.c:creds_client_init(288) creds_client_init: server chal : 3B27F08359A2090D [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_init_64(117) creds_init_64 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_init_64(118) clnt_chal_in: A58E135A25585090 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_init_64(119) srv_chal_in : 3B27F08359A2090D [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_init_64(120) clnt+srv : E0B503DE7EFA599D [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_init_64(121) sess_key_out : 0FE315ACDB5DAF3D [2006/06/07 11:03:35, 10] libsmb/credentials.c:creds_client_init(306) creds_client_init: clnt : 165A011499CEE688 [2006/06/07 11:03:35, 10] libsmb/credentials.c:creds_client_init(307) creds_client_init: server : 1A56BA1C3DD1768B [2006/06/07 11:03:35, 10] libsmb/credentials.c:creds_client_init(308) creds_client_init: seed : 165A011499CEE688 [2006/06/07 11:03:35, 4] rpc_client/cli_netlogon.c:rpccli_net_auth2(170) cli_net_auth2: srv:\\RANGER1 acct:GATE$ sc:2 mc: GATE neg: 400701ff [2006/06/07 11:03:35, 5] rpc_parse/parse_net.c:init_q_auth_2(800) init_q_auth_2: 800 [2006/06/07 11:03:35, 5] rpc_parse/parse_misc.c:init_log_info(1454) make_log_info 1454 [2006/06/07 11:03:35, 5] rpc_parse/parse_net.c:init_q_auth_2(806) init_q_auth_2: 806 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 net_io_q_auth_2 
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_log_info [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 undoc_buffer: 00000001 [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000004 smb_io_unistr2 unistr2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 uni_max_len: 0000000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0008 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c uni_str_len: 0000000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0010 buffer : \.\.R.A.N.G.E.R.1... [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000024 smb_io_unistr2 unistr2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0024 uni_max_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0028 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c uni_str_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0030 buffer : G.A.T.E.$... [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 003c sec_chan: 0002 [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 00003e smb_io_unistr2 unistr2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 uni_max_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0048 uni_str_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 004c buffer : G.A.T.E... 
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000056 smb_io_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0056 data: 16 5a 01 14 99 ce e6 88 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 00005e net_io_neg_flags [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0060 neg_flags: 400701ff [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 007c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000d [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000064 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 000f [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc009 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=206 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 
smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=25 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 124 (0x7C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 124 (0x7C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49161 (0xC009) smb_bcc=139 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 7C 00 00 00 0D 00 00 00 64 .......| .......d [020] 00 00 00 00 00 0F 00 01 00 00 00 0A 00 00 00 00 ........ ........ [030] 00 00 00 0A 00 00 00 5C 00 5C 00 52 00 41 00 4E .......\ .\.R.A.N [040] 00 47 00 45 00 52 00 31 00 00 00 06 00 00 00 00 .G.E.R.1 ........ [050] 00 00 00 06 00 00 00 47 00 41 00 54 00 45 00 24 .......G .A.T.E.$ [060] 00 00 00 02 00 00 00 05 00 00 00 00 00 00 00 05 ........ ........ [070] 00 00 00 47 00 41 00 54 00 45 00 00 00 16 5A 01 ...G.A.T .E....Z. [080] 14 99 CE E6 88 00 00 FF 01 07 40 ..Îæ...ÿ ..@ [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 46 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] A4 D9 94 F0 60 D0 1B 80 ¤Ù.ð`Ð.. 
[2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,210) [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,210) wrote 210 [2006/06/07 11:03:35, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 96 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=25 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 7C 05 00 02 03 10 00 00 00 28 00 00 00 0D 00 00 |....... .(...... [010] 00 10 00 00 00 00 00 00 00 1A 56 BA 1C 3D D1 76 ........ ..Vº.=Ñv [020] 8B FF 01 07 40 00 00 00 00 .ÿ..@... . [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 47 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 47: got good SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 6C 48 33 3F 74 48 1E F3 lH3?tH.ó [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=25 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 7C 05 00 02 03 10 00 00 00 28 00 00 00 0D 00 00 |....... .(...... 
[010] 00 10 00 00 00 00 00 00 00 1A 56 BA 1C 3D D1 76 ........ ..Vº.=Ñv [020] 8B FF 01 07 40 00 00 00 00 .ÿ..@... . [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0028 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000d [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000010 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577) cli_pipe_validate_current_pdu: got pdu len 40, data_len 16, ss_len 0 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 40 at offset 0 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc009 returned 32 bytes. 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 net_io_r_auth_2 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0000 data: 1a 56 ba 1c 3d d1 76 8b [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000008 net_io_neg_flags [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0008 neg_flags: 400701ff [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 000c status: NT_STATUS_OK [2006/06/07 11:03:35, 10] libsmb/credentials.c:creds_client_check(325) creds_client_check: credentials check OK. [2006/06/07 11:03:35, 5] rpc_client/cli_netlogon.c:rpccli_netlogon_setup_creds(346) rpccli_netlogon_setup_creds: server RANGER1 credential chain established. [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 48 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 0F 18 93 E8 7C 3A CF DC ...è|:ÏÜ [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,108) [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,108) wrote 108 [2006/06/07 11:03:35, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 103 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=26 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 2560 (0xA00) smb_vwv[ 3]= 448 (0x1C0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) 
smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 49 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 49: got good SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] BA 8E FD CF AD FF 3A 56 º.ýÏ­ÿ:V [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:rpc_pipe_bind(2044) Bind RPC Pipe[c00a]: \NETLOGON auth_type 2, auth_level 6 [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:valid_pipe_name(1647) Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4.Í« ï..#EgÏû [010] 01 00 00 00 .... [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:valid_pipe_name(1650) Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]..ë.É. .è..+.H` [010] 02 00 00 00 .... 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_auth_schannel_neg schannel_neg [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 type1: 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 type2: 00000003 [2006/06/07 11:03:35, 6] lib/util.c:dump_data(2215) [000] 46 4F 52 45 53 54 FOREST [2006/06/07 11:03:35, 6] lib/util.c:dump_data(2215) [000] 47 41 54 45 GATE [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0b [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0064 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0014 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000e [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_rb [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0018 num_contexts: 01 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 
001c context_id : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 001e num_transfer_syntaxes: 01 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 00001f smb_io_rpc_iface [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_uuid uuid [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 data : 12345678 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0024 data : 1234 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0026 data : abcd [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0028 data : ef 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 002a data : 01 23 45 67 cf fb [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 version: 00000001 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_rpc_iface [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000034 smb_io_uuid uuid [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 data : 8a885d04 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0038 data : 1ceb [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 003a data : 11c9 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003c data : 9f e8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003e data : 08 00 2b 10 48 60 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 version: 00000002 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000048 smb_io_rpc_hdr_auth hdr_auth [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0048 auth_type : 44 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0049 auth_level : 06 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 004a auth_pad_len : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 004b auth_reserved: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 004c auth_context_id: 00000001 
[2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc00a [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=182 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=27 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 100 (0x64) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 100 (0x64) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49162 (0xC00A) smb_bcc=115 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 64 00 14 00 0E 00 00 00 B8 .......d .......¸ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 .¸...... .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.Í«ï ..#EgÏû. [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]..ë .É..è..+ [050] 10 48 60 02 00 00 00 44 06 00 00 01 00 00 00 00 .H`....D ........ [060] 00 00 00 03 00 00 00 46 4F 52 45 53 54 00 47 41 .......F OREST.GA [070] 54 45 00 TE. 
[2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 50 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] B3 F5 9C 0E 0D 19 00 65 ³õ.....e [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,186) [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,186) wrote 186 [2006/06/07 11:03:35, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 144 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=27 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 64 05 00 0C 03 10 00 00 00 58 00 0C 00 0E 00 00 d....... .X...... [010] 00 B8 10 B8 10 71 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.qs. ...\PIPE [020] 5C 6C 73 61 73 73 00 50 E8 01 00 00 00 00 00 00 \lsass.P è....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 00 00 ........ . 
[2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 51 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 51: got good SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 41 8D D8 52 77 C4 97 7D A.ØRwÄ.} [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=27 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 64 05 00 0C 03 10 00 00 00 58 00 0C 00 0E 00 00 d....... .X...... [010] 00 B8 10 B8 10 71 73 00 00 0C 00 5C 50 49 50 45 .¸.¸.qs. ...\PIPE [020] 5C 6C 73 61 73 73 00 50 E8 01 00 00 00 00 00 00 \lsass.P è....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..ë.É ..è..+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 00 00 ........ . 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0058 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000e [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 88 at offset 0 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc00a returned 88 bytes. [2006/06/07 11:03:35, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081) rpc_pipe_bind: Remote machine RANGER1 pipe \NETLOGON fnum 0xc00a bind request returned ok. 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 0c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0058 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000e [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_ba [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_bba [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 max_tsize: 10b8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0012 max_rsize: 10b8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 assoc_gid: 00007371 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_rpc_addr_str [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0018 len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 001a str: \PIPE\lsass. 
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000026 smb_io_rpc_results [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0028 num_results: 01 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002c result : 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 002e reason : 0000 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_rpc_iface [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_uuid uuid [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 data : 8a885d04 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0034 data : 1ceb [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0036 data : 11c9 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0038 data : 9f e8 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 003a data : 08 00 2b 10 48 60 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 version: 00000002 [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:check_bind_response(1701) check_bind_response: accepted! [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel_with_key(2534) cli_rpc_pipe_open_schannel_with_key: opened pipe \NETLOGON to machine RANGER1 for domain FOREST and bound using schannel. 
[2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 52 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 6A 52 9B 61 BD C5 28 AB jR.a½Å(« [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,45) [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,45) wrote 45 [2006/06/07 11:03:35, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 35 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=28 smt_wct=0 smb_bcc=0 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 53 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 53: got good SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] 22 57 EC 65 6A F9 91 D9 "Wìejù.Ù [2006/06/07 11:03:35, 10] libsmb/clientgen.c:cli_rpc_pipe_close(384) cli_rpc_pipe_close: closed pipe \NETLOGON to machine RANGER1 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(148) sequence = 0x448714f9 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(150) seed: 165A011499CEE688 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(155) seed+seq 0F6F885899CEE688 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(159) CLIENT 5C090E74C3D718F0 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(164) seed+seq+1 106F885899CEE688 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(168) SERVER 5E71A8C5F510AC46 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_reseed(238) cred_reseed: seed 106F885899CEE688 [2006/06/07 11:03:35, 
5] rpc_parse/parse_net.c:init_id_info2(1181) init_id_info2: 1181 [2006/06/07 11:03:35, 5] rpc_parse/parse_misc.c:init_logon_id(1633) make_logon_id: 1633 [2006/06/07 11:03:35, 5] rpc_parse/parse_net.c:init_sam_info(1275) init_sam_info: 1275 [2006/06/07 11:03:35, 5] rpc_parse/parse_misc.c:init_clnt_info2(1548) make_clnt_info: 1548 [2006/06/07 11:03:35, 5] rpc_parse/parse_misc.c:init_clnt_srv(1393) init_clnt_srv: 1393 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 net_io_q_sam_logon [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_sam_info [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_clnt_info2 [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_clnt_srv [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 undoc_buffer : 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000004 smb_io_unistr2 unistr2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 uni_max_len: 0000000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0008 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c uni_str_len: 0000000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0010 buffer : \.\.R.A.N.G.E.R.1... [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0024 undoc_buffer2: 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000028 smb_io_unistr2 unistr2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0028 uni_max_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 uni_str_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0034 buffer : G.A.T.E... 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 ptr_cred: 00000001 [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000044 smb_io_cred [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000044 smb_io_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0044 data: 5c 09 0e 74 c3 d7 18 f0 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 00004c smb_io_utime [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 004c time: 448714f9 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0050 ptr_rtn_cred : 00000001 [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000054 smb_io_cred [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000054 smb_io_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0054 data: 00 00 00 00 00 00 00 00 [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 00005c smb_io_utime [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 005c time: 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0060 logon_level : 0002 [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000062 smb_io_sam_info_ctr logon_info [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0062 switch_value : 0002 [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000064 net_io_id_info2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0064 ptr_id_info2: 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000068 smb_io_unihdr unihdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0068 uni_str_len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 006a uni_max_len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 006c buffer : 00000001 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0070 param_ctrl: 00000000 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000074 smb_io_logon_id 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0074 low : 0000dead [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0078 high: 0000beef [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 00007c smb_io_unihdr unihdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 007c uni_str_len: 000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 007e uni_max_len: 000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0080 buffer : 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000084 smb_io_unihdr unihdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0084 uni_str_len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0086 uni_max_len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0088 buffer : 00000001 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 008c lm_chal: 40 6c 24 f1 0c 24 cc 86 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000094 smb_io_strhdr hdr_nt_chal_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0094 str_str_len: 0018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0096 str_max_len: 0018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0098 buffer : 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 00009c smb_io_strhdr hdr_lm_chal_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 009c str_str_len: 0018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 009e str_max_len: 0018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00a0 buffer : 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000a4 smb_io_unistr2 uni_domain_name [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00a4 uni_max_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00a8 offset : 00000000 [2006/06/07 11:03:35, 5] 
rpc_parse/parse_prs.c:prs_uint32(704) 00ac uni_str_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 00b0 buffer : F.O.R.E.S.T. [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000bc smb_io_unistr2 uni_user_name [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00bc uni_max_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c0 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c4 uni_str_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 00c8 buffer : m.a.i.n.t. [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000d2 smb_io_unistr2 uni_wksta_name [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d4 uni_max_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d8 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00dc uni_str_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 00e0 buffer : \.\.G.A.T.E. [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000ec smb_io_string2 nt_chal_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00ec str_max_len: 00000018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00f0 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00f4 str_str_len: 00000018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_string2(1096) 00f8 buffer : ¡Íõ.Mp.oÌóqÕU..àÃÜ.÷..a. 
[2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000110 smb_io_string2 lm_chal_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0110 str_max_len: 00000018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0114 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0118 str_str_len: 00000018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_string2(1096) 011c buffer : ²Á»=..Ù.K.".¢à.þq[TtqÀ.. [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0134 validation_level: 0003 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0178 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0020 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 0000000f [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000136 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 0002 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000150 smb_io_rpc_hdr_auth hdr_auth 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0150 auth_type : 44 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0151 auth_level : 06 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0152 auth_pad_len : 02 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0153 auth_reserved: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0154 auth_context_id: 00000001 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357) add_schannel_auth_footer: SCHANNEL seq_num=0 [2006/06/07 11:03:35, 10] rpc_parse/parse_prs.c:schannel_encode(1632) SCHANNEL: schannel_encode seq_num=0 data_len=312 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000158 smb_io_rpc_auth_schannel_chk [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0158 sig : 77 00 7a 00 ff ff 00 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0160 seq_num: 21 59 0d f7 91 a8 77 92 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0168 packet_digest: 02 9a 7d d0 86 05 42 83 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0170 confounder: 57 89 9f c1 d6 8e d2 90 [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc00a [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=458 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=29 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 376 (0x178) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 376 (0x178) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49162 (0xC00A) smb_bcc=391 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215)
[2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 54 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] E6 A0 E7 BD 2E BB F8 D5 æ ç½.»øÕ [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,462) [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,462) wrote 462 [2006/06/07 11:03:35, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 552 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=552 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=29 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 496 (0x1F0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 496 (0x1F0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=497 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215)
S-1-5-21-484763869-746137067-1343024091-1142 [2006/06/07 11:03:35, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1273) Plain-text authentication for user maint returned NT_STATUS_OK (PAM: 0) [2006/06/07 11:03:35, 10] nsswitch/winbindd_cache.c:cache_store_response(1912) Storing response for pid 32155, len 3192 [2006/06/07 11:03:35, 10] lib/events.c:get_timed_events_timeout(118) timed_events_timeout: 3563/481753 [2006/06/07 11:03:35, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1952) Retrieving response for pid 32155 [2006/06/07 11:03:35, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn INFO [2006/06/07 11:03:35, 3] nsswitch/winbindd_misc.c:winbindd_info(459) [ 0]: request misc info [2006/06/07 11:03:35, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn DOMAIN_NAME [2006/06/07 11:03:35, 3] nsswitch/winbindd_misc.c:winbindd_domain_name(481) [ 0]: request domain name [2006/06/07 11:03:35, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn AUTH_CRAP [2006/06/07 11:03:35, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1376) [ 0]: pam auth crap domain: [FOREST] user: maint [2006/06/07 11:03:35, 8] lib/util.c:is_myname(2036) is_myname("FOREST") returns 0 [2006/06/07 11:03:35, 4] nsswitch/winbindd_dual.c:fork_domain_child(802) child daemon request 13 [2006/06/07 11:03:35, 10] nsswitch/winbindd_dual.c:child_process_request(393) process_request: request fn AUTH_CRAP [2006/06/07 11:03:35, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1442) [32152]: pam auth crap domain: FOREST user: maint [2006/06/07 11:03:35, 8] lib/util.c:is_myname(2036) is_myname("FOREST") returns 0 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(148) sequence = 0x448714fb [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(150) seed: 106F885899CEE688 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(155) seed+seq 0B840F9D99CEE688 [2006/06/07 11:03:35, 5]
libsmb/credentials.c:creds_step(159) CLIENT 7DB48A27F68F8420 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(164) seed+seq+1 0C840F9D99CEE688 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_step(168) SERVER 69F434183A442D93 [2006/06/07 11:03:35, 5] libsmb/credentials.c:creds_reseed(238) cred_reseed: seed 0C840F9D99CEE688 [2006/06/07 11:03:35, 5] rpc_parse/parse_net.c:init_id_info2(1181) init_id_info2: 1181 [2006/06/07 11:03:35, 5] rpc_parse/parse_misc.c:init_logon_id(1633) make_logon_id: 1633 [2006/06/07 11:03:35, 5] rpc_parse/parse_net.c:init_sam_info(1275) init_sam_info: 1275 [2006/06/07 11:03:35, 5] rpc_parse/parse_misc.c:init_clnt_info2(1548) make_clnt_info: 1548 [2006/06/07 11:03:35, 5] rpc_parse/parse_misc.c:init_clnt_srv(1393) init_clnt_srv: 1393 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 net_io_q_sam_logon [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_sam_info [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_clnt_info2 [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_clnt_srv [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 undoc_buffer : 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000004 smb_io_unistr2 unistr2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 uni_max_len: 0000000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0008 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c uni_str_len: 0000000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0010 buffer : \.\.R.A.N.G.E.R.1... 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0024 undoc_buffer2: 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000028 smb_io_unistr2 unistr2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0028 uni_max_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 uni_str_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0034 buffer : G.A.T.E... [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 ptr_cred: 00000001 [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000044 smb_io_cred [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000044 smb_io_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0044 data: 7d b4 8a 27 f6 8f 84 20 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 00004c smb_io_utime [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 004c time: 448714fb [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0050 ptr_rtn_cred : 00000001 [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000054 smb_io_cred [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000054 smb_io_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0054 data: 00 00 00 00 00 00 00 00 [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 00005c smb_io_utime [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 005c time: 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0060 logon_level : 0002 [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000062 smb_io_sam_info_ctr logon_info [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0062 switch_value : 0002 [2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000064 net_io_id_info2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0064 
ptr_id_info2: 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000068 smb_io_unihdr unihdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0068 uni_str_len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 006a uni_max_len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 006c buffer : 00000001 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0070 param_ctrl: 00000820 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000074 smb_io_logon_id [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0074 low : 0000dead [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0078 high: 0000beef [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 00007c smb_io_unihdr unihdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 007c uni_str_len: 000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 007e uni_max_len: 000a [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0080 buffer : 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000084 smb_io_unihdr unihdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0084 uni_str_len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0086 uni_max_len: 000c [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0088 buffer : 00000001 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 008c lm_chal: dd 80 f2 61 43 a5 49 39 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000094 smb_io_strhdr hdr_nt_chal_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0094 str_str_len: 0018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0096 str_max_len: 0018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0098 buffer : 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 00009c smb_io_strhdr hdr_lm_chal_resp [2006/06/07 11:03:35, 5] 
rpc_parse/parse_prs.c:prs_uint16(675) 009c str_str_len: 0018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 009e str_max_len: 0018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00a0 buffer : 00000001 [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000a4 smb_io_unistr2 uni_domain_name [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00a4 uni_max_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00a8 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00ac uni_str_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 00b0 buffer : F.O.R.E.S.T. [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000bc smb_io_unistr2 uni_user_name [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00bc uni_max_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c0 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c4 uni_str_len: 00000005 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 00c8 buffer : m.a.i.n.t. [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000d2 smb_io_unistr2 uni_wksta_name [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d4 uni_max_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d8 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00dc uni_str_len: 00000006 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 00e0 buffer : \.\.G.A.T.E. 
[2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 0000ec smb_io_string2 nt_chal_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00ec str_max_len: 00000018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00f0 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00f4 str_str_len: 00000018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_string2(1096) 00f8 buffer : #6¼X.;rª.l.@.³8g¾½ÂKÖ«.M [2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000110 smb_io_string2 lm_chal_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0110 str_max_len: 00000018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0114 offset : 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0118 str_str_len: 00000018 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_string2(1096) 011c buffer : 5Î,PêµdàË..-¤âhv..IF.}©À [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0134 validation_level: 0003 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0178 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0020 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 
00000010 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_req hdr_req [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000136 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0016 opnum : 0002 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000150 smb_io_rpc_hdr_auth hdr_auth [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0150 auth_type : 44 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0151 auth_level : 06 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0152 auth_pad_len : 02 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0153 auth_reserved: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0154 auth_context_id: 00000001 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357) add_schannel_auth_footer: SCHANNEL seq_num=2 [2006/06/07 11:03:35, 10] rpc_parse/parse_prs.c:schannel_encode(1632) SCHANNEL: schannel_encode seq_num=2 data_len=312 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000158 smb_io_rpc_auth_schannel_chk [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0158 sig : 77 00 7a 00 ff ff 00 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0160 seq_num: 87 6f 70 7e 87 10 b6 ce [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0168 packet_digest: 4b e4 93 7b bd 0f 9b dc [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0170 confounder: ea e0 ac c6 98 90 eb e6 [2006/06/07 11:03:35, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc00a [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=458 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=55297 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=30 
smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 376 (0x178) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 376 (0x178) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49162 (0xC00A) smb_bcc=391 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215)
[2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 56 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_sign_outgoing_message(327) client_sign_outgoing_message: sent SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] BB 5B 27 6A B5 DC 3B EA »['jµÜ;ê [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(132) write_socket(13,462) [2006/06/07 11:03:35, 6] libsmb/clientgen.c:write_socket(135) write_socket(13,462) wrote 462 [2006/06/07 11:03:35, 10] lib/util_sock.c:read_smb_length_return_keepalive(623) got smb length of 552 [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=552 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=30 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 496 (0x1F0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 496 (0x1F0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=497 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215)
[2006/06/07 11:03:35, 10] libsmb/smb_signing.c:simple_packet_signature(262) simple_packet_signature: sequence number 57 [2006/06/07 11:03:35, 10] libsmb/smb_signing.c:client_check_incoming_message(387) client_check_incoming_message: seq 57: got good SMB signature of [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215) [000] CB 9A 97 46 FD FF 45 53 Ë..FýÿES [2006/06/07 11:03:35, 5] lib/util.c:show_msg(478) [2006/06/07 11:03:35, 5] lib/util.c:show_msg(488) size=552 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=55301 smb_tid=53253 smb_pid=32155 smb_uid=63490 smb_mid=30 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 496 (0x1F0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 496 (0x1F0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=497 [2006/06/07 11:03:35, 10] lib/util.c:dump_data(2215)
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr rpc_hdr [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 01f0 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0020 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000010 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp rpc_hdr_resp [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 000001ac [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 0001c8 smb_io_rpc_hdr_auth hdr_auth [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 01c8 auth_type : 44 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 01c9 auth_level : 06 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 01ca auth_pad_len : 04 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 01cb auth_reserved: 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 01cc auth_context_id: 00000001 [2006/06/07 11:03:35, 5] 
rpc_parse/parse_prs.c:prs_debug(84) 0001d0 smb_io_rpc_auth_schannel_chk [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 01d0 sig : 77 00 7a 00 ff ff 00 00 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 01d8 seq_num: 1d cc 0d 87 a2 dd 62 d2 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 01e0 packet_digest: bc 1e 8f 93 d2 69 35 f0 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 01e8 confounder: 9a 4c 17 07 ee c2 03 8c [2006/06/07 11:03:35, 10] rpc_parse/parse_prs.c:schannel_decode(1709) SCHANNEL: schannel_decode seq_num=3 data_len=432 [2006/06/07 11:03:35, 10] rpc_parse/parse_prs.c:schannel_decode(1729) SCHANNEL: schannel_decode seq_num=3 data_len=432 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577) cli_pipe_validate_current_pdu: got pdu len 496, data_len 428, ss_len 4 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843) rpc_api_pipe: got PDU len of 496 at offset 0 [2006/06/07 11:03:35, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894) rpc_api_pipe: Remote machine RANGER1 pipe \NETLOGON fnum 0xc00a returned 856 bytes. 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 net_io_r_sam_logon [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 buffer_creds: 00020000 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000004 smb_io_cred [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000004 smb_io_chal [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0004 data: 69 f4 34 18 3a 44 2d 93 [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 00000c smb_io_utime [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c time: 00000000 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0010 switch_value: 0003 [2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000014 net_io_user_info3 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 ptr_user_info : 00020004 [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_time logon time [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0018 low : 7d10b6be [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 001c high: 01c68a5b [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_time logoff time [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 low : ffffffff [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0024 high: 7fffffff [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000028 smb_io_time kickoff time [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0028 low : ffffffff [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c high: 7fffffff [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_time last set time [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 low : ba7541b4 [2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 high: 01c68a5b [2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000038 smb_io_time can change time 
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0038 low : ba7541b4
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 003c high: 01c68a5b
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000040 smb_io_time must change time
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0040 low : ffffffff
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 high: 7fffffff
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000048 smb_io_unihdr hdr_user_name
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0048 uni_str_len: 000a
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 004a uni_max_len: 000c
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 004c buffer : 00020008
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000050 smb_io_unihdr hdr_full_name
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0050 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0052 uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0054 buffer : 00000000
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000058 smb_io_unihdr hdr_logon_script
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0058 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 005a uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 005c buffer : 00000000
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000060 smb_io_unihdr hdr_profile_path
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0060 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0062 uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0064 buffer : 00000000
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000068 smb_io_unihdr hdr_home_dir
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0068 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 006a uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 006c buffer : 00000000
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000070 smb_io_unihdr hdr_dir_drive
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0070 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0072 uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0074 buffer : 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0078 logon_count : 01e0
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 007a bad_pw_count : 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 007c user_rid : 00000476
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0080 group_rid : 00000201
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0084 num_groups : 00000005
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0088 buffer_groups : 0002000c
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 008c user_flgs : 00000120
[2006/06/07 11:03:35, 10] rpc_parse/parse_net.c:dump_user_flgs(1555) dump_user_flgs account has LOGON_EXTRA_SIDS account has LOGON_NTLMV2_ENABLED
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0090 user_sess_key: 47 64 4d b2 5a 6b b0 9b 9a 7b f5 38 c1 2d 11 43
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 0000a0 smb_io_unihdr hdr_logon_srv
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 00a0 uni_str_len: 000e
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 00a2 uni_max_len: 0010
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00a4 buffer : 00020010
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 0000a8 smb_io_unihdr hdr_logon_dom
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 00a8 uni_str_len: 000c
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 00aa uni_max_len: 000e
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00ac buffer : 00020014
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00b0 buffer_dom_id : 00020018
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 00b4 lm_sess_key: 4f 88 c2 da 83 45 41 5d
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00bc acct_flags : 00000210
[2006/06/07 11:03:35, 10] rpc_parse/parse_net.c:dump_acct_flags(1528) dump_acct_flags account has ACB_NORMAL account has ACB_PWNOEXP
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c0 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c4 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c8 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00cc unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d0 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d4 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d8 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00dc num_other_sids: 00000001
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00e0 buffer_other_sids: 0002001c
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 0000e4 smb_io_unistr2 uni_user_name
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00e4 uni_max_len: 00000006
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00e8 offset : 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00ec uni_str_len: 00000005
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 00f0 buffer : m.a.i.n.t.
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 0000fa smb_io_unistr2 - NULL uni_full_name
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 0000fa smb_io_unistr2 - NULL uni_logon_script
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 0000fa smb_io_unistr2 - NULL uni_profile_path
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 0000fa smb_io_unistr2 - NULL uni_home_dir
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 0000fa smb_io_unistr2 - NULL uni_dir_drive
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00fc num_groups2 : 00000005
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000100 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0100 g_rid: 0000049f
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0104 attr : 00000007
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000108 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0108 g_rid: 0000046c
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 010c attr : 00000007
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000110 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0110 g_rid: 00000201
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0114 attr : 00000007
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000118 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0118 g_rid: 00000200
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 011c attr : 00000007
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000120 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0120 g_rid: 0000046d
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0124 attr : 00000007
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000128 smb_io_unistr2 uni_logon_srv
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0128 uni_max_len: 00000008
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 012c offset : 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0130 uni_str_len: 00000007
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0134 buffer : R.A.N.G.E.R.1.
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000142 smb_io_unistr2 uni_logon_dom
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0144 uni_max_len: 00000007
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0148 offset : 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 014c uni_str_len: 00000006
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0150 buffer : F.O.R.E.S.T.
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 00015c smb_io_dom_sid2
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 015c num_auths: 00000004
[2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000160 smb_io_dom_sid sid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0160 sid_rev_num: 01
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0161 num_auths : 04
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0162 id_auth[0] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0163 id_auth[1] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0164 id_auth[2] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0165 id_auth[3] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0166 id_auth[4] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0167 id_auth[5] : 05
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32s(991) 0168 sub_auths : 00000015 1ce4e8dd 2c7925eb 500cebdb
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0178 num_other_sids: 00000001
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 017c sid_ptr: 00020020
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0180 attribute: 00000007
[2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000184 smb_io_dom_sid2
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0184 num_auths: 00000005
[2006/06/07 11:03:35, 9] rpc_parse/parse_prs.c:prs_debug(84) 000188 smb_io_dom_sid sid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0188 sid_rev_num: 01
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0189 num_auths : 05
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 018a id_auth[0] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 018b id_auth[1] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 018c id_auth[2] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 018d id_auth[3] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 018e id_auth[4] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 018f id_auth[5] : 05
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32s(991) 0190 sub_auths : 00000015 1ce4e8dd 2c7925eb 500cebdb 00000468
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 01a4 auth_resp : 00000001
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 01a8 status : NT_STATUS_OK
[2006/06/07 11:03:35, 10] libsmb/credentials.c:creds_client_check(325) creds_client_check: credentials check OK.
[2006/06/07 11:03:35, 10] libsmb/samlogon_cache.c:netsamlogon_cache_store(134) netsamlogon_cache_store: SID [S-1-5-21-484763869-746137067-1343024091-1142]
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0000 timestamp: 448714f7
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_debug(84) 000004 net_io_user_info3
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0004 ptr_user_info : 00020004
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000008 smb_io_time logon time
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0008 low : 7d10b6be
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c high: 01c68a5b
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_time logoff time
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 low : ffffffff
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0014 high: 7fffffff
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000018 smb_io_time kickoff time
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0018 low : ffffffff
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 001c high: 7fffffff
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000020 smb_io_time last set time
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0020 low : ba7541b4
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0024 high: 01c68a5b
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000028 smb_io_time can change time
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0028 low : ba7541b4
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 002c high: 01c68a5b
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000030 smb_io_time must change time
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0030 low : ffffffff
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0034 high: 7fffffff
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000038 smb_io_unihdr hdr_user_name
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0038 uni_str_len: 000a
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 003a uni_max_len: 000c
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 003c buffer : 00020008
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000040 smb_io_unihdr hdr_full_name
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0040 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0042 uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0044 buffer : 00000000
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000048 smb_io_unihdr hdr_logon_script
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0048 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 004a uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 004c buffer : 00000000
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000050 smb_io_unihdr hdr_profile_path
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0050 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0052 uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0054 buffer : 00000000
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000058 smb_io_unihdr hdr_home_dir
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0058 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 005a uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 005c buffer : 00000000
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000060 smb_io_unihdr hdr_dir_drive
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0060 uni_str_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0062 uni_max_len: 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0064 buffer : 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0068 logon_count : 01e0
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 006a bad_pw_count : 0000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 006c user_rid : 00000476
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0070 group_rid : 00000201
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0074 num_groups : 00000005
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0078 buffer_groups : 0002000c
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 007c user_flgs : 00000120
[2006/06/07 11:03:35, 10] rpc_parse/parse_net.c:dump_user_flgs(1555) dump_user_flgs account has LOGON_EXTRA_SIDS account has LOGON_NTLMV2_ENABLED
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0080 user_sess_key: 3a 84 17 d1 0a 13 8f 70 f7 53 cf 7e 22 72 ba e0
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000090 smb_io_unihdr hdr_logon_srv
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0090 uni_str_len: 000e
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0092 uni_max_len: 0010
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0094 buffer : 00020010
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000098 smb_io_unihdr hdr_logon_dom
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0098 uni_str_len: 000c
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint16(675) 009a uni_max_len: 000e
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 009c buffer : 00020014
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00a0 buffer_dom_id : 00020018
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 00a4 lm_sess_key: 32 68 98 b9 d3 3d 7e b6
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00ac acct_flags : 00000210
[2006/06/07 11:03:35, 10] rpc_parse/parse_net.c:dump_acct_flags(1528) dump_acct_flags account has ACB_NORMAL account has ACB_PWNOEXP
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00b0 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00b4 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00b8 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00bc unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c0 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c4 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00c8 unkown: 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00cc num_other_sids: 00000001
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d0 buffer_other_sids: 0002001c
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 0000d4 smb_io_unistr2 uni_user_name
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d4 uni_max_len: 00000006
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00d8 offset : 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00dc uni_str_len: 00000005
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 00e0 buffer : m.a.i.n.t.
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 0000ea smb_io_unistr2 - NULL uni_full_name
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 0000ea smb_io_unistr2 - NULL uni_logon_script
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 0000ea smb_io_unistr2 - NULL uni_profile_path
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 0000ea smb_io_unistr2 - NULL uni_home_dir
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 0000ea smb_io_unistr2 - NULL uni_dir_drive
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00ec num_groups2 : 00000005
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 0000f0 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00f0 g_rid: 0000049f
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00f4 attr : 00000007
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 0000f8 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00f8 g_rid: 0000046c
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 00fc attr : 00000007
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000100 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0100 g_rid: 00000201
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0104 attr : 00000007
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000108 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0108 g_rid: 00000200
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 010c attr : 00000007
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000110 smb_io_gid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0110 g_rid: 0000046d
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0114 attr : 00000007
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000118 smb_io_unistr2 uni_logon_srv
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0118 uni_max_len: 00000008
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 011c offset : 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0120 uni_str_len: 00000007
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0124 buffer : R.A.N.G.E.R.1.
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 000132 smb_io_unistr2 uni_logon_dom
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0134 uni_max_len: 00000007
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0138 offset : 00000000
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 013c uni_str_len: 00000006
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:dbg_rw_punival(936) 0140 buffer : F.O.R.E.S.T.
[2006/06/07 11:03:35, 6] rpc_parse/parse_prs.c:prs_debug(84) 00014c smb_io_dom_sid2
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 014c num_auths: 00000004
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000150 smb_io_dom_sid sid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0150 sid_rev_num: 01
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0151 num_auths : 04
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0152 id_auth[0] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0153 id_auth[1] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0154 id_auth[2] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0155 id_auth[3] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0156 id_auth[4] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0157 id_auth[5] : 05
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32s(991) 0158 sub_auths : 00000015 1ce4e8dd 2c7925eb 500cebdb
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0168 num_other_sids: 00000001
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 016c sid_ptr: 00000001
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0170 attribute: 00000007
[2006/06/07 11:03:35, 7] rpc_parse/parse_prs.c:prs_debug(84) 000174 smb_io_dom_sid2
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0174 num_auths: 00000005
[2006/06/07 11:03:35, 8] rpc_parse/parse_prs.c:prs_debug(84) 000178 smb_io_dom_sid sid
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0178 sid_rev_num: 01
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0179 num_auths : 05
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 017a id_auth[0] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 017b id_auth[1] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 017c id_auth[2] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 017d id_auth[3] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 017e id_auth[4] : 00
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint8(615) 017f id_auth[5] : 05
[2006/06/07 11:03:35, 5] rpc_parse/parse_prs.c:prs_uint32s(991) 0180 sub_auths : 00000015 1ce4e8dd 2c7925eb 500cebdb 00000468
[2006/06/07 11:03:35, 10] libsmb/samlogon_cache.c:netsamlogon_clear_cached_user(86) netsamlogon_clear_cached_user: clearing U/FOREST/1142
[2006/06/07 11:03:35, 10] libsmb/samlogon_cache.c:netsamlogon_clear_cached_user(97) netsamlogon_clear_cached_user: clearing UG/FOREST/1142
[2006/06/07 11:03:35, 5] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1616) NTLM CRAP authentication for user [FOREST]\[maint] returned NT_STATUS_OK (PAM: 0)
[2006/06/07 11:03:35, 10] nsswitch/winbindd_cache.c:cache_store_response(1912) Storing response for pid 32155, len 3192
[2006/06/07 11:03:35, 10] lib/events.c:get_timed_events_timeout(118) timed_events_timeout: 3563/450667
[2006/06/07 11:03:35, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(1952) Retrieving response for pid 32155
[2006/06/07 11:03:46, 6] nsswitch/winbindd.c:new_connection(601) accepted socket 18
[2006/06/07 11:03:46, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn INTERFACE_VERSION
[2006/06/07 11:03:46, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(471) [ 0]: request interface version
[2006/06/07 11:03:46, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2006/06/07 11:03:46, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(504) [ 0]: request location of privileged pipe
[2006/06/07 11:03:46, 6] nsswitch/winbindd.c:new_connection(601) accepted socket 19
[2006/06/07 11:03:46, 10] nsswitch/winbindd.c:process_request(287) process_request: request fn GETGROUPS
[2006/06/07 11:03:46, 3] nsswitch/winbindd_group.c:winbindd_getgroups(991) [ 0]: getgroups maint
[2006/06/07 11:03:46, 7] nsswitch/winbindd_group.c:winbindd_getgroups(1035) winbindd_getpwnam: My domain -- rejecting getgroups() for FOREST\maint.