winbindd version 3.0.31-3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2008
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter realm = CHILD03.EIGHTAD6.TESTING.COM
doing parameter workgroup = CHILD03
doing parameter server string = Samba Server Version %v
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter security = ads
doing parameter passdb backend = tdbsam
doing parameter client ntlmv2 auth = yes
doing parameter load printers = yes
doing parameter cups options = raw
Processing section "[homes]"
add_a_service: Creating snum = 0 for homes
hash_a_service: creating tdb servicehash
hash_a_service: hashing index 0 for service name homes
doing parameter comment = Home Directories
doing parameter browseable = no
doing parameter writable = yes
Processing section "[printers]"
add_a_service: Creating snum = 1 for printers
hash_a_service: hashing index 1 for service name printers
doing parameter comment = All Printers
doing parameter path = /var/spool/samba
doing parameter browseable = no
doing parameter guest ok = no
doing parameter writable = no
doing parameter printable = yes
pm_process() returned Yes
add_a_service: Creating snum = 2 for IPC$
hash_a_service: hashing index 2 for service name IPC$
adding IPC service
set_server_role: role = ROLE_DOMAIN_MEMBER
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface ip=192.168.152.94 bcast=192.168.152.255 nmask=255.255.255.0
added interface ip=192.168.12.94 bcast=192.168.12.255 nmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="MONOCEROS"
added interface ip=192.168.152.94 bcast=192.168.152.255 nmask=255.255.255.0
added interface ip=192.168.12.94 bcast=192.168.12.255 nmask=255.255.255.0
Opening cache file at /var/lib/samba/gencache.tdb
namecache_enable: enabling netbios namecache, timeout 660 seconds
Opening cache file at /var/lib/samba/idmap_cache.tdb
fcntl_lock fd=7 op=6 offset=0 count=1 type=1
fcntl_lock: Lock call successful
TimeInit: Serverzone is -19800
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
initialize_winbindd_cache: clearing cache and re-creating with version number 1
Added domain CHILD03 CHILD03.EIGHTAD6.TESTING.COM S-1-5-21-1527705246-3463401961-2594329352
set_domain_online_request: called for domain CHILD03
set_domain_online_request: domain CHILD03 was globally offline.
Added timed event "check_domain_online_handler": 2aac2da3b8d0
Added domain MONOCEROS S-1-5-21-3379143535-217924180-1168101821
Added domain BUILTIN S-1-5-32
open_winbindd_socket: opened socket fd 10
open_winbindd_priv_socket: opened socket fd 11
run_events: Nothing to do
timed_events_timeout: 4/999306
run_events: Nothing to do
timed_events_timeout: 4/999198
select will use timeout of 4.999198 seconds
Added timed event "async_request_timeout": 2aac2da3a600
run_events: Nothing to do
timed_events_timeout: 4/998940
child daemon request 47
process_request: request fn INIT_CONNECTION
connection_ok: Connection to for domain CHILD03 has NULL cli!
Returning valid cache entry: key = SAF/DOMAIN/CHILD03, value = 192.168.12.172, timeout = Wed Nov 25 18:30:18 2009
saf_fetch: Returning "192.168.12.172" for "CHILD03" domain
cm_open_connection: saf_servername is '192.168.12.172' for domain CHILD03
ads_try_connect: sending CLDAP request to 192.168.12.172 (realm: CHILD03.EIGHTAD6.TESTING.COM)
sitename_store: realm = [CHILD03.EIGHTAD6.TESTING.COM], sitename = [Default-First-Site-Name], expire = [4294967295]
Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259153182 seconds ahead)
namecache_store: storing 1 address for norma.child03.eightad6.testing.com#20: 192.168.12.172:0
Adding cache entry with key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20; value = 192.168.12.172:0 and timeout = Wed Nov 25 18:27:21 2009 (660 seconds ahead)
dcip_to_name: flags = 0x1f9
ads_closest_dc: ADS_CLOSEST flag set
Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106
sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name"
create_local_private_krb5_conf_for_domain: fname = /var/lib/samba/smb_krb5/krb5.conf.CHILD03, realm = CHILD03.EIGHTAD6.TESTING.COM, domain = CHILD03
Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = 192.168.12.172, timeout = Wed Nov 25 18:30:18 2009
saf_fetch: Returning "192.168.12.172" for "CHILD03.EIGHTAD6.TESTING.COM" domain
get_dc_list: preferred server list: "192.168.12.172, *"
internal_resolve_name: looking up CHILD03.EIGHTAD6.TESTING.COM#1c (sitename Default-First-Site-Name)
Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009
name CHILD03.EIGHTAD6.TESTING.COM#1C found.
Adding 1 DC's from auto lookup
Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106
sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name"
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.12.172:389
Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = 192.168.12.172, timeout = Wed Nov 25 18:30:18 2009
saf_fetch: Returning "192.168.12.172" for "CHILD03.EIGHTAD6.TESTING.COM" domain
get_dc_list: preferred server list: "192.168.12.172, *"
internal_resolve_name: looking up CHILD03.EIGHTAD6.TESTING.COM#1c (sitename (null))
Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009
name CHILD03.EIGHTAD6.TESTING.COM#1C found.
Adding 1 DC's from auto lookup
Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106
sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name"
remove_duplicate_addrs2: looking for duplicate address/port pairs
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.12.172:389
get_kdc_ip_string: Returning kdc = 192.168.12.172
create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.CHILD03 with realm CHILD03.EIGHTAD6.TESTING.COM KDC = 192.168.12.172
saf_store: domain = [CHILD03], server = [norma.child03.eightad6.testing.com], expire = [1259154081]
Adding cache entry with key = SAF/DOMAIN/CHILD03; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 (900 seconds ahead)
saf_store: domain = [CHILD03.EIGHTAD6.TESTING.COM], server = [norma.child03.eightad6.testing.com], expire = [1259154081]
Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 (900 seconds ahead)
cm_open_connection: dcname is 'norma.child03.eightad6.testing.com' for domain CHILD03
Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106
sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name"
internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name)
Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009
name norma.child03.eightad6.testing.com#20 found.
cm_prepare_connection: connecting to DC norma.child03.eightad6.testing.com for domain CHILD03 secrets_named_mutex: got mutex for norma.child03.eightad6.testing.com write_socket(15,194) write_socket(15,194) wrote 194 got smb length of 192 size=192 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=25418 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=26240 (0x6680) smb_vwv[12]=11418 (0x2C9A) smb_vwv[13]=52556 (0xCD4C) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=123 [000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` [010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C [060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. [070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. 
COM size=192 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=25418 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=26240 (0x6680) smb_vwv[12]=11418 (0x2C9A) smb_vwv[13]=52556 (0xCD4C) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=123 [000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` [010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C [060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. [070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. 
COM connecting to norma.child03.eightad6.testing.com from MONOCEROS with kerberos principal [MONOCEROS$@CHILD03.EIGHTAD6.TESTING.COM] and realm [CHILD03.EIGHTAD6.TESTING.COM] Doing spnego session setup (blob length=123) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=norma$@CHILD03.EIGHTAD6.TESTING.COM kerberos_kinit_password: using [MEMORY:cliconnect] as ccache and config [/var/lib/samba/smb_krb5/krb5.conf.CHILD03] Doing kerberos session setup ads_krb5_mk_req: Advancing clock by 3 seconds to cope with clock skew ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 26 Nov 2009 04:16:24 IST ads_krb5_mk_req: Ticket (norma$@CHILD03.EIGHTAD6.TESTING.COM) in ccache (MEMORY:cliconnect) is valid until: (Thu, 26 Nov 2009 04:16:24 IST - 1259189184) Got KRB5 session key of length 16 Mandatory SMB signing enabled! SMB signing enabled! cli_simple_set_signing: user_session_key [000] 73 86 42 4B 64 72 35 96 9F 52 14 38 DF DD 9C 5C s.BKdr5. .R.8...\ cli_simple_set_signing: NULL response_data cli_session_setup_blob: Remaining (0) sending (1226) current (1226) simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] DB 28 26 FA 42 9D 34 F2 .(&.B.4. store_sequence_for_reply: stored seq = 1 mid = 2 write_socket(15,1312) write_socket(15,1312) wrote 1312 got smb length of 197 size=197 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=25418 smb_uid=4097 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 197 (0xC5) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=154 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 CE 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. 
.2.0.0.3 [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] 3A 8E 0C 1B 63 17 DA E2 :...c... size=197 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=25418 smb_uid=4097 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 197 (0xC5) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=154 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 CE 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. 
cli_init_creds: user MONOCEROS$ domain CHILD03 saf_store: domain = [CHILD03], server = [norma.child03.eightad6.testing.com], expire = [1259154081] Adding cache entry with key = SAF/DOMAIN/CHILD03; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 (900 seconds ahead) saf_store: domain = [CHILD03.EIGHTAD6.TESTING.COM], server = [norma.child03.eightad6.testing.com], expire = [1259154081] Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 (900 seconds ahead) simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] E5 B0 0F 67 78 F9 83 F4 ...gx... store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(15,136) write_socket(15,136) wrote 136 got smb length of 56 size=56 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=3 smt_wct=7 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 1 (0x1) smb_vwv[ 3]= 511 (0x1FF) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 511 (0x1FF) smb_vwv[ 6]= 0 (0x0) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] ED 6D 89 C8 0B 0A C6 9B .m...... secrets_named_mutex: released mutex for norma.child03.eightad6.testing.com set_global_winbindd_state_online: online requested. set_global_winbindd_state_online: rejecting. set_domain_online: called for domain CHILD03 Destroying timed event 2aac2da3b8d0 "check_domain_online_handler" set_dc_type_and_flags: domain CHILD03 simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] 3F D6 B4 C6 8E 2B ED DF ?....+.. 
store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(15,104) write_socket(15,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3072 (0xC00) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 5 mid = 4 simple_packet_signature: sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] A2 C4 B6 A2 3D 97 8E 8B ....=... Bind RPC Pipe[400c]: \lsarpc auth_type 0, auth_level 0 Bind Abstract Syntax: [000] 6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 j(.9.... ....O... [010] 00 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 
000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000001 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 3919286a 0024 data : b10c 0026 data : 11d0 0028 data : 9b a8 002a data : 00 c0 4f d9 2e f5 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16396 (0x400C) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A ........ .......j [030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9..... ...O.... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... 
simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] 1E 86 57 3D 72 FE 6D 73 ..W=r.ms store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(15,158) write_socket(15,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 69 70 00 00 0C 00 5C 50 49 50 45 .....ip. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 7 mid = 5 simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] 85 40 DE 1F 68 B3 C7 CC .@..h... size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 69 70 00 00 0C 00 5C 50 49 50 45 .....ip. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 7 mid = 5 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000001 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c returned 68 bytes. rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000001 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00007069 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. 
000000 ds_io_q_getprimdominfo 0000 level: 0001 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 001a 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000002 0014 context_id: 0000 0016 opnum : 0000 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c size=108 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 26 (0x1A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 26 (0x1A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16396 (0x400C) smb_bcc=41 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 1A 00 00 00 02 00 00 00 02 ........ ........ [020] 00 00 00 00 00 00 00 01 00 ........ . simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] 50 E6 F3 15 20 94 3B B3 P... .;. store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(15,112) write_socket(15,112) wrote 112 got smb length of 284 size=284 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 228 (0xE4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 228 (0xE4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=229 [000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ [010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ 
[020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ [040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ [050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. [060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h [070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i [080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t [090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c [0A0] 00 6F 00 6D 00 00 00 45 00 15 00 00 00 00 00 00 .o.m...E ........ [0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a [0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 00 .n.g...c .o.m.... [0E0] 00 00 00 00 00 ..... get_sequence_for_reply: found seq = 9 mid = 6 simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] 87 13 73 F7 80 20 11 E0 ..s.. .. size=284 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 228 (0xE4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 228 (0xE4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=229 [000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ [010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ [040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ [050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. [060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ 
.....c.h [070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i [080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t [090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c [0A0] 00 6F 00 6D 00 00 00 45 00 15 00 00 00 00 00 00 .o.m...E ........ [0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a [0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 00 .n.g...c .o.m.... [0E0] 00 00 00 00 00 ..... get_sequence_for_reply: found seq = 9 mid = 6 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00e4 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000cc 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 228, data_len 204, ss_len 0 rpc_api_pipe: got PDU len of 228 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c returned 408 bytes. 000000 ds_io_r_getprimdominfo 0000 ptr: 00020000 0004 level: 0001 0006 unknown0: 0000 0008 machine_role: 0005 000c flags: 01000001 0010 netbios_ptr: 00020004 0014 dnsname_ptr: 00020008 0018 forestname_ptr: 0002000c 00001c smb_io_uuid domain_guid 001c data : 051fb988 0020 data : d99f 0022 data : 42a3 0024 data : 87 55 0026 data : 7b c9 b4 d4 8a f3 00002c smb_io_unistr2 netbios_domain 002c uni_max_len: 00000008 0030 offset : 00000000 0034 uni_str_len: 00000008 0038 buffer : C.H.I.L.D.0.3... 000048 smb_io_unistr2 dns_domain 0048 uni_max_len: 0000001d 004c offset : 00000000 0050 uni_str_len: 0000001d 0054 buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
000090 smb_io_unistr2 forest_domain 0090 uni_max_len: 00000015 0094 offset : 00000000 0098 uni_str_len: 00000015 009c buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 00c8 status: NT_STATUS_OK simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] 21 9C 92 9D 5A 2A 34 9D !...Z*4. store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(15,45) write_socket(15,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=7 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 11 mid = 7 simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] 4C 47 BF 74 4A 5A 4F A0 LG.tJZO. cli_rpc_pipe_close: closed pipe \lsarpc to machine norma.child03.eightad6.testing.com simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] AF A0 1B EF DD A8 02 0A ........ 
store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(15,104) write_socket(15,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3328 (0xD00) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] 19 CD 11 09 95 07 1E 23 .......# Bind RPC Pipe[400d]: \lsarpc auth_type 0, auth_level 0 Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4... ...#Eg.. [010] 00 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 
000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000003 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345778 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 89 ab 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16397 (0x400D) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] 3E BE 15 BE C1 0F 49 88 >.....I. 
store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(15,158) write_socket(15,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 6A 70 00 00 0C 00 5C 50 49 50 45 .....jp. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 15 mid = 9 simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] 2C B1 A2 92 2A 0F C8 3A ,...*..: size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 6A 70 00 00 0C 00 5C 50 49 50 45 .....jp. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 15 mid = 9 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000003 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d returned 68 bytes. rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000003 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000706a 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. init_lsa_sec_qos init_q_open_pol2: attr:0 da:33554432 init_lsa_obj_attr 000000 lsa_io_q_open_pol2 0000 ptr : 00000001 000004 smb_io_unistr2 0004 uni_max_len: 00000025 0008 offset : 00000000 000c uni_str_len: 00000025 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
00005a lsa_io_obj_attr 005c len : 00000018 0060 ptr_root_dir: 00000000 0064 ptr_obj_name: 00000000 0068 attributes : 00000000 006c ptr_sec_desc: 00000000 0070 ptr_sec_qos : 00000001 000074 lsa_io_obj_qos sec_qos 0074 len : 0000000c 0078 sec_imp_level : 0002 007a sec_ctxt_mode : 01 007b effective_only: 00 lsa_io_sec_qos: length c does not match size 8 007c des_access: 02000000 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0098 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000080 0014 context_id: 0000 0016 opnum : 002c rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d size=234 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 152 (0x98) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 152 (0x98) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16397 (0x400D) smb_bcc=167 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 98 00 00 00 04 00 00 00 80 ........ ........ [020] 00 00 00 00 00 2C 00 01 00 00 00 25 00 00 00 00 .....,.. ...%.... [030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r [040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d [050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t [060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t [070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. [080] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
[090] 00 00 00 00 00 00 00 01 00 00 00 0C 00 00 00 02 ........ ........ [0A0] 00 01 00 00 00 00 02 ....... simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] 18 F7 60 45 93 F6 2E ED ..`E.... store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(15,238) write_socket(15,238) wrote 238 got smb length of 104 size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 4E DD 3F ........ .....N.? [020] C4 18 D2 91 46 98 6A B0 8A E2 39 0C A5 00 00 00 ....F.j. ..9..... [030] 00 . get_sequence_for_reply: found seq = 17 mid = 10 simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] 98 A0 EC 05 43 66 02 94 ....Cf.. size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 4E DD 3F ........ .....N.? [020] C4 18 D2 91 46 98 6A B0 8A E2 39 0C A5 00 00 00 ....F.j. ..9..... [030] 00 . 
get_sequence_for_reply: found seq = 17 mid = 10 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0030 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000018 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 rpc_api_pipe: got PDU len of 48 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d returned 48 bytes. 000000 lsa_io_r_open_pol2 000000 smb_io_pol_hnd 0000 handle_type: 00000000 000004 smb_io_uuid uuid 0004 data : c43fdd4e 0008 data : d218 000a data : 4691 000c data : 98 6a 000e data : b0 8a e2 39 0c a5 0014 status: NT_STATUS_OK init_q_query2 000000 lsa_io_q_query_info2 000000 smb_io_pol_hnd pol 0000 handle_type: 00000000 000004 smb_io_uuid uuid 0004 data : c43fdd4e 0008 data : d218 000a data : 4691 000c data : 98 6a 000e data : b0 8a e2 39 0c a5 0014 info_class: 000c 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 002e 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000016 0014 context_id: 0000 0016 opnum : 002e rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 
38 (0x26) smb_vwv[15]=16397 (0x400D) smb_bcc=61 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 05 00 00 00 16 ........ ........ [020] 00 00 00 00 00 2E 00 00 00 00 00 4E DD 3F C4 18 ........ ...N.?.. [030] D2 91 46 98 6A B0 8A E2 39 0C A5 0C 00 ..F.j... 9.... simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] B0 98 5B 89 E6 84 09 7F ..[..... store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(15,132) write_socket(15,132) wrote 132 got smb length of 312 size=312 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 256 (0x100) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=257 [000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ [010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ [020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... [030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ [040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ [050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L [060] 00 44 00 30 00 33 00 63 00 1D 00 00 00 00 00 00 .D.0.3.c ........ [070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 [080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a [090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... [0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ 
.e.i.g.h [0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ [0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... [100] 00 . get_sequence_for_reply: found seq = 19 mid = 11 simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] 2B 71 57 D7 D7 F6 87 52 +qW....R size=312 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 256 (0x100) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=257 [000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ [010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ [020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... [030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ [040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ [050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L [060] 00 44 00 30 00 33 00 63 00 1D 00 00 00 00 00 00 .D.0.3.c ........ [070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 [080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a [090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... [0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h [0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ 
[0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... [100] 00 . get_sequence_for_reply: found seq = 19 mid = 11 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0100 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000e8 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 256, data_len 232, ss_len 0 rpc_api_pipe: got PDU len of 256 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d returned 464 bytes. 000000 lsa_io_r_query_info2 0000 dom_ptr: 00020000 000004 lsa_io_query_info_ctr2 0004 info_class: 000c 000006 lsa_io_dom_query_12 000008 smb_io_unihdr nb_name 0008 uni_str_len: 000e 000a uni_max_len: 0010 000c buffer : 00020004 000010 smb_io_unihdr dns_name 0010 uni_str_len: 0038 0012 uni_max_len: 003a 0014 buffer : 00020008 000018 smb_io_unihdr forest 0018 uni_str_len: 0028 001a uni_max_len: 002a 001c buffer : 0002000c 000020 smb_io_uuid dom_guid 0020 data : 051fb988 0024 data : d99f 0026 data : 42a3 0028 data : 87 55 002a data : 7b c9 b4 d4 8a f3 0030 dom_sid: 00020010 000034 smb_io_unistr2 nb_name 0034 uni_max_len: 00000008 0038 offset : 00000000 003c uni_str_len: 00000007 0040 buffer : C.H.I.L.D.0.3. 00004e smb_io_unistr2 dns_name 0050 uni_max_len: 0000001d 0054 offset : 00000000 0058 uni_str_len: 0000001c 005c buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m. 000094 smb_io_unistr2 forest 0094 uni_max_len: 00000015 0098 offset : 00000000 009c uni_str_len: 00000014 00a0 buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m. 
0000c8 smb_io_dom_sid2 dom_sid 00c8 num_auths: 00000004 0000cc smb_io_dom_sid sid 00cc sid_rev_num: 01 00cd num_auths : 04 00ce id_auth[0] : 00 00cf id_auth[1] : 00 00d0 id_auth[2] : 00 00d1 id_auth[3] : 00 00d2 id_auth[4] : 00 00d3 id_auth[5] : 05 00d4 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 00e4 status: NT_STATUS_OK set_dc_type_and_flags: domain CHILD03 is in native mode. set_dc_type_and_flags: domain CHILD03 is running active directory. simple_packet_signature: sequence number 20 client_sign_outgoing_message: sent SMB signature of [000] 58 29 A6 A7 A5 1E 38 67 X)....8g store_sequence_for_reply: stored seq = 21 mid = 12 write_socket(15,45) write_socket(15,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=12 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 21 mid = 12 simple_packet_signature: sequence number 21 client_check_incoming_message: seq 21: got good SMB signature of [000] CA 6A 93 A2 06 FA D5 0B .j...... cli_rpc_pipe_close: closed pipe \lsarpc to machine norma.child03.eightad6.testing.com Storing response for pid 25418, len 3240 Destroying timed event 2aac2da3a600 "async_request_timeout" Retrieving response for pid 25418 Received child initialization response for domain CHILD03 connection_ok: Connection to for domain CHILD03 has NULL cli! 
Returning valid cache entry: key = SAF/DOMAIN/CHILD03, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 saf_fetch: Returning "norma.child03.eightad6.testing.com" for "CHILD03" domain cm_open_connection: saf_servername is 'norma.child03.eightad6.testing.com' for domain CHILD03 cm_open_connection: dcname is 'norma.child03.eightad6.testing.com' for domain CHILD03 Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 name norma.child03.eightad6.testing.com#20 found. cm_prepare_connection: connecting to DC norma.child03.eightad6.testing.com for domain CHILD03 secrets_named_mutex: got mutex for norma.child03.eightad6.testing.com write_socket(16,194) write_socket(16,194) wrote 194 got smb length of 192 size=192 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=25417 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=57984 (0xE280) smb_vwv[12]=13244 (0x33BC) smb_vwv[13]=52556 (0xCD4C) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=123 [000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` [010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. 
.......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C [060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. [070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. COM size=192 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=0 smb_pid=25417 smb_uid=0 smb_mid=1 smt_wct=17 smb_vwv[ 0]= 9 (0x9) smb_vwv[ 1]=12815 (0x320F) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 17 (0x11) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]=64768 (0xFD00) smb_vwv[10]= 499 (0x1F3) smb_vwv[11]=57984 (0xE280) smb_vwv[12]=13244 (0x33BC) smb_vwv[13]=52556 (0xCD4C) smb_vwv[14]=51821 (0xCA6D) smb_vwv[15]=46593 (0xB601) smb_vwv[16]= 254 (0xFE) smb_bcc=123 [000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` [010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 [020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* [030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... [040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... [050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C [060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. [070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. 
COM connecting to norma.child03.eightad6.testing.com from MONOCEROS with kerberos principal [MONOCEROS$@CHILD03.EIGHTAD6.TESTING.COM] and realm [child03.eightad6.testing.com] Doing spnego session setup (blob length=123) got OID=1 2 840 48018 1 2 2 got OID=1 2 840 113554 1 2 2 got OID=1 2 840 113554 1 2 2 3 got OID=1 3 6 1 4 1 311 2 2 10 got principal=norma$@CHILD03.EIGHTAD6.TESTING.COM kerberos_kinit_password: using [MEMORY:cliconnect] as ccache and config [(null)] Doing kerberos session setup ads_krb5_mk_req: Advancing clock by 3 seconds to cope with clock skew ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 26 Nov 2009 04:16:24 IST ads_krb5_mk_req: Ticket (norma$@CHILD03.EIGHTAD6.TESTING.COM) in ccache (MEMORY:cliconnect) is valid until: (Thu, 26 Nov 2009 04:16:24 IST - 1259189184) Got KRB5 session key of length 16 Mandatory SMB signing enabled! SMB signing enabled! cli_simple_set_signing: user_session_key [000] F7 D4 6F 1D B5 47 9D 83 3E E4 75 05 B8 7E A7 77 ..o..G.. >.u..~.w cli_simple_set_signing: NULL response_data cli_session_setup_blob: Remaining (0) sending (1225) current (1225) simple_packet_signature: sequence number 0 client_sign_outgoing_message: sent SMB signature of [000] 2D 44 8D 6E F0 7D 56 DC -D.n.}V. store_sequence_for_reply: stored seq = 1 mid = 2 write_socket(16,1310) write_socket(16,1310) wrote 1310 got smb length of 197 size=197 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=25417 smb_uid=10241 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 197 (0xC5) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=154 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 ED 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. 
.S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. get_sequence_for_reply: found seq = 1 mid = 2 simple_packet_signature: sequence number 1 client_check_incoming_message: seq 1: got good SMB signature of [000] 59 23 40 2E 7B A0 E1 2C Y#@.{.., size=197 smb_com=0x73 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=0 smb_pid=25417 smb_uid=10241 smb_mid=2 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 197 (0xC5) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 26 (0x1A) smb_bcc=154 [000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H [010] 82 F7 12 01 02 02 A2 02 04 00 ED 57 00 69 00 6E ........ ...W.i.n [020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e [050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a [060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n [070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r [080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 [090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. 
cli_init_creds: user MONOCEROS$ domain CHILD03 saf_store: domain = [CHILD03], server = [norma.child03.eightad6.testing.com], expire = [1259154081] Adding cache entry with key = SAF/DOMAIN/CHILD03; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 (900 seconds ahead) saf_store: domain = [child03.eightad6.testing.com], server = [norma.child03.eightad6.testing.com], expire = [1259154081] Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 (900 seconds ahead) simple_packet_signature: sequence number 2 client_sign_outgoing_message: sent SMB signature of [000] 35 B0 40 25 B0 FF 36 F8 5.@%..6. store_sequence_for_reply: stored seq = 3 mid = 3 write_socket(16,136) write_socket(16,136) wrote 136 got smb length of 56 size=56 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=3 smt_wct=7 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 56 (0x38) smb_vwv[ 2]= 1 (0x1) smb_vwv[ 3]= 511 (0x1FF) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 511 (0x1FF) smb_vwv[ 6]= 0 (0x0) smb_bcc=7 [000] 49 50 43 00 00 00 00 IPC.... get_sequence_for_reply: found seq = 3 mid = 3 simple_packet_signature: sequence number 3 client_check_incoming_message: seq 3: got good SMB signature of [000] 4D 2B 3B 92 23 33 69 DC M+;.#3i. secrets_named_mutex: released mutex for norma.child03.eightad6.testing.com set_global_winbindd_state_online: online requested. set_global_winbindd_state_online: rejecting. 
set_domain_online: called for domain CHILD03 Destroying timed event 2aac2da3b8d0 "check_domain_online_handler" set_dc_type_and_flags: domain CHILD03 simple_packet_signature: sequence number 4 client_sign_outgoing_message: sent SMB signature of [000] 78 A8 37 43 CD C7 75 4B x.7C..uK store_sequence_for_reply: stored seq = 5 mid = 4 write_socket(16,104) write_socket(16,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=4 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 448 (0x1C0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 5 mid = 4 simple_packet_signature: sequence number 5 client_check_incoming_message: seq 5: got good SMB signature of [000] 15 0D 88 1B 7A F0 EF CD ....z... Bind RPC Pipe[c000]: \lsarpc auth_type 0, auth_level 0 Bind Abstract Syntax: [000] 6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 j(.9.... ....O... [010] 00 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 
000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000001 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 3919286a 0024 data : b10c 0026 data : 11d0 0028 data : 9b a8 002a data : 00 c0 4f d9 2e f5 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=5 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49152 (0xC000) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A ........ .......j [030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9..... ...O.... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... simple_packet_signature: sequence number 6 client_sign_outgoing_message: sent SMB signature of [000] FE 2B 28 3B 5B D5 BC 01 .+(;[... 
store_sequence_for_reply: stored seq = 7 mid = 5 write_socket(16,158) write_socket(16,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 6B 70 00 00 0C 00 5C 50 49 50 45 .....kp. ...\PIPE [020] 5C 6C 73 61 73 73 00 B0 8A 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 7 mid = 5 simple_packet_signature: sequence number 7 client_check_incoming_message: seq 7: got good SMB signature of [000] 8E A6 7B EC D9 B7 BF A6 ..{..... size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=5 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... [010] 00 B8 10 B8 10 6B 70 00 00 0C 00 5C 50 49 50 45 .....kp. ...\PIPE [020] 5C 6C 73 61 73 73 00 B0 8A 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 7 mid = 5 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000001 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 returned 68 bytes. rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000001 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000706b 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. 
000000 ds_io_q_getprimdominfo 0000 level: 0001 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 001a 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000002 0014 context_id: 0000 0016 opnum : 0000 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 size=108 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=6 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 26 (0x1A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 26 (0x1A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49152 (0xC000) smb_bcc=41 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 1A 00 00 00 02 00 00 00 02 ........ ........ [020] 00 00 00 00 00 00 00 01 00 ........ . simple_packet_signature: sequence number 8 client_sign_outgoing_message: sent SMB signature of [000] 78 6D A5 56 6D FC D9 E5 xm.Vm... store_sequence_for_reply: stored seq = 9 mid = 6 write_socket(16,112) write_socket(16,112) wrote 112 got smb length of 284 size=284 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 228 (0xE4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 228 (0xE4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=229 [000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ [010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ 
[020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ [040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ [050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. [060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h [070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i [080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t [090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c [0A0] 00 6F 00 6D 00 00 00 45 00 15 00 00 00 00 00 00 .o.m...E ........ [0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a [0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 00 .n.g...c .o.m.... [0E0] 00 00 00 00 00 ..... get_sequence_for_reply: found seq = 9 mid = 6 simple_packet_signature: sequence number 9 client_check_incoming_message: seq 9: got good SMB signature of [000] 72 98 14 AF B6 32 42 C1 r....2B. size=284 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=6 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 228 (0xE4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 228 (0xE4) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=229 [000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ [010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ [020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ [030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ [040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ [050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. [060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ 
.....c.h [070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i [080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t [090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c [0A0] 00 6F 00 6D 00 00 00 45 00 15 00 00 00 00 00 00 .o.m...E ........ [0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a [0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 00 .n.g...c .o.m.... [0E0] 00 00 00 00 00 ..... get_sequence_for_reply: found seq = 9 mid = 6 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00e4 000a auth_len : 0000 000c call_id : 00000002 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000cc 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 228, data_len 204, ss_len 0 rpc_api_pipe: got PDU len of 228 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 returned 408 bytes. 000000 ds_io_r_getprimdominfo 0000 ptr: 00020000 0004 level: 0001 0006 unknown0: 0000 0008 machine_role: 0005 000c flags: 01000001 0010 netbios_ptr: 00020004 0014 dnsname_ptr: 00020008 0018 forestname_ptr: 0002000c 00001c smb_io_uuid domain_guid 001c data : 051fb988 0020 data : d99f 0022 data : 42a3 0024 data : 87 55 0026 data : 7b c9 b4 d4 8a f3 00002c smb_io_unistr2 netbios_domain 002c uni_max_len: 00000008 0030 offset : 00000000 0034 uni_str_len: 00000008 0038 buffer : C.H.I.L.D.0.3... 000048 smb_io_unistr2 dns_domain 0048 uni_max_len: 0000001d 004c offset : 00000000 0050 uni_str_len: 0000001d 0054 buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
000090 smb_io_unistr2 forest_domain 0090 uni_max_len: 00000015 0094 offset : 00000000 0098 uni_str_len: 00000015 009c buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 00c8 status: NT_STATUS_OK simple_packet_signature: sequence number 10 client_sign_outgoing_message: sent SMB signature of [000] 99 8D 3B 38 9C 48 2A DF ..;8.H*. store_sequence_for_reply: stored seq = 11 mid = 7 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=7 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 11 mid = 7 simple_packet_signature: sequence number 11 client_check_incoming_message: seq 11: got good SMB signature of [000] F4 18 E9 81 AE BC E2 26 .......& cli_rpc_pipe_close: closed pipe \lsarpc to machine norma.child03.eightad6.testing.com simple_packet_signature: sequence number 12 client_sign_outgoing_message: sent SMB signature of [000] 0A 5E A9 D4 A8 98 82 18 .^...... 
store_sequence_for_reply: stored seq = 13 mid = 8 write_socket(16,104) write_socket(16,104) wrote 104 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=8 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 256 (0x100) smb_vwv[ 3]= 448 (0x1C0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 13 mid = 8 simple_packet_signature: sequence number 13 client_check_incoming_message: seq 13: got good SMB signature of [000] 2C B2 D3 92 35 1C 16 52 ,...5..R Bind RPC Pipe[c001]: \lsarpc auth_type 0, auth_level 0 Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4... ...#Eg.. [010] 00 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 
000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000003 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345778 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 89 ab 0030 version: 00000000 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=9 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49153 (0xC001) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... 
simple_packet_signature: sequence number 14 client_sign_outgoing_message: sent SMB signature of [000] FB 81 04 12 46 3A 91 6A ....F:.j store_sequence_for_reply: stored seq = 15 mid = 9 write_socket(16,158) write_socket(16,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 6C 70 00 00 0C 00 5C 50 49 50 45 .....lp. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 15 mid = 9 simple_packet_signature: sequence number 15 client_check_incoming_message: seq 15: got good SMB signature of [000] 9C E4 8D 34 A5 D3 FD CC ...4.... size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=9 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... [010] 00 B8 10 B8 10 6C 70 00 00 0C 00 5C 50 49 50 45 .....lp. ...\PIPE [020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 15 mid = 9 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000003 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 returned 68 bytes. rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000003 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000706c 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. init_lsa_sec_qos init_q_open_pol2: attr:0 da:33554432 init_lsa_obj_attr 000000 lsa_io_q_open_pol2 0000 ptr : 00000001 000004 smb_io_unistr2 0004 uni_max_len: 00000025 0008 offset : 00000000 000c uni_str_len: 00000025 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
00005a lsa_io_obj_attr 005c len : 00000018 0060 ptr_root_dir: 00000000 0064 ptr_obj_name: 00000000 0068 attributes : 00000000 006c ptr_sec_desc: 00000000 0070 ptr_sec_qos : 00000001 000074 lsa_io_obj_qos sec_qos 0074 len : 0000000c 0078 sec_imp_level : 0002 007a sec_ctxt_mode : 01 007b effective_only: 00 lsa_io_sec_qos: length c does not match size 8 007c des_access: 02000000 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0098 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000080 0014 context_id: 0000 0016 opnum : 002c rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 size=234 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=10 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 152 (0x98) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 152 (0x98) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=49153 (0xC001) smb_bcc=167 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 98 00 00 00 04 00 00 00 80 ........ ........ [020] 00 00 00 00 00 2C 00 01 00 00 00 25 00 00 00 00 .....,.. ...%.... [030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r [040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d [050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t [060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t [070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. [080] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
[090] 00 00 00 00 00 00 00 01 00 00 00 0C 00 00 00 02 ........ ........ [0A0] 00 01 00 00 00 00 02 ....... simple_packet_signature: sequence number 16 client_sign_outgoing_message: sent SMB signature of [000] 2C D1 E0 B8 7C 27 AA DB ,...|'.. store_sequence_for_reply: stored seq = 17 mid = 10 write_socket(16,238) write_socket(16,238) wrote 238 got smb length of 104 size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 02 02 50 ........ .......P [020] 64 D0 20 6D 44 90 F8 73 5B 26 86 1B EB 00 00 00 d. mD..s [&...... [030] 00 . get_sequence_for_reply: found seq = 17 mid = 10 simple_packet_signature: sequence number 17 client_check_incoming_message: seq 17: got good SMB signature of [000] E4 B8 DC D1 AE FF 8F EB ........ size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=10 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... [010] 00 18 00 00 00 00 00 00 00 00 00 00 00 02 02 50 ........ .......P [020] 64 D0 20 6D 44 90 F8 73 5B 26 86 1B EB 00 00 00 d. mD..s [&...... [030] 00 . 
get_sequence_for_reply: found seq = 17 mid = 10 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0030 000a auth_len : 0000 000c call_id : 00000004 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000018 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 rpc_api_pipe: got PDU len of 48 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 returned 48 bytes. 000000 lsa_io_r_open_pol2 000000 smb_io_pol_hnd 0000 handle_type: 00000000 000004 smb_io_uuid uuid 0004 data : 64500202 0008 data : 20d0 000a data : 446d 000c data : 90 f8 000e data : 73 5b 26 86 1b eb 0014 status: NT_STATUS_OK init_q_query2 000000 lsa_io_q_query_info2 000000 smb_io_pol_hnd pol 0000 handle_type: 00000000 000004 smb_io_uuid uuid 0004 data : 64500202 0008 data : 20d0 000a data : 446d 000c data : 90 f8 000e data : 73 5b 26 86 1b eb 0014 info_class: 000c 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 002e 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000016 0014 context_id: 0000 0016 opnum : 002e rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=11 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 46 (0x2E) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 46 (0x2E) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) 
smb_vwv[14]= 38 (0x26) smb_vwv[15]=49153 (0xC001) smb_bcc=61 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 2E 00 00 00 05 00 00 00 16 ........ ........ [020] 00 00 00 00 00 2E 00 00 00 00 00 02 02 50 64 D0 ........ .....Pd. [030] 20 6D 44 90 F8 73 5B 26 86 1B EB 0C 00 mD..s[& ..... simple_packet_signature: sequence number 18 client_sign_outgoing_message: sent SMB signature of [000] 67 E7 9F 31 98 95 A5 B9 g..1.... store_sequence_for_reply: stored seq = 19 mid = 11 write_socket(16,132) write_socket(16,132) wrote 132 got smb length of 312 size=312 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 256 (0x100) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=257 [000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ [010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ [020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... [030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ [040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ [050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L [060] 00 44 00 30 00 33 00 67 00 1D 00 00 00 00 00 00 .D.0.3.g ........ [070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 [080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a [090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... [0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ 
.e.i.g.h [0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ [0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... [100] 00 . get_sequence_for_reply: found seq = 19 mid = 11 simple_packet_signature: sequence number 19 client_check_incoming_message: seq 19: got good SMB signature of [000] 83 05 C2 5F 44 37 6A 07 ..._D7j. size=312 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=11 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 256 (0x100) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 256 (0x100) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=257 [000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ [010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ [020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... [030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ [040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ [050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L [060] 00 44 00 30 00 33 00 67 00 1D 00 00 00 00 00 00 .D.0.3.g ........ [070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 [080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a [090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i [0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... [0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h [0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s [0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m [0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ 
[0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... [100] 00 . get_sequence_for_reply: found seq = 19 mid = 11 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0100 000a auth_len : 0000 000c call_id : 00000005 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 000000e8 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 256, data_len 232, ss_len 0 rpc_api_pipe: got PDU len of 256 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 returned 464 bytes. 000000 lsa_io_r_query_info2 0000 dom_ptr: 00020000 000004 lsa_io_query_info_ctr2 0004 info_class: 000c 000006 lsa_io_dom_query_12 000008 smb_io_unihdr nb_name 0008 uni_str_len: 000e 000a uni_max_len: 0010 000c buffer : 00020004 000010 smb_io_unihdr dns_name 0010 uni_str_len: 0038 0012 uni_max_len: 003a 0014 buffer : 00020008 000018 smb_io_unihdr forest 0018 uni_str_len: 0028 001a uni_max_len: 002a 001c buffer : 0002000c 000020 smb_io_uuid dom_guid 0020 data : 051fb988 0024 data : d99f 0026 data : 42a3 0028 data : 87 55 002a data : 7b c9 b4 d4 8a f3 0030 dom_sid: 00020010 000034 smb_io_unistr2 nb_name 0034 uni_max_len: 00000008 0038 offset : 00000000 003c uni_str_len: 00000007 0040 buffer : C.H.I.L.D.0.3. 00004e smb_io_unistr2 dns_name 0050 uni_max_len: 0000001d 0054 offset : 00000000 0058 uni_str_len: 0000001c 005c buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m. 000094 smb_io_unistr2 forest 0094 uni_max_len: 00000015 0098 offset : 00000000 009c uni_str_len: 00000014 00a0 buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m. 
0000c8 smb_io_dom_sid2 dom_sid 00c8 num_auths: 00000004 0000cc smb_io_dom_sid sid 00cc sid_rev_num: 01 00cd num_auths : 04 00ce id_auth[0] : 00 00cf id_auth[1] : 00 00d0 id_auth[2] : 00 00d1 id_auth[3] : 00 00d2 id_auth[4] : 00 00d3 id_auth[5] : 05 00d4 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 00e4 status: NT_STATUS_OK set_dc_type_and_flags: domain CHILD03 is in native mode. set_dc_type_and_flags: domain CHILD03 is running active directory. simple_packet_signature: sequence number 20 client_sign_outgoing_message: sent SMB signature of [000] BD E9 90 CA F3 E7 F9 4F .......O store_sequence_for_reply: stored seq = 21 mid = 12 write_socket(16,45) write_socket(16,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=6146 smb_pid=25417 smb_uid=10241 smb_mid=12 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 21 mid = 12 simple_packet_signature: sequence number 21 client_check_incoming_message: seq 21: got good SMB signature of [000] E4 EE 32 6E DA 87 9E 07 ..2n.... 
cli_rpc_pipe_close: closed pipe \lsarpc to machine norma.child03.eightad6.testing.com Added timed event "async_request_timeout": 2aac341bb350 run_events: Nothing to do timed_events_timeout: 299/999957 child daemon request 19 process_request: request fn LIST_TRUSTDOM [25417]: list trusted domains get_cache: Setting ADS methods for domain CHILD03 fetch_cache_seqnum: invalid data size key [SEQNUM/CHILD03] ads: fetch sequence_number for CHILD03 ads_cached_connection Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_dc_name: domain=CHILD03 Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_find_dc: looking for realm 'child03.eightad6.testing.com' get_sorted_dc_list: attempting lookup for name child03.eightad6.testing.com (sitename Default-First-Site-Name) using [ads] Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 saf_fetch: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009 name child03.eightad6.testing.com#1C found. 
Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 name norma.child03.eightad6.testing.com#20 found. remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 ads_try_connect: sending CLDAP request to 192.168.12.172 (realm: child03.eightad6.testing.com) sitename_store: realm = [CHILD03.EIGHTAD6.TESTING.COM], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259153182 seconds ahead) Connected to LDAP server 192.168.12.172 Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_closest_dc: ADS_CLOSEST flag set create_local_private_krb5_conf_for_domain: fname = /var/lib/samba/smb_krb5/krb5.conf.CHILD03, realm = child03.eightad6.testing.com, domain = CHILD03 Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 saf_fetch: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename 
Default-First-Site-Name) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009 name child03.eightad6.testing.com#1C found. Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 name norma.child03.eightad6.testing.com#20 found. remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 saf_fetch: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename (null)) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009 name child03.eightad6.testing.com#1C found. 
Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 name norma.child03.eightad6.testing.com#20 found. remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 get_kdc_ip_string: Returning kdc = 192.168.12.172 create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.CHILD03 with realm CHILD03.EIGHTAD6.TESTING.COM KDC = 192.168.12.172 ads_dc_name: using server='NORMA.CHILD03.EIGHTAD6.TESTING.COM' IP=192.168.12.172 Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" ads_find_dc: looking for realm 'child03.eightad6.testing.com' get_sorted_dc_list: attempting lookup for name child03.eightad6.testing.com (sitename Default-First-Site-Name) using [ads] Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 saf_fetch: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 
18:26:18 2009 name child03.eightad6.testing.com#1C found. Adding 1 DC's from auto lookup Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 name norma.child03.eightad6.testing.com#20 found. remove_duplicate_addrs2: looking for duplicate address/port pairs get_dc_list: returning 1 ip addresses in an ordered list get_dc_list: 192.168.12.172:389 ads_try_connect: sending CLDAP request to 192.168.12.172 (realm: child03.eightad6.testing.com) sitename_store: realm = [CHILD03.EIGHTAD6.TESTING.COM], sitename = [Default-First-Site-Name], expire = [4294967295] Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259153182 seconds ahead) Connected to LDAP server 192.168.12.172 ads_closest_dc: ADS_CLOSEST flag set saf_store: domain = [CHILD03], server = [192.168.12.172], expire = [1259154081] Adding cache entry with key = SAF/DOMAIN/CHILD03; value = 192.168.12.172 and timeout = Wed Nov 25 18:31:21 2009 (900 seconds ahead) saf_store: domain = [child03.eightad6.testing.com], server = [192.168.12.172], expire = [1259154081] Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = 192.168.12.172 and timeout = Wed Nov 25 18:31:21 2009 (900 seconds ahead) time offset is 3 seconds Found SASL mechanism GSS-SPNEGO ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 ads_sasl_spnego_bind: got server 
principal name = norma$@CHILD03.EIGHTAD6.TESTING.COM ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found) ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit kerberos_kinit_password: using [MEMORY:winbind_ccache] as ccache and config [/var/lib/samba/smb_krb5/krb5.conf.CHILD03] ads_krb5_mk_req: Advancing clock by 3 seconds to cope with clock skew ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 26 Nov 2009 04:16:24 IST ads_krb5_mk_req: Ticket (norma$@CHILD03.EIGHTAD6.TESTING.COM) in ccache (MEMORY:winbind_ccache) is valid until: (Thu, 26 Nov 2009 04:16:24 IST - 1259189184) Got KRB5 session key of length 16 Search for (objectclass=*) in <> gave 1 replies store_cache_seqnum: success [CHILD03][13938 @ 1259153181] refresh_sequence_number: CHILD03 seq number is now 13938 trusted_domains: [Cached] - doing backend query for info for domain CHILD03 ads: trusted_domains simple_packet_signature: sequence number 22 client_sign_outgoing_message: sent SMB signature of [000] 91 3A D8 52 6C 0F 9A 96 .:.Rl... 
store_sequence_for_reply: stored seq = 23 mid = 13 write_socket(15,108) write_socket(15,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=13 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 23 mid = 13 simple_packet_signature: sequence number 23 client_check_incoming_message: seq 23: got good SMB signature of [000] B7 7B CD 58 EA 2A C1 C4 .{.X.*.. Bind RPC Pipe[400e]: \NETLOGON auth_type 0, auth_level 0 Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 
000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0048 000a auth_len : 0000 000c call_id : 00000006 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e size=154 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=14 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16398 (0x400E) smb_bcc=87 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 48 00 00 00 06 00 00 00 B8 .......H ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... [040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 .H`.... 
simple_packet_signature: sequence number 24 client_sign_outgoing_message: sent SMB signature of [000] 2B 72 23 04 43 43 FB 38 +r#.CC.8 store_sequence_for_reply: stored seq = 25 mid = 14 write_socket(15,158) write_socket(15,158) wrote 158 got smb length of 124 size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... [010] 00 B8 10 B8 10 6D 70 00 00 0C 00 5C 50 49 50 45 .....mp. ...\PIPE [020] 5C 6C 73 61 73 73 00 73 5B 01 00 00 00 00 00 00 \lsass.s [....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... get_sequence_for_reply: found seq = 25 mid = 14 simple_packet_signature: sequence number 25 client_check_incoming_message: seq 25: got good SMB signature of [000] BB C1 BF 2F E5 E1 5C 45 .../..\E size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=14 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... [010] 00 B8 10 B8 10 6D 70 00 00 0C 00 5C 50 49 50 45 .....mp. ...\PIPE [020] 5C 6C 73 61 73 73 00 73 5B 01 00 00 00 00 00 00 \lsass.s [....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 `.... 
get_sequence_for_reply: found seq = 25 mid = 14 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000006 rpc_api_pipe: got PDU len of 68 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e returned 68 bytes. rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0044 000a auth_len : 0000 000c call_id : 00000006 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000706d 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_noauth: opened pipe \NETLOGON to machine norma.child03.eightad6.testing.com and bound anonymously. cli_net_req_chal: LSA Request Challenge from MONOCEROS to \\norma.child03.eightad6.testing.com init_q_req_chal: 679 init_q_req_chal: 688 000000 net_io_q_req_chal 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 0004 uni_max_len: 00000025 0008 offset : 00000000 000c uni_str_len: 00000025 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 00005a smb_io_unistr2 005c uni_max_len: 0000000a 0060 offset : 00000000 0064 uni_str_len: 0000000a 0068 buffer : M.O.N.O.C.E.R.O.S... 
00007c smb_io_chal 007c data: 22 53 49 7e 32 86 5b 5a 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 009c 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 00000084 0014 context_id: 0000 0016 opnum : 0004 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e size=238 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=15 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 156 (0x9C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 156 (0x9C) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16398 (0x400E) smb_bcc=171 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 9C 00 00 00 07 00 00 00 84 ........ ........ [020] 00 00 00 00 00 04 00 01 00 00 00 25 00 00 00 00 ........ ...%.... [030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r [040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d [050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t [060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t [070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. [080] 00 00 00 0A 00 00 00 00 00 00 00 0A 00 00 00 4D ........ .......M [090] 00 4F 00 4E 00 4F 00 43 00 45 00 52 00 4F 00 53 .O.N.O.C .E.R.O.S [0A0] 00 00 00 22 53 49 7E 32 86 5B 5A ..."SI~2 .[Z simple_packet_signature: sequence number 26 client_sign_outgoing_message: sent SMB signature of [000] 19 27 4E BE A1 01 DD FE .'N..... 
store_sequence_for_reply: stored seq = 27 mid = 15 write_socket(15,242) write_socket(15,242) wrote 242 got smb length of 92 size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 9C 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 EB BC 77 2D EC 92 F1 ........ ...w-... [020] 1A 00 00 00 00 ..... get_sequence_for_reply: found seq = 27 mid = 15 simple_packet_signature: sequence number 27 client_check_incoming_message: seq 27: got good SMB signature of [000] A4 03 7D FE 65 49 16 E3 ..}.eI.. size=92 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=15 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 36 (0x24) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=37 [000] 9C 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... [010] 00 0C 00 00 00 00 00 00 00 EB BC 77 2D EC 92 F1 ........ ...w-... [020] 1A 00 00 00 00 ..... 
get_sequence_for_reply: found seq = 27 mid = 15 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0024 000a auth_len : 0000 000c call_id : 00000007 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000000c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 36, data_len 12, ss_len 0 rpc_api_pipe: got PDU len of 36 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e returned 24 bytes. 000000 net_io_r_req_chal 000000 smb_io_chal 0000 data: eb bc 77 2d ec 92 f1 1a 0008 status: NT_STATUS_OK creds_client_init: neg_flags : 600fffff creds_client_init: client chal : 2253497E32865B5A creds_client_init: server chal : EBBC772DEC92F11A creds_init_128 clnt_chal_in: 2253497E32865B5A srv_chal_in : EBBC772DEC92F11A creds_client_init: clnt : 5CE1F2DFC5A11FB8 creds_client_init: server : FA8CD6C86F115E08 creds_client_init: seed : 5CE1F2DFC5A11FB8 cli_net_auth2: srv:\\norma.child03.eightad6.testing.com acct:MONOCEROS$ sc:2 mc: MONOCEROS neg: 600fffff init_q_auth_2: 800 make_log_info 1450 init_q_auth_2: 806 000000 net_io_q_auth_2 000000 smb_io_log_info 0000 undoc_buffer: 00000001 000004 smb_io_unistr2 unistr2 0004 uni_max_len: 00000025 0008 offset : 00000000 000c uni_str_len: 00000025 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 00005a smb_io_unistr2 unistr2 005c uni_max_len: 0000000b 0060 offset : 00000000 0064 uni_str_len: 0000000b 0068 buffer : M.O.N.O.C.E.R.O.S.$... 007e sec_chan: 0002 000080 smb_io_unistr2 unistr2 0080 uni_max_len: 0000000a 0084 offset : 00000000 0088 uni_str_len: 0000000a 008c buffer : M.O.N.O.C.E.R.O.S... 
0000a0 smb_io_chal 00a0 data: 5c e1 f2 df c5 a1 1f b8 0000a8 net_io_neg_flags 00a8 neg_flags: 600fffff 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00c4 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 000000ac 0014 context_id: 0000 0016 opnum : 000f rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e size=278 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=16 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 196 (0xC4) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 196 (0xC4) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16398 (0x400E) smb_bcc=211 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 00 03 10 00 00 00 C4 00 00 00 08 00 00 00 AC ........ ........ [020] 00 00 00 00 00 0F 00 01 00 00 00 25 00 00 00 00 ........ ...%.... [030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r [040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d [050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t [060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t [070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. [080] 00 00 00 0B 00 00 00 00 00 00 00 0B 00 00 00 4D ........ .......M [090] 00 4F 00 4E 00 4F 00 43 00 45 00 52 00 4F 00 53 .O.N.O.C .E.R.O.S [0A0] 00 24 00 00 00 02 00 0A 00 00 00 00 00 00 00 0A .$...... ........ [0B0] 00 00 00 4D 00 4F 00 4E 00 4F 00 43 00 45 00 52 ...M.O.N .O.C.E.R [0C0] 00 4F 00 53 00 00 00 5C E1 F2 DF C5 A1 1F B8 FF .O.S...\ ........ 
[0D0] FF 0F 60 ..` simple_packet_signature: sequence number 28 client_sign_outgoing_message: sent SMB signature of [000] E2 2E 65 F9 64 C6 0E B3 ..e.d... store_sequence_for_reply: stored seq = 29 mid = 16 write_socket(15,282) write_socket(15,282) wrote 282 got smb length of 96 size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=16 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] C4 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 FA 8C D6 C8 6F 11 5E ........ .....o.^ [020] 08 FF FF 0F 60 00 00 00 00 ....`... . get_sequence_for_reply: found seq = 29 mid = 16 simple_packet_signature: sequence number 29 client_check_incoming_message: seq 29: got good SMB signature of [000] CA 08 F6 10 EC 86 FC AC ........ size=96 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=16 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 40 (0x28) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 40 (0x28) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=41 [000] C4 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... [010] 00 10 00 00 00 00 00 00 00 FA 8C D6 C8 6F 11 5E ........ .....o.^ [020] 08 FF FF 0F 60 00 00 00 00 ....`... . 
get_sequence_for_reply: found seq = 29 mid = 16 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0028 000a auth_len : 0000 000c call_id : 00000008 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 00000010 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 cli_pipe_validate_current_pdu: got pdu len 40, data_len 16, ss_len 0 rpc_api_pipe: got PDU len of 40 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e returned 32 bytes. 000000 net_io_r_auth_2 000000 smb_io_chal 0000 data: fa 8c d6 c8 6f 11 5e 08 000008 net_io_neg_flags 0008 neg_flags: 600fffff 000c status: NT_STATUS_OK creds_client_check: credentials check OK. rpccli_netlogon_setup_creds: server norma.child03.eightad6.testing.com credential chain established. simple_packet_signature: sequence number 30 client_sign_outgoing_message: sent SMB signature of [000] 20 B6 38 44 C0 8A 4D B1 .8D..M. 
store_sequence_for_reply: stored seq = 31 mid = 17 write_socket(15,108) write_socket(15,108) wrote 108 got smb length of 103 size=103 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=17 smt_wct=34 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 103 (0x67) smb_vwv[ 2]= 3840 (0xF00) smb_vwv[ 3]= 320 (0x140) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 0 (0x0) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 0 (0x0) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]=32768 (0x8000) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_vwv[24]= 16 (0x10) smb_vwv[25]= 0 (0x0) smb_vwv[26]= 0 (0x0) smb_vwv[27]= 0 (0x0) smb_vwv[28]= 0 (0x0) smb_vwv[29]= 0 (0x0) smb_vwv[30]= 0 (0x0) smb_vwv[31]= 512 (0x200) smb_vwv[32]=65280 (0xFF00) smb_vwv[33]= 5 (0x5) smb_bcc=0 get_sequence_for_reply: found seq = 31 mid = 17 simple_packet_signature: sequence number 31 client_check_incoming_message: seq 31: got good SMB signature of [000] 8A 64 4B 2E 06 E0 52 EE .dK...R. Bind RPC Pipe[400f]: \NETLOGON auth_type 2, auth_level 6 Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. [010] 01 00 00 00 .... Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` [010] 02 00 00 00 .... 
000000 smb_io_rpc_auth_schannel_neg schannel_neg 0000 type1: 00000000 0004 type2: 00000003 [000] 43 48 49 4C 44 30 33 CHILD03 [000] 4D 4F 4E 4F 43 45 52 4F 53 MONOCERO S 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0b 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 006a 000a auth_len : 001a 000c call_id : 00000009 000010 smb_io_rpc_hdr_rb 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 00000000 0018 num_contexts: 01 001c context_id : 0000 001e num_transfer_syntaxes: 01 00001f smb_io_rpc_iface 000020 smb_io_uuid uuid 0020 data : 12345678 0024 data : 1234 0026 data : abcd 0028 data : ef 00 002a data : 01 23 45 67 cf fb 0030 version: 00000001 000034 smb_io_rpc_iface 000034 smb_io_uuid uuid 0034 data : 8a885d04 0038 data : 1ceb 003a data : 11c9 003c data : 9f e8 003e data : 08 00 2b 10 48 60 0044 version: 00000002 000048 smb_io_rpc_hdr_auth hdr_auth 0048 auth_type : 44 0049 auth_level : 06 004a auth_pad_len : 00 004b auth_reserved: 00 004c auth_context_id: 00000001 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f size=188 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=18 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 106 (0x6A) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 106 (0x6A) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16399 (0x400F) smb_bcc=121 [000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... [010] 00 0B 03 10 00 00 00 6A 00 1A 00 09 00 00 00 B8 .......j ........ [020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x [030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... 
[040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ [050] 10 48 60 02 00 00 00 44 06 00 00 01 00 00 00 00 .H`....D ........ [060] 00 00 00 03 00 00 00 43 48 49 4C 44 30 33 00 4D .......C HILD03.M [070] 4F 4E 4F 43 45 52 4F 53 00 ONOCEROS . simple_packet_signature: sequence number 32 client_sign_outgoing_message: sent SMB signature of [000] C3 A6 54 6D C6 19 21 D6 ..Tm..!. store_sequence_for_reply: stored seq = 33 mid = 18 write_socket(15,192) write_socket(15,192) wrote 192 got smb length of 144 size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 6A 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 j....... .X...... [010] 00 B8 10 B8 10 6E 70 00 00 0C 00 5C 50 49 50 45 .....np. ...\PIPE [020] 5C 6C 73 61 73 73 00 73 5B 01 00 00 00 00 00 00 \lsass.s [....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 36 00 .......6 . get_sequence_for_reply: found seq = 33 mid = 18 simple_packet_signature: sequence number 33 client_check_incoming_message: seq 33: got good SMB signature of [000] 93 70 13 4A 33 52 26 5B .p.J3R&[ size=144 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=18 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 88 (0x58) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=89 [000] 6A 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 j....... .X...... [010] 00 B8 10 B8 10 6E 70 00 00 0C 00 5C 50 49 50 45 .....np. 
...\PIPE [020] 5C 6C 73 61 73 73 00 73 5B 01 00 00 00 00 00 00 \lsass.s [....... [030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ [050] 00 00 00 00 00 00 00 36 00 .......6 . get_sequence_for_reply: found seq = 33 mid = 18 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 00000009 rpc_api_pipe: got PDU len of 88 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f returned 88 bytes. rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f bind request returned ok. 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 0c 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 0058 000a auth_len : 000c 000c call_id : 00000009 000010 smb_io_rpc_hdr_ba 000010 smb_io_rpc_hdr_bba 0010 max_tsize: 10b8 0012 max_rsize: 10b8 0014 assoc_gid: 0000706e 000018 smb_io_rpc_addr_str 0018 len: 000c 001a str: \PIPE\lsass. 000026 smb_io_rpc_results 0028 num_results: 01 002c result : 0000 002e reason : 0000 000030 smb_io_rpc_iface 000030 smb_io_uuid uuid 0030 data : 8a885d04 0034 data : 1ceb 0036 data : 11c9 0038 data : 9f e8 003a data : 08 00 2b 10 48 60 0040 version: 00000002 check_bind_response: accepted! cli_rpc_pipe_open_schannel_with_key: opened pipe \NETLOGON to machine norma.child03.eightad6.testing.com for domain CHILD03 and bound using schannel. simple_packet_signature: sequence number 34 client_sign_outgoing_message: sent SMB signature of [000] 0A 98 0C 75 41 4C 7A 90 ...uALz. 
store_sequence_for_reply: stored seq = 35 mid = 19 write_socket(15,45) write_socket(15,45) wrote 45 got smb length of 35 size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=19 smt_wct=0 smb_bcc=0 get_sequence_for_reply: found seq = 35 mid = 19 simple_packet_signature: sequence number 35 client_check_incoming_message: seq 35: got good SMB signature of [000] 7F DB 49 1F 4E AC 4A 5E ..I.N.J^ cli_rpc_pipe_close: closed pipe \NETLOGON to machine norma.child03.eightad6.testing.com 000000 ds_io_q_enum_domain_trusts 0000 server_ptr: 00000001 000004 smb_io_unistr2 server 0004 uni_max_len: 00000023 0008 offset : 00000000 000c uni_str_len: 00000023 0010 buffer : n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 0058 flags: 00000003 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 00a0 000a auth_len : 0020 000c call_id : 0000000a 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000005c 0014 context_id: 0000 0016 opnum : 0028 000078 smb_io_rpc_hdr_auth hdr_auth 0078 auth_type : 44 0079 auth_level : 06 007a auth_pad_len : 04 007b auth_reserved: 00 007c auth_context_id: 00000001 add_schannel_auth_footer: SCHANNEL seq_num=0 SCHANNEL: schannel_encode seq_num=0 data_len=96 000080 smb_io_rpc_auth_schannel_chk 0080 sig : 77 00 7a 00 ff ff 00 00 0088 seq_num: fa e0 51 05 68 9d ef cb 0090 packet_digest: 80 a3 8d fc b2 62 4d 96 0098 confounder: 4d af d4 78 41 ed cf eb rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f size=242 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=20 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 160 (0xA0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) 
smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 160 (0xA0) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16399 (0x400F) smb_bcc=175 simple_packet_signature: sequence number 36 client_sign_outgoing_message: sent SMB signature of [000] F7 1B 49 7D B1 A7 40 30 ..I}..@0 store_sequence_for_reply: stored seq = 37 mid = 20 write_socket(15,246) write_socket(15,246) wrote 246 got smb length of 472 size=472 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 416 (0x1A0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 416 (0x1A0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=417 
get_sequence_for_reply: found seq = 37 mid = 20 simple_packet_signature: sequence number 37 client_check_incoming_message: seq 37: got good SMB signature of [000] E1 47 A3 C1 9D DA 1D 44 .G.....D size=472 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=20 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 416 (0x1A0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 416 (0x1A0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=417 
get_sequence_for_reply: found seq = 37 mid = 20 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 01a0 000a auth_len : 0020 000c call_id : 0000000a 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000015c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 000178 smb_io_rpc_hdr_auth hdr_auth 0178 auth_type : 44 0179 auth_level : 06 017a auth_pad_len : 04 017b auth_reserved: 00 017c auth_context_id: 00000001 000180 smb_io_rpc_auth_schannel_chk 0180 sig : 77 00 7a 00 ff ff 00 00 0188 seq_num: 6d 84 11 31 7a 48 95 b9 0190 packet_digest: b6 26 be 15 f7 de d0 2f 0198 confounder: ef f1 43 fb cf 05 8b 26 SCHANNEL: schannel_decode seq_num=1 data_len=352 SCHANNEL: schannel_decode seq_num=1 data_len=352 cli_pipe_validate_current_pdu: got pdu len 416, data_len 348, ss_len 4 rpc_api_pipe: got PDU len of 416 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f returned 696 bytes. 
000000 ds_io_r_enum_domain_trusts 0000 num_domains: 00000002 000004 ds_io_dom_trusts_ctr domains 0004 ptr: 00020000 0008 max_count: 00000002 00000c ds_io_dom_trusts_ctr domain_trusts 000c netbios_ptr: 00020004 0010 dns_ptr: 00020008 0014 flags: 00000027 0018 parent_index: 00000000 001c trust_type: 00000002 0020 trust_attributes: 00000020 0024 sid_ptr: 0002000c 000028 smb_io_uuid guid 0028 data : 3bc437b2 002c data : 76c5 002e data : 4ebd 0030 data : b2 c2 0032 data : bc 53 0c e4 9a 8a 000038 ds_io_dom_trusts_ctr domain_trusts 0038 netbios_ptr: 00020010 003c dns_ptr: 00020014 0040 flags: 00000019 0044 parent_index: 00000000 0048 trust_type: 00000002 004c trust_attributes: 00000000 0050 sid_ptr: 00020018 000054 smb_io_uuid guid 0054 data : 051fb988 0058 data : d99f 005a data : 42a3 005c data : 87 55 005e data : 7b c9 b4 d4 8a f3 000064 smb_io_unistr2 netbios_domain 0064 uni_max_len: 00000009 0068 offset : 00000000 006c uni_str_len: 00000009 0070 buffer : E.I.G.H.T.A.D.6... 000084 smb_io_unistr2 dns_domain 0084 uni_max_len: 00000015 0088 offset : 00000000 008c uni_str_len: 00000015 0090 buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 0000bc smb_io_dom_sid2 sid 00bc num_auths: 00000004 0000c0 smb_io_dom_sid sid 00c0 sid_rev_num: 01 00c1 num_auths : 04 00c2 id_auth[0] : 00 00c3 id_auth[1] : 00 00c4 id_auth[2] : 00 00c5 id_auth[3] : 00 00c6 id_auth[4] : 00 00c7 id_auth[5] : 05 00c8 sub_auths : 00000015 09a80eae 763688c1 f72701f1 0000d8 smb_io_unistr2 netbios_domain 00d8 uni_max_len: 00000008 00dc offset : 00000000 00e0 uni_str_len: 00000008 00e4 buffer : C.H.I.L.D.0.3... 0000f4 smb_io_unistr2 dns_domain 00f4 uni_max_len: 0000001d 00f8 offset : 00000000 00fc uni_str_len: 0000001d 0100 buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
00013c smb_io_dom_sid2 sid 013c num_auths: 00000004 000140 smb_io_dom_sid sid 0140 sid_rev_num: 01 0141 num_auths : 04 0142 id_auth[0] : 00 0143 id_auth[1] : 00 0144 id_auth[2] : 00 0145 id_auth[3] : 00 0146 id_auth[4] : 00 0147 id_auth[5] : 05 0148 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 0158 status: NT_STATUS_OK refresh_sequence_number: CHILD03 time ok refresh_sequence_number: CHILD03 seq number is now 13938 Storing response for pid 25418, len 3390 Storing extra data: len=150 Destroying timed event 2aac341bb350 "async_request_timeout" Retrieving response for pid 25418 Retrieving extra data length=150
Added domain EIGHTAD6 eightad6.testing.com S-1-5-21-162008750-1983285441-4146528753 accepted socket 17 process_request: request fn INTERFACE_VERSION [25844]: request interface version process_request: request fn WINBINDD_PRIV_PIPE_DIR [25844]: request location of privileged pipe accepted socket 18 process_request: request fn AUTH_CRAP [25844]: pam auth crap domain: [CHILD03] user: test is_myname("CHILD03") returns 0 Added timed event "async_request_timeout": 2aac341bd930 run_events: Nothing to do timed_events_timeout: 299/999991 child daemon request 13 process_request: request fn AUTH_CRAP [25417]: pam auth crap domain: CHILD03 user: test is_myname("CHILD03") returns 0 sequence = 0x4b0d271f seed: 5CE1F2DFC5A11FB8 seed+seq 7B08002BC5A11FB8 CLIENT 4C93A6EB2800C7A9 seed+seq+1 7C08002BC5A11FB8 SERVER E8730921C3343822 cred_reseed: seed 7C08002BC5A11FB8 init_id_info2: 1185 make_logon_id: 1629 init_sam_info: 1279 make_clnt_info: 1544 init_clnt_srv: 1389 000000 net_io_q_sam_logon 000000 smb_io_sam_info 000000 smb_io_clnt_info2 000000 smb_io_clnt_srv 0000 undoc_buffer : 00000001 000004 smb_io_unistr2 unistr2 0004 uni_max_len: 00000025 0008 offset : 00000000 000c uni_str_len: 00000025 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 005c undoc_buffer2: 00000001 000060 smb_io_unistr2 unistr2 0060 uni_max_len: 0000000a 0064 offset : 00000000 0068 uni_str_len: 0000000a 006c buffer : M.O.N.O.C.E.R.O.S... 
0080 ptr_cred: 00000001 000084 smb_io_cred 000084 smb_io_chal 0084 data: 4c 93 a6 eb 28 00 c7 a9 00008c smb_io_utime 008c time: 4b0d271f 0090 ptr_rtn_cred : 00000001 000094 smb_io_cred 000094 smb_io_chal 0094 data: 00 00 00 00 00 00 00 00 00009c smb_io_utime 009c time: 00000000 00a0 logon_level : 0002 0000a2 smb_io_sam_info_ctr logon_info 00a2 switch_value : 0002 0000a4 net_io_id_info2 00a4 ptr_id_info2: 00000001 0000a8 smb_io_unihdr unihdr 00a8 uni_str_len: 000e 00aa uni_max_len: 000e 00ac buffer : 00000001 00b0 param_ctrl: 00000820 0000b4 smb_io_logon_id 00b4 low : 0000dead 00b8 high: 0000beef 0000bc smb_io_unihdr unihdr 00bc uni_str_len: 0008 00be uni_max_len: 0008 00c0 buffer : 00000001 0000c4 smb_io_unihdr unihdr 00c4 uni_str_len: 0016 00c6 uni_max_len: 0016 00c8 buffer : 00000001 00cc lm_chal: 06 a5 32 64 99 9c b0 06 0000d4 smb_io_strhdr hdr_nt_chal_resp 00d4 str_str_len: 0018 00d6 str_max_len: 0018 00d8 buffer : 00000001 0000dc smb_io_strhdr hdr_lm_chal_resp 00dc str_str_len: 0000 00de str_max_len: 0000 00e0 buffer : 00000000 0000e4 smb_io_unistr2 uni_domain_name 00e4 uni_max_len: 00000007 00e8 offset : 00000000 00ec uni_str_len: 00000007 00f0 buffer : C.H.I.L.D.0.3. 0000fe smb_io_unistr2 uni_user_name 0100 uni_max_len: 00000004 0104 offset : 00000000 0108 uni_str_len: 00000004 010c buffer : t.e.s.t. 000114 smb_io_unistr2 uni_wksta_name 0114 uni_max_len: 0000000b 0118 offset : 00000000 011c uni_str_len: 0000000b 0120 buffer : \.\.M.O.N.O.C.E.R.O.S. 000136 smb_io_string2 nt_chal_resp 0138 str_max_len: 00000018 013c offset : 00000000 0140 str_str_len: 00000018 0144 buffer : T..n.lm...~`..;...,]-... 
00015c smb_io_string2 - NULL lm_chal_resp 015c validation_level: 0003 000000 smb_io_rpc_hdr hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 00 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 01a0 000a auth_len : 0020 000c call_id : 0000000b 000010 smb_io_rpc_hdr_req hdr_req 0010 alloc_hint: 0000015e 0014 context_id: 0000 0016 opnum : 0002 000178 smb_io_rpc_hdr_auth hdr_auth 0178 auth_type : 44 0179 auth_level : 06 017a auth_pad_len : 02 017b auth_reserved: 00 017c auth_context_id: 00000001 add_schannel_auth_footer: SCHANNEL seq_num=2 SCHANNEL: schannel_encode seq_num=2 data_len=352 000180 smb_io_rpc_auth_schannel_chk 0180 sig : 77 00 7a 00 ff ff 00 00 0188 seq_num: a0 ac ce e9 bc 62 83 ba 0190 packet_digest: 1b 7f ec 8d 1f f4 a9 e1 0198 confounder: 4f f0 16 d8 04 af 99 bc rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f size=498 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=21 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 416 (0x1A0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 4280 (0x10B8) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 82 (0x52) smb_vwv[11]= 416 (0x1A0) smb_vwv[12]= 82 (0x52) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16399 (0x400F) smb_bcc=431
simple_packet_signature: sequence number 38 client_sign_outgoing_message: sent SMB signature of [000] 28 08 63 4E B2 62 F1 18 (.cN.b..
store_sequence_for_reply: stored seq = 39 mid = 21 write_socket(15,502) write_socket(15,502) wrote 502 got smb length of 472 size=472 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=21 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 416 (0x1A0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 416 (0x1A0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=417
get_sequence_for_reply: found seq = 39 mid = 21 simple_packet_signature: sequence number 39 client_check_incoming_message: seq 39: got good SMB signature of [000] 04 33 DB D7 8A 83 B3 02 .3...... size=472 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51205 smb_tid=2052 smb_pid=25418 smb_uid=4097 smb_mid=21 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 416 (0x1A0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 416 (0x1A0) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=417
get_sequence_for_reply: found seq = 39 mid = 21 000000 smb_io_rpc_hdr rpc_hdr 0000 major : 05 0001 minor : 00 0002 pkt_type : 02 0003 flags : 03 0004 pack_type0: 10 0005 pack_type1: 00 0006 pack_type2: 00 0007 pack_type3: 00 0008 frag_len : 01a0 000a auth_len : 0020 000c call_id : 0000000b 000010 smb_io_rpc_hdr_resp rpc_hdr_resp 0010 alloc_hint: 0000015c 0014 context_id: 0000 0016 cancel_ct : 00 0017 reserved : 00 000178 smb_io_rpc_hdr_auth hdr_auth 0178 auth_type : 44 0179 auth_level : 06 017a auth_pad_len : 04 017b auth_reserved: 00 017c auth_context_id: 00000001 000180 smb_io_rpc_auth_schannel_chk 0180 sig : 77 00 7a 00 ff ff 00 00 0188 seq_num: de e1 b8 35 94 2b f7 4a 0190 packet_digest: 58 aa c7 a6 62 22 10 a9 0198 confounder: a4 e4 b1 5a c6 2a 1b 42 SCHANNEL: schannel_decode seq_num=3 data_len=352 SCHANNEL: schannel_decode seq_num=3 data_len=352 cli_pipe_validate_current_pdu: got pdu len 416, data_len 348, ss_len 4 rpc_api_pipe: got PDU len of 416 at offset 0 rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f returned 696 bytes.
000000 net_io_r_sam_logon 0000 buffer_creds: 00020000 000004 smb_io_cred 000004 smb_io_chal 0004 data: e8 73 09 21 c3 34 38 22 00000c smb_io_utime 000c time: 00000000 0010 switch_value: 0003 000014 net_io_user_info3 0014 ptr_user_info : 00020004 000018 smb_io_time logon time 0018 low : 00000000 001c high: 00000000 000020 smb_io_time logoff time 0020 low : ffffffff 0024 high: 7fffffff 000028 smb_io_time kickoff time 0028 low : ffffffff 002c high: 7fffffff 000030 smb_io_time last set time 0030 low : 62aadb36 0034 high: 01ca6db9 000038 smb_io_time can change time 0038 low : 62aadb36 003c high: 01ca6db9 000040 smb_io_time must change time 0040 low : ffffffff 0044 high: 7fffffff 000048 smb_io_unihdr hdr_user_name 0048 uni_str_len: 0008 004a uni_max_len: 000a 004c buffer : 00020008 000050 smb_io_unihdr hdr_full_name 0050 uni_str_len: 0000 0052 uni_max_len: 0000 0054 buffer : 00000000 000058 smb_io_unihdr hdr_logon_script 0058 uni_str_len: 0000 005a uni_max_len: 0000 005c buffer : 00000000 000060 smb_io_unihdr hdr_profile_path 0060 uni_str_len: 0000 0062 uni_max_len: 0000 0064 buffer : 00000000 000068 smb_io_unihdr hdr_home_dir 0068 uni_str_len: 0000 006a uni_max_len: 0000 006c buffer : 00000000 000070 smb_io_unihdr hdr_dir_drive 0070 uni_str_len: 0000 0072 uni_max_len: 0000 0074 buffer : 00000000 0078 logon_count : 0000 007a bad_pw_count : 0000 007c user_rid : 0000044f 0080 group_rid : 00000201 0084 num_groups : 00000001 0088 buffer_groups : 0002000c 008c user_flgs : 00000120 dump_user_flgs account has LOGON_EXTRA_SIDS account has LOGON_NTLMV2_ENABLED 0090 user_sess_key: 7f 95 a4 3c e0 e6 da fb e1 8b b8 e9 f5 dc a1 22 0000a0 smb_io_unihdr hdr_logon_srv 00a0 uni_str_len: 000a 00a2 uni_max_len: 000c 00a4 buffer : 00020010 0000a8 smb_io_unihdr hdr_logon_dom 00a8 uni_str_len: 000e 00aa uni_max_len: 0010 00ac buffer : 00020014 00b0 buffer_dom_id : 00020018 00b4 lm_sess_key: 9a de 3d d6 01 e8 98 ab 00bc acct_flags : 00000210 dump_acct_flags account has ACB_NORMAL account has 
ACB_PWNOEXP 00c0 unkown: 00000000 00c4 unkown: 00000000 00c8 unkown: 00000000 00cc unkown: 00000000 00d0 unkown: 00000000 00d4 unkown: 00000000 00d8 unkown: 00000000 00dc num_other_sids: 00000000 00e0 buffer_other_sids: 00000000 0000e4 smb_io_unistr2 uni_user_name 00e4 uni_max_len: 00000005 00e8 offset : 00000000 00ec uni_str_len: 00000004 00f0 buffer : t.e.s.t. 0000f8 smb_io_unistr2 - NULL uni_full_name 0000f8 smb_io_unistr2 - NULL uni_logon_script 0000f8 smb_io_unistr2 - NULL uni_profile_path 0000f8 smb_io_unistr2 - NULL uni_home_dir 0000f8 smb_io_unistr2 - NULL uni_dir_drive 00f8 num_groups2 : 00000001 0000fc smb_io_gid 00fc g_rid: 00000201 0100 attr : 00000007 000104 smb_io_unistr2 uni_logon_srv 0104 uni_max_len: 00000006 0108 offset : 00000000 010c uni_str_len: 00000005 0110 buffer : N.O.R.M.A. 00011a smb_io_unistr2 uni_logon_dom 011c uni_max_len: 00000008 0120 offset : 00000000 0124 uni_str_len: 00000007 0128 buffer : C.H.I.L.D.0.3. 000136 smb_io_dom_sid2 0138 num_auths: 00000004 00013c smb_io_dom_sid sid 013c sid_rev_num: 01 013d num_auths : 04 013e id_auth[0] : 00 013f id_auth[1] : 00 0140 id_auth[2] : 00 0141 id_auth[3] : 00 0142 id_auth[4] : 00 0143 id_auth[5] : 05 0144 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 0154 auth_resp : 00000001 0158 status : NT_STATUS_OK creds_client_check: credentials check OK. 
netsamlogon_cache_store: SID [S-1-5-21-1527705246-3463401961-2594329352-1103] 0000 timestamp: 4b0d2739 000004 net_io_user_info3 0004 ptr_user_info : 00020004 000008 smb_io_time logon time 0008 low : 00000000 000c high: 00000000 000010 smb_io_time logoff time 0010 low : ffffffff 0014 high: 7fffffff 000018 smb_io_time kickoff time 0018 low : ffffffff 001c high: 7fffffff 000020 smb_io_time last set time 0020 low : 62aadb36 0024 high: 01ca6db9 000028 smb_io_time can change time 0028 low : 62aadb36 002c high: 01ca6db9 000030 smb_io_time must change time 0030 low : ffffffff 0034 high: 7fffffff 000038 smb_io_unihdr hdr_user_name 0038 uni_str_len: 0008 003a uni_max_len: 000a 003c buffer : 00020008 000040 smb_io_unihdr hdr_full_name 0040 uni_str_len: 0000 0042 uni_max_len: 0000 0044 buffer : 00000000 000048 smb_io_unihdr hdr_logon_script 0048 uni_str_len: 0000 004a uni_max_len: 0000 004c buffer : 00000000 000050 smb_io_unihdr hdr_profile_path 0050 uni_str_len: 0000 0052 uni_max_len: 0000 0054 buffer : 00000000 000058 smb_io_unihdr hdr_home_dir 0058 uni_str_len: 0000 005a uni_max_len: 0000 005c buffer : 00000000 000060 smb_io_unihdr hdr_dir_drive 0060 uni_str_len: 0000 0062 uni_max_len: 0000 0064 buffer : 00000000 0068 logon_count : 0000 006a bad_pw_count : 0000 006c user_rid : 0000044f 0070 group_rid : 00000201 0074 num_groups : 00000001 0078 buffer_groups : 0002000c 007c user_flgs : 00000120 dump_user_flgs account has LOGON_EXTRA_SIDS account has LOGON_NTLMV2_ENABLED 0080 user_sess_key: 87 01 35 ab d6 9b 8f 91 6f 72 87 94 ce 42 d6 4e 000090 smb_io_unihdr hdr_logon_srv 0090 uni_str_len: 000a 0092 uni_max_len: 000c 0094 buffer : 00020010 000098 smb_io_unihdr hdr_logon_dom 0098 uni_str_len: 000e 009a uni_max_len: 0010 009c buffer : 00020014 00a0 buffer_dom_id : 00020018 00a4 lm_sess_key: 62 4a ac 41 37 95 cd c1 00ac acct_flags : 00000210 dump_acct_flags account has ACB_NORMAL account has ACB_PWNOEXP 00b0 unkown: 00000000 00b4 unkown: 00000000 00b8 unkown: 00000000 00bc 
unkown: 00000000 00c0 unkown: 00000000 00c4 unkown: 00000000 00c8 unkown: 00000000 00cc num_other_sids: 00000000 00d0 buffer_other_sids: 00000000 0000d4 smb_io_unistr2 uni_user_name 00d4 uni_max_len: 00000005 00d8 offset : 00000000 00dc uni_str_len: 00000004 00e0 buffer : t.e.s.t. 0000e8 smb_io_unistr2 - NULL uni_full_name 0000e8 smb_io_unistr2 - NULL uni_logon_script 0000e8 smb_io_unistr2 - NULL uni_profile_path 0000e8 smb_io_unistr2 - NULL uni_home_dir 0000e8 smb_io_unistr2 - NULL uni_dir_drive 00e8 num_groups2 : 00000001 0000ec smb_io_gid 00ec g_rid: 00000201 00f0 attr : 00000007 0000f4 smb_io_unistr2 uni_logon_srv 00f4 uni_max_len: 00000006 00f8 offset : 00000000 00fc uni_str_len: 00000005 0100 buffer : N.O.R.M.A. 00010a smb_io_unistr2 uni_logon_dom 010c uni_max_len: 00000008 0110 offset : 00000000 0114 uni_str_len: 00000007 0118 buffer : C.H.I.L.D.0.3. 000126 smb_io_dom_sid2 0128 num_auths: 00000004 00012c smb_io_dom_sid sid 012c sid_rev_num: 01 012d num_auths : 04 012e id_auth[0] : 00 012f id_auth[1] : 00 0130 id_auth[2] : 00 0131 id_auth[3] : 00 0132 id_auth[4] : 00 0133 id_auth[5] : 05 0134 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 netsamlogon_clear_cached_user: clearing U/S-1-5-21-1527705246-3463401961-2594329352-1103 netsamlogon_clear_cached_user: clearing UG/S-1-5-21-1527705246-3463401961-2594329352-1103 NTLM CRAP authentication for user [CHILD03]\[test] returned NT_STATUS_OK (PAM: 0) Storing response for pid 25418, len 3240 Destroying timed event 2aac341bd930 "async_request_timeout" Retrieving response for pid 25418