The Samba-Bugzilla – Attachment 5005 Details for Bug 6563: ntlm_auth returns invalid NT_KEY
samba 3.0.31 winbind success log
winbind-3.0.31-success-log.txt (text/plain), 173.42 KB, created by Rajesh Kumar G on 2009-11-25 07:19:01 UTC
>winbindd version 3.0.31-3 started. >Copyright Andrew Tridgell and the Samba Team 1992-2008 >lp_load: refreshing parameters >Initialising global parameters >params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" >Processing section "[global]" >doing parameter realm = CHILD03.EIGHTAD6.TESTING.COM >doing parameter workgroup = CHILD03 >doing parameter server string = Samba Server Version %v >doing parameter log file = /var/log/samba/log.%m >doing parameter max log size = 50 >doing parameter security = ads >doing parameter passdb backend = tdbsam >doing parameter client ntlmv2 auth = yes >doing parameter load printers = yes >doing parameter cups options = raw >Processing section "[homes]" >add_a_service: Creating snum = 0 for homes >hash_a_service: creating tdb servicehash >hash_a_service: hashing index 0 for service name homes >doing parameter comment = Home Directories >doing parameter browseable = no >doing parameter writable = yes >Processing section "[printers]" >add_a_service: Creating snum = 1 for printers >hash_a_service: hashing index 1 for service name printers >doing parameter comment = All Printers >doing parameter path = /var/spool/samba >doing parameter browseable = no >doing parameter guest ok = no >doing parameter writable = no >doing parameter printable = yes >pm_process() returned Yes >add_a_service: Creating snum = 2 for IPC$ >hash_a_service: hashing index 2 for service name IPC$ >adding IPC service >set_server_role: role = ROLE_DOMAIN_MEMBER >Attempting to register new charset UCS-2LE >Registered charset UCS-2LE >Attempting to register new charset UTF-16LE >Registered charset UTF-16LE >Attempting to register new charset UCS-2BE >Registered charset UCS-2BE >Attempting to register new charset UTF-16BE >Registered charset UTF-16BE >Attempting to register new charset UTF8 >Registered charset UTF8 >Attempting to register new charset UTF-8 >Registered charset UTF-8 >Attempting to register new charset ASCII >Registered charset ASCII 
>Attempting to register new charset 646 >Registered charset 646 >Attempting to register new charset ISO-8859-1 >Registered charset ISO-8859-1 >Attempting to register new charset UCS2-HEX >Registered charset UCS2-HEX >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >Substituting charset 'UTF-8' for LOCALE >added interface ip=192.168.152.94 bcast=192.168.152.255 nmask=255.255.255.0 >added interface ip=192.168.12.94 bcast=192.168.12.255 nmask=255.255.255.0 >Netbios name list:- >my_netbios_names[0]="MONOCEROS" >added interface ip=192.168.152.94 bcast=192.168.152.255 nmask=255.255.255.0 >added interface ip=192.168.12.94 bcast=192.168.12.255 nmask=255.255.255.0 >Opening cache file at /var/lib/samba/gencache.tdb >namecache_enable: enabling netbios namecache, timeout 660 seconds >Opening cache file at /var/lib/samba/idmap_cache.tdb >fcntl_lock fd=7 op=6 offset=0 count=1 type=1 >fcntl_lock: Lock call successful >TimeInit: Serverzone is -19800 >Registered MSG_REQ_POOL_USAGE >Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED >initialize_winbindd_cache: clearing cache and re-creating with version 
number 1 >Added domain CHILD03 CHILD03.EIGHTAD6.TESTING.COM S-1-5-21-1527705246-3463401961-2594329352 >set_domain_online_request: called for domain CHILD03 >set_domain_online_request: domain CHILD03 was globally offline. >Added timed event "check_domain_online_handler": 2aac2da3b8d0 >Added domain MONOCEROS S-1-5-21-3379143535-217924180-1168101821 >Added domain BUILTIN S-1-5-32 >open_winbindd_socket: opened socket fd 10 >open_winbindd_priv_socket: opened socket fd 11 >run_events: Nothing to do >timed_events_timeout: 4/999306 >run_events: Nothing to do >timed_events_timeout: 4/999198 >select will use timeout of 4.999198 seconds >Added timed event "async_request_timeout": 2aac2da3a600 >run_events: Nothing to do >timed_events_timeout: 4/998940 >child daemon request 47 >process_request: request fn INIT_CONNECTION >connection_ok: Connection to for domain CHILD03 has NULL cli! >Returning valid cache entry: key = SAF/DOMAIN/CHILD03, value = 192.168.12.172, timeout = Wed Nov 25 18:30:18 2009 >saf_fetch: Returning "192.168.12.172" for "CHILD03" domain >cm_open_connection: saf_servername is '192.168.12.172' for domain CHILD03 >ads_try_connect: sending CLDAP request to 192.168.12.172 (realm: CHILD03.EIGHTAD6.TESTING.COM) >sitename_store: realm = [CHILD03.EIGHTAD6.TESTING.COM], sitename = [Default-First-Site-Name], expire = [4294967295] >Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259153182 seconds ahead) >namecache_store: storing 1 address for norma.child03.eightad6.testing.com#20: 192.168.12.172:0 >Adding cache entry with key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20; value = 192.168.12.172:0 and timeout = Wed Nov 25 18:27:21 2009 > (660 seconds ahead) >dcip_to_name: flags = 0x1f9 >ads_closest_dc: ADS_CLOSEST flag set >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: 
Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" >create_local_private_krb5_conf_for_domain: fname = /var/lib/samba/smb_krb5/krb5.conf.CHILD03, realm = CHILD03.EIGHTAD6.TESTING.COM, domain = CHILD03 >Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = 192.168.12.172, timeout = Wed Nov 25 18:30:18 2009 >saf_fetch: Returning "192.168.12.172" for "CHILD03.EIGHTAD6.TESTING.COM" domain >get_dc_list: preferred server list: "192.168.12.172, *" >internal_resolve_name: looking up CHILD03.EIGHTAD6.TESTING.COM#1c (sitename Default-First-Site-Name) >Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009 >name CHILD03.EIGHTAD6.TESTING.COM#1C found. >Adding 1 DC's from auto lookup >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" >remove_duplicate_addrs2: looking for duplicate address/port pairs >get_dc_list: returning 1 ip addresses in an ordered list >get_dc_list: 192.168.12.172:389 >Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = 192.168.12.172, timeout = Wed Nov 25 18:30:18 2009 >saf_fetch: Returning "192.168.12.172" for "CHILD03.EIGHTAD6.TESTING.COM" domain >get_dc_list: preferred server list: "192.168.12.172, *" >internal_resolve_name: looking up CHILD03.EIGHTAD6.TESTING.COM#1c (sitename (null)) >Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009 >name CHILD03.EIGHTAD6.TESTING.COM#1C found. 
>Adding 1 DC's from auto lookup >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" >remove_duplicate_addrs2: looking for duplicate address/port pairs >get_dc_list: returning 1 ip addresses in an ordered list >get_dc_list: 192.168.12.172:389 >get_kdc_ip_string: Returning kdc = 192.168.12.172 > >create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.CHILD03 with realm CHILD03.EIGHTAD6.TESTING.COM KDC = 192.168.12.172 >saf_store: domain = [CHILD03], server = [norma.child03.eightad6.testing.com], expire = [1259154081] >Adding cache entry with key = SAF/DOMAIN/CHILD03; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 > (900 seconds ahead) >saf_store: domain = [CHILD03.EIGHTAD6.TESTING.COM], server = [norma.child03.eightad6.testing.com], expire = [1259154081] >Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 > (900 seconds ahead) >cm_open_connection: dcname is 'norma.child03.eightad6.testing.com' for domain CHILD03 >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" >internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) >Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 >name norma.child03.eightad6.testing.com#20 found. 
>cm_prepare_connection: connecting to DC norma.child03.eightad6.testing.com for domain CHILD03 >secrets_named_mutex: got mutex for norma.child03.eightad6.testing.com >write_socket(15,194) >write_socket(15,194) wrote 194 >got smb length of 192 >size=192 >smb_com=0x72 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51201 >smb_tid=0 >smb_pid=25418 >smb_uid=0 >smb_mid=1 >smt_wct=17 >smb_vwv[ 0]= 9 (0x9) >smb_vwv[ 1]=12815 (0x320F) >smb_vwv[ 2]= 256 (0x100) >smb_vwv[ 3]= 1024 (0x400) >smb_vwv[ 4]= 17 (0x11) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 256 (0x100) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]=64768 (0xFD00) >smb_vwv[10]= 499 (0x1F3) >smb_vwv[11]=26240 (0x6680) >smb_vwv[12]=11418 (0x2C9A) >smb_vwv[13]=52556 (0xCD4C) >smb_vwv[14]=51821 (0xCA6D) >smb_vwv[15]=46593 (0xB601) >smb_vwv[16]= 254 (0xFE) >smb_bcc=123 >[000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` >[010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 >[020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* >[030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... >[040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... >[050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C >[060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. >[070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. 
COM >size=192 >smb_com=0x72 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51201 >smb_tid=0 >smb_pid=25418 >smb_uid=0 >smb_mid=1 >smt_wct=17 >smb_vwv[ 0]= 9 (0x9) >smb_vwv[ 1]=12815 (0x320F) >smb_vwv[ 2]= 256 (0x100) >smb_vwv[ 3]= 1024 (0x400) >smb_vwv[ 4]= 17 (0x11) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 256 (0x100) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]=64768 (0xFD00) >smb_vwv[10]= 499 (0x1F3) >smb_vwv[11]=26240 (0x6680) >smb_vwv[12]=11418 (0x2C9A) >smb_vwv[13]=52556 (0xCD4C) >smb_vwv[14]=51821 (0xCA6D) >smb_vwv[15]=46593 (0xB601) >smb_vwv[16]= 254 (0xFE) >smb_bcc=123 >[000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` >[010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 >[020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* >[030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... >[040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... >[050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C >[060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. >[070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. 
COM >connecting to norma.child03.eightad6.testing.com from MONOCEROS with kerberos principal [MONOCEROS$@CHILD03.EIGHTAD6.TESTING.COM] and realm [CHILD03.EIGHTAD6.TESTING.COM] >Doing spnego session setup (blob length=123) >got OID=1 2 840 48018 1 2 2 >got OID=1 2 840 113554 1 2 2 >got OID=1 2 840 113554 1 2 2 3 >got OID=1 3 6 1 4 1 311 2 2 10 >got principal=norma$@CHILD03.EIGHTAD6.TESTING.COM >kerberos_kinit_password: using [MEMORY:cliconnect] as ccache and config [/var/lib/samba/smb_krb5/krb5.conf.CHILD03] >Doing kerberos session setup >ads_krb5_mk_req: Advancing clock by 3 seconds to cope with clock skew >ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 26 Nov 2009 04:16:24 IST >ads_krb5_mk_req: Ticket (norma$@CHILD03.EIGHTAD6.TESTING.COM) in ccache (MEMORY:cliconnect) is valid until: (Thu, 26 Nov 2009 04:16:24 IST - 1259189184) >Got KRB5 session key of length 16 >Mandatory SMB signing enabled! >SMB signing enabled! >cli_simple_set_signing: user_session_key >[000] 73 86 42 4B 64 72 35 96 9F 52 14 38 DF DD 9C 5C s.BKdr5. .R.8...\ >cli_simple_set_signing: NULL response_data >cli_session_setup_blob: Remaining (0) sending (1226) current (1226) >simple_packet_signature: sequence number 0 >client_sign_outgoing_message: sent SMB signature of >[000] DB 28 26 FA 42 9D 34 F2 .(&.B.4. >store_sequence_for_reply: stored seq = 1 mid = 2 >write_socket(15,1312) >write_socket(15,1312) wrote 1312 >got smb length of 197 >size=197 >smb_com=0x73 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=0 >smb_pid=25418 >smb_uid=4097 >smb_mid=2 >smt_wct=4 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 197 (0xC5) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 26 (0x1A) >smb_bcc=154 >[000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H >[010] 82 F7 12 01 02 02 A2 02 04 00 CE 57 00 69 00 6E ........ ...W.i.n >[020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r >[030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. 
.2.0.0.3 >[040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e >[050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a >[060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n >[070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r >[080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 >[090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. >get_sequence_for_reply: found seq = 1 mid = 2 >simple_packet_signature: sequence number 1 >client_check_incoming_message: seq 1: got good SMB signature of >[000] 3A 8E 0C 1B 63 17 DA E2 :...c... >size=197 >smb_com=0x73 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=0 >smb_pid=25418 >smb_uid=4097 >smb_mid=2 >smt_wct=4 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 197 (0xC5) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 26 (0x1A) >smb_bcc=154 >[000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H >[010] 82 F7 12 01 02 02 A2 02 04 00 CE 57 00 69 00 6E ........ ...W.i.n >[020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r >[030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 >[040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e >[050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a >[060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n >[070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r >[080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 >[090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. 
>cli_init_creds: user MONOCEROS$ domain CHILD03 >saf_store: domain = [CHILD03], server = [norma.child03.eightad6.testing.com], expire = [1259154081] >Adding cache entry with key = SAF/DOMAIN/CHILD03; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 > (900 seconds ahead) >saf_store: domain = [CHILD03.EIGHTAD6.TESTING.COM], server = [norma.child03.eightad6.testing.com], expire = [1259154081] >Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 > (900 seconds ahead) >simple_packet_signature: sequence number 2 >client_sign_outgoing_message: sent SMB signature of >[000] E5 B0 0F 67 78 F9 83 F4 ...gx... >store_sequence_for_reply: stored seq = 3 mid = 3 >write_socket(15,136) >write_socket(15,136) wrote 136 >got smb length of 56 >size=56 >smb_com=0x75 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=3 >smt_wct=7 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 56 (0x38) >smb_vwv[ 2]= 1 (0x1) >smb_vwv[ 3]= 511 (0x1FF) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 511 (0x1FF) >smb_vwv[ 6]= 0 (0x0) >smb_bcc=7 >[000] 49 50 43 00 00 00 00 IPC.... >get_sequence_for_reply: found seq = 3 mid = 3 >simple_packet_signature: sequence number 3 >client_check_incoming_message: seq 3: got good SMB signature of >[000] ED 6D 89 C8 0B 0A C6 9B .m...... >secrets_named_mutex: released mutex for norma.child03.eightad6.testing.com >set_global_winbindd_state_online: online requested. >set_global_winbindd_state_online: rejecting. >set_domain_online: called for domain CHILD03 >Destroying timed event 2aac2da3b8d0 "check_domain_online_handler" >set_dc_type_and_flags: domain CHILD03 >simple_packet_signature: sequence number 4 >client_sign_outgoing_message: sent SMB signature of >[000] 3F D6 B4 C6 8E 2B ED DF ?....+.. 
>store_sequence_for_reply: stored seq = 5 mid = 4 >write_socket(15,104) >write_socket(15,104) wrote 104 >got smb length of 103 >size=103 >smb_com=0xa2 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=4 >smt_wct=34 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 103 (0x67) >smb_vwv[ 2]= 3072 (0xC00) >smb_vwv[ 3]= 320 (0x140) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 0 (0x0) >smb_vwv[11]= 0 (0x0) >smb_vwv[12]= 0 (0x0) >smb_vwv[13]= 0 (0x0) >smb_vwv[14]= 0 (0x0) >smb_vwv[15]= 0 (0x0) >smb_vwv[16]= 0 (0x0) >smb_vwv[17]= 0 (0x0) >smb_vwv[18]= 0 (0x0) >smb_vwv[19]= 0 (0x0) >smb_vwv[20]= 0 (0x0) >smb_vwv[21]=32768 (0x8000) >smb_vwv[22]= 0 (0x0) >smb_vwv[23]= 0 (0x0) >smb_vwv[24]= 16 (0x10) >smb_vwv[25]= 0 (0x0) >smb_vwv[26]= 0 (0x0) >smb_vwv[27]= 0 (0x0) >smb_vwv[28]= 0 (0x0) >smb_vwv[29]= 0 (0x0) >smb_vwv[30]= 0 (0x0) >smb_vwv[31]= 512 (0x200) >smb_vwv[32]=65280 (0xFF00) >smb_vwv[33]= 5 (0x5) >smb_bcc=0 >get_sequence_for_reply: found seq = 5 mid = 4 >simple_packet_signature: sequence number 5 >client_check_incoming_message: seq 5: got good SMB signature of >[000] A2 C4 B6 A2 3D 97 8E 8B ....=... >Bind RPC Pipe[400c]: \lsarpc auth_type 0, auth_level 0 >Bind Abstract Syntax: [000] 6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 j(.9.... ....O... >[010] 00 00 00 00 .... >Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` >[010] 02 00 00 00 .... 
>000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0b > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0048 > 000a auth_len : 0000 > 000c call_id : 00000001 >000010 smb_io_rpc_hdr_rb > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 00000000 > 0018 num_contexts: 01 > 001c context_id : 0000 > 001e num_transfer_syntaxes: 01 > 00001f smb_io_rpc_iface > 000020 smb_io_uuid uuid > 0020 data : 3919286a > 0024 data : b10c > 0026 data : 11d0 > 0028 data : 9b a8 > 002a data : 00 c0 4f d9 2e f5 > 0030 version: 00000000 > 000034 smb_io_rpc_iface > 000034 smb_io_uuid uuid > 0034 data : 8a885d04 > 0038 data : 1ceb > 003a data : 11c9 > 003c data : 9f e8 > 003e data : 08 00 2b 10 48 60 > 0044 version: 00000002 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c >size=154 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=5 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 72 (0x48) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 72 (0x48) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16396 (0x400C) >smb_bcc=87 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 .......H ........ >[020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A ........ .......j >[030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9..... ...O.... >[040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ >[050] 10 48 60 02 00 00 00 .H`.... 
>simple_packet_signature: sequence number 6 >client_sign_outgoing_message: sent SMB signature of >[000] 1E 86 57 3D 72 FE 6D 73 ..W=r.ms >store_sequence_for_reply: stored seq = 7 mid = 5 >write_socket(15,158) >write_socket(15,158) wrote 158 >got smb length of 124 >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=5 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... >[010] 00 B8 10 B8 10 69 70 00 00 0C 00 5C 50 49 50 45 .....ip. ...\PIPE >[020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... >get_sequence_for_reply: found seq = 7 mid = 5 >simple_packet_signature: sequence number 7 >client_check_incoming_message: seq 7: got good SMB signature of >[000] 85 40 DE 1F 68 B3 C7 CC .@..h... >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=5 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... >[010] 00 B8 10 B8 10 69 70 00 00 0C 00 5C 50 49 50 45 .....ip. ...\PIPE >[020] 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 \lsass.. ........ >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... 
>get_sequence_for_reply: found seq = 7 mid = 5 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000001 >rpc_api_pipe: got PDU len of 68 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c returned 68 bytes. >rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c bind request returned ok. >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000001 >000010 smb_io_rpc_hdr_ba > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 00007069 > 000018 smb_io_rpc_addr_str > 0018 len: 000c > 001a str: \PIPE\lsass. > 000026 smb_io_rpc_results > 0028 num_results: 01 > 002c result : 0000 > 002e reason : 0000 > 000030 smb_io_rpc_iface > 000030 smb_io_uuid uuid > 0030 data : 8a885d04 > 0034 data : 1ceb > 0036 data : 11c9 > 0038 data : 9f e8 > 003a data : 08 00 2b 10 48 60 > 0040 version: 00000002 >check_bind_response: accepted! >cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. 
>000000 ds_io_q_getprimdominfo > 0000 level: 0001 >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 001a > 000a auth_len : 0000 > 000c call_id : 00000002 >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 00000002 > 0014 context_id: 0000 > 0016 opnum : 0000 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c >size=108 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=6 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 26 (0x1A) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 26 (0x1A) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16396 (0x400C) >smb_bcc=41 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 1A 00 00 00 02 00 00 00 02 ........ ........ >[020] 00 00 00 00 00 00 00 01 00 ........ . >simple_packet_signature: sequence number 8 >client_sign_outgoing_message: sent SMB signature of >[000] 50 E6 F3 15 20 94 3B B3 P... .;. >store_sequence_for_reply: stored seq = 9 mid = 6 >write_socket(15,112) >write_socket(15,112) wrote 112 >got smb length of 284 >size=284 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=6 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 228 (0xE4) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 228 (0xE4) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=229 >[000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ 
>[010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ >[020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ >[030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ >[040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ >[050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. >[060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h >[070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i >[080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t >[090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c >[0A0] 00 6F 00 6D 00 00 00 45 00 15 00 00 00 00 00 00 .o.m...E ........ >[0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a >[0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i >[0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 00 .n.g...c .o.m.... >[0E0] 00 00 00 00 00 ..... >get_sequence_for_reply: found seq = 9 mid = 6 >simple_packet_signature: sequence number 9 >client_check_incoming_message: seq 9: got good SMB signature of >[000] 87 13 73 F7 80 20 11 E0 ..s.. .. >size=284 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=6 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 228 (0xE4) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 228 (0xE4) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=229 >[000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ >[010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ >[020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ >[030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ >[040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ 
>[050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. >[060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h >[070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i >[080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t >[090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c >[0A0] 00 6F 00 6D 00 00 00 45 00 15 00 00 00 00 00 00 .o.m...E ........ >[0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a >[0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i >[0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 00 .n.g...c .o.m.... >[0E0] 00 00 00 00 00 ..... >get_sequence_for_reply: found seq = 9 mid = 6 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 00e4 > 000a auth_len : 0000 > 000c call_id : 00000002 >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 000000cc > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >cli_pipe_validate_current_pdu: got pdu len 228, data_len 204, ss_len 0 >rpc_api_pipe: got PDU len of 228 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400c returned 408 bytes. >000000 ds_io_r_getprimdominfo > 0000 ptr: 00020000 > 0004 level: 0001 > 0006 unknown0: 0000 > 0008 machine_role: 0005 > 000c flags: 01000001 > 0010 netbios_ptr: 00020004 > 0014 dnsname_ptr: 00020008 > 0018 forestname_ptr: 0002000c > 00001c smb_io_uuid domain_guid > 001c data : 051fb988 > 0020 data : d99f > 0022 data : 42a3 > 0024 data : 87 55 > 0026 data : 7b c9 b4 d4 8a f3 > 00002c smb_io_unistr2 netbios_domain > 002c uni_max_len: 00000008 > 0030 offset : 00000000 > 0034 uni_str_len: 00000008 > 0038 buffer : C.H.I.L.D.0.3... 
> 000048 smb_io_unistr2 dns_domain > 0048 uni_max_len: 0000001d > 004c offset : 00000000 > 0050 uni_str_len: 0000001d > 0054 buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... > 000090 smb_io_unistr2 forest_domain > 0090 uni_max_len: 00000015 > 0094 offset : 00000000 > 0098 uni_str_len: 00000015 > 009c buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... > 00c8 status: NT_STATUS_OK >simple_packet_signature: sequence number 10 >client_sign_outgoing_message: sent SMB signature of >[000] 21 9C 92 9D 5A 2A 34 9D !...Z*4. >store_sequence_for_reply: stored seq = 11 mid = 7 >write_socket(15,45) >write_socket(15,45) wrote 45 >got smb length of 35 >size=35 >smb_com=0x4 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=7 >smt_wct=0 >smb_bcc=0 >get_sequence_for_reply: found seq = 11 mid = 7 >simple_packet_signature: sequence number 11 >client_check_incoming_message: seq 11: got good SMB signature of >[000] 4C 47 BF 74 4A 5A 4F A0 LG.tJZO. >cli_rpc_pipe_close: closed pipe \lsarpc to machine norma.child03.eightad6.testing.com >simple_packet_signature: sequence number 12 >client_sign_outgoing_message: sent SMB signature of >[000] AF A0 1B EF DD A8 02 0A ........ 
>store_sequence_for_reply: stored seq = 13 mid = 8 >write_socket(15,104) >write_socket(15,104) wrote 104 >got smb length of 103 >size=103 >smb_com=0xa2 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=8 >smt_wct=34 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 103 (0x67) >smb_vwv[ 2]= 3328 (0xD00) >smb_vwv[ 3]= 320 (0x140) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 0 (0x0) >smb_vwv[11]= 0 (0x0) >smb_vwv[12]= 0 (0x0) >smb_vwv[13]= 0 (0x0) >smb_vwv[14]= 0 (0x0) >smb_vwv[15]= 0 (0x0) >smb_vwv[16]= 0 (0x0) >smb_vwv[17]= 0 (0x0) >smb_vwv[18]= 0 (0x0) >smb_vwv[19]= 0 (0x0) >smb_vwv[20]= 0 (0x0) >smb_vwv[21]=32768 (0x8000) >smb_vwv[22]= 0 (0x0) >smb_vwv[23]= 0 (0x0) >smb_vwv[24]= 16 (0x10) >smb_vwv[25]= 0 (0x0) >smb_vwv[26]= 0 (0x0) >smb_vwv[27]= 0 (0x0) >smb_vwv[28]= 0 (0x0) >smb_vwv[29]= 0 (0x0) >smb_vwv[30]= 0 (0x0) >smb_vwv[31]= 512 (0x200) >smb_vwv[32]=65280 (0xFF00) >smb_vwv[33]= 5 (0x5) >smb_bcc=0 >get_sequence_for_reply: found seq = 13 mid = 8 >simple_packet_signature: sequence number 13 >client_check_incoming_message: seq 13: got good SMB signature of >[000] 19 CD 11 09 95 07 1E 23 .......# >Bind RPC Pipe[400d]: \lsarpc auth_type 0, auth_level 0 >Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4... ...#Eg.. >[010] 00 00 00 00 .... >Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` >[010] 02 00 00 00 .... 
>000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0b > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0048 > 000a auth_len : 0000 > 000c call_id : 00000003 >000010 smb_io_rpc_hdr_rb > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 00000000 > 0018 num_contexts: 01 > 001c context_id : 0000 > 001e num_transfer_syntaxes: 01 > 00001f smb_io_rpc_iface > 000020 smb_io_uuid uuid > 0020 data : 12345778 > 0024 data : 1234 > 0026 data : abcd > 0028 data : ef 00 > 002a data : 01 23 45 67 89 ab > 0030 version: 00000000 > 000034 smb_io_rpc_iface > 000034 smb_io_uuid uuid > 0034 data : 8a885d04 > 0038 data : 1ceb > 003a data : 11c9 > 003c data : 9f e8 > 003e data : 08 00 2b 10 48 60 > 0044 version: 00000002 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d >size=154 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=9 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 72 (0x48) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 72 (0x48) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16397 (0x400D) >smb_bcc=87 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00 B8 .......H ........ >[020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x >[030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... >[040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ >[050] 10 48 60 02 00 00 00 .H`.... 
>simple_packet_signature: sequence number 14 >client_sign_outgoing_message: sent SMB signature of >[000] 3E BE 15 BE C1 0F 49 88 >.....I. >store_sequence_for_reply: stored seq = 15 mid = 9 >write_socket(15,158) >write_socket(15,158) wrote 158 >got smb length of 124 >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=9 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... >[010] 00 B8 10 B8 10 6A 70 00 00 0C 00 5C 50 49 50 45 .....jp. ...\PIPE >[020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... >get_sequence_for_reply: found seq = 15 mid = 9 >simple_packet_signature: sequence number 15 >client_check_incoming_message: seq 15: got good SMB signature of >[000] 2C B1 A2 92 2A 0F C8 3A ,...*..: >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=9 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... >[010] 00 B8 10 B8 10 6A 70 00 00 0C 00 5C 50 49 50 45 .....jp. ...\PIPE >[020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... 
>get_sequence_for_reply: found seq = 15 mid = 9 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000003 >rpc_api_pipe: got PDU len of 68 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d returned 68 bytes. >rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d bind request returned ok. >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000003 >000010 smb_io_rpc_hdr_ba > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 0000706a > 000018 smb_io_rpc_addr_str > 0018 len: 000c > 001a str: \PIPE\lsass. > 000026 smb_io_rpc_results > 0028 num_results: 01 > 002c result : 0000 > 002e reason : 0000 > 000030 smb_io_rpc_iface > 000030 smb_io_uuid uuid > 0030 data : 8a885d04 > 0034 data : 1ceb > 0036 data : 11c9 > 0038 data : 9f e8 > 003a data : 08 00 2b 10 48 60 > 0040 version: 00000002 >check_bind_response: accepted! >cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. >init_lsa_sec_qos >init_q_open_pol2: attr:0 da:33554432 >init_lsa_obj_attr >000000 lsa_io_q_open_pol2 > 0000 ptr : 00000001 > 000004 smb_io_unistr2 > 0004 uni_max_len: 00000025 > 0008 offset : 00000000 > 000c uni_str_len: 00000025 > 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
> 00005a lsa_io_obj_attr > 005c len : 00000018 > 0060 ptr_root_dir: 00000000 > 0064 ptr_obj_name: 00000000 > 0068 attributes : 00000000 > 006c ptr_sec_desc: 00000000 > 0070 ptr_sec_qos : 00000001 > 000074 lsa_io_obj_qos sec_qos > 0074 len : 0000000c > 0078 sec_imp_level : 0002 > 007a sec_ctxt_mode : 01 > 007b effective_only: 00 >lsa_io_sec_qos: length c does not match size 8 > 007c des_access: 02000000 >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0098 > 000a auth_len : 0000 > 000c call_id : 00000004 >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 00000080 > 0014 context_id: 0000 > 0016 opnum : 002c >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d >size=234 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=10 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 152 (0x98) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 152 (0x98) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16397 (0x400D) >smb_bcc=167 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 98 00 00 00 04 00 00 00 80 ........ ........ >[020] 00 00 00 00 00 2C 00 01 00 00 00 25 00 00 00 00 .....,.. ...%.... >[030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r >[040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d >[050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t >[060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t >[070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. 
>[080] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[090] 00 00 00 00 00 00 00 01 00 00 00 0C 00 00 00 02 ........ ........ >[0A0] 00 01 00 00 00 00 02 ....... >simple_packet_signature: sequence number 16 >client_sign_outgoing_message: sent SMB signature of >[000] 18 F7 60 45 93 F6 2E ED ..`E.... >store_sequence_for_reply: stored seq = 17 mid = 10 >write_socket(15,238) >write_socket(15,238) wrote 238 >got smb length of 104 >size=104 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=10 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 48 (0x30) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 48 (0x30) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=49 >[000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... >[010] 00 18 00 00 00 00 00 00 00 00 00 00 00 4E DD 3F ........ .....N.? >[020] C4 18 D2 91 46 98 6A B0 8A E2 39 0C A5 00 00 00 ....F.j. ..9..... >[030] 00 . >get_sequence_for_reply: found seq = 17 mid = 10 >simple_packet_signature: sequence number 17 >client_check_incoming_message: seq 17: got good SMB signature of >[000] 98 A0 EC 05 43 66 02 94 ....Cf.. >size=104 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=10 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 48 (0x30) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 48 (0x30) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=49 >[000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... >[010] 00 18 00 00 00 00 00 00 00 00 00 00 00 4E DD 3F ........ .....N.? >[020] C4 18 D2 91 46 98 6A B0 8A E2 39 0C A5 00 00 00 ....F.j. ..9..... >[030] 00 . 
>get_sequence_for_reply: found seq = 17 mid = 10 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0030 > 000a auth_len : 0000 > 000c call_id : 00000004 >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 00000018 > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 >rpc_api_pipe: got PDU len of 48 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d returned 48 bytes. >000000 lsa_io_r_open_pol2 > 000000 smb_io_pol_hnd > 0000 handle_type: 00000000 > 000004 smb_io_uuid uuid > 0004 data : c43fdd4e > 0008 data : d218 > 000a data : 4691 > 000c data : 98 6a > 000e data : b0 8a e2 39 0c a5 > 0014 status: NT_STATUS_OK >init_q_query2 >000000 lsa_io_q_query_info2 > 000000 smb_io_pol_hnd pol > 0000 handle_type: 00000000 > 000004 smb_io_uuid uuid > 0004 data : c43fdd4e > 0008 data : d218 > 000a data : 4691 > 000c data : 98 6a > 000e data : b0 8a e2 39 0c a5 > 0014 info_class: 000c >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 002e > 000a auth_len : 0000 > 000c call_id : 00000005 >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 00000016 > 0014 context_id: 0000 > 0016 opnum : 002e >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d >size=128 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=11 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 46 (0x2E) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 
(0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 46 (0x2E) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16397 (0x400D) >smb_bcc=61 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 2E 00 00 00 05 00 00 00 16 ........ ........ >[020] 00 00 00 00 00 2E 00 00 00 00 00 4E DD 3F C4 18 ........ ...N.?.. >[030] D2 91 46 98 6A B0 8A E2 39 0C A5 0C 00 ..F.j... 9.... >simple_packet_signature: sequence number 18 >client_sign_outgoing_message: sent SMB signature of >[000] B0 98 5B 89 E6 84 09 7F ..[..... >store_sequence_for_reply: stored seq = 19 mid = 11 >write_socket(15,132) >write_socket(15,132) wrote 132 >got smb length of 312 >size=312 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=11 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 256 (0x100) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 256 (0x100) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=257 >[000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ >[010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ >[020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... >[030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ >[040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ >[050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L >[060] 00 44 00 30 00 33 00 63 00 1D 00 00 00 00 00 00 .D.0.3.c ........ >[070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 >[080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a >[090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i >[0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... >[0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ 
.e.i.g.h >[0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s >[0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m >[0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ >[0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... >[100] 00 . >get_sequence_for_reply: found seq = 19 mid = 11 >simple_packet_signature: sequence number 19 >client_check_incoming_message: seq 19: got good SMB signature of >[000] 2B 71 57 D7 D7 F6 87 52 +qW....R >size=312 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=11 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 256 (0x100) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 256 (0x100) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=257 >[000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ >[010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ >[020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... >[030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ >[040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ >[050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L >[060] 00 44 00 30 00 33 00 63 00 1D 00 00 00 00 00 00 .D.0.3.c ........ >[070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 >[080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a >[090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i >[0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... >[0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h >[0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s >[0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m >[0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ 
........ >[0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... >[100] 00 . >get_sequence_for_reply: found seq = 19 mid = 11 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0100 > 000a auth_len : 0000 > 000c call_id : 00000005 >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 000000e8 > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >cli_pipe_validate_current_pdu: got pdu len 256, data_len 232, ss_len 0 >rpc_api_pipe: got PDU len of 256 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0x400d returned 464 bytes. >000000 lsa_io_r_query_info2 > 0000 dom_ptr: 00020000 > 000004 lsa_io_query_info_ctr2 > 0004 info_class: 000c > 000006 lsa_io_dom_query_12 > 000008 smb_io_unihdr nb_name > 0008 uni_str_len: 000e > 000a uni_max_len: 0010 > 000c buffer : 00020004 > 000010 smb_io_unihdr dns_name > 0010 uni_str_len: 0038 > 0012 uni_max_len: 003a > 0014 buffer : 00020008 > 000018 smb_io_unihdr forest > 0018 uni_str_len: 0028 > 001a uni_max_len: 002a > 001c buffer : 0002000c > 000020 smb_io_uuid dom_guid > 0020 data : 051fb988 > 0024 data : d99f > 0026 data : 42a3 > 0028 data : 87 55 > 002a data : 7b c9 b4 d4 8a f3 > 0030 dom_sid: 00020010 > 000034 smb_io_unistr2 nb_name > 0034 uni_max_len: 00000008 > 0038 offset : 00000000 > 003c uni_str_len: 00000007 > 0040 buffer : C.H.I.L.D.0.3. > 00004e smb_io_unistr2 dns_name > 0050 uni_max_len: 0000001d > 0054 offset : 00000000 > 0058 uni_str_len: 0000001c > 005c buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m. > 000094 smb_io_unistr2 forest > 0094 uni_max_len: 00000015 > 0098 offset : 00000000 > 009c uni_str_len: 00000014 > 00a0 buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m. 
> 0000c8 smb_io_dom_sid2 dom_sid > 00c8 num_auths: 00000004 > 0000cc smb_io_dom_sid sid > 00cc sid_rev_num: 01 > 00cd num_auths : 04 > 00ce id_auth[0] : 00 > 00cf id_auth[1] : 00 > 00d0 id_auth[2] : 00 > 00d1 id_auth[3] : 00 > 00d2 id_auth[4] : 00 > 00d3 id_auth[5] : 05 > 00d4 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 > 00e4 status: NT_STATUS_OK >set_dc_type_and_flags: domain CHILD03 is in native mode. >set_dc_type_and_flags: domain CHILD03 is running active directory. >simple_packet_signature: sequence number 20 >client_sign_outgoing_message: sent SMB signature of >[000] 58 29 A6 A7 A5 1E 38 67 X)....8g >store_sequence_for_reply: stored seq = 21 mid = 12 >write_socket(15,45) >write_socket(15,45) wrote 45 >got smb length of 35 >size=35 >smb_com=0x4 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=12 >smt_wct=0 >smb_bcc=0 >get_sequence_for_reply: found seq = 21 mid = 12 >simple_packet_signature: sequence number 21 >client_check_incoming_message: seq 21: got good SMB signature of >[000] CA 6A 93 A2 06 FA D5 0B .j...... >cli_rpc_pipe_close: closed pipe \lsarpc to machine norma.child03.eightad6.testing.com >Storing response for pid 25418, len 3240 >Destroying timed event 2aac2da3a600 "async_request_timeout" >Retrieving response for pid 25418 >Received child initialization response for domain CHILD03 >connection_ok: Connection to for domain CHILD03 has NULL cli! 
>Returning valid cache entry: key = SAF/DOMAIN/CHILD03, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 >saf_fetch: Returning "norma.child03.eightad6.testing.com" for "CHILD03" domain >cm_open_connection: saf_servername is 'norma.child03.eightad6.testing.com' for domain CHILD03 >cm_open_connection: dcname is 'norma.child03.eightad6.testing.com' for domain CHILD03 >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" >internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) >Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 >name norma.child03.eightad6.testing.com#20 found. >cm_prepare_connection: connecting to DC norma.child03.eightad6.testing.com for domain CHILD03 >secrets_named_mutex: got mutex for norma.child03.eightad6.testing.com >write_socket(16,194) >write_socket(16,194) wrote 194 >got smb length of 192 >size=192 >smb_com=0x72 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51201 >smb_tid=0 >smb_pid=25417 >smb_uid=0 >smb_mid=1 >smt_wct=17 >smb_vwv[ 0]= 9 (0x9) >smb_vwv[ 1]=12815 (0x320F) >smb_vwv[ 2]= 256 (0x100) >smb_vwv[ 3]= 1024 (0x400) >smb_vwv[ 4]= 17 (0x11) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 256 (0x100) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]=64768 (0xFD00) >smb_vwv[10]= 499 (0x1F3) >smb_vwv[11]=57984 (0xE280) >smb_vwv[12]=13244 (0x33BC) >smb_vwv[13]=52556 (0xCD4C) >smb_vwv[14]=51821 (0xCA6D) >smb_vwv[15]=46593 (0xB601) >smb_vwv[16]= 254 (0xFE) >smb_bcc=123 >[000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` >[010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 >[020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. 
.......* >[030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... >[040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... >[050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C >[060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. >[070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. COM >size=192 >smb_com=0x72 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51201 >smb_tid=0 >smb_pid=25417 >smb_uid=0 >smb_mid=1 >smt_wct=17 >smb_vwv[ 0]= 9 (0x9) >smb_vwv[ 1]=12815 (0x320F) >smb_vwv[ 2]= 256 (0x100) >smb_vwv[ 3]= 1024 (0x400) >smb_vwv[ 4]= 17 (0x11) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 256 (0x100) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]=64768 (0xFD00) >smb_vwv[10]= 499 (0x1F3) >smb_vwv[11]=57984 (0xE280) >smb_vwv[12]=13244 (0x33BC) >smb_vwv[13]=52556 (0xCD4C) >smb_vwv[14]=51821 (0xCA6D) >smb_vwv[15]=46593 (0xB601) >smb_vwv[16]= 254 (0xFE) >smb_bcc=123 >[000] ED A7 B6 66 44 4A 8A 42 B4 A2 4E A1 30 18 17 60 ...fDJ.B ..N.0..` >[010] 60 69 06 06 2B 06 01 05 05 02 A0 5F 30 5D A0 30 `i..+... ..._0].0 >[020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H. .......* >[030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H...... ..*.H... >[040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+. ....7... >[050] A3 29 30 27 A0 25 1B 23 6E 6F 72 6D 61 24 40 43 .)0'.%.# norma$@C >[060] 48 49 4C 44 30 33 2E 45 49 47 48 54 41 44 36 2E HILD03.E IGHTAD6. >[070] 54 45 53 54 49 4E 47 2E 43 4F 4D TESTING. 
COM >connecting to norma.child03.eightad6.testing.com from MONOCEROS with kerberos principal [MONOCEROS$@CHILD03.EIGHTAD6.TESTING.COM] and realm [child03.eightad6.testing.com] >Doing spnego session setup (blob length=123) >got OID=1 2 840 48018 1 2 2 >got OID=1 2 840 113554 1 2 2 >got OID=1 2 840 113554 1 2 2 3 >got OID=1 3 6 1 4 1 311 2 2 10 >got principal=norma$@CHILD03.EIGHTAD6.TESTING.COM >kerberos_kinit_password: using [MEMORY:cliconnect] as ccache and config [(null)] >Doing kerberos session setup >ads_krb5_mk_req: Advancing clock by 3 seconds to cope with clock skew >ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Thu, 26 Nov 2009 04:16:24 IST >ads_krb5_mk_req: Ticket (norma$@CHILD03.EIGHTAD6.TESTING.COM) in ccache (MEMORY:cliconnect) is valid until: (Thu, 26 Nov 2009 04:16:24 IST - 1259189184) >Got KRB5 session key of length 16 >Mandatory SMB signing enabled! >SMB signing enabled! >cli_simple_set_signing: user_session_key >[000] F7 D4 6F 1D B5 47 9D 83 3E E4 75 05 B8 7E A7 77 ..o..G.. >.u..~.w >cli_simple_set_signing: NULL response_data >cli_session_setup_blob: Remaining (0) sending (1225) current (1225) >simple_packet_signature: sequence number 0 >client_sign_outgoing_message: sent SMB signature of >[000] 2D 44 8D 6E F0 7D 56 DC -D.n.}V. >store_sequence_for_reply: stored seq = 1 mid = 2 >write_socket(16,1310) >write_socket(16,1310) wrote 1310 >got smb length of 197 >size=197 >smb_com=0x73 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=0 >smb_pid=25417 >smb_uid=10241 >smb_mid=2 >smt_wct=4 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 197 (0xC5) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 26 (0x1A) >smb_bcc=154 >[000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H >[010] 82 F7 12 01 02 02 A2 02 04 00 ED 57 00 69 00 6E ........ ...W.i.n >[020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r >[030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. 
.2.0.0.3 >[040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e >[050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a >[060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n >[070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r >[080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 >[090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. >get_sequence_for_reply: found seq = 1 mid = 2 >simple_packet_signature: sequence number 1 >client_check_incoming_message: seq 1: got good SMB signature of >[000] 59 23 40 2E 7B A0 E1 2C Y#@.{.., >size=197 >smb_com=0x73 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=0 >smb_pid=25417 >smb_uid=10241 >smb_mid=2 >smt_wct=4 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 197 (0xC5) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 26 (0x1A) >smb_bcc=154 >[000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0..... .....*.H >[010] 82 F7 12 01 02 02 A2 02 04 00 ED 57 00 69 00 6E ........ ...W.i.n >[020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r >[030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 >[040] 00 20 00 33 00 37 00 39 00 30 00 20 00 53 00 65 . .3.7.9 .0. .S.e >[050] 00 72 00 76 00 69 00 63 00 65 00 20 00 50 00 61 .r.v.i.c .e. .P.a >[060] 00 63 00 6B 00 20 00 31 00 00 00 57 00 69 00 6E .c.k. .1 ...W.i.n >[070] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s . .S.e.r >[080] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r. .2.0.0.3 >[090] 00 20 00 35 00 2E 00 32 00 00 . .5...2 .. 
>cli_init_creds: user MONOCEROS$ domain CHILD03 >saf_store: domain = [CHILD03], server = [norma.child03.eightad6.testing.com], expire = [1259154081] >Adding cache entry with key = SAF/DOMAIN/CHILD03; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 > (900 seconds ahead) >saf_store: domain = [child03.eightad6.testing.com], server = [norma.child03.eightad6.testing.com], expire = [1259154081] >Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = norma.child03.eightad6.testing.com and timeout = Wed Nov 25 18:31:21 2009 > (900 seconds ahead) >simple_packet_signature: sequence number 2 >client_sign_outgoing_message: sent SMB signature of >[000] 35 B0 40 25 B0 FF 36 F8 5.@%..6. >store_sequence_for_reply: stored seq = 3 mid = 3 >write_socket(16,136) >write_socket(16,136) wrote 136 >got smb length of 56 >size=56 >smb_com=0x75 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=3 >smt_wct=7 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 56 (0x38) >smb_vwv[ 2]= 1 (0x1) >smb_vwv[ 3]= 511 (0x1FF) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 511 (0x1FF) >smb_vwv[ 6]= 0 (0x0) >smb_bcc=7 >[000] 49 50 43 00 00 00 00 IPC.... >get_sequence_for_reply: found seq = 3 mid = 3 >simple_packet_signature: sequence number 3 >client_check_incoming_message: seq 3: got good SMB signature of >[000] 4D 2B 3B 92 23 33 69 DC M+;.#3i. >secrets_named_mutex: released mutex for norma.child03.eightad6.testing.com >set_global_winbindd_state_online: online requested. >set_global_winbindd_state_online: rejecting. 
>set_domain_online: called for domain CHILD03 >Destroying timed event 2aac2da3b8d0 "check_domain_online_handler" >set_dc_type_and_flags: domain CHILD03 >simple_packet_signature: sequence number 4 >client_sign_outgoing_message: sent SMB signature of >[000] 78 A8 37 43 CD C7 75 4B x.7C..uK >store_sequence_for_reply: stored seq = 5 mid = 4 >write_socket(16,104) >write_socket(16,104) wrote 104 >got smb length of 103 >size=103 >smb_com=0xa2 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=4 >smt_wct=34 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 103 (0x67) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 448 (0x1C0) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 0 (0x0) >smb_vwv[11]= 0 (0x0) >smb_vwv[12]= 0 (0x0) >smb_vwv[13]= 0 (0x0) >smb_vwv[14]= 0 (0x0) >smb_vwv[15]= 0 (0x0) >smb_vwv[16]= 0 (0x0) >smb_vwv[17]= 0 (0x0) >smb_vwv[18]= 0 (0x0) >smb_vwv[19]= 0 (0x0) >smb_vwv[20]= 0 (0x0) >smb_vwv[21]=32768 (0x8000) >smb_vwv[22]= 0 (0x0) >smb_vwv[23]= 0 (0x0) >smb_vwv[24]= 16 (0x10) >smb_vwv[25]= 0 (0x0) >smb_vwv[26]= 0 (0x0) >smb_vwv[27]= 0 (0x0) >smb_vwv[28]= 0 (0x0) >smb_vwv[29]= 0 (0x0) >smb_vwv[30]= 0 (0x0) >smb_vwv[31]= 512 (0x200) >smb_vwv[32]=65280 (0xFF00) >smb_vwv[33]= 5 (0x5) >smb_bcc=0 >get_sequence_for_reply: found seq = 5 mid = 4 >simple_packet_signature: sequence number 5 >client_check_incoming_message: seq 5: got good SMB signature of >[000] 15 0D 88 1B 7A F0 EF CD ....z... >Bind RPC Pipe[c000]: \lsarpc auth_type 0, auth_level 0 >Bind Abstract Syntax: [000] 6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 j(.9.... ....O... >[010] 00 00 00 00 .... >Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` >[010] 02 00 00 00 .... 
>000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0b > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0048 > 000a auth_len : 0000 > 000c call_id : 00000001 >000010 smb_io_rpc_hdr_rb > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 00000000 > 0018 num_contexts: 01 > 001c context_id : 0000 > 001e num_transfer_syntaxes: 01 > 00001f smb_io_rpc_iface > 000020 smb_io_uuid uuid > 0020 data : 3919286a > 0024 data : b10c > 0026 data : 11d0 > 0028 data : 9b a8 > 002a data : 00 c0 4f d9 2e f5 > 0030 version: 00000000 > 000034 smb_io_rpc_iface > 000034 smb_io_uuid uuid > 0034 data : 8a885d04 > 0038 data : 1ceb > 003a data : 11c9 > 003c data : 9f e8 > 003e data : 08 00 2b 10 48 60 > 0044 version: 00000002 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 >size=154 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=5 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 72 (0x48) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 72 (0x48) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=49152 (0xC000) >smb_bcc=87 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 .......H ........ >[020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 6A ........ .......j >[030] 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5 00 (.9..... ...O.... >[040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ >[050] 10 48 60 02 00 00 00 .H`.... 
>simple_packet_signature: sequence number 6 >client_sign_outgoing_message: sent SMB signature of >[000] FE 2B 28 3B 5B D5 BC 01 .+(;[... >store_sequence_for_reply: stored seq = 7 mid = 5 >write_socket(16,158) >write_socket(16,158) wrote 158 >got smb length of 124 >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=5 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... >[010] 00 B8 10 B8 10 6B 70 00 00 0C 00 5C 50 49 50 45 .....kp. ...\PIPE >[020] 5C 6C 73 61 73 73 00 B0 8A 01 00 00 00 00 00 00 \lsass.. ........ >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... >get_sequence_for_reply: found seq = 7 mid = 5 >simple_packet_signature: sequence number 7 >client_check_incoming_message: seq 7: got good SMB signature of >[000] 8E A6 7B EC D9 B7 BF A6 ..{..... >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=5 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 H....... .D...... >[010] 00 B8 10 B8 10 6B 70 00 00 0C 00 5C 50 49 50 45 .....kp. ...\PIPE >[020] 5C 6C 73 61 73 73 00 B0 8A 01 00 00 00 00 00 00 \lsass.. ........ >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... 
>get_sequence_for_reply: found seq = 7 mid = 5 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000001 >rpc_api_pipe: got PDU len of 68 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 returned 68 bytes. >rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 bind request returned ok. >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000001 >000010 smb_io_rpc_hdr_ba > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 0000706b > 000018 smb_io_rpc_addr_str > 0018 len: 000c > 001a str: \PIPE\lsass. > 000026 smb_io_rpc_results > 0028 num_results: 01 > 002c result : 0000 > 002e reason : 0000 > 000030 smb_io_rpc_iface > 000030 smb_io_uuid uuid > 0030 data : 8a885d04 > 0034 data : 1ceb > 0036 data : 11c9 > 0038 data : 9f e8 > 003a data : 08 00 2b 10 48 60 > 0040 version: 00000002 >check_bind_response: accepted! >cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. 
>000000 ds_io_q_getprimdominfo > 0000 level: 0001 >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 001a > 000a auth_len : 0000 > 000c call_id : 00000002 >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 00000002 > 0014 context_id: 0000 > 0016 opnum : 0000 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 >size=108 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=6 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 26 (0x1A) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 26 (0x1A) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=49152 (0xC000) >smb_bcc=41 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 1A 00 00 00 02 00 00 00 02 ........ ........ >[020] 00 00 00 00 00 00 00 01 00 ........ . >simple_packet_signature: sequence number 8 >client_sign_outgoing_message: sent SMB signature of >[000] 78 6D A5 56 6D FC D9 E5 xm.Vm... >store_sequence_for_reply: stored seq = 9 mid = 6 >write_socket(16,112) >write_socket(16,112) wrote 112 >got smb length of 284 >size=284 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=6 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 228 (0xE4) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 228 (0xE4) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=229 >[000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ 
>[010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ >[020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ >[030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ >[040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ >[050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. >[060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h >[070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i >[080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t >[090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c >[0A0] 00 6F 00 6D 00 00 00 45 00 15 00 00 00 00 00 00 .o.m...E ........ >[0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a >[0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i >[0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 00 .n.g...c .o.m.... >[0E0] 00 00 00 00 00 ..... >get_sequence_for_reply: found seq = 9 mid = 6 >simple_packet_signature: sequence number 9 >client_check_incoming_message: seq 9: got good SMB signature of >[000] 72 98 14 AF B6 32 42 C1 r....2B. >size=284 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=6 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 228 (0xE4) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 228 (0xE4) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=229 >[000] 1A 05 00 02 03 10 00 00 00 E4 00 00 00 02 00 00 ........ ........ >[010] 00 CC 00 00 00 00 00 00 00 00 00 02 00 01 00 00 ........ ........ >[020] 00 05 00 00 00 01 00 00 01 04 00 02 00 08 00 02 ........ ........ >[030] 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 42 87 55 7B ........ ....B.U{ >[040] C9 B4 D4 8A F3 08 00 00 00 00 00 00 00 08 00 00 ........ ........ 
>[050] 00 43 00 48 00 49 00 4C 00 44 00 30 00 33 00 00 .C.H.I.L .D.0.3.. >[060] 00 1D 00 00 00 00 00 00 00 1D 00 00 00 63 00 68 ........ .....c.h >[070] 00 69 00 6C 00 64 00 30 00 33 00 2E 00 65 00 69 .i.l.d.0 .3...e.i >[080] 00 67 00 68 00 74 00 61 00 64 00 36 00 2E 00 74 .g.h.t.a .d.6...t >[090] 00 65 00 73 00 74 00 69 00 6E 00 67 00 2E 00 63 .e.s.t.i .n.g...c >[0A0] 00 6F 00 6D 00 00 00 45 00 15 00 00 00 00 00 00 .o.m...E ........ >[0B0] 00 15 00 00 00 65 00 69 00 67 00 68 00 74 00 61 .....e.i .g.h.t.a >[0C0] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i >[0D0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 00 00 .n.g...c .o.m.... >[0E0] 00 00 00 00 00 ..... >get_sequence_for_reply: found seq = 9 mid = 6 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 00e4 > 000a auth_len : 0000 > 000c call_id : 00000002 >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 000000cc > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >cli_pipe_validate_current_pdu: got pdu len 228, data_len 204, ss_len 0 >rpc_api_pipe: got PDU len of 228 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc000 returned 408 bytes. >000000 ds_io_r_getprimdominfo > 0000 ptr: 00020000 > 0004 level: 0001 > 0006 unknown0: 0000 > 0008 machine_role: 0005 > 000c flags: 01000001 > 0010 netbios_ptr: 00020004 > 0014 dnsname_ptr: 00020008 > 0018 forestname_ptr: 0002000c > 00001c smb_io_uuid domain_guid > 001c data : 051fb988 > 0020 data : d99f > 0022 data : 42a3 > 0024 data : 87 55 > 0026 data : 7b c9 b4 d4 8a f3 > 00002c smb_io_unistr2 netbios_domain > 002c uni_max_len: 00000008 > 0030 offset : 00000000 > 0034 uni_str_len: 00000008 > 0038 buffer : C.H.I.L.D.0.3... 
> 000048 smb_io_unistr2 dns_domain > 0048 uni_max_len: 0000001d > 004c offset : 00000000 > 0050 uni_str_len: 0000001d > 0054 buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... > 000090 smb_io_unistr2 forest_domain > 0090 uni_max_len: 00000015 > 0094 offset : 00000000 > 0098 uni_str_len: 00000015 > 009c buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... > 00c8 status: NT_STATUS_OK >simple_packet_signature: sequence number 10 >client_sign_outgoing_message: sent SMB signature of >[000] 99 8D 3B 38 9C 48 2A DF ..;8.H*. >store_sequence_for_reply: stored seq = 11 mid = 7 >write_socket(16,45) >write_socket(16,45) wrote 45 >got smb length of 35 >size=35 >smb_com=0x4 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=7 >smt_wct=0 >smb_bcc=0 >get_sequence_for_reply: found seq = 11 mid = 7 >simple_packet_signature: sequence number 11 >client_check_incoming_message: seq 11: got good SMB signature of >[000] F4 18 E9 81 AE BC E2 26 .......& >cli_rpc_pipe_close: closed pipe \lsarpc to machine norma.child03.eightad6.testing.com >simple_packet_signature: sequence number 12 >client_sign_outgoing_message: sent SMB signature of >[000] 0A 5E A9 D4 A8 98 82 18 .^...... 
>store_sequence_for_reply: stored seq = 13 mid = 8 >write_socket(16,104) >write_socket(16,104) wrote 104 >got smb length of 103 >size=103 >smb_com=0xa2 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=8 >smt_wct=34 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 103 (0x67) >smb_vwv[ 2]= 256 (0x100) >smb_vwv[ 3]= 448 (0x1C0) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 0 (0x0) >smb_vwv[11]= 0 (0x0) >smb_vwv[12]= 0 (0x0) >smb_vwv[13]= 0 (0x0) >smb_vwv[14]= 0 (0x0) >smb_vwv[15]= 0 (0x0) >smb_vwv[16]= 0 (0x0) >smb_vwv[17]= 0 (0x0) >smb_vwv[18]= 0 (0x0) >smb_vwv[19]= 0 (0x0) >smb_vwv[20]= 0 (0x0) >smb_vwv[21]=32768 (0x8000) >smb_vwv[22]= 0 (0x0) >smb_vwv[23]= 0 (0x0) >smb_vwv[24]= 16 (0x10) >smb_vwv[25]= 0 (0x0) >smb_vwv[26]= 0 (0x0) >smb_vwv[27]= 0 (0x0) >smb_vwv[28]= 0 (0x0) >smb_vwv[29]= 0 (0x0) >smb_vwv[30]= 0 (0x0) >smb_vwv[31]= 512 (0x200) >smb_vwv[32]=65280 (0xFF00) >smb_vwv[33]= 5 (0x5) >smb_bcc=0 >get_sequence_for_reply: found seq = 13 mid = 8 >simple_packet_signature: sequence number 13 >client_check_incoming_message: seq 13: got good SMB signature of >[000] 2C B2 D3 92 35 1C 16 52 ,...5..R >Bind RPC Pipe[c001]: \lsarpc auth_type 0, auth_level 0 >Bind Abstract Syntax: [000] 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB xW4.4... ...#Eg.. >[010] 00 00 00 00 .... >Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` >[010] 02 00 00 00 .... 
>000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0b > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0048 > 000a auth_len : 0000 > 000c call_id : 00000003 >000010 smb_io_rpc_hdr_rb > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 00000000 > 0018 num_contexts: 01 > 001c context_id : 0000 > 001e num_transfer_syntaxes: 01 > 00001f smb_io_rpc_iface > 000020 smb_io_uuid uuid > 0020 data : 12345778 > 0024 data : 1234 > 0026 data : abcd > 0028 data : ef 00 > 002a data : 01 23 45 67 89 ab > 0030 version: 00000000 > 000034 smb_io_rpc_iface > 000034 smb_io_uuid uuid > 0034 data : 8a885d04 > 0038 data : 1ceb > 003a data : 11c9 > 003c data : 9f e8 > 003e data : 08 00 2b 10 48 60 > 0044 version: 00000002 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 >size=154 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=9 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 72 (0x48) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 72 (0x48) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=49153 (0xC001) >smb_bcc=87 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 0B 03 10 00 00 00 48 00 00 00 03 00 00 00 B8 .......H ........ >[020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x >[030] 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 W4.4.... ..#Eg... >[040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ >[050] 10 48 60 02 00 00 00 .H`.... 
>simple_packet_signature: sequence number 14 >client_sign_outgoing_message: sent SMB signature of >[000] FB 81 04 12 46 3A 91 6A ....F:.j >store_sequence_for_reply: stored seq = 15 mid = 9 >write_socket(16,158) >write_socket(16,158) wrote 158 >got smb length of 124 >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=9 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... >[010] 00 B8 10 B8 10 6C 70 00 00 0C 00 5C 50 49 50 45 .....lp. ...\PIPE >[020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... >get_sequence_for_reply: found seq = 15 mid = 9 >simple_packet_signature: sequence number 15 >client_check_incoming_message: seq 15: got good SMB signature of >[000] 9C E4 8D 34 A5 D3 FD CC ...4.... >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=9 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 03 00 00 H....... .D...... >[010] 00 B8 10 B8 10 6C 70 00 00 0C 00 5C 50 49 50 45 .....lp. ...\PIPE >[020] 5C 6C 73 61 73 73 00 00 01 01 00 00 00 00 00 00 \lsass.. ........ >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... 
>get_sequence_for_reply: found seq = 15 mid = 9 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000003 >rpc_api_pipe: got PDU len of 68 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 returned 68 bytes. >rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 bind request returned ok. >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000003 >000010 smb_io_rpc_hdr_ba > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 0000706c > 000018 smb_io_rpc_addr_str > 0018 len: 000c > 001a str: \PIPE\lsass. > 000026 smb_io_rpc_results > 0028 num_results: 01 > 002c result : 0000 > 002e reason : 0000 > 000030 smb_io_rpc_iface > 000030 smb_io_uuid uuid > 0030 data : 8a885d04 > 0034 data : 1ceb > 0036 data : 11c9 > 0038 data : 9f e8 > 003a data : 08 00 2b 10 48 60 > 0040 version: 00000002 >check_bind_response: accepted! >cli_rpc_pipe_open_noauth: opened pipe \lsarpc to machine norma.child03.eightad6.testing.com and bound anonymously. >init_lsa_sec_qos >init_q_open_pol2: attr:0 da:33554432 >init_lsa_obj_attr >000000 lsa_io_q_open_pol2 > 0000 ptr : 00000001 > 000004 smb_io_unistr2 > 0004 uni_max_len: 00000025 > 0008 offset : 00000000 > 000c uni_str_len: 00000025 > 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
> 00005a lsa_io_obj_attr > 005c len : 00000018 > 0060 ptr_root_dir: 00000000 > 0064 ptr_obj_name: 00000000 > 0068 attributes : 00000000 > 006c ptr_sec_desc: 00000000 > 0070 ptr_sec_qos : 00000001 > 000074 lsa_io_obj_qos sec_qos > 0074 len : 0000000c > 0078 sec_imp_level : 0002 > 007a sec_ctxt_mode : 01 > 007b effective_only: 00 >lsa_io_sec_qos: length c does not match size 8 > 007c des_access: 02000000 >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0098 > 000a auth_len : 0000 > 000c call_id : 00000004 >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 00000080 > 0014 context_id: 0000 > 0016 opnum : 002c >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 >size=234 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=10 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 152 (0x98) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 152 (0x98) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=49153 (0xC001) >smb_bcc=167 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 98 00 00 00 04 00 00 00 80 ........ ........ >[020] 00 00 00 00 00 2C 00 01 00 00 00 25 00 00 00 00 .....,.. ...%.... >[030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r >[040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d >[050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t >[060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t >[070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. 
>[080] 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ >[090] 00 00 00 00 00 00 00 01 00 00 00 0C 00 00 00 02 ........ ........ >[0A0] 00 01 00 00 00 00 02 ....... >simple_packet_signature: sequence number 16 >client_sign_outgoing_message: sent SMB signature of >[000] 2C D1 E0 B8 7C 27 AA DB ,...|'.. >store_sequence_for_reply: stored seq = 17 mid = 10 >write_socket(16,238) >write_socket(16,238) wrote 238 >got smb length of 104 >size=104 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=10 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 48 (0x30) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 48 (0x30) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=49 >[000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... >[010] 00 18 00 00 00 00 00 00 00 00 00 00 00 02 02 50 ........ .......P >[020] 64 D0 20 6D 44 90 F8 73 5B 26 86 1B EB 00 00 00 d. mD..s [&...... >[030] 00 . >get_sequence_for_reply: found seq = 17 mid = 10 >simple_packet_signature: sequence number 17 >client_check_incoming_message: seq 17: got good SMB signature of >[000] E4 B8 DC D1 AE FF 8F EB ........ >size=104 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=10 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 48 (0x30) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 48 (0x30) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=49 >[000] 98 05 00 02 03 10 00 00 00 30 00 00 00 04 00 00 ........ .0...... >[010] 00 18 00 00 00 00 00 00 00 00 00 00 00 02 02 50 ........ .......P >[020] 64 D0 20 6D 44 90 F8 73 5B 26 86 1B EB 00 00 00 d. mD..s [&...... >[030] 00 . 
>get_sequence_for_reply: found seq = 17 mid = 10 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0030 > 000a auth_len : 0000 > 000c call_id : 00000004 >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 00000018 > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >cli_pipe_validate_current_pdu: got pdu len 48, data_len 24, ss_len 0 >rpc_api_pipe: got PDU len of 48 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 returned 48 bytes. >000000 lsa_io_r_open_pol2 > 000000 smb_io_pol_hnd > 0000 handle_type: 00000000 > 000004 smb_io_uuid uuid > 0004 data : 64500202 > 0008 data : 20d0 > 000a data : 446d > 000c data : 90 f8 > 000e data : 73 5b 26 86 1b eb > 0014 status: NT_STATUS_OK >init_q_query2 >000000 lsa_io_q_query_info2 > 000000 smb_io_pol_hnd pol > 0000 handle_type: 00000000 > 000004 smb_io_uuid uuid > 0004 data : 64500202 > 0008 data : 20d0 > 000a data : 446d > 000c data : 90 f8 > 000e data : 73 5b 26 86 1b eb > 0014 info_class: 000c >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 002e > 000a auth_len : 0000 > 000c call_id : 00000005 >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 00000016 > 0014 context_id: 0000 > 0016 opnum : 002e >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 >size=128 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=11 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 46 (0x2E) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 
(0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 46 (0x2E) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=49153 (0xC001) >smb_bcc=61 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 2E 00 00 00 05 00 00 00 16 ........ ........ >[020] 00 00 00 00 00 2E 00 00 00 00 00 02 02 50 64 D0 ........ .....Pd. >[030] 20 6D 44 90 F8 73 5B 26 86 1B EB 0C 00 mD..s[& ..... >simple_packet_signature: sequence number 18 >client_sign_outgoing_message: sent SMB signature of >[000] 67 E7 9F 31 98 95 A5 B9 g..1.... >store_sequence_for_reply: stored seq = 19 mid = 11 >write_socket(16,132) >write_socket(16,132) wrote 132 >got smb length of 312 >size=312 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=11 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 256 (0x100) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 256 (0x100) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=257 >[000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ >[010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ >[020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... >[030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ >[040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ >[050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L >[060] 00 44 00 30 00 33 00 67 00 1D 00 00 00 00 00 00 .D.0.3.g ........ >[070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 >[080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a >[090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i >[0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... >[0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ 
.e.i.g.h >[0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s >[0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m >[0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ ........ >[0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... >[100] 00 . >get_sequence_for_reply: found seq = 19 mid = 11 >simple_packet_signature: sequence number 19 >client_check_incoming_message: seq 19: got good SMB signature of >[000] 83 05 C2 5F 44 37 6A 07 ..._D7j. >size=312 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=11 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 256 (0x100) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 256 (0x100) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=257 >[000] 2E 05 00 02 03 10 00 00 00 00 01 00 00 05 00 00 ........ ........ >[010] 00 E8 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 ........ ........ >[020] 00 0E 00 10 00 04 00 02 00 38 00 3A 00 08 00 02 ........ .8.:.... >[030] 00 28 00 2A 00 0C 00 02 00 88 B9 1F 05 9F D9 A3 .(.*.... ........ >[040] 42 87 55 7B C9 B4 D4 8A F3 10 00 02 00 08 00 00 B.U{.... ........ >[050] 00 00 00 00 00 07 00 00 00 43 00 48 00 49 00 4C ........ .C.H.I.L >[060] 00 44 00 30 00 33 00 67 00 1D 00 00 00 00 00 00 .D.0.3.g ........ >[070] 00 1C 00 00 00 63 00 68 00 69 00 6C 00 64 00 30 .....c.h .i.l.d.0 >[080] 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 00 61 .3...e.i .g.h.t.a >[090] 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 00 69 .d.6...t .e.s.t.i >[0A0] 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 15 00 00 .n.g...c .o.m.... >[0B0] 00 00 00 00 00 14 00 00 00 65 00 69 00 67 00 68 ........ .e.i.g.h >[0C0] 00 74 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 .t.a.d.6 ...t.e.s >[0D0] 00 74 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D .t.i.n.g ...c.o.m >[0E0] 00 04 00 00 00 01 04 00 00 00 00 00 05 15 00 00 ........ 
........ >[0F0] 00 9E EE 0E 5B E9 51 6F CE 08 53 A2 9A 00 00 00 ....[.Qo ..S..... >[100] 00 . >get_sequence_for_reply: found seq = 19 mid = 11 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0100 > 000a auth_len : 0000 > 000c call_id : 00000005 >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 000000e8 > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >cli_pipe_validate_current_pdu: got pdu len 256, data_len 232, ss_len 0 >rpc_api_pipe: got PDU len of 256 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \lsarpc fnum 0xc001 returned 464 bytes. >000000 lsa_io_r_query_info2 > 0000 dom_ptr: 00020000 > 000004 lsa_io_query_info_ctr2 > 0004 info_class: 000c > 000006 lsa_io_dom_query_12 > 000008 smb_io_unihdr nb_name > 0008 uni_str_len: 000e > 000a uni_max_len: 0010 > 000c buffer : 00020004 > 000010 smb_io_unihdr dns_name > 0010 uni_str_len: 0038 > 0012 uni_max_len: 003a > 0014 buffer : 00020008 > 000018 smb_io_unihdr forest > 0018 uni_str_len: 0028 > 001a uni_max_len: 002a > 001c buffer : 0002000c > 000020 smb_io_uuid dom_guid > 0020 data : 051fb988 > 0024 data : d99f > 0026 data : 42a3 > 0028 data : 87 55 > 002a data : 7b c9 b4 d4 8a f3 > 0030 dom_sid: 00020010 > 000034 smb_io_unistr2 nb_name > 0034 uni_max_len: 00000008 > 0038 offset : 00000000 > 003c uni_str_len: 00000007 > 0040 buffer : C.H.I.L.D.0.3. > 00004e smb_io_unistr2 dns_name > 0050 uni_max_len: 0000001d > 0054 offset : 00000000 > 0058 uni_str_len: 0000001c > 005c buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m. > 000094 smb_io_unistr2 forest > 0094 uni_max_len: 00000015 > 0098 offset : 00000000 > 009c uni_str_len: 00000014 > 00a0 buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m. 
> 0000c8 smb_io_dom_sid2 dom_sid > 00c8 num_auths: 00000004 > 0000cc smb_io_dom_sid sid > 00cc sid_rev_num: 01 > 00cd num_auths : 04 > 00ce id_auth[0] : 00 > 00cf id_auth[1] : 00 > 00d0 id_auth[2] : 00 > 00d1 id_auth[3] : 00 > 00d2 id_auth[4] : 00 > 00d3 id_auth[5] : 05 > 00d4 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 > 00e4 status: NT_STATUS_OK >set_dc_type_and_flags: domain CHILD03 is in native mode. >set_dc_type_and_flags: domain CHILD03 is running active directory. >simple_packet_signature: sequence number 20 >client_sign_outgoing_message: sent SMB signature of >[000] BD E9 90 CA F3 E7 F9 4F .......O >store_sequence_for_reply: stored seq = 21 mid = 12 >write_socket(16,45) >write_socket(16,45) wrote 45 >got smb length of 35 >size=35 >smb_com=0x4 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=6146 >smb_pid=25417 >smb_uid=10241 >smb_mid=12 >smt_wct=0 >smb_bcc=0 >get_sequence_for_reply: found seq = 21 mid = 12 >simple_packet_signature: sequence number 21 >client_check_incoming_message: seq 21: got good SMB signature of >[000] E4 EE 32 6E DA 87 9E 07 ..2n.... 
>cli_rpc_pipe_close: closed pipe \lsarpc to machine norma.child03.eightad6.testing.com >Added timed event "async_request_timeout": 2aac341bb350 >run_events: Nothing to do >timed_events_timeout: 299/999957 >child daemon request 19 >process_request: request fn LIST_TRUSTDOM >[25417]: list trusted domains >get_cache: Setting ADS methods for domain CHILD03 >fetch_cache_seqnum: invalid data size key [SEQNUM/CHILD03] >ads: fetch sequence_number for CHILD03 >ads_cached_connection >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" >ads_dc_name: domain=CHILD03 >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" >ads_find_dc: looking for realm 'child03.eightad6.testing.com' >get_sorted_dc_list: attempting lookup for name child03.eightad6.testing.com (sitename Default-First-Site-Name) using [ads] >Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 >saf_fetch: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain >get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" >internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) >Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009 >name child03.eightad6.testing.com#1C found. 
>Adding 1 DC's from auto lookup >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" >internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) >Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 >name norma.child03.eightad6.testing.com#20 found. >remove_duplicate_addrs2: looking for duplicate address/port pairs >get_dc_list: returning 1 ip addresses in an ordered list >get_dc_list: 192.168.12.172:389 >ads_try_connect: sending CLDAP request to 192.168.12.172 (realm: child03.eightad6.testing.com) >sitename_store: realm = [CHILD03.EIGHTAD6.TESTING.COM], sitename = [Default-First-Site-Name], expire = [4294967295] >Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259153182 seconds ahead) >Connected to LDAP server 192.168.12.172 >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" >ads_closest_dc: ADS_CLOSEST flag set >create_local_private_krb5_conf_for_domain: fname = /var/lib/samba/smb_krb5/krb5.conf.CHILD03, realm = child03.eightad6.testing.com, domain = CHILD03 >Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 >saf_fetch: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain >get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" >internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename 
Default-First-Site-Name) >Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009 >name child03.eightad6.testing.com#1C found. >Adding 1 DC's from auto lookup >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" >internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) >Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 >name norma.child03.eightad6.testing.com#20 found. >remove_duplicate_addrs2: looking for duplicate address/port pairs >get_dc_list: returning 1 ip addresses in an ordered list >get_dc_list: 192.168.12.172:389 >Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 >saf_fetch: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain >get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" >internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename (null)) >Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009 >name child03.eightad6.testing.com#1C found. 
>Adding 1 DC's from auto lookup >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" >internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) >Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 >name norma.child03.eightad6.testing.com#20 found. >remove_duplicate_addrs2: looking for duplicate address/port pairs >get_dc_list: returning 1 ip addresses in an ordered list >get_dc_list: 192.168.12.172:389 >get_kdc_ip_string: Returning kdc = 192.168.12.172 > >create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.CHILD03 with realm CHILD03.EIGHTAD6.TESTING.COM KDC = 192.168.12.172 >ads_dc_name: using server='NORMA.CHILD03.EIGHTAD6.TESTING.COM' IP=192.168.12.172 >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for child03.eightad6.testing.com: "Default-First-Site-Name" >ads_find_dc: looking for realm 'child03.eightad6.testing.com' >get_sorted_dc_list: attempting lookup for name child03.eightad6.testing.com (sitename Default-First-Site-Name) using [ads] >Returning valid cache entry: key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = norma.child03.eightad6.testing.com, timeout = Wed Nov 25 18:31:21 2009 >saf_fetch: Returning "norma.child03.eightad6.testing.com" for "child03.eightad6.testing.com" domain >get_dc_list: preferred server list: "norma.child03.eightad6.testing.com, *" >internal_resolve_name: looking up child03.eightad6.testing.com#1c (sitename Default-First-Site-Name) >Returning valid cache entry: key = NBT/CHILD03.EIGHTAD6.TESTING.COM#1C, value = 
192.168.12.172:389, timeout = Wed Nov 25 18:26:18 2009 >name child03.eightad6.testing.com#1C found. >Adding 1 DC's from auto lookup >Returning valid cache entry: key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM, value = Default-First-Site-Name, timeout = Sun Feb 7 11:58:15 2106 >sitename_fetch: Returning sitename for CHILD03.EIGHTAD6.TESTING.COM: "Default-First-Site-Name" >internal_resolve_name: looking up norma.child03.eightad6.testing.com#20 (sitename Default-First-Site-Name) >Returning valid cache entry: key = NBT/NORMA.CHILD03.EIGHTAD6.TESTING.COM#20, value = 192.168.12.172:0, timeout = Wed Nov 25 18:27:21 2009 >name norma.child03.eightad6.testing.com#20 found. >remove_duplicate_addrs2: looking for duplicate address/port pairs >get_dc_list: returning 1 ip addresses in an ordered list >get_dc_list: 192.168.12.172:389 >ads_try_connect: sending CLDAP request to 192.168.12.172 (realm: child03.eightad6.testing.com) >sitename_store: realm = [CHILD03.EIGHTAD6.TESTING.COM], sitename = [Default-First-Site-Name], expire = [4294967295] >Adding cache entry with key = AD_SITENAME/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = Default-First-Site-Name and timeout = (null) (-1259153182 seconds ahead) >Connected to LDAP server 192.168.12.172 >ads_closest_dc: ADS_CLOSEST flag set >saf_store: domain = [CHILD03], server = [192.168.12.172], expire = [1259154081] >Adding cache entry with key = SAF/DOMAIN/CHILD03; value = 192.168.12.172 and timeout = Wed Nov 25 18:31:21 2009 > (900 seconds ahead) >saf_store: domain = [child03.eightad6.testing.com], server = [192.168.12.172], expire = [1259154081] >Adding cache entry with key = SAF/DOMAIN/CHILD03.EIGHTAD6.TESTING.COM; value = 192.168.12.172 and timeout = Wed Nov 25 18:31:21 2009 > (900 seconds ahead) >time offset is 3 seconds >Found SASL mechanism GSS-SPNEGO >ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2 >ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 >ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3 
>ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10 >ads_sasl_spnego_bind: got server principal name = norma$@CHILD03.EIGHTAD6.TESTING.COM >ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found) >ads_sasl_spnego_krb5_bind failed with: No credentials cache found, calling kinit >kerberos_kinit_password: using [MEMORY:winbind_ccache] as ccache and config [/var/lib/samba/smb_krb5/krb5.conf.CHILD03] >ads_krb5_mk_req: Advancing clock by 3 seconds to cope with clock skew >ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Thu, 26 Nov 2009 04:16:24 IST >ads_krb5_mk_req: Ticket (norma$@CHILD03.EIGHTAD6.TESTING.COM) in ccache (MEMORY:winbind_ccache) is valid until: (Thu, 26 Nov 2009 04:16:24 IST - 1259189184) >Got KRB5 session key of length 16 >Search for (objectclass=*) in <> gave 1 replies >store_cache_seqnum: success [CHILD03][13938 @ 1259153181] >refresh_sequence_number: CHILD03 seq number is now 13938 >trusted_domains: [Cached] - doing backend query for info for domain CHILD03 >ads: trusted_domains >simple_packet_signature: sequence number 22 >client_sign_outgoing_message: sent SMB signature of >[000] 91 3A D8 52 6C 0F 9A 96 .:.Rl... 
>store_sequence_for_reply: stored seq = 23 mid = 13 >write_socket(15,108) >write_socket(15,108) wrote 108 >got smb length of 103 >size=103 >smb_com=0xa2 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=13 >smt_wct=34 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 103 (0x67) >smb_vwv[ 2]= 3584 (0xE00) >smb_vwv[ 3]= 320 (0x140) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 0 (0x0) >smb_vwv[11]= 0 (0x0) >smb_vwv[12]= 0 (0x0) >smb_vwv[13]= 0 (0x0) >smb_vwv[14]= 0 (0x0) >smb_vwv[15]= 0 (0x0) >smb_vwv[16]= 0 (0x0) >smb_vwv[17]= 0 (0x0) >smb_vwv[18]= 0 (0x0) >smb_vwv[19]= 0 (0x0) >smb_vwv[20]= 0 (0x0) >smb_vwv[21]=32768 (0x8000) >smb_vwv[22]= 0 (0x0) >smb_vwv[23]= 0 (0x0) >smb_vwv[24]= 16 (0x10) >smb_vwv[25]= 0 (0x0) >smb_vwv[26]= 0 (0x0) >smb_vwv[27]= 0 (0x0) >smb_vwv[28]= 0 (0x0) >smb_vwv[29]= 0 (0x0) >smb_vwv[30]= 0 (0x0) >smb_vwv[31]= 512 (0x200) >smb_vwv[32]=65280 (0xFF00) >smb_vwv[33]= 5 (0x5) >smb_bcc=0 >get_sequence_for_reply: found seq = 23 mid = 13 >simple_packet_signature: sequence number 23 >client_check_incoming_message: seq 23: got good SMB signature of >[000] B7 7B CD 58 EA 2A C1 C4 .{.X.*.. >Bind RPC Pipe[400e]: \NETLOGON auth_type 0, auth_level 0 >Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. >[010] 01 00 00 00 .... >Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` >[010] 02 00 00 00 .... 
>000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0b > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0048 > 000a auth_len : 0000 > 000c call_id : 00000006 >000010 smb_io_rpc_hdr_rb > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 00000000 > 0018 num_contexts: 01 > 001c context_id : 0000 > 001e num_transfer_syntaxes: 01 > 00001f smb_io_rpc_iface > 000020 smb_io_uuid uuid > 0020 data : 12345678 > 0024 data : 1234 > 0026 data : abcd > 0028 data : ef 00 > 002a data : 01 23 45 67 cf fb > 0030 version: 00000001 > 000034 smb_io_rpc_iface > 000034 smb_io_uuid uuid > 0034 data : 8a885d04 > 0038 data : 1ceb > 003a data : 11c9 > 003c data : 9f e8 > 003e data : 08 00 2b 10 48 60 > 0044 version: 00000002 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e >size=154 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=14 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 72 (0x48) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 72 (0x48) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16398 (0x400E) >smb_bcc=87 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 0B 03 10 00 00 00 48 00 00 00 06 00 00 00 B8 .......H ........ >[020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x >[030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... >[040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ >[050] 10 48 60 02 00 00 00 .H`.... 
>simple_packet_signature: sequence number 24 >client_sign_outgoing_message: sent SMB signature of >[000] 2B 72 23 04 43 43 FB 38 +r#.CC.8 >store_sequence_for_reply: stored seq = 25 mid = 14 >write_socket(15,158) >write_socket(15,158) wrote 158 >got smb length of 124 >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=14 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... >[010] 00 B8 10 B8 10 6D 70 00 00 0C 00 5C 50 49 50 45 .....mp. ...\PIPE >[020] 5C 6C 73 61 73 73 00 73 5B 01 00 00 00 00 00 00 \lsass.s [....... >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... >get_sequence_for_reply: found seq = 25 mid = 14 >simple_packet_signature: sequence number 25 >client_check_incoming_message: seq 25: got good SMB signature of >[000] BB C1 BF 2F E5 E1 5C 45 .../..\E >size=124 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=14 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 68 (0x44) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 68 (0x44) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=69 >[000] 48 05 00 0C 03 10 00 00 00 44 00 00 00 06 00 00 H....... .D...... >[010] 00 B8 10 B8 10 6D 70 00 00 0C 00 5C 50 49 50 45 .....mp. ...\PIPE >[020] 5C 6C 73 61 73 73 00 73 5B 01 00 00 00 00 00 00 \lsass.s [....... >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 `.... 
>get_sequence_for_reply: found seq = 25 mid = 14 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000006 >rpc_api_pipe: got PDU len of 68 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e returned 68 bytes. >rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e bind request returned ok. >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0044 > 000a auth_len : 0000 > 000c call_id : 00000006 >000010 smb_io_rpc_hdr_ba > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 0000706d > 000018 smb_io_rpc_addr_str > 0018 len: 000c > 001a str: \PIPE\lsass. > 000026 smb_io_rpc_results > 0028 num_results: 01 > 002c result : 0000 > 002e reason : 0000 > 000030 smb_io_rpc_iface > 000030 smb_io_uuid uuid > 0030 data : 8a885d04 > 0034 data : 1ceb > 0036 data : 11c9 > 0038 data : 9f e8 > 003a data : 08 00 2b 10 48 60 > 0040 version: 00000002 >check_bind_response: accepted! >cli_rpc_pipe_open_noauth: opened pipe \NETLOGON to machine norma.child03.eightad6.testing.com and bound anonymously. >cli_net_req_chal: LSA Request Challenge from MONOCEROS to \\norma.child03.eightad6.testing.com >init_q_req_chal: 679 >init_q_req_chal: 688 >000000 net_io_q_req_chal > 0000 undoc_buffer: 00000001 > 000004 smb_io_unistr2 > 0004 uni_max_len: 00000025 > 0008 offset : 00000000 > 000c uni_str_len: 00000025 > 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
> 00005a smb_io_unistr2 > 005c uni_max_len: 0000000a > 0060 offset : 00000000 > 0064 uni_str_len: 0000000a > 0068 buffer : M.O.N.O.C.E.R.O.S... > 00007c smb_io_chal > 007c data: 22 53 49 7e 32 86 5b 5a >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 009c > 000a auth_len : 0000 > 000c call_id : 00000007 >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 00000084 > 0014 context_id: 0000 > 0016 opnum : 0004 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e >size=238 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=15 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 156 (0x9C) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 156 (0x9C) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16398 (0x400E) >smb_bcc=171 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 9C 00 00 00 07 00 00 00 84 ........ ........ >[020] 00 00 00 00 00 04 00 01 00 00 00 25 00 00 00 00 ........ ...%.... >[030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r >[040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d >[050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t >[060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t >[070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. >[080] 00 00 00 0A 00 00 00 00 00 00 00 0A 00 00 00 4D ........ 
.......M >[090] 00 4F 00 4E 00 4F 00 43 00 45 00 52 00 4F 00 53 .O.N.O.C .E.R.O.S >[0A0] 00 00 00 22 53 49 7E 32 86 5B 5A ..."SI~2 .[Z >simple_packet_signature: sequence number 26 >client_sign_outgoing_message: sent SMB signature of >[000] 19 27 4E BE A1 01 DD FE .'N..... >store_sequence_for_reply: stored seq = 27 mid = 15 >write_socket(15,242) >write_socket(15,242) wrote 242 >got smb length of 92 >size=92 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=15 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 36 (0x24) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 36 (0x24) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=37 >[000] 9C 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... >[010] 00 0C 00 00 00 00 00 00 00 EB BC 77 2D EC 92 F1 ........ ...w-... >[020] 1A 00 00 00 00 ..... >get_sequence_for_reply: found seq = 27 mid = 15 >simple_packet_signature: sequence number 27 >client_check_incoming_message: seq 27: got good SMB signature of >[000] A4 03 7D FE 65 49 16 E3 ..}.eI.. >size=92 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=15 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 36 (0x24) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 36 (0x24) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=37 >[000] 9C 05 00 02 03 10 00 00 00 24 00 00 00 07 00 00 ........ .$...... >[010] 00 0C 00 00 00 00 00 00 00 EB BC 77 2D EC 92 F1 ........ ...w-... >[020] 1A 00 00 00 00 ..... 
>get_sequence_for_reply: found seq = 27 mid = 15 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0024 > 000a auth_len : 0000 > 000c call_id : 00000007 >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 0000000c > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >cli_pipe_validate_current_pdu: got pdu len 36, data_len 12, ss_len 0 >rpc_api_pipe: got PDU len of 36 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e returned 24 bytes. >000000 net_io_r_req_chal > 000000 smb_io_chal > 0000 data: eb bc 77 2d ec 92 f1 1a > 0008 status: NT_STATUS_OK >creds_client_init: neg_flags : 600fffff >creds_client_init: client chal : 2253497E32865B5A >creds_client_init: server chal : EBBC772DEC92F11A >creds_init_128 > clnt_chal_in: 2253497E32865B5A > srv_chal_in : EBBC772DEC92F11A >creds_client_init: clnt : 5CE1F2DFC5A11FB8 >creds_client_init: server : FA8CD6C86F115E08 >creds_client_init: seed : 5CE1F2DFC5A11FB8 >cli_net_auth2: srv:\\norma.child03.eightad6.testing.com acct:MONOCEROS$ sc:2 mc: MONOCEROS neg: 600fffff >init_q_auth_2: 800 >make_log_info 1450 >init_q_auth_2: 806 >000000 net_io_q_auth_2 > 000000 smb_io_log_info > 0000 undoc_buffer: 00000001 > 000004 smb_io_unistr2 unistr2 > 0004 uni_max_len: 00000025 > 0008 offset : 00000000 > 000c uni_str_len: 00000025 > 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... > 00005a smb_io_unistr2 unistr2 > 005c uni_max_len: 0000000b > 0060 offset : 00000000 > 0064 uni_str_len: 0000000b > 0068 buffer : M.O.N.O.C.E.R.O.S.$... > 007e sec_chan: 0002 > 000080 smb_io_unistr2 unistr2 > 0080 uni_max_len: 0000000a > 0084 offset : 00000000 > 0088 uni_str_len: 0000000a > 008c buffer : M.O.N.O.C.E.R.O.S... 
> 0000a0 smb_io_chal > 00a0 data: 5c e1 f2 df c5 a1 1f b8 > 0000a8 net_io_neg_flags > 00a8 neg_flags: 600fffff >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 00c4 > 000a auth_len : 0000 > 000c call_id : 00000008 >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 000000ac > 0014 context_id: 0000 > 0016 opnum : 000f >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e >size=278 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=16 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 196 (0xC4) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 196 (0xC4) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16398 (0x400E) >smb_bcc=211 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 C4 00 00 00 08 00 00 00 AC ........ ........ >[020] 00 00 00 00 00 0F 00 01 00 00 00 25 00 00 00 00 ........ ...%.... >[030] 00 00 00 25 00 00 00 5C 00 5C 00 6E 00 6F 00 72 ...%...\ .\.n.o.r >[040] 00 6D 00 61 00 2E 00 63 00 68 00 69 00 6C 00 64 .m.a...c .h.i.l.d >[050] 00 30 00 33 00 2E 00 65 00 69 00 67 00 68 00 74 .0.3...e .i.g.h.t >[060] 00 61 00 64 00 36 00 2E 00 74 00 65 00 73 00 74 .a.d.6.. .t.e.s.t >[070] 00 69 00 6E 00 67 00 2E 00 63 00 6F 00 6D 00 00 .i.n.g.. .c.o.m.. >[080] 00 00 00 0B 00 00 00 00 00 00 00 0B 00 00 00 4D ........ .......M >[090] 00 4F 00 4E 00 4F 00 43 00 45 00 52 00 4F 00 53 .O.N.O.C .E.R.O.S >[0A0] 00 24 00 00 00 02 00 0A 00 00 00 00 00 00 00 0A .$...... ........ 
>[0B0] 00 00 00 4D 00 4F 00 4E 00 4F 00 43 00 45 00 52 ...M.O.N .O.C.E.R >[0C0] 00 4F 00 53 00 00 00 5C E1 F2 DF C5 A1 1F B8 FF .O.S...\ ........ >[0D0] FF 0F 60 ..` >simple_packet_signature: sequence number 28 >client_sign_outgoing_message: sent SMB signature of >[000] E2 2E 65 F9 64 C6 0E B3 ..e.d... >store_sequence_for_reply: stored seq = 29 mid = 16 >write_socket(15,282) >write_socket(15,282) wrote 282 >got smb length of 96 >size=96 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=16 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 40 (0x28) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 40 (0x28) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=41 >[000] C4 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... >[010] 00 10 00 00 00 00 00 00 00 FA 8C D6 C8 6F 11 5E ........ .....o.^ >[020] 08 FF FF 0F 60 00 00 00 00 ....`... . >get_sequence_for_reply: found seq = 29 mid = 16 >simple_packet_signature: sequence number 29 >client_check_incoming_message: seq 29: got good SMB signature of >[000] CA 08 F6 10 EC 86 FC AC ........ >size=96 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=16 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 40 (0x28) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 40 (0x28) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=41 >[000] C4 05 00 02 03 10 00 00 00 28 00 00 00 08 00 00 ........ .(...... >[010] 00 10 00 00 00 00 00 00 00 FA 8C D6 C8 6F 11 5E ........ .....o.^ >[020] 08 FF FF 0F 60 00 00 00 00 ....`... . 
>get_sequence_for_reply: found seq = 29 mid = 16 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0028 > 000a auth_len : 0000 > 000c call_id : 00000008 >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 00000010 > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >cli_pipe_validate_current_pdu: got pdu len 40, data_len 16, ss_len 0 >rpc_api_pipe: got PDU len of 40 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400e returned 32 bytes. >000000 net_io_r_auth_2 > 000000 smb_io_chal > 0000 data: fa 8c d6 c8 6f 11 5e 08 > 000008 net_io_neg_flags > 0008 neg_flags: 600fffff > 000c status: NT_STATUS_OK >creds_client_check: credentials check OK. >rpccli_netlogon_setup_creds: server norma.child03.eightad6.testing.com credential chain established. >simple_packet_signature: sequence number 30 >client_sign_outgoing_message: sent SMB signature of >[000] 20 B6 38 44 C0 8A 4D B1 .8D..M. 
>store_sequence_for_reply: stored seq = 31 mid = 17 >write_socket(15,108) >write_socket(15,108) wrote 108 >got smb length of 103 >size=103 >smb_com=0xa2 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=17 >smt_wct=34 >smb_vwv[ 0]= 255 (0xFF) >smb_vwv[ 1]= 103 (0x67) >smb_vwv[ 2]= 3840 (0xF00) >smb_vwv[ 3]= 320 (0x140) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 0 (0x0) >smb_vwv[11]= 0 (0x0) >smb_vwv[12]= 0 (0x0) >smb_vwv[13]= 0 (0x0) >smb_vwv[14]= 0 (0x0) >smb_vwv[15]= 0 (0x0) >smb_vwv[16]= 0 (0x0) >smb_vwv[17]= 0 (0x0) >smb_vwv[18]= 0 (0x0) >smb_vwv[19]= 0 (0x0) >smb_vwv[20]= 0 (0x0) >smb_vwv[21]=32768 (0x8000) >smb_vwv[22]= 0 (0x0) >smb_vwv[23]= 0 (0x0) >smb_vwv[24]= 16 (0x10) >smb_vwv[25]= 0 (0x0) >smb_vwv[26]= 0 (0x0) >smb_vwv[27]= 0 (0x0) >smb_vwv[28]= 0 (0x0) >smb_vwv[29]= 0 (0x0) >smb_vwv[30]= 0 (0x0) >smb_vwv[31]= 512 (0x200) >smb_vwv[32]=65280 (0xFF00) >smb_vwv[33]= 5 (0x5) >smb_bcc=0 >get_sequence_for_reply: found seq = 31 mid = 17 >simple_packet_signature: sequence number 31 >client_check_incoming_message: seq 31: got good SMB signature of >[000] 8A 64 4B 2E 06 E0 52 EE .dK...R. >Bind RPC Pipe[400f]: \NETLOGON auth_type 2, auth_level 6 >Bind Abstract Syntax: [000] 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB xV4.4... ...#Eg.. >[010] 01 00 00 00 .... >Bind Transfer Syntax: [000] 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 .]...... ....+.H` >[010] 02 00 00 00 .... 
>000000 smb_io_rpc_auth_schannel_neg schannel_neg > 0000 type1: 00000000 > 0004 type2: 00000003 >[000] 43 48 49 4C 44 30 33 CHILD03 >[000] 4D 4F 4E 4F 43 45 52 4F 53 MONOCERO S >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0b > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 006a > 000a auth_len : 001a > 000c call_id : 00000009 >000010 smb_io_rpc_hdr_rb > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 00000000 > 0018 num_contexts: 01 > 001c context_id : 0000 > 001e num_transfer_syntaxes: 01 > 00001f smb_io_rpc_iface > 000020 smb_io_uuid uuid > 0020 data : 12345678 > 0024 data : 1234 > 0026 data : abcd > 0028 data : ef 00 > 002a data : 01 23 45 67 cf fb > 0030 version: 00000001 > 000034 smb_io_rpc_iface > 000034 smb_io_uuid uuid > 0034 data : 8a885d04 > 0038 data : 1ceb > 003a data : 11c9 > 003c data : 9f e8 > 003e data : 08 00 2b 10 48 60 > 0044 version: 00000002 >000048 smb_io_rpc_hdr_auth hdr_auth > 0048 auth_type : 44 > 0049 auth_level : 06 > 004a auth_pad_len : 00 > 004b auth_reserved: 00 > 004c auth_context_id: 00000001 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f >size=188 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=18 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 106 (0x6A) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 106 (0x6A) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16399 (0x400F) >smb_bcc=121 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 0B 03 10 00 00 00 6A 00 1A 00 09 00 00 00 B8 .......j ........ 
>[020] 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 ........ .......x >[030] 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF FB 01 V4.4.... ..#Eg... >[040] 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B ....]... .......+ >[050] 10 48 60 02 00 00 00 44 06 00 00 01 00 00 00 00 .H`....D ........ >[060] 00 00 00 03 00 00 00 43 48 49 4C 44 30 33 00 4D .......C HILD03.M >[070] 4F 4E 4F 43 45 52 4F 53 00 ONOCEROS . >simple_packet_signature: sequence number 32 >client_sign_outgoing_message: sent SMB signature of >[000] C3 A6 54 6D C6 19 21 D6 ..Tm..!. >store_sequence_for_reply: stored seq = 33 mid = 18 >write_socket(15,192) >write_socket(15,192) wrote 192 >got smb length of 144 >size=144 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=18 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 88 (0x58) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 88 (0x58) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=89 >[000] 6A 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 j....... .X...... >[010] 00 B8 10 B8 10 6E 70 00 00 0C 00 5C 50 49 50 45 .....np. ...\PIPE >[020] 5C 6C 73 61 73 73 00 73 5B 01 00 00 00 00 00 00 \lsass.s [....... >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ >[050] 00 00 00 00 00 00 00 36 00 .......6 . 
>get_sequence_for_reply: found seq = 33 mid = 18 >simple_packet_signature: sequence number 33 >client_check_incoming_message: seq 33: got good SMB signature of >[000] 93 70 13 4A 33 52 26 5B .p.J3R&[ >size=144 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=18 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 88 (0x58) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 88 (0x58) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=89 >[000] 6A 05 00 0C 03 10 00 00 00 58 00 0C 00 09 00 00 j....... .X...... >[010] 00 B8 10 B8 10 6E 70 00 00 0C 00 5C 50 49 50 45 .....np. ...\PIPE >[020] 5C 6C 73 61 73 73 00 73 5B 01 00 00 00 00 00 00 \lsass.s [....... >[030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H >[040] 60 02 00 00 00 44 06 00 00 01 00 00 00 01 00 00 `....D.. ........ >[050] 00 00 00 00 00 00 00 36 00 .......6 . >get_sequence_for_reply: found seq = 33 mid = 18 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0058 > 000a auth_len : 000c > 000c call_id : 00000009 >rpc_api_pipe: got PDU len of 88 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f returned 88 bytes. >rpc_pipe_bind: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f bind request returned ok. 
>000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 0c > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 0058 > 000a auth_len : 000c > 000c call_id : 00000009 >000010 smb_io_rpc_hdr_ba > 000010 smb_io_rpc_hdr_bba > 0010 max_tsize: 10b8 > 0012 max_rsize: 10b8 > 0014 assoc_gid: 0000706e > 000018 smb_io_rpc_addr_str > 0018 len: 000c > 001a str: \PIPE\lsass. > 000026 smb_io_rpc_results > 0028 num_results: 01 > 002c result : 0000 > 002e reason : 0000 > 000030 smb_io_rpc_iface > 000030 smb_io_uuid uuid > 0030 data : 8a885d04 > 0034 data : 1ceb > 0036 data : 11c9 > 0038 data : 9f e8 > 003a data : 08 00 2b 10 48 60 > 0040 version: 00000002 >check_bind_response: accepted! >cli_rpc_pipe_open_schannel_with_key: opened pipe \NETLOGON to machine norma.child03.eightad6.testing.com for domain CHILD03 and bound using schannel. >simple_packet_signature: sequence number 34 >client_sign_outgoing_message: sent SMB signature of >[000] 0A 98 0C 75 41 4C 7A 90 ...uALz. >store_sequence_for_reply: stored seq = 35 mid = 19 >write_socket(15,45) >write_socket(15,45) wrote 45 >got smb length of 35 >size=35 >smb_com=0x4 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=19 >smt_wct=0 >smb_bcc=0 >get_sequence_for_reply: found seq = 35 mid = 19 >simple_packet_signature: sequence number 35 >client_check_incoming_message: seq 35: got good SMB signature of >[000] 7F DB 49 1F 4E AC 4A 5E ..I.N.J^ >cli_rpc_pipe_close: closed pipe \NETLOGON to machine norma.child03.eightad6.testing.com >000000 ds_io_q_enum_domain_trusts > 0000 server_ptr: 00000001 > 000004 smb_io_unistr2 server > 0004 uni_max_len: 00000023 > 0008 offset : 00000000 > 000c uni_str_len: 00000023 > 0010 buffer : n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
> 0058 flags: 00000003 >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 00a0 > 000a auth_len : 0020 > 000c call_id : 0000000a >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 0000005c > 0014 context_id: 0000 > 0016 opnum : 0028 >000078 smb_io_rpc_hdr_auth hdr_auth > 0078 auth_type : 44 > 0079 auth_level : 06 > 007a auth_pad_len : 04 > 007b auth_reserved: 00 > 007c auth_context_id: 00000001 >add_schannel_auth_footer: SCHANNEL seq_num=0 >SCHANNEL: schannel_encode seq_num=0 data_len=96 >000080 smb_io_rpc_auth_schannel_chk > 0080 sig : 77 00 7a 00 ff ff 00 00 > 0088 seq_num: fa e0 51 05 68 9d ef cb > 0090 packet_digest: 80 a3 8d fc b2 62 4d 96 > 0098 confounder: 4d af d4 78 41 ed cf eb >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f >size=242 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=20 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 160 (0xA0) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 160 (0xA0) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16399 (0x400F) >smb_bcc=175 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 A0 00 20 00 0A 00 00 00 5C ........ . .....\ >[020] 00 00 00 00 00 28 00 AD 30 D5 7C DE 84 55 07 8E .....(.. 0.|..U.. >[030] 36 EC 5E EF 17 C6 DB A7 3C 69 45 12 AA 6E 9F 71 6.^..... <iE..n.q >[040] 21 1A 23 3E 52 90 E1 10 57 95 93 3F C8 E3 91 7F !.#>R... W..?.... >[050] 82 C3 0A CD 1C 67 40 54 30 66 90 5A 07 31 F5 BA .....g@T 0f.Z.1.. 
>[060] 15 38 BE 99 0D D9 36 3C 5B 6D F0 51 5D CC 2A 3B .8....6< [m.Q].*; >[070] CF 7B 7B 32 CC 25 48 36 9D 30 57 CB 22 4E 8C 83 .{{2.%H6 .0W."N.. >[080] D1 A0 42 F8 FF 37 7D 44 06 04 00 01 00 00 00 77 ..B..7}D .......w >[090] 00 7A 00 FF FF 00 00 FA E0 51 05 68 9D EF CB 80 .z...... .Q.h.... >[0A0] A3 8D FC B2 62 4D 96 4D AF D4 78 41 ED CF EB ....bM.M ..xA... >simple_packet_signature: sequence number 36 >client_sign_outgoing_message: sent SMB signature of >[000] F7 1B 49 7D B1 A7 40 30 ..I}..@0 >store_sequence_for_reply: stored seq = 37 mid = 20 >write_socket(15,246) >write_socket(15,246) wrote 246 >got smb length of 472 >size=472 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=20 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 416 (0x1A0) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 416 (0x1A0) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=417 >[000] A0 05 00 02 03 10 00 00 00 A0 01 20 00 0A 00 00 ........ ... .... >[010] 00 5C 01 00 00 00 00 00 00 70 B3 A8 9C 66 F6 2D .\...... .p...f.- >[020] 0E E8 17 1B 8C A1 F5 50 4A 07 D7 73 09 F4 8B 64 .......P J..s...d >[030] F5 94 DF 6A A6 27 8E 8B 2F A0 8D 5F 43 C1 54 DB ...j.'.. /.._C.T. >[040] 28 CF 1B D2 54 77 89 04 AC CA 5C 66 0F 66 86 49 (...Tw.. ..\f.f.I >[050] 9A B1 57 D8 D2 5C 1E 0A 28 C1 92 86 FC 42 AC E2 ..W..\.. (....B.. >[060] 88 90 FA 63 51 32 0D B2 CC 86 BB 74 73 9C 41 82 ...cQ2.. ...ts.A. >[070] DD 23 DE F2 19 07 17 89 0F A4 BC 2E E5 E6 1E 77 .#...... .......w >[080] 06 51 50 95 3A 16 E7 43 3E 61 62 FE E9 02 64 CB .QP.:..C >ab...d. >[090] 6E 1F E7 51 B5 83 4C 77 72 02 E4 7A E7 EC 2C 6A n..Q..Lw r..z..,j >[0A0] E5 DD C9 94 F8 9B 07 AD 90 F2 8C 4B 28 A0 EB 94 ........ ...K(... >[0B0] 33 2C 46 CC AB C0 D5 33 F8 98 13 1C 01 11 51 AC 3,F....3 ......Q. >[0C0] 0F 57 8C 66 CE 9D 97 08 28 AD 55 B0 53 4C C9 23 .W.f.... 
(.U.SL.# >[0D0] 4D 06 B1 9C 8B 09 59 38 6A 9D 03 3E E1 1C 0F 07 M.....Y8 j..>.... >[0E0] 1F 6D 90 6E E4 1A 59 7E 50 C6 34 3D 46 88 51 6D .m.n..Y~ P.4=F.Qm >[0F0] 40 1E 0A 8D 5C 90 C6 78 3D 5B 74 5D 96 72 51 A8 @...\..x =[t].rQ. >[100] DB 06 B3 1B A7 39 5E 0C 6F BA FB 51 BF 55 9B FC .....9^. o..Q.U.. >[110] FD 1C B4 74 FE 41 3B 4D 90 B1 E0 6D 3C 1A 58 BE ...t.A;M ...m<.X. >[120] 7A DB 35 44 6A ED 96 DF DB 9F 1A 18 C9 CF DF 37 z.5Dj... .......7 >[130] C9 57 04 44 A3 C6 70 A4 46 8D C7 EC 78 73 C0 24 .W.D..p. F...xs.$ >[140] 98 7D 43 97 51 09 1C 44 E4 DA 29 E6 F2 6D DF 52 .}C.Q..D ..)..m.R >[150] 7D C5 74 CD 5C EC 16 1C AF 0E 22 EA 85 A0 19 89 }.t.\... .."..... >[160] CB EB 0C 8F D6 20 C3 B5 C9 2F 46 F0 A2 18 AE FE ..... .. ./F..... >[170] 76 1E C7 33 C4 10 59 19 C7 44 06 04 00 01 00 00 v..3..Y. .D...... >[180] 00 77 00 7A 00 FF FF 00 00 6D 84 11 31 7A 48 95 .w.z.... .m..1zH. >[190] B9 B6 26 BE 15 F7 DE D0 2F EF F1 43 FB CF 05 8B ..&..... /..C.... >[1A0] 26 & >get_sequence_for_reply: found seq = 37 mid = 20 >simple_packet_signature: sequence number 37 >client_check_incoming_message: seq 37: got good SMB signature of >[000] E1 47 A3 C1 9D DA 1D 44 .G.....D >size=472 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=20 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 416 (0x1A0) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 416 (0x1A0) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=417 >[000] A0 05 00 02 03 10 00 00 00 A0 01 20 00 0A 00 00 ........ ... .... >[010] 00 5C 01 00 00 00 00 00 00 70 B3 A8 9C 66 F6 2D .\...... .p...f.- >[020] 0E E8 17 1B 8C A1 F5 50 4A 07 D7 73 09 F4 8B 64 .......P J..s...d >[030] F5 94 DF 6A A6 27 8E 8B 2F A0 8D 5F 43 C1 54 DB ...j.'.. /.._C.T. >[040] 28 CF 1B D2 54 77 89 04 AC CA 5C 66 0F 66 86 49 (...Tw.. ..\f.f.I >[050] 9A B1 57 D8 D2 5C 1E 0A 28 C1 92 86 FC 42 AC E2 ..W..\.. 
(....B.. >[060] 88 90 FA 63 51 32 0D B2 CC 86 BB 74 73 9C 41 82 ...cQ2.. ...ts.A. >[070] DD 23 DE F2 19 07 17 89 0F A4 BC 2E E5 E6 1E 77 .#...... .......w >[080] 06 51 50 95 3A 16 E7 43 3E 61 62 FE E9 02 64 CB .QP.:..C >ab...d. >[090] 6E 1F E7 51 B5 83 4C 77 72 02 E4 7A E7 EC 2C 6A n..Q..Lw r..z..,j >[0A0] E5 DD C9 94 F8 9B 07 AD 90 F2 8C 4B 28 A0 EB 94 ........ ...K(... >[0B0] 33 2C 46 CC AB C0 D5 33 F8 98 13 1C 01 11 51 AC 3,F....3 ......Q. >[0C0] 0F 57 8C 66 CE 9D 97 08 28 AD 55 B0 53 4C C9 23 .W.f.... (.U.SL.# >[0D0] 4D 06 B1 9C 8B 09 59 38 6A 9D 03 3E E1 1C 0F 07 M.....Y8 j..>.... >[0E0] 1F 6D 90 6E E4 1A 59 7E 50 C6 34 3D 46 88 51 6D .m.n..Y~ P.4=F.Qm >[0F0] 40 1E 0A 8D 5C 90 C6 78 3D 5B 74 5D 96 72 51 A8 @...\..x =[t].rQ. >[100] DB 06 B3 1B A7 39 5E 0C 6F BA FB 51 BF 55 9B FC .....9^. o..Q.U.. >[110] FD 1C B4 74 FE 41 3B 4D 90 B1 E0 6D 3C 1A 58 BE ...t.A;M ...m<.X. >[120] 7A DB 35 44 6A ED 96 DF DB 9F 1A 18 C9 CF DF 37 z.5Dj... .......7 >[130] C9 57 04 44 A3 C6 70 A4 46 8D C7 EC 78 73 C0 24 .W.D..p. F...xs.$ >[140] 98 7D 43 97 51 09 1C 44 E4 DA 29 E6 F2 6D DF 52 .}C.Q..D ..)..m.R >[150] 7D C5 74 CD 5C EC 16 1C AF 0E 22 EA 85 A0 19 89 }.t.\... .."..... >[160] CB EB 0C 8F D6 20 C3 B5 C9 2F 46 F0 A2 18 AE FE ..... .. ./F..... >[170] 76 1E C7 33 C4 10 59 19 C7 44 06 04 00 01 00 00 v..3..Y. .D...... >[180] 00 77 00 7A 00 FF FF 00 00 6D 84 11 31 7A 48 95 .w.z.... .m..1zH. >[190] B9 B6 26 BE 15 F7 DE D0 2F EF F1 43 FB CF 05 8B ..&..... /..C.... 
>[1A0] 26 & >get_sequence_for_reply: found seq = 37 mid = 20 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 01a0 > 000a auth_len : 0020 > 000c call_id : 0000000a >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 0000015c > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >000178 smb_io_rpc_hdr_auth hdr_auth > 0178 auth_type : 44 > 0179 auth_level : 06 > 017a auth_pad_len : 04 > 017b auth_reserved: 00 > 017c auth_context_id: 00000001 >000180 smb_io_rpc_auth_schannel_chk > 0180 sig : 77 00 7a 00 ff ff 00 00 > 0188 seq_num: 6d 84 11 31 7a 48 95 b9 > 0190 packet_digest: b6 26 be 15 f7 de d0 2f > 0198 confounder: ef f1 43 fb cf 05 8b 26 >SCHANNEL: schannel_decode seq_num=1 data_len=352 >SCHANNEL: schannel_decode seq_num=1 data_len=352 >cli_pipe_validate_current_pdu: got pdu len 416, data_len 348, ss_len 4 >rpc_api_pipe: got PDU len of 416 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f returned 696 bytes. 
>000000 ds_io_r_enum_domain_trusts > 0000 num_domains: 00000002 > 000004 ds_io_dom_trusts_ctr domains > 0004 ptr: 00020000 > 0008 max_count: 00000002 > 00000c ds_io_dom_trusts_ctr domain_trusts > 000c netbios_ptr: 00020004 > 0010 dns_ptr: 00020008 > 0014 flags: 00000027 > 0018 parent_index: 00000000 > 001c trust_type: 00000002 > 0020 trust_attributes: 00000020 > 0024 sid_ptr: 0002000c > 000028 smb_io_uuid guid > 0028 data : 3bc437b2 > 002c data : 76c5 > 002e data : 4ebd > 0030 data : b2 c2 > 0032 data : bc 53 0c e4 9a 8a > 000038 ds_io_dom_trusts_ctr domain_trusts > 0038 netbios_ptr: 00020010 > 003c dns_ptr: 00020014 > 0040 flags: 00000019 > 0044 parent_index: 00000000 > 0048 trust_type: 00000002 > 004c trust_attributes: 00000000 > 0050 sid_ptr: 00020018 > 000054 smb_io_uuid guid > 0054 data : 051fb988 > 0058 data : d99f > 005a data : 42a3 > 005c data : 87 55 > 005e data : 7b c9 b4 d4 8a f3 > 000064 smb_io_unistr2 netbios_domain > 0064 uni_max_len: 00000009 > 0068 offset : 00000000 > 006c uni_str_len: 00000009 > 0070 buffer : E.I.G.H.T.A.D.6... > 000084 smb_io_unistr2 dns_domain > 0084 uni_max_len: 00000015 > 0088 offset : 00000000 > 008c uni_str_len: 00000015 > 0090 buffer : e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... > 0000bc smb_io_dom_sid2 sid > 00bc num_auths: 00000004 > 0000c0 smb_io_dom_sid sid > 00c0 sid_rev_num: 01 > 00c1 num_auths : 04 > 00c2 id_auth[0] : 00 > 00c3 id_auth[1] : 00 > 00c4 id_auth[2] : 00 > 00c5 id_auth[3] : 00 > 00c6 id_auth[4] : 00 > 00c7 id_auth[5] : 05 > 00c8 sub_auths : 00000015 09a80eae 763688c1 f72701f1 > 0000d8 smb_io_unistr2 netbios_domain > 00d8 uni_max_len: 00000008 > 00dc offset : 00000000 > 00e0 uni_str_len: 00000008 > 00e4 buffer : C.H.I.L.D.0.3... > 0000f4 smb_io_unistr2 dns_domain > 00f4 uni_max_len: 0000001d > 00f8 offset : 00000000 > 00fc uni_str_len: 0000001d > 0100 buffer : c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... 
> 00013c smb_io_dom_sid2 sid > 013c num_auths: 00000004 > 000140 smb_io_dom_sid sid > 0140 sid_rev_num: 01 > 0141 num_auths : 04 > 0142 id_auth[0] : 00 > 0143 id_auth[1] : 00 > 0144 id_auth[2] : 00 > 0145 id_auth[3] : 00 > 0146 id_auth[4] : 00 > 0147 id_auth[5] : 05 > 0148 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 > 0158 status: NT_STATUS_OK >refresh_sequence_number: CHILD03 time ok >refresh_sequence_number: CHILD03 seq number is now 13938 >Storing response for pid 25418, len 3390 >Storing extra data: len=150 >Destroying timed event 2aac341bb350 "async_request_timeout" >Retrieving response for pid 25418 >Retrieving extra data length=150 >[000] 45 49 47 48 54 41 44 36 5C 65 69 67 68 74 61 64 EIGHTAD6 \eightad >[010] 36 2E 74 65 73 74 69 6E 67 2E 63 6F 6D 5C 53 2D 6.testin g.com\S- >[020] 31 2D 35 2D 32 31 2D 31 36 32 30 30 38 37 35 30 1-5-21-1 62008750 >[030] 2D 31 39 38 33 32 38 35 34 34 31 2D 34 31 34 36 -1983285 441-4146 >[040] 35 32 38 37 35 33 0A 43 48 49 4C 44 30 33 5C 63 528753.C HILD03\c >[050] 68 69 6C 64 30 33 2E 65 69 67 68 74 61 64 36 2E hild03.e ightad6. >[060] 74 65 73 74 69 6E 67 2E 63 6F 6D 5C 53 2D 31 2D testing. com\S-1- >[070] 35 2D 32 31 2D 31 35 32 37 37 30 35 32 34 36 2D 5-21-152 7705246- >[080] 33 34 36 33 34 30 31 39 36 31 2D 32 35 39 34 33 34634019 61-25943 >[090] 32 39 33 35 32 00 29352. 
>Added domain EIGHTAD6 eightad6.testing.com S-1-5-21-162008750-1983285441-4146528753 >accepted socket 17 >process_request: request fn INTERFACE_VERSION >[25844]: request interface version >process_request: request fn WINBINDD_PRIV_PIPE_DIR >[25844]: request location of privileged pipe >accepted socket 18 >process_request: request fn AUTH_CRAP >[25844]: pam auth crap domain: [CHILD03] user: test >is_myname("CHILD03") returns 0 >Added timed event "async_request_timeout": 2aac341bd930 >run_events: Nothing to do >timed_events_timeout: 299/999991 >child daemon request 13 >process_request: request fn AUTH_CRAP >[25417]: pam auth crap domain: CHILD03 user: test >is_myname("CHILD03") returns 0 > sequence = 0x4b0d271f > seed: 5CE1F2DFC5A11FB8 > seed+seq 7B08002BC5A11FB8 > CLIENT 4C93A6EB2800C7A9 > seed+seq+1 7C08002BC5A11FB8 > SERVER E8730921C3343822 >cred_reseed: seed 7C08002BC5A11FB8 >init_id_info2: 1185 >make_logon_id: 1629 >init_sam_info: 1279 >make_clnt_info: 1544 >init_clnt_srv: 1389 >000000 net_io_q_sam_logon > 000000 smb_io_sam_info > 000000 smb_io_clnt_info2 > 000000 smb_io_clnt_srv > 0000 undoc_buffer : 00000001 > 000004 smb_io_unistr2 unistr2 > 0004 uni_max_len: 00000025 > 0008 offset : 00000000 > 000c uni_str_len: 00000025 > 0010 buffer : \.\.n.o.r.m.a...c.h.i.l.d.0.3...e.i.g.h.t.a.d.6...t.e.s.t.i.n.g...c.o.m... > 005c undoc_buffer2: 00000001 > 000060 smb_io_unistr2 unistr2 > 0060 uni_max_len: 0000000a > 0064 offset : 00000000 > 0068 uni_str_len: 0000000a > 006c buffer : M.O.N.O.C.E.R.O.S... 
> 0080 ptr_cred: 00000001 > 000084 smb_io_cred > 000084 smb_io_chal > 0084 data: 4c 93 a6 eb 28 00 c7 a9 > 00008c smb_io_utime > 008c time: 4b0d271f > 0090 ptr_rtn_cred : 00000001 > 000094 smb_io_cred > 000094 smb_io_chal > 0094 data: 00 00 00 00 00 00 00 00 > 00009c smb_io_utime > 009c time: 00000000 > 00a0 logon_level : 0002 > 0000a2 smb_io_sam_info_ctr logon_info > 00a2 switch_value : 0002 > 0000a4 net_io_id_info2 > 00a4 ptr_id_info2: 00000001 > 0000a8 smb_io_unihdr unihdr > 00a8 uni_str_len: 000e > 00aa uni_max_len: 000e > 00ac buffer : 00000001 > 00b0 param_ctrl: 00000820 > 0000b4 smb_io_logon_id > 00b4 low : 0000dead > 00b8 high: 0000beef > 0000bc smb_io_unihdr unihdr > 00bc uni_str_len: 0008 > 00be uni_max_len: 0008 > 00c0 buffer : 00000001 > 0000c4 smb_io_unihdr unihdr > 00c4 uni_str_len: 0016 > 00c6 uni_max_len: 0016 > 00c8 buffer : 00000001 > 00cc lm_chal: 06 a5 32 64 99 9c b0 06 > 0000d4 smb_io_strhdr hdr_nt_chal_resp > 00d4 str_str_len: 0018 > 00d6 str_max_len: 0018 > 00d8 buffer : 00000001 > 0000dc smb_io_strhdr hdr_lm_chal_resp > 00dc str_str_len: 0000 > 00de str_max_len: 0000 > 00e0 buffer : 00000000 > 0000e4 smb_io_unistr2 uni_domain_name > 00e4 uni_max_len: 00000007 > 00e8 offset : 00000000 > 00ec uni_str_len: 00000007 > 00f0 buffer : C.H.I.L.D.0.3. > 0000fe smb_io_unistr2 uni_user_name > 0100 uni_max_len: 00000004 > 0104 offset : 00000000 > 0108 uni_str_len: 00000004 > 010c buffer : t.e.s.t. > 000114 smb_io_unistr2 uni_wksta_name > 0114 uni_max_len: 0000000b > 0118 offset : 00000000 > 011c uni_str_len: 0000000b > 0120 buffer : \.\.M.O.N.O.C.E.R.O.S. > 000136 smb_io_string2 nt_chal_resp > 0138 str_max_len: 00000018 > 013c offset : 00000000 > 0140 str_str_len: 00000018 > 0144 buffer : T..n.lm...~`..;...,]-... 
> 00015c smb_io_string2 - NULL lm_chal_resp > 015c validation_level: 0003 >000000 smb_io_rpc_hdr hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 00 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 01a0 > 000a auth_len : 0020 > 000c call_id : 0000000b >000010 smb_io_rpc_hdr_req hdr_req > 0010 alloc_hint: 0000015e > 0014 context_id: 0000 > 0016 opnum : 0002 >000178 smb_io_rpc_hdr_auth hdr_auth > 0178 auth_type : 44 > 0179 auth_level : 06 > 017a auth_pad_len : 02 > 017b auth_reserved: 00 > 017c auth_context_id: 00000001 >add_schannel_auth_footer: SCHANNEL seq_num=2 >SCHANNEL: schannel_encode seq_num=2 data_len=352 >000180 smb_io_rpc_auth_schannel_chk > 0180 sig : 77 00 7a 00 ff ff 00 00 > 0188 seq_num: a0 ac ce e9 bc 62 83 ba > 0190 packet_digest: 1b 7f ec 8d 1f f4 a9 e1 > 0198 confounder: 4f f0 16 d8 04 af 99 bc >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f >size=498 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=8 >smb_flg2=51201 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=21 >smt_wct=16 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 416 (0x1A0) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 4280 (0x10B8) >smb_vwv[ 4]= 0 (0x0) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 0 (0x0) >smb_vwv[ 7]= 0 (0x0) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_vwv[10]= 82 (0x52) >smb_vwv[11]= 416 (0x1A0) >smb_vwv[12]= 82 (0x52) >smb_vwv[13]= 2 (0x2) >smb_vwv[14]= 38 (0x26) >smb_vwv[15]=16399 (0x400F) >smb_bcc=431 >[000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 05 .\.P.I.P .E.\.... >[010] 00 00 03 10 00 00 00 A0 01 20 00 0B 00 00 00 5E ........ . .....^ >[020] 01 00 00 00 00 02 00 9A E4 90 A7 B2 18 E5 14 DB ........ ........ >[030] 27 F0 95 50 48 15 8C 08 C1 CA 30 E6 22 2C A1 B8 '..PH... ..0.",.. >[040] 7A 04 D8 F6 95 10 14 6F 51 07 EA 0D 7A 87 62 80 z......o Q...z.b. >[050] 5F 12 75 22 56 33 7B C6 7F EF 23 CC 43 93 14 D9 _.u"V3{. ..#.C... 
>[060] 3F B7 54 BE 18 35 5F 71 EA 1F 81 CB E6 81 99 F7 ?.T..5_q ........ >[070] 86 A9 01 F5 C5 55 9F 6A 2F 18 53 E2 01 5C CF F6 .....U.j /.S..\.. >[080] 08 90 E6 24 AD D9 F7 5D 25 04 39 1D 3A B1 C5 11 ...$...] %.9.:... >[090] 48 49 44 10 F5 E6 1C 05 50 30 FF D9 41 20 62 60 HID..... P0..A b` >[0A0] 79 0A C6 4A 07 7C 93 F6 E2 BA 64 A5 A6 18 6C 86 y..J.|.. ..d...l. >[0B0] 40 28 31 5D 35 33 81 C6 F7 23 20 E1 2C 99 18 C2 @(1]53.. .# .,... >[0C0] C5 9C C2 93 9D 02 75 89 DB 43 8B 5D E0 B7 DF 22 ......u. .C.]..." >[0D0] 02 42 30 CA 45 D1 06 78 BB 8C 3D 12 75 91 14 4C .B0.E..x ..=.u..L >[0E0] C6 3C 15 31 EC F2 98 6F CF 3E 7D 72 6C 78 C0 79 .<.1...o .>}rlx.y >[0F0] BE 12 10 06 E9 D3 C4 C4 61 A9 6F A3 4A D0 05 94 ........ a.o.J... >[100] E1 17 6D CD 80 6F 29 8A 75 19 05 0B 02 05 CC 71 ..m..o). u......q >[110] 1A C4 03 C8 BC 1B 7C B6 8E 4C 24 FF 13 75 A3 C0 ......|. .L$..u.. >[120] 0C EA 68 30 23 DA BD 55 3E 3F 9F C0 8F D8 81 A0 ..h0#..U >?...... >[130] 09 C5 AC 68 88 8C 30 DE 85 0C EB BF D8 11 E1 43 ...h..0. .......C >[140] C3 8C 50 47 C0 7E B7 38 AD 98 BF 76 80 9D 03 B9 ..PG.~.8 ...v.... >[150] 26 1B 6B 68 C0 4F E1 A8 21 4B CD 4C 23 5C DB 8D &.kh.O.. !K.L#\.. >[160] 77 1E CF 1B 2A 52 A1 B0 CF DA 1B DB 42 2D 5F 5A w...*R.. ....B-_Z >[170] 66 49 A5 D8 0C 15 7B 17 C3 35 92 36 8A C7 B4 BA fI....{. .5.6.... >[180] 75 55 D1 24 59 3D 31 44 06 02 00 01 00 00 00 77 uU.$Y=1D .......w >[190] 00 7A 00 FF FF 00 00 A0 AC CE E9 BC 62 83 BA 1B .z...... ....b... >[1A0] 7F EC 8D 1F F4 A9 E1 4F F0 16 D8 04 AF 99 BC .......O ....... >simple_packet_signature: sequence number 38 >client_sign_outgoing_message: sent SMB signature of >[000] 28 08 63 4E B2 62 F1 18 (.cN.b.. 
>store_sequence_for_reply: stored seq = 39 mid = 21 >write_socket(15,502) >write_socket(15,502) wrote 502 >got smb length of 472 >size=472 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=21 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 416 (0x1A0) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 416 (0x1A0) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=417 >[000] A0 05 00 02 03 10 00 00 00 A0 01 20 00 0B 00 00 ........ ... .... >[010] 00 5C 01 00 00 00 00 00 00 41 05 9B 79 E2 70 0C .\...... .A..y.p. >[020] 30 09 47 18 5E 61 E6 F8 48 AE 3D 2A 87 09 77 B4 0.G.^a.. H.=*..w. >[030] A6 07 AF 41 01 89 3C 02 A1 BB 4B 23 4D E6 87 6B ...A..<. ..K#M..k >[040] 2A D4 0A 92 0C 87 49 F9 7B C1 4F 77 46 5E 43 34 *.....I. {.OwF^C4 >[050] 08 33 52 D1 10 E9 41 E0 2C F9 91 C5 FD 5C 6B A5 .3R...A. ,....\k. >[060] 36 BD 99 3B 9C 66 1F 7F D1 9E 85 7F 2A CF 94 38 6..;.f.. ....*..8 >[070] B4 52 F5 AA A9 61 9D 04 3B 57 DC 69 7B 3E 20 2E .R...a.. ;W.i{> . >[080] 45 2B BD 57 D6 40 9F BB 37 42 13 CC 63 CC 0A 01 E+.W.@.. 7B..c... >[090] D3 FD 8F E2 8A 1F 7A FB 89 C9 41 21 22 F0 64 BE ......z. ..A!".d. >[0A0] 2C 2F B5 FC C7 B8 CB B8 A7 63 F5 AC 2C EB 14 62 ,/...... .c..,..b >[0B0] E3 42 06 21 C2 9F 14 D1 5A 2F 6C 2B F3 0C C5 65 .B.!.... Z/l+...e >[0C0] 74 39 86 C0 84 14 A4 23 8A 74 06 4B 4A 44 C2 47 t9.....# .t.KJD.G >[0D0] A5 CB 22 CC 0F 5D 1B B3 80 8D 36 D4 30 7C 4A 64 .."..].. ..6.0|Jd >[0E0] 37 D9 2C DA 8D BF F1 43 98 86 B1 BB 1B A5 63 42 7.,....C ......cB >[0F0] 15 D4 C6 FF 85 34 89 18 F9 BA 33 89 CC FE 81 BF .....4.. ..3..... >[100] AB DA 31 22 05 BB 1C 5F B8 4B 23 E0 2D 96 96 67 ..1"..._ .K#.-..g >[110] A8 C0 A7 C7 82 6A 5A 90 F4 7B F5 55 49 B8 3D 89 .....jZ. .{.UI.=. >[120] BD A8 15 3E 15 53 C8 E8 97 D8 20 B0 0D 8B 70 C1 ...>.S.. .. ...p. >[130] A6 C7 D5 AB 01 F9 01 2E BC 10 FE 37 06 7F 4C C6 ........ ...7..L. 
>[140] D5 C7 6F E2 A0 86 34 EE D0 2F 6D 50 47 A8 4F 17 ..o...4. ./mPG.O. >[150] 2B CA 0D B5 E7 F0 D5 A8 A9 14 E1 29 C4 D2 96 1F +....... ...).... >[160] C3 60 B6 68 72 53 51 17 F9 22 1D 4F BE 15 05 95 .`.hrSQ. .".O.... >[170] 2F C7 B7 31 65 79 99 56 16 44 06 04 00 01 00 00 /..1ey.V .D...... >[180] 00 77 00 7A 00 FF FF 00 00 DE E1 B8 35 94 2B F7 .w.z.... ....5.+. >[190] 4A 58 AA C7 A6 62 22 10 A9 A4 E4 B1 5A C6 2A 1B JX...b". ....Z.*. >[1A0] 42 B >get_sequence_for_reply: found seq = 39 mid = 21 >simple_packet_signature: sequence number 39 >client_check_incoming_message: seq 39: got good SMB signature of >[000] 04 33 DB D7 8A 83 B3 02 .3...... >size=472 >smb_com=0x25 >smb_rcls=0 >smb_reh=0 >smb_err=0 >smb_flg=136 >smb_flg2=51205 >smb_tid=2052 >smb_pid=25418 >smb_uid=4097 >smb_mid=21 >smt_wct=10 >smb_vwv[ 0]= 0 (0x0) >smb_vwv[ 1]= 416 (0x1A0) >smb_vwv[ 2]= 0 (0x0) >smb_vwv[ 3]= 0 (0x0) >smb_vwv[ 4]= 56 (0x38) >smb_vwv[ 5]= 0 (0x0) >smb_vwv[ 6]= 416 (0x1A0) >smb_vwv[ 7]= 56 (0x38) >smb_vwv[ 8]= 0 (0x0) >smb_vwv[ 9]= 0 (0x0) >smb_bcc=417 >[000] A0 05 00 02 03 10 00 00 00 A0 01 20 00 0B 00 00 ........ ... .... >[010] 00 5C 01 00 00 00 00 00 00 41 05 9B 79 E2 70 0C .\...... .A..y.p. >[020] 30 09 47 18 5E 61 E6 F8 48 AE 3D 2A 87 09 77 B4 0.G.^a.. H.=*..w. >[030] A6 07 AF 41 01 89 3C 02 A1 BB 4B 23 4D E6 87 6B ...A..<. ..K#M..k >[040] 2A D4 0A 92 0C 87 49 F9 7B C1 4F 77 46 5E 43 34 *.....I. {.OwF^C4 >[050] 08 33 52 D1 10 E9 41 E0 2C F9 91 C5 FD 5C 6B A5 .3R...A. ,....\k. >[060] 36 BD 99 3B 9C 66 1F 7F D1 9E 85 7F 2A CF 94 38 6..;.f.. ....*..8 >[070] B4 52 F5 AA A9 61 9D 04 3B 57 DC 69 7B 3E 20 2E .R...a.. ;W.i{> . >[080] 45 2B BD 57 D6 40 9F BB 37 42 13 CC 63 CC 0A 01 E+.W.@.. 7B..c... >[090] D3 FD 8F E2 8A 1F 7A FB 89 C9 41 21 22 F0 64 BE ......z. ..A!".d. >[0A0] 2C 2F B5 FC C7 B8 CB B8 A7 63 F5 AC 2C EB 14 62 ,/...... .c..,..b >[0B0] E3 42 06 21 C2 9F 14 D1 5A 2F 6C 2B F3 0C C5 65 .B.!.... 
Z/l+...e >[0C0] 74 39 86 C0 84 14 A4 23 8A 74 06 4B 4A 44 C2 47 t9.....# .t.KJD.G >[0D0] A5 CB 22 CC 0F 5D 1B B3 80 8D 36 D4 30 7C 4A 64 .."..].. ..6.0|Jd >[0E0] 37 D9 2C DA 8D BF F1 43 98 86 B1 BB 1B A5 63 42 7.,....C ......cB >[0F0] 15 D4 C6 FF 85 34 89 18 F9 BA 33 89 CC FE 81 BF .....4.. ..3..... >[100] AB DA 31 22 05 BB 1C 5F B8 4B 23 E0 2D 96 96 67 ..1"..._ .K#.-..g >[110] A8 C0 A7 C7 82 6A 5A 90 F4 7B F5 55 49 B8 3D 89 .....jZ. .{.UI.=. >[120] BD A8 15 3E 15 53 C8 E8 97 D8 20 B0 0D 8B 70 C1 ...>.S.. .. ...p. >[130] A6 C7 D5 AB 01 F9 01 2E BC 10 FE 37 06 7F 4C C6 ........ ...7..L. >[140] D5 C7 6F E2 A0 86 34 EE D0 2F 6D 50 47 A8 4F 17 ..o...4. ./mPG.O. >[150] 2B CA 0D B5 E7 F0 D5 A8 A9 14 E1 29 C4 D2 96 1F +....... ...).... >[160] C3 60 B6 68 72 53 51 17 F9 22 1D 4F BE 15 05 95 .`.hrSQ. .".O.... >[170] 2F C7 B7 31 65 79 99 56 16 44 06 04 00 01 00 00 /..1ey.V .D...... >[180] 00 77 00 7A 00 FF FF 00 00 DE E1 B8 35 94 2B F7 .w.z.... ....5.+. >[190] 4A 58 AA C7 A6 62 22 10 A9 A4 E4 B1 5A C6 2A 1B JX...b". ....Z.*. 
>[1A0] 42 B >get_sequence_for_reply: found seq = 39 mid = 21 >000000 smb_io_rpc_hdr rpc_hdr > 0000 major : 05 > 0001 minor : 00 > 0002 pkt_type : 02 > 0003 flags : 03 > 0004 pack_type0: 10 > 0005 pack_type1: 00 > 0006 pack_type2: 00 > 0007 pack_type3: 00 > 0008 frag_len : 01a0 > 000a auth_len : 0020 > 000c call_id : 0000000b >000010 smb_io_rpc_hdr_resp rpc_hdr_resp > 0010 alloc_hint: 0000015c > 0014 context_id: 0000 > 0016 cancel_ct : 00 > 0017 reserved : 00 >000178 smb_io_rpc_hdr_auth hdr_auth > 0178 auth_type : 44 > 0179 auth_level : 06 > 017a auth_pad_len : 04 > 017b auth_reserved: 00 > 017c auth_context_id: 00000001 >000180 smb_io_rpc_auth_schannel_chk > 0180 sig : 77 00 7a 00 ff ff 00 00 > 0188 seq_num: de e1 b8 35 94 2b f7 4a > 0190 packet_digest: 58 aa c7 a6 62 22 10 a9 > 0198 confounder: a4 e4 b1 5a c6 2a 1b 42 >SCHANNEL: schannel_decode seq_num=3 data_len=352 >SCHANNEL: schannel_decode seq_num=3 data_len=352 >cli_pipe_validate_current_pdu: got pdu len 416, data_len 348, ss_len 4 >rpc_api_pipe: got PDU len of 416 at offset 0 >rpc_api_pipe: Remote machine norma.child03.eightad6.testing.com pipe \NETLOGON fnum 0x400f returned 696 bytes. 
>000000 net_io_r_sam_logon > 0000 buffer_creds: 00020000 > 000004 smb_io_cred > 000004 smb_io_chal > 0004 data: e8 73 09 21 c3 34 38 22 > 00000c smb_io_utime > 000c time: 00000000 > 0010 switch_value: 0003 > 000014 net_io_user_info3 > 0014 ptr_user_info : 00020004 > 000018 smb_io_time logon time > 0018 low : 00000000 > 001c high: 00000000 > 000020 smb_io_time logoff time > 0020 low : ffffffff > 0024 high: 7fffffff > 000028 smb_io_time kickoff time > 0028 low : ffffffff > 002c high: 7fffffff > 000030 smb_io_time last set time > 0030 low : 62aadb36 > 0034 high: 01ca6db9 > 000038 smb_io_time can change time > 0038 low : 62aadb36 > 003c high: 01ca6db9 > 000040 smb_io_time must change time > 0040 low : ffffffff > 0044 high: 7fffffff > 000048 smb_io_unihdr hdr_user_name > 0048 uni_str_len: 0008 > 004a uni_max_len: 000a > 004c buffer : 00020008 > 000050 smb_io_unihdr hdr_full_name > 0050 uni_str_len: 0000 > 0052 uni_max_len: 0000 > 0054 buffer : 00000000 > 000058 smb_io_unihdr hdr_logon_script > 0058 uni_str_len: 0000 > 005a uni_max_len: 0000 > 005c buffer : 00000000 > 000060 smb_io_unihdr hdr_profile_path > 0060 uni_str_len: 0000 > 0062 uni_max_len: 0000 > 0064 buffer : 00000000 > 000068 smb_io_unihdr hdr_home_dir > 0068 uni_str_len: 0000 > 006a uni_max_len: 0000 > 006c buffer : 00000000 > 000070 smb_io_unihdr hdr_dir_drive > 0070 uni_str_len: 0000 > 0072 uni_max_len: 0000 > 0074 buffer : 00000000 > 0078 logon_count : 0000 > 007a bad_pw_count : 0000 > 007c user_rid : 0000044f > 0080 group_rid : 00000201 > 0084 num_groups : 00000001 > 0088 buffer_groups : 0002000c > 008c user_flgs : 00000120 >dump_user_flgs > account has LOGON_EXTRA_SIDS > account has LOGON_NTLMV2_ENABLED > 0090 user_sess_key: 7f 95 a4 3c e0 e6 da fb e1 8b b8 e9 f5 dc a1 22 > 0000a0 smb_io_unihdr hdr_logon_srv > 00a0 uni_str_len: 000a > 00a2 uni_max_len: 000c > 00a4 buffer : 00020010 > 0000a8 smb_io_unihdr hdr_logon_dom > 00a8 uni_str_len: 000e > 00aa uni_max_len: 0010 > 00ac buffer : 00020014 > 00b0 
buffer_dom_id : 00020018 > 00b4 lm_sess_key: 9a de 3d d6 01 e8 98 ab > 00bc acct_flags : 00000210 >dump_acct_flags > account has ACB_NORMAL > account has ACB_PWNOEXP > 00c0 unkown: 00000000 > 00c4 unkown: 00000000 > 00c8 unkown: 00000000 > 00cc unkown: 00000000 > 00d0 unkown: 00000000 > 00d4 unkown: 00000000 > 00d8 unkown: 00000000 > 00dc num_other_sids: 00000000 > 00e0 buffer_other_sids: 00000000 > 0000e4 smb_io_unistr2 uni_user_name > 00e4 uni_max_len: 00000005 > 00e8 offset : 00000000 > 00ec uni_str_len: 00000004 > 00f0 buffer : t.e.s.t. > 0000f8 smb_io_unistr2 - NULL uni_full_name > 0000f8 smb_io_unistr2 - NULL uni_logon_script > 0000f8 smb_io_unistr2 - NULL uni_profile_path > 0000f8 smb_io_unistr2 - NULL uni_home_dir > 0000f8 smb_io_unistr2 - NULL uni_dir_drive > 00f8 num_groups2 : 00000001 > 0000fc smb_io_gid > 00fc g_rid: 00000201 > 0100 attr : 00000007 > 000104 smb_io_unistr2 uni_logon_srv > 0104 uni_max_len: 00000006 > 0108 offset : 00000000 > 010c uni_str_len: 00000005 > 0110 buffer : N.O.R.M.A. > 00011a smb_io_unistr2 uni_logon_dom > 011c uni_max_len: 00000008 > 0120 offset : 00000000 > 0124 uni_str_len: 00000007 > 0128 buffer : C.H.I.L.D.0.3. > 000136 smb_io_dom_sid2 > 0138 num_auths: 00000004 > 00013c smb_io_dom_sid sid > 013c sid_rev_num: 01 > 013d num_auths : 04 > 013e id_auth[0] : 00 > 013f id_auth[1] : 00 > 0140 id_auth[2] : 00 > 0141 id_auth[3] : 00 > 0142 id_auth[4] : 00 > 0143 id_auth[5] : 05 > 0144 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 > 0154 auth_resp : 00000001 > 0158 status : NT_STATUS_OK >creds_client_check: credentials check OK. 
>netsamlogon_cache_store: SID [S-1-5-21-1527705246-3463401961-2594329352-1103] >0000 timestamp: 4b0d2739 >000004 net_io_user_info3 > 0004 ptr_user_info : 00020004 > 000008 smb_io_time logon time > 0008 low : 00000000 > 000c high: 00000000 > 000010 smb_io_time logoff time > 0010 low : ffffffff > 0014 high: 7fffffff > 000018 smb_io_time kickoff time > 0018 low : ffffffff > 001c high: 7fffffff > 000020 smb_io_time last set time > 0020 low : 62aadb36 > 0024 high: 01ca6db9 > 000028 smb_io_time can change time > 0028 low : 62aadb36 > 002c high: 01ca6db9 > 000030 smb_io_time must change time > 0030 low : ffffffff > 0034 high: 7fffffff > 000038 smb_io_unihdr hdr_user_name > 0038 uni_str_len: 0008 > 003a uni_max_len: 000a > 003c buffer : 00020008 > 000040 smb_io_unihdr hdr_full_name > 0040 uni_str_len: 0000 > 0042 uni_max_len: 0000 > 0044 buffer : 00000000 > 000048 smb_io_unihdr hdr_logon_script > 0048 uni_str_len: 0000 > 004a uni_max_len: 0000 > 004c buffer : 00000000 > 000050 smb_io_unihdr hdr_profile_path > 0050 uni_str_len: 0000 > 0052 uni_max_len: 0000 > 0054 buffer : 00000000 > 000058 smb_io_unihdr hdr_home_dir > 0058 uni_str_len: 0000 > 005a uni_max_len: 0000 > 005c buffer : 00000000 > 000060 smb_io_unihdr hdr_dir_drive > 0060 uni_str_len: 0000 > 0062 uni_max_len: 0000 > 0064 buffer : 00000000 > 0068 logon_count : 0000 > 006a bad_pw_count : 0000 > 006c user_rid : 0000044f > 0070 group_rid : 00000201 > 0074 num_groups : 00000001 > 0078 buffer_groups : 0002000c > 007c user_flgs : 00000120 >dump_user_flgs > account has LOGON_EXTRA_SIDS > account has LOGON_NTLMV2_ENABLED > 0080 user_sess_key: 87 01 35 ab d6 9b 8f 91 6f 72 87 94 ce 42 d6 4e > 000090 smb_io_unihdr hdr_logon_srv > 0090 uni_str_len: 000a > 0092 uni_max_len: 000c > 0094 buffer : 00020010 > 000098 smb_io_unihdr hdr_logon_dom > 0098 uni_str_len: 000e > 009a uni_max_len: 0010 > 009c buffer : 00020014 > 00a0 buffer_dom_id : 00020018 > 00a4 lm_sess_key: 62 4a ac 41 37 95 cd c1 > 00ac acct_flags : 00000210 
>dump_acct_flags > account has ACB_NORMAL > account has ACB_PWNOEXP > 00b0 unkown: 00000000 > 00b4 unkown: 00000000 > 00b8 unkown: 00000000 > 00bc unkown: 00000000 > 00c0 unkown: 00000000 > 00c4 unkown: 00000000 > 00c8 unkown: 00000000 > 00cc num_other_sids: 00000000 > 00d0 buffer_other_sids: 00000000 > 0000d4 smb_io_unistr2 uni_user_name > 00d4 uni_max_len: 00000005 > 00d8 offset : 00000000 > 00dc uni_str_len: 00000004 > 00e0 buffer : t.e.s.t. > 0000e8 smb_io_unistr2 - NULL uni_full_name > 0000e8 smb_io_unistr2 - NULL uni_logon_script > 0000e8 smb_io_unistr2 - NULL uni_profile_path > 0000e8 smb_io_unistr2 - NULL uni_home_dir > 0000e8 smb_io_unistr2 - NULL uni_dir_drive > 00e8 num_groups2 : 00000001 > 0000ec smb_io_gid > 00ec g_rid: 00000201 > 00f0 attr : 00000007 > 0000f4 smb_io_unistr2 uni_logon_srv > 00f4 uni_max_len: 00000006 > 00f8 offset : 00000000 > 00fc uni_str_len: 00000005 > 0100 buffer : N.O.R.M.A. > 00010a smb_io_unistr2 uni_logon_dom > 010c uni_max_len: 00000008 > 0110 offset : 00000000 > 0114 uni_str_len: 00000007 > 0118 buffer : C.H.I.L.D.0.3. > 000126 smb_io_dom_sid2 > 0128 num_auths: 00000004 > 00012c smb_io_dom_sid sid > 012c sid_rev_num: 01 > 012d num_auths : 04 > 012e id_auth[0] : 00 > 012f id_auth[1] : 00 > 0130 id_auth[2] : 00 > 0131 id_auth[3] : 00 > 0132 id_auth[4] : 00 > 0133 id_auth[5] : 05 > 0134 sub_auths : 00000015 5b0eee9e ce6f51e9 9aa25308 >netsamlogon_clear_cached_user: clearing U/S-1-5-21-1527705246-3463401961-2594329352-1103 >netsamlogon_clear_cached_user: clearing UG/S-1-5-21-1527705246-3463401961-2594329352-1103 >NTLM CRAP authentication for user [CHILD03]\[test] returned NT_STATUS_OK (PAM: 0) >Storing response for pid 25418, len 3240 >Destroying timed event 2aac341bd930 "async_request_timeout" >Retrieving response for pid 25418