/* packet-dcerpc-samr.c
* Routines for SMB \PIPE\samr packet disassembly
- * Copyright 2001, Tim Potter <tpot@samba.org>
+ * Copyright 2001,2003 Tim Potter <tpot@samba.org>
* 2002 Added all command dissectors Ronnie Sahlberg
*
- * $Id: packet-dcerpc-samr.c,v 1.57 2002/08/28 21:00:10 jmayer Exp $
+ * $Id: packet-dcerpc-samr.c,v 1.85 2003/04/28 04:44:53 tpot Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
#include "config.h"
#endif
-#ifdef NEED_SNPRINTF_H
-# include "snprintf.h"
-#endif
-
#include <glib.h>
#include <epan/packet.h>
#include <string.h>
+#include "prefs.h"
#include "packet-dcerpc.h"
#include "packet-dcerpc-nt.h"
#include "packet-dcerpc-samr.h"
#include "packet-dcerpc-lsa.h"
#include "smb.h" /* for "NT_errors[]" */
#include "packet-smb-common.h"
+#include "crypt-md4.h"
+#include "crypt-rc4.h"
+
+#ifdef NEED_SNPRINTF_H
+# include "snprintf.h"
+#endif
static int proto_dcerpc_samr = -1;
static int hf_samr_controller = -1;
static int hf_samr_access = -1;
static int hf_samr_access_granted = -1;
-static int hf_samr_mask = -1;
static int hf_samr_crypt_password = -1;
static int hf_samr_crypt_hash = -1;
static int hf_samr_lm_change = -1;
+static int hf_samr_lm_passchange_block = -1;
+static int hf_samr_nt_passchange_block = -1;
+static int hf_samr_nt_passchange_block_decrypted = -1;
+static int hf_samr_nt_passchange_block_newpass = -1;
+static int hf_samr_nt_passchange_block_newpass_len = -1;
+static int hf_samr_nt_passchange_block_pseudorandom = -1;
+static int hf_samr_lm_verifier = -1;
+static int hf_samr_nt_verifier = -1;
static int hf_samr_attrib = -1;
static int hf_samr_max_pwd_age = -1;
static int hf_samr_min_pwd_age = -1;
static int hf_samr_unknown_string = -1;
static int hf_samr_unknown_time = -1;
-/* these are used by functions in packet-dcerpc-nt.c */
-int hf_nt_str_len = -1;
-int hf_nt_str_off = -1;
-int hf_nt_str_max_len = -1;
-int hf_nt_string_length = -1;
-int hf_nt_string_size = -1;
static int hf_nt_acct_ctrl = -1;
static int hf_nt_acb_disabled = -1;
static int hf_nt_acb_homedirreq = -1;
static guint16 ver_dcerpc_samr = 1;
+/* Configuration variables */
+static char *nt_password = NULL;
+
/* Dissect connect specific access rights */
static gint hf_access_connect_unknown_01 = -1;
tvb, offset, 4, access);
}
+struct access_mask_info samr_connect_access_mask_info = {
+ "SAMR connect",
+ specific_rights_connect
+};
+
/* Dissect domain specific access rights */
static gint hf_access_domain_lookup_info1 = -1;
static gint hf_access_domain_create_user = -1;
static gint hf_access_domain_create_group = -1;
static gint hf_access_domain_create_alias = -1;
-static gint hf_access_domain_unknown_80 = -1;
+static gint hf_access_domain_lookup_alias_by_mem = -1;
static gint hf_access_domain_enum_accounts = -1;
static gint hf_access_domain_open_account = -1;
static gint hf_access_domain_set_info3 = -1;
tvb, offset, 4, access);
proto_tree_add_boolean(
- tree, hf_access_domain_unknown_80,
+ tree, hf_access_domain_lookup_alias_by_mem,
tvb, offset, 4, access);
proto_tree_add_boolean(
tvb, offset, 4, access);
}
+struct access_mask_info samr_domain_access_mask_info = {
+ "SAMR domain",
+ specific_rights_domain
+};
+
/* Dissect user specific access rights */
static gint hf_access_user_get_name_etc = -1;
tvb, offset, 4, access);
}
+struct access_mask_info samr_user_access_mask_info = {
+ "SAMR user",
+ specific_rights_user
+};
+
/* Dissect alias specific access rights */
static gint hf_access_alias_add_member = -1;
tvb, offset, 4, access);
}
+struct access_mask_info samr_alias_access_mask_info = {
+ "SAMR alias",
+ specific_rights_alias
+};
+
/* Dissect group specific access rights */
static gint hf_access_group_lookup_info = -1;
tvb, offset, 4, access);
}
+struct access_mask_info samr_group_access_mask_info = {
+ "SAMR group",
+ specific_rights_group
+};
+
int
-dissect_ndr_nt_SID(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+dissect_ndr_nt_SID(tvbuff_t *tvb, int offset, packet_info *pinfo,
+ proto_tree *tree, char *drep)
{
- dcerpc_info *di;
+ dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
+ dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
+ char *sid_str;
- di=pinfo->private_data;
if(di->conformant_run){
/* just a run to handle conformant arrays, no scalars to dissect */
return offset;
/* the SID contains a conformant array, first we must eat
the 4-byte max_count before we can hand it off */
+
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_count, NULL);
- offset = dissect_nt_sid(tvb, offset, tree, "Domain");
+ offset = dissect_nt_sid(tvb, offset, tree, "Domain", &sid_str);
+
+ dcv->private_data = sid_str;
+
return offset;
}
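Review bot: `sid_str` is declared without an initialiser and then stored in `dcv->private_data`, so if dissect_nt_sid() can return without writing through its new out-parameter (its body is not shown here), a stale pointer is later formatted by append_sid_col_info and by the OpenDomain reply dissector. Declaring it as `char *sid_str = NULL;` lets both readers take their existing fallback path; the declaration sits in the preceding hunk of this function. A comment stating who owns the string would also help: if dissect_nt_sid() allocates it, each re-dissection overwrites `dcv->private_data` and the earlier copy is presumably never freed. Because this helper is not static, it now overwrites `private_data` for every call that carries a SID, not only OpenDomain.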
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_SID, NDR_POINTER_UNIQUE,
- "SID pointer", -1, 1);
+ "SID pointer", -1);
return offset;
}
if (check_col(pinfo->cinfo, COL_INFO))
col_append_fstr(pinfo->cinfo, COL_INFO, ", rid 0x%x", rid);
- dcv->private_data = (void *)rid;
+ dcv->private_data = GINT_TO_POINTER(rid);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
+ dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
+ guint32 rid = GPOINTER_TO_INT(dcv->private_data);
+ char *pol_name;
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, &policy_hnd, TRUE, FALSE);
- dcerpc_smb_store_pol_name(&policy_hnd, "OpenUser handle");
+ if (rid)
+ pol_name = g_strdup_printf("OpenUser(rid 0x%x)", rid);
+ else
+ pol_name = g_strdup("OpenUser handle");
+
+ dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
+
+ g_free(pol_name);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
return offset;
}
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
di->hf_index, 0);
return offset;
}
-static int
-samr_dissect_pointer_UNICODE_STRING(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- dcerpc_info *di;
-
- di=pinfo->private_data;
- if(di->conformant_run){
- /*just a run to handle conformant arrays, nothing to dissect */
- return offset;
- }
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- di->hf_index, di->levels);
- return offset;
-}
-
static int
samr_dissect_pointer_short(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ guint16 level;
+ guint32 start_idx;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
- hf_samr_start_idx, NULL);
+ hf_samr_start_idx, &start_idx);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_max_entries, NULL);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_pref_maxsize, NULL);
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(
+ pinfo->cinfo, COL_INFO, ", level %d, start_idx %d",
+ level, start_idx);
+
return offset;
}
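Review bot: `level` and `start_idx` are passed to col_append_fstr() without ever being initialised, so they are only defined if dissect_ndr_uint16() and dissect_ndr_uint32() write through the pointer on every path, which cannot be confirmed from this hunk. `guint16 level = 0;` and `guint32 start_idx = 0;` are the safer declarations. `start_idx` is a guint32 printed with `%d`; `%u` matches the type. The same uninitialised `level` pattern recurs in the later hunks that add `guint16 level;` ahead of a `", level %d"` column append. The function's signature starts outside this hunk.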
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_rid, NULL);
offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_full_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_desc, 0);
proto_item_set_len(item, offset-old_offset);
hf_samr_count, &count);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_USER_DISPINFO_1_ARRAY_users, NDR_POINTER_PTR,
- "USER_DISPINFO_1_ARRAY", -1, 0);
+ "USER_DISPINFO_1_ARRAY", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_rid, NULL);
offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_desc, 0);
proto_item_set_len(item, offset-old_offset);
hf_samr_count, &count);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_USER_DISPINFO_2_ARRAY_users, NDR_POINTER_PTR,
- "USER_DISPINFO_2_ARRAY", -1, 0);
+ "USER_DISPINFO_2_ARRAY", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
}
-
-
-
-
static int
samr_dissect_GROUP_DISPINFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_rid, NULL);
offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_desc, 0);
proto_item_set_len(item, offset-old_offset);
hf_samr_count, &count);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_GROUP_DISPINFO_ARRAY_groups, NDR_POINTER_PTR,
- "GROUP_DISPINFO_ARRAY", -1, 0);
+ "GROUP_DISPINFO_ARRAY", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_rid, NULL);
offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- hf_samr_acct_desc,0 );
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
+ hf_samr_acct_desc, 0);
proto_item_set_len(item, offset-old_offset);
return offset;
hf_samr_count, &count);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_ASCII_DISPINFO_ARRAY_users, NDR_POINTER_PTR,
- "ACSII_DISPINFO_ARRAY", -1, 0);
+ "ACSII_DISPINFO_ARRAY", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Total Size", hf_samr_total_size, 0);
+ "Total Size", hf_samr_total_size);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Returned Size", hf_samr_ret_size, 0);
+ "Returned Size", hf_samr_ret_size);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_DISPLAY_INFO, NDR_POINTER_REF,
- "DISPLAY_INFO:", -1, 0);
+ "DISPLAY_INFO:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
proto_tree *tree,
char *drep)
{
+ guint16 level;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
+
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
return offset;
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Index", hf_samr_index, 0);
+ "Index", hf_samr_index);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_PASSWORD_INFO, NDR_POINTER_REF,
- "PASSWORD_INFO:", -1, 0);
+ "PASSWORD_INFO:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
return offset;
}
-
-
-static int
-samr_dissect_connect2_server(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, -1,
- "Server");
- tree = proto_item_add_subtree(item, ett_samr_server);
- }
-
- offset = dissect_ndr_nt_UNICODE_STRING_str(tvb, offset, pinfo,
- tree, drep);
-
- proto_item_set_len(item, offset-old_offset);
- return offset;
-}
-
static int
samr_dissect_connect2_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_connect2_server, NDR_POINTER_UNIQUE,
- "Server", hf_samr_server, 1);
+ offset = dissect_ndr_pointer_cb(
+ tvb, offset, pinfo, tree, drep,
+ dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
+ "Server", hf_samr_server, cb_wstr_postprocess,
+ GINT_TO_POINTER(CB_STR_COL_INFO | CB_STR_SAVE | 1));
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_access,
- specific_rights_connect);
+ &samr_connect_access_mask_info);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_connect2_server, NDR_POINTER_UNIQUE,
- "Server", hf_samr_server, 1);
+ offset = dissect_ndr_pointer_cb(
+ tvb, offset, pinfo, tree, drep,
+ dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
+ "Server", hf_samr_server, cb_wstr_postprocess,
+ GINT_TO_POINTER(CB_STR_COL_INFO | 1));
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_unknown_long, NULL);
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_access,
- specific_rights_connect);
+ &samr_connect_access_mask_info);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
+ dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
-
+ char *server = (char *)dcv->private_data, *pol_name;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, &policy_hnd, TRUE, FALSE);
- dcerpc_smb_store_pol_name(&policy_hnd, "Connect2 handle");
+ if (server)
+ pol_name = g_strdup_printf("Connect2(%s)", server);
+ else
+ pol_name = g_strdup("Connect2 handle");
+
+ dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
+
+ g_free(pol_name);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
hf_samr_count, &count);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_USER_GROUP_ARRAY_groups, NDR_POINTER_UNIQUE,
- "USER_GROUP_ARRAY", -1, 0);
+ "USER_GROUP_ARRAY", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_USER_GROUP_ARRAY, NDR_POINTER_UNIQUE,
- "USER_GROUP_ARRAY", -1, 0);
+ "USER_GROUP_ARRAY", -1);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_USER_GROUP_ARRAY_ptr, NDR_POINTER_REF,
- "USER_GROUP_ARRAY:", -1, 0);
+ "USER_GROUP_ARRAY:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
}
+static void append_sid_col_info(packet_info *pinfo, proto_tree *tree _U_,
+ proto_item *item _U_, tvbuff_t *tvb _U_,
+ int start_offset _U_, int end_offset _U_,
+ void *callback_args _U_)
+{
+ dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
+ dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
+ char *sid_str = dcv->private_data;
+
+ if (sid_str && check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", %s", sid_str);
+}
static int
samr_dissect_open_domain_rqst(tvbuff_t *tvb, int offset,
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_access,
- specific_rights_domain);
+ &samr_domain_access_mask_info);
+
+ offset = dissect_ndr_pointer_cb(
+ tvb, offset, pinfo, tree, drep, dissect_ndr_nt_SID,
+ NDR_POINTER_REF, "SID:", -1, append_sid_col_info, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_SID, NDR_POINTER_REF,
- "SID:", -1, 0);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
+ dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
+ char *pol_name, *sid_str = (char *)dcv->private_data;
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, &policy_hnd, TRUE, FALSE);
- dcerpc_smb_store_pol_name(&policy_hnd, "OpenDomain handle");
+ if (sid_str)
+ pol_name = g_strdup_printf("OpenDomain(%s)", sid_str);
+ else
+ pol_name = g_strdup("OpenDomain handle");
+
+ dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
+
+ g_free(pol_name);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_short, NDR_POINTER_REF,
- "unknown short", hf_samr_unknown_short, 0);
+ "unknown short", hf_samr_unknown_short);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
- "Account Name", hf_samr_acct_name, 0);
+ dissect_ndr_counted_string_ptr, NDR_POINTER_REF,
+ "Account Name", hf_samr_acct_name);
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_access,
- specific_rights_alias);
+ &samr_alias_access_mask_info);
return offset;
}
packet_info *pinfo,
proto_tree *tree, char *drep)
{
+ guint16 level;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
- tree, drep,
- hf_samr_acct_name, 0);
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
+ tree, drep, hf_samr_acct_name, 0);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_rid, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
- tree, drep,
- hf_samr_acct_desc, 0);
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
+ tree, drep, hf_samr_acct_desc, 0);
return offset;
}
tvb, offset, pinfo, tree, drep);
break;
case 2:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
- tree, drep,
- hf_samr_acct_name, 0);
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
+ tree, drep, hf_samr_acct_name, 0);
break;
case 3:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
- tree, drep,
- hf_samr_acct_desc, 0);
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
+ tree, drep, hf_samr_acct_desc, 0);
break;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_ALIAS_INFO, NDR_POINTER_UNIQUE,
- "ALIAS_INFO", -1, 0);
+ "ALIAS_INFO", -1);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_ALIAS_INFO_ptr, NDR_POINTER_REF,
- "ALIAS_INFO:", -1, 0);
+ "ALIAS_INFO:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ guint16 level;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_ALIAS_INFO, NDR_POINTER_REF,
- "ALIAS_INFO:", -1, 0);
+ "ALIAS_INFO:", -1);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_ALIAS_INFO_ptr, NDR_POINTER_REF,
- "ALIAS_INFO", -1, 0);
+ "ALIAS_INFO", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
packet_info *pinfo _U_, proto_tree *tree,
char *drep _U_)
{
+ dcerpc_info *di;
+
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /* just a run to handle conformant arrays, no scalars to dissect */
+ return offset;
+ }
+
proto_tree_add_item(tree, hf_samr_crypt_password, tvb, offset, 516,
- FALSE);
+ TRUE);
offset += 516;
return offset;
}
packet_info *pinfo _U_, proto_tree *tree,
char *drep _U_)
{
+ dcerpc_info *di;
+
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /* just a run to handle conformant arrays, no scalars to dissect */
+ return offset;
+ }
+
proto_tree_add_item(tree, hf_samr_crypt_hash, tvb, offset, 16,
- FALSE);
+ TRUE);
+ offset += 16;
+ return offset;
+}
+
+#define NT_BLOCK_SIZE 516
+
+static void
+samr_dissect_decrypted_NT_PASSCHANGE_BLOCK(tvbuff_t *tvb, int offset,
+ packet_info *pinfo _U_, proto_tree *tree,
+ char *drep _U_)
+{
+ guint32 new_password_len = 0;
+ guint32 pseudorandom_len = 0;
+ const char *printable_password;
+ guint16 bc;
+ int result_length;
+
+ /* The length of the new password is represented in the last four
+ octets of the decrypted buffer. Since the password length cannot
+ exceed 512, we can check the contents of those bytes to determine
+ if decryption was successful. If the decrypted contents of those
+ four bytes is less than 512, then there is a 99% chance that
+ we decrypted the buffer successfully. Of course, this isn't good
+ enough for a security application, (NT uses the "verifier" field
+ to come to the same conclusion), but it should be good enough for
+ our dissector. */
+
+ new_password_len = tvb_get_letohl(tvb, 512);
+
+ if (new_password_len <= 512)
+ {
+ /* Decryption successful */
+ proto_tree_add_text (tree, tvb, offset, -1,
+ "Decryption of NT Password Encrypted block successful");
+
+ /* Whatever is before the password is pseudorandom data. We calculate
+ the length by examining the password length (at the end), and working
+ backward */
+ pseudorandom_len = NT_BLOCK_SIZE - new_password_len - 4;
+
+ /* Pseudorandom data padding up to password */
+ proto_tree_add_item(tree, hf_samr_nt_passchange_block_pseudorandom,
+ tvb, offset, pseudorandom_len, TRUE);
+ offset += pseudorandom_len;
+
+ /* The new password itself */
+ bc = new_password_len;
+ printable_password = get_unicode_or_ascii_string(tvb, &offset,
+ TRUE,
+ &result_length,
+ FALSE, TRUE, &bc);
+ proto_tree_add_string(tree, hf_samr_nt_passchange_block_newpass,
+ tvb, offset, result_length,
+ printable_password);
+ offset += new_password_len;
+
+ /* Length of password */
+ proto_tree_add_item(tree, hf_samr_nt_passchange_block_newpass_len,
+ tvb, offset, 4, TRUE);
+ }
+ else
+ {
+ /* Decryption failure. Just show the encrypted block */
+ proto_tree_add_text (tree, tvb, offset, -1,
+ "Decryption of NT Passchange block failed");
+
+ proto_tree_add_item(tree, hf_samr_nt_passchange_block_decrypted, tvb,
+ offset, NT_BLOCK_SIZE, TRUE);
+ }
+}
+
+static int
+samr_dissect_NT_PASSCHANGE_BLOCK(tvbuff_t *tvb, int offset,
+ packet_info *pinfo _U_, proto_tree *tree,
+ char *drep _U_)
+{
+ dcerpc_info *di;
+ size_t password_len;
+ unsigned char *password_unicode;
+ size_t password_len_unicode;
+ unsigned char password_md4_hash[16];
+ guint8 *block;
+ tvbuff_t *decr_tvb; /* Used to store decrypted buffer */
+ rc4_state_struct rc4_state;
+ guint i;
+
+ /* This implements the the algorithm discussed in lkcl -"DCE/RPC
+ over SMB" page 257. Note that this code does not properly support
+ Unicode. */
+
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /* just a run to handle conformant arrays, no scalars to dissect */
+ return offset;
+ }
+
+ /* Put in a protocol tree entry for the encrypted block. */
+ proto_tree_add_text(tree, tvb, offset, NT_BLOCK_SIZE,
+ "Encrypted NT Password Block");
+
+ if (nt_password[0] != '\0') {
+ /* We have an NT password, so we can decrypt the password
+ change block. */
+
+ /* Convert the password provided in the Ethereal GUI to Unicode
+ (UCS-2). Since the input is always ASCII, we can just fake
+ it and pad every other byte with a NUL. If we ever support
+ UTF-8 in the GUI, we would have to perform a real UTF-8 to
+ UCS-2 conversion */
+ password_len = strlen(nt_password);
+ password_len_unicode = password_len*2;
+ password_unicode = g_malloc(password_len_unicode);
+ for (i = 0; i < password_len; i++) {
+ password_unicode[i*2] = nt_password[i];
+ password_unicode[i*2+1] = 0;
+ }
+
+ /* Run MD4 against the resulting Unicode password. This will
+ be used to perform RC4 decryption on the password change
+ block. Then free the Unicode password, as we're done
+ with it. */
+ crypt_md4(password_md4_hash, password_unicode,
+ password_len_unicode);
+ g_free(password_unicode);
+
+ /* Copy the block into a temporary buffer so we can decrypt
+ it */
+ block = g_malloc(NT_BLOCK_SIZE);
+ memset(block, 0, NT_BLOCK_SIZE);
+ tvb_memcpy(tvb, block, offset, NT_BLOCK_SIZE);
+
+ /* RC4 decrypt the block with the old NT password hash */
+ crypt_rc4_init(&rc4_state, password_md4_hash, 16);
+ crypt_rc4(&rc4_state, block, NT_BLOCK_SIZE);
+
+ /* Show the decrypted buffer in a new window */
+ decr_tvb = tvb_new_real_data(block, NT_BLOCK_SIZE,
+ NT_BLOCK_SIZE);
+ tvb_set_free_cb(decr_tvb, g_free);
+ tvb_set_child_real_data_tvbuff(tvb, decr_tvb);
+ add_new_data_source(pinfo, decr_tvb,
+ "Decrypted NT Password Block");
+
+ /* Dissect the decrypted block */
+ samr_dissect_decrypted_NT_PASSCHANGE_BLOCK(decr_tvb, 0, pinfo,
+ tree, drep);
+ }
+ offset += NT_BLOCK_SIZE;
+ return offset;
+}
+
+static int
+samr_dissect_LM_PASSCHANGE_BLOCK(tvbuff_t *tvb, int offset,
+ packet_info *pinfo _U_, proto_tree *tree,
+ char *drep _U_)
+{
+ dcerpc_info *di;
+
+ /* Right now, this just dumps the output. In the long term, we can use
+ the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
+ actually decrypt the block */
+
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /* just a run to handle conformant arrays, no scalars to dissect */
+ return offset;
+ }
+
+ proto_tree_add_item(tree, hf_samr_lm_passchange_block, tvb, offset,
+ 516, TRUE);
+ offset += 516;
+ return offset;
+}
+
+static int
+samr_dissect_LM_VERIFIER(tvbuff_t *tvb, int offset,
+ packet_info *pinfo _U_, proto_tree *tree,
+ char *drep _U_)
+{
+ dcerpc_info *di;
+
+ /* Right now, this just dumps the output. In the long term, we can use
+ the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
+ actually validate the verifier */
+
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /* just a run to handle conformant arrays, no scalars to dissect */
+ return offset;
+ }
+
+ proto_tree_add_item(tree, hf_samr_lm_verifier, tvb, offset, 16,
+ TRUE);
+ offset += 16;
+ return offset;
+}
+
+
+static int
+samr_dissect_NT_VERIFIER(tvbuff_t *tvb, int offset,
+ packet_info *pinfo _U_, proto_tree *tree,
+ char *drep _U_)
+{
+ dcerpc_info *di;
+
+ /* Right now, this just dumps the output. In the long term, we can use
+ the algorithm discussed in lkcl -"DCE/RPC over SMB" page 257 to
+ actually validate the verifier */
+
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /* just a run to handle conformant arrays, no scalars to dissect */
+ return offset;
+ }
+
+ proto_tree_add_item(tree, hf_samr_nt_verifier, tvb, offset, 16,
+ TRUE);
offset += 16;
return offset;
}
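Review bot: In samr_dissect_NT_PASSCHANGE_BLOCK, `block` is allocated with g_malloc() before `tvb_memcpy(tvb, block, offset, NT_BLOCK_SIZE)`, so on a frame holding fewer than 516 bytes at this offset the bounds exception raised by the copy leaves the buffer unreferenced; ownership only passes to the tvbuff at `tvb_set_free_cb`. Fetching the bytes with tvb_get_ptr() before any allocation, as sketched below, keeps that path leak-free. The enclosing test also dereferences `nt_password`, which this file initialises to NULL, so unless the preference registration (not visible here) always replaces it with a string, the guard should check the pointer first. In samr_dissect_decrypted_NT_PASSCHANGE_BLOCK the length is read with a hard-coded `tvb_get_letohl(tvb, 512)` that ignores `offset` and only works because the caller passes 0; `offset + NT_BLOCK_SIZE - 4` would state the intent. The MD4 hash and RC4 state derived from the configured password stay on the stack after use and could be cleared once decryption is done.

```c
	if (nt_password != NULL && nt_password[0] != '\0') {
		const guint8 *enc_block;

		/* Raises the bounds exception on a short frame before
		   anything has been allocated. */
		enc_block = tvb_get_ptr(tvb, offset, NT_BLOCK_SIZE);

		/* ... unchanged: ASCII to UCS-2 conversion, crypt_md4() ... */

		block = g_malloc(NT_BLOCK_SIZE);
		memcpy(block, enc_block, NT_BLOCK_SIZE);

		/* ... unchanged: RC4 decryption, data source, sub-dissection ... */
```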
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_STRING, NDR_POINTER_UNIQUE,
- "Server", hf_samr_server, 0);
+ "Server", hf_samr_server);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_STRING, NDR_POINTER_REF,
- "Account Name", hf_samr_acct_name, 0);
+ "Account Name", hf_samr_acct_name);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_CRYPT_PASSWORD, NDR_POINTER_UNIQUE,
- "Password", -1, 0);
+ "Password", -1);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
- "Hash", -1, 0);
+ "Hash", -1);
return offset;
}
packet_info *pinfo,
proto_tree *tree, char *drep)
{
- offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
- hf_samr_hnd, NULL, FALSE, FALSE);
-
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_UNIQUE,
- "Server", hf_samr_server, 0);
+ samr_dissect_PASSWORD_INFO, NDR_POINTER_REF,
+ "PASSWORD_INFO:", -1);
+
+ offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
+ NDR_POINTER_UNIQUE, "Server", hf_samr_server, 0);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
- "Account Name", hf_samr_acct_name, 0);
+ dissect_ndr_counted_string_ptr, NDR_POINTER_REF,
+ "Account Name", hf_samr_acct_name);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_CRYPT_PASSWORD, NDR_POINTER_UNIQUE,
- "Password", -1, 0);
+ samr_dissect_NT_PASSCHANGE_BLOCK, NDR_POINTER_UNIQUE,
+ "New NT Password Encrypted Block", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
- "Hash", -1, 0);
+ samr_dissect_NT_VERIFIER, NDR_POINTER_UNIQUE,
+ "NT Password Verifier", -1);
offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
hf_samr_lm_change, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_CRYPT_PASSWORD, NDR_POINTER_UNIQUE,
- "Password", -1, 0);
+ samr_dissect_LM_PASSCHANGE_BLOCK, NDR_POINTER_UNIQUE,
+ "New Lan Manager Password Encrypted Block", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
- "Hash", -1, 0);
+ samr_dissect_LM_VERIFIER, NDR_POINTER_UNIQUE,
+ "Lan Manager Password Verifier", -1);
return offset;
}
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
hf_samr_unknown_short, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_UNIQUE,
- "Unknown", hf_samr_unknown_string, 0);
+ dissect_ndr_counted_string_ptr, NDR_POINTER_UNIQUE,
+ "Unknown", hf_samr_unknown_string);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_UNIQUE,
- "Unknown", hf_samr_unknown_string, 0);
+ dissect_ndr_counted_string_ptr, NDR_POINTER_UNIQUE,
+ "Unknown", hf_samr_unknown_string);
return offset;
}
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
- "Account Name", hf_samr_acct_name, 0);
+ dissect_ndr_counted_string_ptr, NDR_POINTER_REF,
+ "Account Name", hf_samr_acct_name);
offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_access,
- specific_rights_user);
+ &samr_user_access_mask_info);
return offset;
}
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_access_granted,
- specific_rights_user);
+ &samr_user_access_mask_info);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_rid, NULL);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
hf_samr_level, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
- "Account Name", hf_samr_acct_name, 0);
+ dissect_ndr_counted_string_ptr, NDR_POINTER_REF,
+ "Account Name", hf_samr_acct_name);
return offset;
}
hf_samr_unknown_char, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
- "Hash", -1, 0);
+ "Hash", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
- "Hash", -1, 0);
+ "Hash", -1);
offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
hf_samr_unknown_char, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
- "Hash", -1, 0);
+ "Hash", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
- "Hash", -1, 0);
+ "Hash", -1);
offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
hf_samr_unknown_char, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
- "Hash", -1, 0);
+ "Hash", -1);
offset = dissect_ndr_uint8 (tvb, offset, pinfo, tree, drep,
hf_samr_unknown_char, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_CRYPT_HASH, NDR_POINTER_UNIQUE,
- "Hash", -1, 0);
+ "Hash", -1);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
- tree, drep,
- hf_samr_acct_name, 0);
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
+ tree, drep, hf_samr_acct_name, 0);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_rid, NULL);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_attrib, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
- tree, drep,
- hf_samr_acct_desc, 0);
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
+ tree, drep, hf_samr_acct_desc, 0);
return offset;
}
tvb, offset, pinfo, tree, drep);
break;
case 2:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
- tree, drep,
- hf_samr_acct_name, 0);
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
+ tree, drep, hf_samr_acct_name, 0);
break;
case 3:
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_attrib, NULL);
break;
case 4:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
- tree, drep,
- hf_samr_acct_desc, 0);
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
+ tree, drep, hf_samr_acct_desc, 0);
break;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_GROUP_INFO, NDR_POINTER_UNIQUE,
- "GROUP_INFO", -1, 0);
+ "GROUP_INFO", -1);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_GROUP_INFO_ptr, NDR_POINTER_REF,
- "GROUP_INFO", -1, 0);
+ "GROUP_INFO", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ guint16 level;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_GROUP_INFO, NDR_POINTER_REF,
- "GROUP_INFO", -1, 0);
+ "GROUP_INFO", -1);
return offset;
}
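Review bot: `level` is declared without an initialiser and then formatted into COL_INFO, so the text shown depends on dissect_ndr_uint16() always storing through its last argument. That helper is not visible here; if it can return without writing (for example on a pass that skips scalars), the column would carry indeterminate stack contents while dissecting untrusted capture data. Declaring it as `guint16 level = 0;` makes the output deterministic. The same pattern appears in the other hunks that add `guint16 level;`, in the two hunks that add `guint32 info_type;`, and for `rid` in the CreateGroup reply hunk. The function's signature starts above this hunk.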
return offset;
}
-
static int
samr_dissect_get_domain_password_information_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo,
proto_tree *tree,
char *drep)
{
- offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
- hf_samr_hnd, NULL, FALSE, FALSE);
-
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_STRING, NDR_POINTER_UNIQUE,
- "Domain", hf_samr_domain, 0);
+ samr_dissect_PASSWORD_INFO, NDR_POINTER_REF,
+ "PASSWORD_INFO:", -1);
+
+ offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
+ NDR_POINTER_UNIQUE, "Domain", hf_samr_domain, 0);
+
return offset;
}
proto_tree *tree,
char *drep)
{
- /*
- * XXX - really? Not the same as
- * "samr_dissect_get_usrdom_pwinfo_reply()"?
- */
- offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
- hf_samr_hnd, NULL, FALSE, FALSE);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ samr_dissect_PASSWORD_INFO, NDR_POINTER_REF,
+ "PASSWORD_INFO:", -1);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_samr_rc, NULL);
return offset;
}
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
hf_samr_unknown_time);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_unknown_string, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_domain, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_controller, 0);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
hf_samr_unknown_time);
hf_samr_unknown_time);
break;
case 4:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
tree, drep, hf_samr_unknown_string, 0);
break;
case 5:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
tree, drep, hf_samr_domain, 0);
break;
case 6:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
tree, drep, hf_samr_controller, 0);
break;
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ guint16 level;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
+
offset = samr_dissect_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
return offset;
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
- "Domain:", hf_samr_domain, 0);
+ dissect_ndr_counted_string_ptr, NDR_POINTER_REF,
+ "Domain", hf_samr_domain);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_SID_ptr, NDR_POINTER_REF,
- "SID:", -1, 0);
+ "SID:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_SID, NDR_POINTER_UNIQUE,
- "SID", -1, 0);
+ "SID", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
hf_samr_count, &count);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_PSID_ARRAY_sids, NDR_POINTER_UNIQUE,
- "PSID_ARRAY", -1, 0);
+ "PSID_ARRAY", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
hf_samr_count, &count);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_INDEX_ARRAY_value, NDR_POINTER_UNIQUE,
- str, di->hf_index, 0);
+ str, di->hf_index);
proto_item_set_len(item, offset-old_offset);
return offset;
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_PSID_ARRAY, NDR_POINTER_REF,
- "PSID_ARRAY:", -1, 0);
+ "PSID_ARRAY:", -1);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_INDEX_ARRAY, NDR_POINTER_REF,
- "INDEX_ARRAY:", hf_samr_alias, 0);
+ "INDEX_ARRAY:", hf_samr_alias);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_index, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo,
tree, drep, di->hf_index, 4);
proto_item_set_len(item, offset-old_offset);
plural_ending(field_name));
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_IDX_AND_NAME_entry, NDR_POINTER_UNIQUE,
- str, di->hf_index, 0);
+ str, di->hf_index);
proto_item_set_len(item, offset-old_offset);
return offset;
plural_ending(field_name));
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_IDX_AND_NAME_ARRAY, NDR_POINTER_UNIQUE,
- str, di->hf_index, 0);
+ str, di->hf_index);
return offset;
}
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Resume Handle:", hf_samr_resume_hnd, 0);
+ "Resume Handle", hf_samr_resume_hnd);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_pref_maxsize, NULL);
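Review bot: The label here loses its trailing colon (`"Resume Handle"`), but the other Resume Handle calls touched by this patch keep `"Resume Handle:"`, so the protocol tree ends up with two spellings for the same field. The patch also moves `"Domain:"` to `"Domain"`, so the colon-less form looks like the intended one; if so, the remaining calls should use `"Resume Handle"` as well. The enclosing function starts and ends outside this hunk.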
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Resume Handle:", hf_samr_resume_hnd, 0);
+ "Resume Handle:", hf_samr_resume_hnd);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_IDX_AND_NAME_ARRAY_ptr, NDR_POINTER_REF,
- "IDX_AND_NAME_ARRAY:", hf_samr_domain, 0);
+ "IDX_AND_NAME_ARRAY:", hf_samr_domain);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Entries:", hf_samr_entries, 0);
+ "Entries:", hf_samr_entries);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Resume Handle:", hf_samr_resume_hnd, 0);
- offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
- hf_samr_mask, NULL);
+ "Resume Handle:", hf_samr_resume_hnd);
+
+ offset = dissect_ndr_nt_acct_ctrl(
+ tvb, offset, pinfo, tree, drep);
+
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_pref_maxsize, NULL);
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Resume Handle:", hf_samr_resume_hnd, 0);
+ "Resume Handle:", hf_samr_resume_hnd);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_IDX_AND_NAME_ARRAY_ptr, NDR_POINTER_REF,
- "IDX_AND_NAME_ARRAY:", hf_samr_group_name, 0);
+ "IDX_AND_NAME_ARRAY:", hf_samr_group_name);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Entries:", hf_samr_entries, 0);
+ "Entries:", hf_samr_entries);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Resume Handle:", hf_samr_resume_hnd, 0);
+ "Resume Handle:", hf_samr_resume_hnd);
- offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
- hf_samr_mask, NULL);
+ offset = dissect_ndr_nt_acct_ctrl(
+ tvb, offset, pinfo, tree, drep);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_pref_maxsize, NULL);
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Resume Handle:", hf_samr_resume_hnd, 0);
+ "Resume Handle:", hf_samr_resume_hnd);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_IDX_AND_NAME_ARRAY_ptr, NDR_POINTER_REF,
- "IDX_AND_NAME_ARRAY:", hf_samr_alias_name, 0);
+ "IDX_AND_NAME_ARRAY:", hf_samr_alias_name);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_pointer_long, NDR_POINTER_REF,
- "Entries:", hf_samr_entries, 0);
+ "Entries:", hf_samr_entries);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_PSID_ARRAY, NDR_POINTER_REF,
- "PSID_ARRAY:", -1, 0);
+ "PSID_ARRAY:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
of 11? */
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_LOGON_HOURS_hours, NDR_POINTER_UNIQUE,
- "LOGON_HOURS", -1, 0);
+ "LOGON_HOURS", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
tree = proto_item_add_subtree(item, ett_samr_user_info_1);
}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_full_name, 0);
offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_home, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_script, 0);
proto_item_set_len(item, offset-old_offset);
tree = proto_item_add_subtree(item, ett_samr_user_info_2);
}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_full_name, 0);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
hf_samr_bad_pwd_count, NULL);
tree = proto_item_add_subtree(item, ett_samr_user_info_3);
}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_full_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_samr_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_samr_group, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_home, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_home_drive, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_script, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_desc, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_workstations, 0);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
hf_samr_logon_time);
tree = proto_item_add_subtree(item, ett_samr_user_info_5);
}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_full_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_samr_rid, NULL);
hf_samr_country, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
hf_samr_codepage, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_home, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_home_drive, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_script, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_desc, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_workstations, 0);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
hf_samr_logon_time);
tree = proto_item_add_subtree(item, ett_samr_user_info_6);
}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_full_name, 0);
proto_item_set_len(item, offset-old_offset);
hf_samr_count, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_BUFFER_buffer, NDR_POINTER_UNIQUE,
- "BUFFER", -1, 0);
+ "BUFFER", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
hf_samr_pwd_can_change_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
hf_samr_pwd_must_change_time);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 2);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_full_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_home, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_home_drive, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_script, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_profile, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_desc, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_workstations, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_comment, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_parameters, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_unknown_string, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_unknown_string, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_unknown_string, 0);
offset = samr_dissect_BUFFER(tvb, offset, pinfo, tree, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
tvb, offset, pinfo, tree, drep);
break;
case 7:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_samr_full_name, 0);
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_samr_full_name, 0);
break;
case 8:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_samr_acct_desc, 0);
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_samr_acct_desc, 0);
break;
case 9:
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
tvb, offset, pinfo, tree, drep);
break;
case 11:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_samr_home, 0);
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_samr_home, 0);
break;
case 12:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_samr_home_drive, 0);
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_samr_home_drive, 0);
break;
case 13:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_samr_script, 0);
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_samr_script, 0);
break;
case 14:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_samr_workstations, 0);
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_samr_workstations, 0);
break;
case 16:
offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree,
tvb, offset, pinfo, tree, drep);
break;
case 20:
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_samr_profile, 0);
+ offset = dissect_ndr_counted_string(
+ tvb, offset, pinfo, tree, drep, hf_samr_profile, 0);
break;
case 21:
offset = samr_dissect_USER_INFO_21(
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_USER_INFO, NDR_POINTER_UNIQUE,
- "USER_INFO pointer", -1, 0);
+ "USER_INFO pointer", -1);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ guint16 level;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_USER_INFO, NDR_POINTER_REF,
- "USER_INFO:", -1, 0);
+ "USER_INFO:", -1);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ guint16 level;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_USER_INFO_ptr, NDR_POINTER_REF,
- "USER_INFO:", -1, 0);
+ "USER_INFO:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
hf_samr_count, &count);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_MEMBER_ARRAY_rids, NDR_POINTER_UNIQUE,
- "RIDs", -1, 0);
+ "RIDs", -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_MEMBER_ARRAY_types, NDR_POINTER_UNIQUE,
- "Types", -1, 0);
+ "Types", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_MEMBER_ARRAY, NDR_POINTER_UNIQUE,
- "MEMBER_ARRAY", -1, 0);
+ "MEMBER_ARRAY", -1);
return offset;
}
{
offset = dissect_ndr_ctx_hnd (tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL);
+
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_MEMBER_ARRAY_ptr, NDR_POINTER_REF,
- "MEMBER_ARRAY:", -1, 0);
+ "MEMBER_ARRAY:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ guint32 info_type;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
- hf_samr_info_type, NULL);
+ hf_samr_info_type, &info_type);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(
+ pinfo->cinfo, COL_INFO, ", info type %d", info_type);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
lsa_dissect_LSA_SECURITY_DESCRIPTOR, NDR_POINTER_REF,
- "LSA_SECURITY_DESCRIPTOR pointer: ", -1, 0);
+ "LSA_SECURITY_DESCRIPTOR pointer: ", -1);
return offset;
}
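Review bot: `info_type` is a guint32 but is printed with `%d`, and the two request hunks that read hf_samr_info_type spell the column text differently (`", info type %d"` here, `", info_type %d"` in the next hunk). Using `", info type %u"` in both keeps large values from being shown as negative and makes the Info column read the same for both calls. The function's signature starts above this hunk.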
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ guint32 info_type;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
- hf_samr_info_type, NULL);
+ hf_samr_info_type, &info_type);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(
+ pinfo->cinfo, COL_INFO, ", info_type %d", info_type);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
lsa_dissect_LSA_SECURITY_DESCRIPTOR, NDR_POINTER_UNIQUE,
- "LSA_SECURITY_DESCRIPTOR pointer: ", -1, 0);
+ "LSA_SECURITY_DESCRIPTOR pointer: ", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 1);
return offset;
}
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_LOOKUP_NAMES, NDR_POINTER_REF,
- "LOOKUP_NAMES:", -1, 0);
+ "LOOKUP_NAMES:", -1);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_INDEX_ARRAY, NDR_POINTER_REF,
- "Rids:", hf_samr_rid, 0);
+ "Rids:", hf_samr_rid);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_INDEX_ARRAY, NDR_POINTER_REF,
- "Types:", hf_samr_type, 0);
+ "Types:", hf_samr_type);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_LOOKUP_RIDS, NDR_POINTER_REF,
- "LOOKUP_RIDS:", -1, 0);
+ "LOOKUP_RIDS:", -1);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
hf_samr_acct_name, 0);
return offset;
}
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_UNICODE_STRING_ARRAY_names, NDR_POINTER_UNIQUE,
- "Strings", -1, 0);
+ "Strings", -1);
proto_item_set_len(item, offset-old_offset);
return offset;
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_UNICODE_STRING_ARRAY, NDR_POINTER_REF,
- "RIDs:", hf_samr_rid, 0);
+ "RIDs:", hf_samr_rid);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_INDEX_ARRAY, NDR_POINTER_REF,
- "Types:", hf_samr_type, 0);
+ "Types:", hf_samr_type);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
samr_dissect_close_hnd_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
proto_tree *tree, char *drep)
{
- offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
- hf_samr_hnd, NULL, FALSE, TRUE);
+ e_ctx_hnd policy_hnd;
+ char *name;
+
+ offset = dissect_nt_policy_hnd(
+ tvb, offset, pinfo, tree, drep, hf_samr_hnd, &policy_hnd,
+ FALSE, TRUE);
+
+ dcerpc_smb_fetch_pol(&policy_hnd, &name, NULL, NULL);
+
+ if (name != NULL && check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(
+ pinfo->cinfo, COL_INFO, ", %s", name);
return offset;
}
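Review bot: `name` is compared with NULL right after dcerpc_smb_fetch_pol(), but it is never initialised and the call's result is ignored. The check is therefore only sound if the helper always writes `*name`, including when the handle is unknown, and that is not visible in this hunk. `char *name = NULL;` removes the dependency and keeps an unset pointer from ever reaching the `%s` in col_append_fstr().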
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_SID, NDR_POINTER_REF,
- "SID:", -1, 0);
+ "SID:", -1);
+
return offset;
}
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_SID, NDR_POINTER_REF,
- "SID:", -1, 0);
+ "SID:", -1);
return offset;
}
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_SID, NDR_POINTER_REF,
- "SID:", -1, 0);
+ "SID:", -1);
return offset;
}
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_PSID_ARRAY, NDR_POINTER_REF,
- "PSID_ARRAY:", -1, 0);
+ "PSID_ARRAY:", -1);
return offset;
}
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_access,
- specific_rights_group);
+ &samr_group_access_mask_info);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_rid, &rid);
if (check_col(pinfo->cinfo, COL_INFO))
col_append_fstr(pinfo->cinfo, COL_INFO, ", rid 0x%x", rid);
- dcv->private_data = (void *)rid;
+ dcv->private_data = GINT_TO_POINTER(rid);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
+ dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
+ guint32 rid = GPOINTER_TO_INT(dcv->private_data);
e_ctx_hnd policy_hnd;
+ char *pol_name;
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, &policy_hnd, TRUE, FALSE);
- dcerpc_smb_store_pol_name(&policy_hnd, "OpenGroup handle");
+ if (rid)
+ pol_name = g_strdup_printf("OpenGroup(rid 0x%x)", rid);
+ else
+ pol_name = g_strdup("OpenGroup handle");
+
+ dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
+
+ g_free(pol_name);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
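Review bot: The rid is a guint32 but is carried through `dcv->private_data` with the signed macros: `GINT_TO_POINTER(rid)` in the request hunks and `GPOINTER_TO_INT(dcv->private_data)` here and in the OpenAlias reply. `GUINT_TO_POINTER(rid)` and `GPOINTER_TO_UINT(dcv->private_data)` match the type and avoid a signed intermediate. The `if (rid)` test presumably treats 0 as "no request seen for this call"; a one-line comment saying so would help, since nothing in the hunk shows where `private_data` is reset. The function's signature starts above this hunk.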
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_access,
- specific_rights_alias);
+ &samr_alias_access_mask_info);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_samr_rid, &rid);
if (check_col(pinfo->cinfo, COL_INFO))
col_append_fstr(pinfo->cinfo, COL_INFO, ", rid 0x%x", rid);
- dcv->private_data = (void *)rid;
+ dcv->private_data = GINT_TO_POINTER(rid);
return offset;
}
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
+ dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
e_ctx_hnd policy_hnd;
+ char *pol_name;
+ guint32 rid;
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, &policy_hnd, TRUE, FALSE);
- dcerpc_smb_store_pol_name(&policy_hnd, "OpenAlias handle");
+ rid = GPOINTER_TO_INT(dcv->private_data);
+
+ if (rid)
+ pol_name = g_strdup_printf("OpenAlias(rid 0x%x)", rid);
+ else
+ pol_name = g_strdup_printf("OpenAlias handle");
+
+ dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
+
+ g_free(pol_name);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
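Review bot: The fallback branch builds a constant string with `g_strdup_printf("OpenAlias handle")`, whereas the OpenGroup reply hunk uses `g_strdup("OpenGroup handle")` for the same purpose. With nothing to format, `pol_name = g_strdup("OpenAlias handle");` is the matching form, and it keeps the literal from being interpreted as a format string if it is ever edited to contain a `%`. The function's signature starts above this hunk.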
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_PSID_ARRAY, NDR_POINTER_REF,
- "PSID_ARRAY:", -1, 0);
+ "PSID_ARRAY:", -1);
return offset;
}
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- samr_dissect_pointer_UNICODE_STRING, NDR_POINTER_REF,
- "Account Name", hf_samr_acct_name, 0);
+ dissect_ndr_counted_string_ptr, NDR_POINTER_REF,
+ "Account Name", hf_samr_acct_name);
offset = dissect_nt_access_mask(
tvb, offset, pinfo, tree, drep, hf_samr_access,
- specific_rights_group);
+ &samr_group_access_mask_info);
return offset;
}
char *drep)
{
e_ctx_hnd policy_hnd;
+ guint32 rid;
+ char *pol_name;
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, &policy_hnd, TRUE, FALSE);
- dcerpc_smb_store_pol_name(&policy_hnd, "CreateGroup handle");
-
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
- hf_samr_rid, NULL);
+ hf_samr_rid, &rid);
+
+ pol_name = g_strdup_printf("CreateGroup(rid 0x%x)", rid);
+
+ dcerpc_smb_store_pol_name(&policy_hnd, pol_name);
+
+ g_free(pol_name);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
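Review bot: `guint32 rid;` is declared without an initial value and then formatted into the handle name, so the label depends on `dissect_ndr_uint32` always storing through `&rid`. That helper is not visible here; if it has any path that returns without writing, the name is built from an indeterminate value. Declaring `guint32 rid = 0;` and falling back to a plain `"CreateGroup handle"` name when it is zero, as the OpenAlias reply does, would make this robust. The same applies to `guint16 level;` in the two level-query request hunks that follow (`", level %d"`), where `guint16 level = 0;` would do. This function's signature and tail are outside the hunk.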
packet_info *pinfo,
proto_tree *tree, char *drep)
{
+ guint16 level;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
return offset;
}
*/
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
- "DOMAIN_INFO pointer", hf_samr_domain, 0);
+ "DOMAIN_INFO pointer", hf_samr_domain);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
packet_info *pinfo,
proto_tree *tree, char *drep)
{
+ guint16 level;
+
offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
hf_samr_hnd, NULL, FALSE, FALSE);
offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
- hf_samr_level, NULL);
+ hf_samr_level, &level);
+
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", level %d", level);
return offset;
}
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
samr_dissect_USER_INFO_ptr, NDR_POINTER_REF,
- "USER_INFO:", -1, 0);
+ "USER_INFO:", -1);
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
hf_samr_rc, NULL);
{ "Access Granted", "samr.access_granted", FT_UINT32, BASE_HEX,
NULL, 0x0, "Access Granted", HFILL }},
- { &hf_samr_mask,
- { "Mask", "samr.mask", FT_UINT32, BASE_HEX,
- NULL, 0x0, "Mask", HFILL }},
-
{ &hf_samr_crypt_password, {
"Password", "samr.crypt_password", FT_BYTES, BASE_HEX,
NULL, 0, "Encrypted Password", HFILL }},
"Hash", "samr.crypt_hash", FT_BYTES, BASE_HEX,
NULL, 0, "Encrypted Hash", HFILL }},
+ { &hf_samr_lm_verifier, {
+ "Verifier", "samr.lm_password_verifier", FT_BYTES, BASE_HEX,
+ NULL, 0, "Lan Manager Password Verifier", HFILL }},
+
+ { &hf_samr_nt_verifier, {
+ "Verifier", "samr.nt_password_verifier", FT_BYTES, BASE_HEX,
+ NULL, 0, "NT Password Verifier", HFILL }},
+
+ { &hf_samr_lm_passchange_block, {
+ "Encrypted Block", "samr.lm_passchange_block", FT_BYTES,
+ BASE_HEX, NULL, 0, "Lan Manager Password Change Block",
+ HFILL }},
+
+ { &hf_samr_nt_passchange_block, {
+ "Encrypted Block", "samr.nt_passchange_block", FT_BYTES,
+ BASE_HEX, NULL, 0, "NT Password Change Block", HFILL }},
+
+ { &hf_samr_nt_passchange_block_decrypted, {
+ "Decrypted Block", "samr.nt_passchange_block_decrypted",
+ FT_BYTES, BASE_HEX, NULL, 0,
+ "NT Password Change Decrypted Block", HFILL }},
+
+ { &hf_samr_nt_passchange_block_newpass, {
+ "New NT Password", "samr.nt_passchange_block_new_ntpassword",
+ FT_STRING, BASE_NONE, NULL, 0, "New NT Password", HFILL }},
+
+ { &hf_samr_nt_passchange_block_newpass_len, {
+ "New NT Unicode Password length",
+ "samr.nt_passchange_block_new_ntpassword_len", FT_UINT32,
+ BASE_DEC, NULL, 0, "New NT Password Unicode Length", HFILL }},
+
+ { &hf_samr_nt_passchange_block_pseudorandom, {
+ "Pseudorandom data", "samr.nt_passchange_block_pseudorandom",
+ FT_BYTES, BASE_HEX, NULL, 0, "Pseudorandom data", HFILL }},
+
{ &hf_samr_lm_change, {
"LM Change", "samr.lm_change", FT_UINT8, BASE_HEX,
NULL, 0, "LM Change value", HFILL }},
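Review bot: `samr.nt_passchange_block_new_ntpassword` (FT_STRING) and `samr.nt_passchange_block_decrypted` put recovered cleartext credential material into the protocol tree, so it will presumably appear in any printed or exported dissection of the capture. The code that fills these fields is outside this hunk. A comment above the entries such as `/* decrypted fields below carry cleartext credential material */` and a blurb like `"New NT Password (decrypted)"` would make that explicit. Separately, both verifier fields are labelled `"Verifier"` and both block fields `"Encrypted Block"`; `"LM Verifier"` / `"NT Verifier"` and `"LM Encrypted Block"` / `"NT Encrypted Block"` would tell them apart in the tree. The `hf[]` array begins and ends outside the hunk.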
"Divisions", "samr.divisions", FT_UINT16, BASE_DEC,
NULL, 0, "Number of divisions for LOGON_HOURS", HFILL }},
- /* these are used by packet-dcerpc-nt.c */
- { &hf_nt_string_length,
- { "Length", "nt.string.length", FT_UINT16, BASE_DEC,
- NULL, 0x0, "Length of string in bytes", HFILL }},
-
- { &hf_nt_string_size,
- { "Size", "nt.string.size", FT_UINT16, BASE_DEC,
- NULL, 0x0, "Size of string in bytes", HFILL }},
-
- { &hf_nt_str_len,
- { "Length", "nt.str.len", FT_UINT32, BASE_DEC,
- NULL, 0x0, "Length of string in short integers", HFILL }},
-
- { &hf_nt_str_off,
- { "Offset", "nt.str.offset", FT_UINT32, BASE_DEC,
- NULL, 0x0, "Offset into string in short integers", HFILL }},
-
- { &hf_nt_str_max_len,
- { "Max Length", "nt.str.max_len", FT_UINT32, BASE_DEC,
- NULL, 0x0, "Max Length of string in short integers", HFILL }},
-
{ &hf_nt_acct_ctrl,
{ "Acct Ctrl", "nt.acct_ctrl", FT_UINT32, BASE_HEX,
NULL, 0x0, "Acct CTRL", HFILL }},
FT_BOOLEAN, 32, TFS(&flags_set_truth),
DOMAIN_ACCESS_CREATE_ALIAS, "Create alias", HFILL }},
- { &hf_access_domain_unknown_80,
- { "Unknown 0x80", "samr_access_mask.domain_unknown_80",
+ { &hf_access_domain_lookup_alias_by_mem,
+ { "Lookup alias", "samr_access_mask.domain_lookup_alias_by_mem",
FT_BOOLEAN, 32, TFS(&flags_set_truth),
- DOMAIN_ACCESS_UNKNOWN_80, "Unknown 0x80", HFILL }},
+ DOMAIN_ACCESS_LOOKUP_ALIAS, "Lookup alias", HFILL }},
{ &hf_access_domain_enum_accounts,
{ "Enum accounts", "samr_access_mask.domain_enum_accounts",
&ett_samr_rids,
&ett_samr_sid_and_attributes_array,
&ett_samr_sid_and_attributes,
- &ett_nt_acct_ctrl
+ &ett_nt_acct_ctrl,
};
+ module_t *dcerpc_samr_module;
proto_dcerpc_samr = proto_register_protocol(
"Microsoft Security Account Manager", "SAMR", "samr");
proto_register_field_array (proto_dcerpc_samr, hf, array_length (hf));
proto_register_subtree_array(ett, array_length(ett));
+
+ dcerpc_samr_module = prefs_register_protocol(proto_dcerpc_samr, NULL);
+
+ prefs_register_string_preference(dcerpc_samr_module, "nt_password",
+ "NT Password",
+ "NT Password (used to verify password changes)",
+ &nt_password);
}
void
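Review bot: `prefs_register_string_preference(dcerpc_samr_module, "nt_password", ...)` registers a credential as an ordinary string preference, which as far as I know is saved in clear text in the user's preferences file. The description should say so, e.g. `"NT Password (used to verify password changes; saved unencrypted in the preferences file)"`, so users do not leave a live account password there. The declaration of `nt_password` is not in this hunk, and the registration function starts outside it.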