Ethereal-dev: [Ethereal-dev] [Patch] SAMR objects specific permissions
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Jean-Baptiste Marchand <jbm@xxxxxx>
Date: Thu, 24 Jul 2003 16:04:26 +0200
Hello,

the attached patch for the DCE-RPC SAMR dissector adds descriptions of specific permissions for the SAM_SERVER and SAM_USER objects that are currently unknown in the current version of the dissector.

To discover textual descriptions of unknown specific permissions, the trick is to analyze security events (more precisely, 560 and 565, depending on whether the SAM is stored in the registry or in Active Directory) that appear in the Windows security eventlog, once the _Audit object access_ or _Audit directory access_ security auditing categories are enabled. For more information, see:

http://sisyphus.iocaine.com/pipermail/loganalysis/2003-June/002083.html
http://sisyphus.iocaine.com/pipermail/loganalysis/2003-July/002104.html

Example of a 560 event for a SAM_SERVER object:

    [...]
    Object Open:
        Object Server:     Security Account Manager
        Object Type:       SAM_SERVER
        Object Name:       SAM
        Handle ID:         1223296
        Operation ID:      {0,190525}
        Process ID:        504
        Image File Name:   C:\WINDOWS\system32\lsass.exe
        Primary User Name: GARBAREK$
        Primary Domain:    WORKGROUP
        Primary Logon ID:  (0x0,0x3E7)
        Client User Name:  jbm
        Client Domain:     GARBAREK
        Client Logon ID:   (0x0,0xC41B)
        Accesses:          READ_CONTROL
                           ConnectToServer
                           EnumerateDomains
                           LookupDomain
    [...]

In this specific event, the SAM_SERVER object was opened with the specific permissions ConnectToServer, EnumerateDomains and LookupDomain.

To find the exact mapping between specific permission bits and textual descriptions, you can use a (unicode-aware) strings utility (http://www.sysinternals.com/ntw2k/source/misc.shtml) to extract all textual descriptions of specific permissions that can appear in the Windows security eventlog from the msobjs.dll DLL. It is easier to do this operation on a Windows Server 2003 version of the DLL, because specific permission bits for each object type can be distinguished, because the 16 bits available for specific permissions in an NT permission mask are never all used.
For instance, SAM_SERVER specific permissions appear as follows (output of the strings utility on a Windows Server 2003 version of the msobjs.dll DLL):

    [...]
    Undefined Access (no effect) Bit 15    # end of specific permissions
                                           # for another object type
    ConnectToServer
    ShutdownServer
    InitializeServer
    CreateDomain
    EnumerateDomains
    LookupDomain
    Undefined Access (no effect) Bit 6
    Undefined Access (no effect) Bit 7
    Undefined Access (no effect) Bit 8
    Undefined Access (no effect) Bit 9
    Undefined Access (no effect) Bit 10
    Undefined Access (no effect) Bit 11
    Undefined Access (no effect) Bit 12
    Undefined Access (no effect) Bit 13
    Undefined Access (no effect) Bit 14
    Undefined Access (no effect) Bit 15
    ReadPasswordParameters                 # begin of permissions for another object type
    [...]

Once you know at least one description for a specific permission of a given object (in the case of SAM objects, you can find 560 or 565 events in the security eventlog for each kind of SAM object), you can easily identify other specific permissions.
For the record, specific permission descriptions for the SAM objects are defined as follows:

SAM_SERVER:
    0x01  ConnectToServer
    0x02  ShutdownServer
    0x04  InitializeServer
    0x08  CreateDomain
    0x10  EnumerateDomains
    0x20  LookupDomain

SAM_DOMAIN:
    0x01   ReadPasswordParameters
    0x02   WritePasswordParameters
    0x04   ReadOtherParameters
    0x08   WriteOtherParameters
    0x10   CreateUser
    0x20   CreateGlobalGroup
    0x40   CreateLocalGroup
    0x80   GetLocalGroupMembership
    0x100  ListAccounts
    0x200  LookupIDs
    0x400  AdministerServer

SAM_GROUP:
    0x01  ReadInformation
    0x02  WriteAccount
    0x04  AddMember
    0x08  RemoveMember
    0x10  ListMembers

SAM_ALIAS:
    0x01  AddMember
    0x02  RemoveMember
    0x04  ListMembers
    0x08  ReadInformation
    0x10  WriteAccount

SAM_USER:
    0x01   ReadGeneralInformation
    0x02   ReadPreferences
    0x04   WritePreferences
    0x08   ReadLogon
    0x10   ReadAccount
    0x20   WriteAccount
    0x40   ChangePassword (with knowledge of old password)
    0x80   SetPassword (without knowledge of old password)
    0x100  ListGroups
    0x200  ReadGroupMembership
    0x400  ChangeGroupMembership

Looking at the current descriptions for some specific permissions of SAM_USER objects, it might be possible to improve the descriptions, given this new information.

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchand@xxxxxx
Hervé Schauer Consultants
http://www.hsc.fr/
Attachment:
packet-dcerpc-samr.c.patch.gz
Description: application/gunzip
Attachment:
packet-dcerpc-samr.h.patch.gz
Description: application/gunzip
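The bit table in the message is enough to turn a raw SAMR ACCESS_MASK back into the names an event 560 prints under "Accesses:" (and the other way round), which is handy when reviewing audit logs or a capture. The following decoder is an added example, not code from the Ethereal patch; the standard-rights values are the usual Windows ACCESS_MASK constants, the specific bits come from the table above, and the parentheticals on ChangePassword/SetPassword are dropped from the names (an assumption about how the eventlog prints them).

```python
# Added example, not the Ethereal patch: decode a SAMR ACCESS_MASK into the
# names that event 560 prints under "Accesses:", using the bit table above.
STANDARD_RIGHTS = {  # bits 16-20 of every Windows ACCESS_MASK
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
# Specific permissions per SAM object type (from the message); list index i is bit i.
SAM_SPECIFIC = {
    "SAM_SERVER": ["ConnectToServer", "ShutdownServer", "InitializeServer",
                   "CreateDomain", "EnumerateDomains", "LookupDomain"],
    "SAM_DOMAIN": ["ReadPasswordParameters", "WritePasswordParameters",
                   "ReadOtherParameters", "WriteOtherParameters", "CreateUser",
                   "CreateGlobalGroup", "CreateLocalGroup", "GetLocalGroupMembership",
                   "ListAccounts", "LookupIDs", "AdministerServer"],
    "SAM_GROUP": ["ReadInformation", "WriteAccount", "AddMember", "RemoveMember",
                  "ListMembers"],
    "SAM_ALIAS": ["AddMember", "RemoveMember", "ListMembers", "ReadInformation",
                  "WriteAccount"],
    "SAM_USER": ["ReadGeneralInformation", "ReadPreferences", "WritePreferences",
                 "ReadLogon", "ReadAccount", "WriteAccount", "ChangePassword",
                 "SetPassword", "ListGroups", "ReadGroupMembership",
                 "ChangeGroupMembership"],
}

def decode_access_mask(obj_type, mask):
    """Standard rights first, then specific bits 0..15 in bit order; a set bit
    with no name for this object type gets the wording msobjs.dll uses."""
    names = SAM_SPECIFIC[obj_type]
    out = [n for bit, n in sorted(STANDARD_RIGHTS.items()) if mask & bit]
    for bit in range(16):
        if mask & (1 << bit):
            out.append(names[bit] if bit < len(names)
                       else "Undefined Access (no effect) Bit %d" % bit)
    return out

def encode_access_names(obj_type, accesses):
    """Inverse: rebuild the mask from the names an event lists."""
    std = {n: bit for bit, n in STANDARD_RIGHTS.items()}
    mask = 0
    for name in accesses:
        mask |= std.get(name) or 1 << SAM_SPECIFIC[obj_type].index(name)
    return mask

# Constructed from the SAM_SERVER event 560 quoted in the message.
SAMPLE_ACCESSES = ["READ_CONTROL", "ConnectToServer", "EnumerateDomains", "LookupDomain"]

if __name__ == "__main__":
    mask = encode_access_names("SAM_SERVER", SAMPLE_ACCESSES)   # 0x20031
    print(hex(mask), decode_access_mask("SAM_SERVER", mask))
```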