Ethereal-dev: [Ethereal-dev] [Patch] Allow packet-dcerpc-samr.c to indicate lockout times and
<part 1 - the
patch>
Attached is a patch
to packet-dcerpc-samr.c to decode the following parameters:
- Lockout
Threshold
- Lockout Reset
Time
- Lockout Duration
Time
- Forced Logoff Time After Time
Expires
If you need some
test packets, it's easy to recreate on a Windows box:
Just run " net
accounts /domain" at a command line.
<part 2 - the
bug>
If you do happen
to capture these packets, you will note that that Ethereal is unable to
display the times correctly. They will always appear as "Time can't be
converted".
I believe there are
bugs in the functions "nt_time_to_nstime" or "dissect_nt_64bit_time" in
"packet-windows-common.c". I'm trying to figure out how to correct this
and could easily be wrong.
For example, it
appears that these functions are unable to handle "relative" times. A
negative value here should indicate a "relative" time. Positive should
indicate absolute time.
Here are some common
values that are found in "Lockout Duration Time".
0x00CC1dcffbffffff
(-18,000,000,000 decimal) (nano seconds), should equal 30 minutes -
Ethereal displays as "Time can't be converted".
0x0080d21647b9ffff
(-77,760,000,000,000 decimal) = 129600 minutes = 2160 hours = 90 days -
Ethereal displays as "Time can't be converted".
But, using a hex
editor to manipulate one of these values in a capture, the time will
display.
0xa2028589cb2fc501 =
Ethereal displays as "March 23, 2005 11:12:48.198928200"
I also think the
"Infinity" markings in "dissect_nt_64bit_time" is interesting. Windows
is actually indicating that the values have not been set or never
occur. The phrase "Infinity" doesn't really communicate what this
indicates. For example with most windows computers (unless the default
value is changed), Windows will indicate the "Forced Logoff Time After Times"
expires value 0x0000000000000080, as "Never Expires". Ethereal indicates
this value as "Infinity (relative time)". You can see this with the "net
accounts" command or other tools.
I'm currently
working on a patch, but since I can barely code, I'm moving slowly. The
following link from the "samba" team has an example of two
References:
Thanks,
Mike
Michael Richardson
120 South LaSalle Street
Suite 2200
Chicago, IL
60603
Direct: 312.476.6354
Fax: 312.476.6854
NOTICE: Protiviti is a leading international provider of independent internal audit and business and technology risk consulting services. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. This electronic mail message is intended exclusively for the individual or entity to which it is addressed. This message, together with any attachment, may contain confidential and privileged information. Any unauthorized review, use, print, retain, copy, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email message to the sender and delete all copies of this message. Thank you
==============================================================================
Attachment:
packet-dcerpc-samr.c-lockout-patch.diff
Description: packet-dcerpc-samr.c-lockout-patch.diff