
Ethereal-dev: [Ethereal-dev] [Patch] Allow packet-dcerpc-samr.c to indicate lockout times and

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Richardson, Michael (711)" <Michael.Richardson@xxxxxxxxxxxxx>
Date: Fri, 25 Mar 2005 10:03:29 -0800
<part 1 - the patch>
 
Attached is a patch to packet-dcerpc-samr.c to decode the following parameters:
- Lockout Threshold
- Lockout Reset Time
- Lockout Duration Time
- Forced Logoff Time After Time Expires
 
If you need some test packets, it's easy to recreate on a Windows box:
 
Just run " net accounts /domain" at a command line.
 
<part 2 - the bug>
If you do happen to capture these packets, you will note that Ethereal is unable to display the times correctly.  They will always appear as "Time can't be converted".
 
I believe there are bugs in the functions "nt_time_to_nstime" or "dissect_nt_64bit_time" in "packet-windows-common.c".  I'm trying to figure out how to correct this and could easily be wrong.
 
For example, it appears that these functions are unable to handle "relative" times.  A negative value here should indicate a "relative" time.  Positive should indicate absolute time.
 
Here are some common values that are found in "Lockout Duration Time".
0x00CC1dcffbffffff (-18,000,000,000 decimal) (nanoseconds), should equal 30 minutes - Ethereal displays as "Time can't be converted".
0x0080d21647b9ffff (-77,760,000,000,000 decimal) = 129600 minutes = 2160 hours = 90 days - Ethereal displays as "Time can't be converted".
 
But, using a hex editor to manipulate one of these values in a capture, the time will display.
0xa2028589cb2fc501 = Ethereal displays as "March 23, 2005 11:12:48.198928200"
 
I also think the "Infinity" markings in "dissect_nt_64bit_time" are interesting. Windows is actually indicating that the values have not been set or never occur.  The phrase "Infinity" doesn't really communicate what this indicates.  For example, with most Windows computers (unless the default value is changed), Windows will indicate the "Forced Logoff Time After Time Expires" value 0x0000000000000080 as "Never Expires".  Ethereal indicates this value as "Infinity (relative time)".  You can see this with the "net accounts" command or other tools.
 
I'm currently working on a patch, but since I can barely code, I'm moving slowly.  The following link from the "samba" team has an example of two
 
References: 
 
Thanks,
Mike
Michael Richardson
 
120 South LaSalle Street
Suite 2200
Chicago, IL  60603
 
Direct: 312.476.6354
Fax: 312.476.6854
 
 


Attachment: packet-dcerpc-samr.c-lockout-patch.diff
Description: packet-dcerpc-samr.c-lockout-patch.diff
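Added example, not code from the attached patch and not Ethereal's packet-windows-common.c: a small decoder for the NT 64-bit time values the mail above discusses, covering absolute times, relative (negative) times such as the lockout duration, and the "never" sentinel the mail quotes as 0x0000000000000080. It assumes that the hex strings in the mail are little-endian byte dumps as captured on the wire (read that way they give exactly the decimal values quoted), that the unit is 100-nanosecond ticks since 1601-01-01 rather than nanoseconds (which is what makes -18,000,000,000 equal 30 minutes), and that 0x7FFFFFFFFFFFFFFF is the absolute-time counterpart of the relative "never" sentinel. The sample bytes are constructed from the mail's values; the absolute sample decodes to 2005-03-23 17:12:48.198928200 UTC, consistent with the 11:12:48 the mail shows for a Chicago (US Central) workstation.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* NT times are 100-ns ticks since 1601-01-01 UTC; this is the offset to 1970-01-01. */
#define NT_TICKS_PER_SEC     10000000LL
#define NT_UNIX_EPOCH_DELTA  11644473600LL

enum nt_time_kind {
    NT_TIME_UNSET,      /* 0: value not set */
    NT_TIME_NEVER,      /* INT64_MIN / INT64_MAX: "never" (assumed sentinel mapping) */
    NT_TIME_ABSOLUTE,   /* positive: a point in time */
    NT_TIME_RELATIVE    /* negative: a duration, stored negated by Windows */
};

struct nt_time {
    enum nt_time_kind kind;
    int64_t  secs;   /* absolute: seconds since 1970-01-01 UTC; relative: duration in seconds */
    uint32_t nsecs;  /* sub-second part, always a multiple of 100 */
};

/* Reassemble the little-endian 64-bit value exactly as it sits on the wire. */
int64_t nt_time_from_le(const uint8_t b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return (int64_t)v;
}

/* Classify the value by sign and sentinel, then convert ticks to seconds. */
struct nt_time nt_time_decode(int64_t v)
{
    struct nt_time t = { NT_TIME_UNSET, 0, 0 };

    if (v == 0)
        return t;
    if (v == INT64_MIN || v == INT64_MAX) {   /* what "net accounts" prints as Never */
        t.kind = NT_TIME_NEVER;
        return t;
    }
    if (v < 0) {
        /* Relative time: negate with unsigned arithmetic (INT64_MIN already excluded). */
        uint64_t mag = (uint64_t)0 - (uint64_t)v;
        t.kind  = NT_TIME_RELATIVE;
        t.secs  = (int64_t)(mag / NT_TICKS_PER_SEC);
        t.nsecs = (uint32_t)(mag % NT_TICKS_PER_SEC) * 100;
        return t;
    }
    t.kind  = NT_TIME_ABSOLUTE;
    t.secs  = v / NT_TICKS_PER_SEC - NT_UNIX_EPOCH_DELTA;
    t.nsecs = (uint32_t)(v % NT_TICKS_PER_SEC) * 100;
    return t;
}

/* Render a decoded value the way a dissector field might show it. */
int nt_time_format(char *buf, size_t n, struct nt_time t)
{
    switch (t.kind) {
    case NT_TIME_UNSET:
        return snprintf(buf, n, "Not set");
    case NT_TIME_NEVER:
        return snprintf(buf, n, "Never");
    case NT_TIME_RELATIVE:
        return snprintf(buf, n, "%" PRId64 " minutes (%" PRId64 ".%09u s)",
                        t.secs / 60, t.secs, t.nsecs);
    default: {
        time_t secs = (time_t)t.secs;
        struct tm *tmv = gmtime(&secs);
        char date[32];
        strftime(date, sizeof date, "%Y-%m-%d %H:%M:%S", tmv);
        return snprintf(buf, n, "%s.%09u UTC", date, t.nsecs);
    }
    }
}

int main(void)
{
    /* Constructed wire bytes (little-endian) built from the values quoted in the mail. */
    const uint8_t samples[][8] = {
        { 0x00, 0xCC, 0x1D, 0xCF, 0xFB, 0xFF, 0xFF, 0xFF },  /* lockout duration, 30 minutes */
        { 0x00, 0x80, 0xD2, 0x16, 0x47, 0xB9, 0xFF, 0xFF },  /* lockout duration, 90 days */
        { 0xA2, 0x02, 0x85, 0x89, 0xCB, 0x2F, 0xC5, 0x01 },  /* absolute time */
        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },  /* forced logoff: never */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[64];
        nt_time_format(buf, sizeof buf, nt_time_decode(nt_time_from_le(samples[i])));
        printf("%s\n", buf);
    }
    return 0;
}
```

The sign test is the whole point: a dissector that treats every value as an absolute timestamp will reject the negative durations as unconvertible, which is the "Time can't be converted" the mail reports, while a dissector that only special-cases the two extreme values gets the right answer for those but still mislabels them as "Infinity".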