
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [REG:111092854890403] RE: double send of
From:       Hongwei Sun <hongweis () microsoft ! com>
Date:       2011-10-28 20:54:25
Message-ID: 3BB1B69706070E4D8CF623CF69DE544E195AB1DA () TK5EX14MBXC291 ! redmond ! corp ! microsoft ! com
[Download RAW message or body]

Hi, Matthieu,

  Ahh, you used the 32-bit version. I used the 64-bit version. It is surprising to find that the option for "Try to decrypt Kerberos blobs" only shows up in the 32-bit version. I never expected there to be such a difference. Anyway, I can decrypt it now. Thanks!

Hongwei
 

-----Original Message-----
From: Matthieu Patou [mailto:mat@samba.org] 
Sent: Friday, October 28, 2011 3:32 PM
To: Hongwei Sun
Cc: pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email
Subject: Re: [REG:111092854890403] RE: double send of command joined from a upstream \
windows Server

Hello Hongwei,

I made a screencast on a Windows machine explaining how to decrypt FRS traffic; I'm sure that by following the instructions in this demo you'll succeed.

Here is the file:
http://athena.matws.net/mat/pres/frs.avi


Regards.

Matthieu.
On 21/10/2011 23:20, Hongwei Sun wrote:
> Matthieu,
> 
> Did you get a chance to capture the screenshot with the FRS1 packets displayed? It would be ideal if I could decrypt it myself, but I cannot get a version of Wireshark that allows me to do that. So the screenshot would at least show me all the packet sequences, so I have something to work with. I may need to work with the product team, so I need some information to show them.
> Thanks!
> 
> Hongwei
> 
> -----Original Message-----
> From: Matthieu Patou [mailto:mat@samba.org]
> Sent: Wednesday, October 19, 2011 6:04 PM
> To: Hongwei Sun
> Cc: pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email
> Subject: Re: [REG:111092854890403] RE: double send of command joined 
> from a upstream windows Server
> 
> Hi hongwei I'm planning to work on it tomorrow,
> 
> The best, though, would be to catch me tomorrow so that I can show you in a live demo.
> Matthieu
> On 20/10/2011 00:59, Hongwei Sun wrote:
> > Matthieu,
> > 
> > Did you have a chance to send the information I requested below? I have trouble seeing the sequence of the packets without decrypting it. If you don't have time to work on it, I can archive it and we can work on it whenever you get time.
> > Thanks!
> > 
> > Hongwei
> > 
> > 
> > -----Original Message-----
> > From: Hongwei Sun
> > Sent: Thursday, October 13, 2011 5:49 PM
> > To: 'mat@samba.org'; 'pfif@tridgell.net'; 'cifs-protocol@samba.org'
> > Cc: MSSolve Case Email
> > Subject: RE: [REG:111092854890403] RE: double send of command joined 
> > from a upstream windows Server
> > 
> > Matthieu,
> > 
> > Can you send me the screenshot you mentioned in your e-mail? Even if I cannot make the decryption work with the correct version, looking at the screen may help me understand the scenario.
> > Thanks!
> > 
> > Hongwei
> > 
> > -----Original Message-----
> > From: Hongwei Sun
> > Sent: Tuesday, October 11, 2011 5:27 PM
> > To: 'mat@samba.org'; pfif@tridgell.net; cifs-protocol@samba.org
> > Cc: MSSolve Case Email
> > Subject: [REG:111092854890403] RE: double send of command joined from 
> > a upstream windows Server
> > 
> > Matthieu,
> > 
> > I downloaded Wireshark 1.6.2, which is the latest version I can download. But I still don't see the option for me to provide the file name for the keytab file in the krb5 screen. What is the minimum version of Wireshark for me to use with your keytab file for decryption? I am running the Windows 64-bit version of Wireshark.
> > Thanks!
> > 
> > Hongwei
> > 
> > -----Original Message-----
> > From: Matthieu Patou [mailto:mat@samba.org]
> > Sent: Tuesday, September 27, 2011 10:45 PM
> > To: Hongwei Sun; pfif@tridgell.net; cifs-protocol@samba.org; 
> > Interoperability Documentation Help
> > Subject: double send of command joined from a upstream windows Server
> > 
> > Hello hongwei,
> > 
> > Following our talk concerning the double send of "command_joined"
> > packets from a W2K3R2 server when talking to a samba server.
> > 
> > Here is the wireshark capture and the keytab to decrypt it.
> > 
> > Getting a recent version of Wireshark is needed. You can get a nightly build at http://www.wireshark.org/download/automated/win32/ newer than revision 38976 (which is ~2 weeks old).
> > The way to use it is:
> > wireshark -K w2k_2.keytab frs_big_file_samba.pcap
> > 
> > I attached the screenshot of these packets; they're packets 319 and 321.
> > 
> > Thanks for explaining what's going on, and maybe update the doc.
> > 
> > Matthieu.
> > 
> > --
> > Matthieu Patou
> > Samba Team
> > http://samba.org
> > 
> 
> --
> Matthieu Patou
> Samba Team
> http://samba.org
> 
> 


--
Matthieu Patou
Samba Team
http://samba.org
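The decryption step discussed in this thread (Wireshark's -K keytab option together with the "Try to decrypt Kerberos blobs" preference) can only work if the keytab actually holds the long-term key of the service principal the client's AP-REQ is addressed to, with an enctype and kvno matching the ticket; when decryption silently does nothing, that is the first thing to verify. A Windows 2003 DC such as the W2K3R2 server here only uses RC4-HMAC or DES keys, so an AES-only keytab will not help. The script below is an added example, not code from this thread, from Samba or from Wireshark: it parses an MIT-format keytab (the format -K reads) and reports which keys it holds for the principals you name. The realm SAMBA.EXAMPLE, the principal names, kvnos and key bytes in the embedded sample are constructed for illustration; for a real capture you would run it against w2k_2.keytab and the host/ or machine-account principal of the Windows server.

```python
"""Check an MIT-format Kerberos keytab (what Wireshark's -K option reads) for
the service keys needed to decrypt a capture.  Added example, not code from
this thread, Samba or Wireshark; the sample keytab below is constructed and
its realm, principals, kvnos and key bytes are made up."""
import struct
import sys
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab version 2: big-endian integers
# RFC 3961 / IANA encryption type numbers commonly seen in AD keytabs
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}


@dataclass
class KeytabEntry:
    principal: str  # "comp1/comp2@REALM"
    kvno: int
    enctype: int
    key: bytes

    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(buf: bytes, off: int) -> tuple:
    """Read a uint16-length-prefixed octet string at off; return (data, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Parse every live entry of a version-2 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError(f"unsupported keytab version {data[:2].hex()}; only 0x0502 handled")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot of |size| bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode("utf-8"))
        vno8 = data[off + 8]  # after name_type (4 bytes) and timestamp (4 bytes)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno; overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode("utf-8"),
                                   kvno, enctype, key))
    return entries


def build_keytab(entries: list) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a version-2 keytab.
    Used only to construct sample input; real ones come from ktpass/samba-tool/ktutil."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode("utf-8")
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode("utf-8")
        # name_type 1 = NT-PRINCIPAL; the timestamp is an arbitrary constructed value
        body += struct.pack(">IIB", 1, 1319836800, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # trailing 32-bit kvno, as MIT writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, required: list) -> dict:
    """Map each required principal to its "enctype (kvno N)" keys; an empty list
    means Wireshark has no key for tickets addressed to that service."""
    found = {p: [] for p in required}
    for e in parse_keytab(data):
        if e.principal in found:
            found[e.principal].append(f"{e.enctype_name()} (kvno {e.kvno})")
    return found


# Constructed sample: a 2003-era DC's RC4-HMAC and DES host keys, plus a machine
# account AES key whose kvno does not fit in 8 bits (exercises the vno32 path).
SAMPLE_KEYTAB = build_keytab([
    ("host/dc1.samba.example@SAMBA.EXAMPLE", 2, 23, bytes.fromhex("11" * 16)),
    ("host/dc1.samba.example@SAMBA.EXAMPLE", 2, 3, bytes.fromhex("22" * 8)),
    ("DC1$@SAMBA.EXAMPLE", 300, 18, bytes.fromhex("33" * 32)),
])

if __name__ == "__main__":  # usage: python3 keytab_check.py w2k_2.keytab
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e.principal:<40} kvno={e.kvno:<4} {e.enctype_name()}")
```

Run it against the keytab before loading the capture: if the server's principal is missing, or only present with an enctype the client never negotiated, Wireshark will show the same opaque Kerberos blobs as before regardless of which build you use, and the fix is to regenerate the keytab rather than to hunt for another Wireshark version. Once the right key is present, `wireshark -K w2k_2.keytab frs_big_file_samba.pcap` with the Kerberos decrypt preference enabled is all that is needed, as Matthieu describes above.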


_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

