maxifere.blogg.se

How to use wireshark to capture network traffic
It has been a while since I decided to blog, but lately I have been into Reverse Engineering. Today, I would like to start my blog series on how I approach a technical topic with the goal of understanding the implementation details as much as possible. First, we will start with doing packet capture with Wireshark to learn more about how a binary works on the 'wire'. The second blog post will load the binary into a disassembler and walk through the code instead of the network packets. This blog post is primarily focused on doing packet capture. We will compile C++ code and perform dynamic analysis with Wireshark to see how the activities look on the wire. The goal of this blog post is to make it reproducible for others, so the same steps can be repeated. I believe that having an understanding of network protocols to some extent can only be beneficial in understanding the implementation details of the overall topic.

First, we have to make sure that we download Microsoft Visual Studio and install C++. At Runtime Library, select 'Multi-threaded (/MT)'. Once we have done that, we can start downloading and compiling the binary. This is how it will look once we compile the code.

Follow the exact same steps, but for this open-source project:

The second step that I'd like to do is analyzing network packets through Wireshark. I have a lab with a few servers and two Domain Controllers. The binary itself contains different parameter options, so what we can do is perform dynamic analysis with Wireshark to see how it looks on the wire. I have Wireshark installed on every server. Let's start capturing network packets on a Domain Controller, and in the meantime. Now go back to the Domain Controller and see what Wireshark has captured.

Let's cover the basic flow of the SAMR protocol by analyzing the associated network packets. First, we establish an SMB connection to the remote machine. The second phase is to connect to the IPC$ share on the remote machine. The IPC$ share is used for Inter-Process Communication: RPC over SMB allows clients to send different commands to the server to list users, shares, etc. The third phase is to open the SAMR named pipe. The fourth phase is to connect to the SAMR interface, which can be recognized by its UUID: 12345778-1234-abcd-ef00-0123456789ac. Once all of these steps have been completed, we can start interacting with the SAMR protocol.

At the connect request, we can see two SAMR Connect specific rights: SAMR_ACCESS_LOOKUP_DOMAIN to look up what the domain is, and SAMR_ACCESS_ENUM_DOMAINS to enumerate the domains. Here we can see what the domain name turns out to be in the request, which happens to be 'CONTOSO'.
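The SAMR flow described on this page (SMB session, IPC$ tree connect, open the `samr` named pipe, bind to the SAMR interface UUID, SAMR connect with the enumerate/lookup rights, then enumerate and look up domains) is the kind of sequence a defender wants to recognise in a capture. The script below is an added example, not code from the blog: it replays that flow over a constructed list of per-packet summary records (the field names `kind`, `path`, `name`, `uuid`, `opnum`, `access_mask` are this example's own, not Wireshark's), decodes the SAMR server access mask on the connect request, and flags a client that completed every phase in order and then enumerated or looked up domains. The access bits and opnums come from MS-SAMR (2.2.1.3 and 3.1.5); the SAMR_ACCESS_* labels are the ones the page and Wireshark use.

```python
from collections import defaultdict

# SAMR interface UUID as given on the page (the DCERPC bind target).
SAMR_INTERFACE_UUID = "12345778-1234-abcd-ef00-0123456789ac"

# Server-object access bits from MS-SAMR 2.2.1.3, with the SAMR_ACCESS_* names
# used on the page (and by Wireshark's SAMR dissector).
SAMR_SERVER_ACCESS_BITS = {
    0x00000001: "SAMR_ACCESS_CONNECT_TO_SERVER",
    0x00000002: "SAMR_ACCESS_SHUTDOWN_SERVER",
    0x00000004: "SAMR_ACCESS_INITIALIZE_SERVER",
    0x00000008: "SAMR_ACCESS_CREATE_DOMAIN",
    0x00000010: "SAMR_ACCESS_ENUM_DOMAINS",
    0x00000020: "SAMR_ACCESS_LOOKUP_DOMAIN",
}

# SAMR opnums (MS-SAMR 3.1.5) that matter for the flow on the page.
SAMR_OPNUMS = {
    0: "SamrConnect",
    5: "SamrLookupDomainInSamServer",
    6: "SamrEnumerateDomainsInSamServer",
    57: "SamrConnect2",
    64: "SamrConnect5",
}

# The four phases from the page, plus the SAMR connect request that follows them.
PHASES = ["smb_session", "ipc_tree_connect", "samr_pipe_open", "samr_bind", "samr_connect"]

# Constructed packet summaries (NOT a real capture): one client runs the full
# SAMR flow against a DC, a second client only maps a file share.
SAMPLE_EVENTS = [
    {"src": "10.0.0.50", "dst": "10.0.0.10", "kind": "smb2_session_setup"},
    {"src": "10.0.0.50", "dst": "10.0.0.10", "kind": "smb2_tree_connect", "path": "\\\\DC01\\IPC$"},
    {"src": "10.0.0.50", "dst": "10.0.0.10", "kind": "smb2_create", "name": "samr"},
    {"src": "10.0.0.50", "dst": "10.0.0.10", "kind": "dcerpc_bind",
     "uuid": "12345778-1234-ABCD-EF00-0123456789AC"},
    {"src": "10.0.0.50", "dst": "10.0.0.10", "kind": "samr_request", "opnum": 64, "access_mask": 0x30},
    {"src": "10.0.0.50", "dst": "10.0.0.10", "kind": "samr_request", "opnum": 6},
    {"src": "10.0.0.50", "dst": "10.0.0.10", "kind": "samr_request", "opnum": 5},
    {"src": "10.0.0.77", "dst": "10.0.0.10", "kind": "smb2_session_setup"},
    {"src": "10.0.0.77", "dst": "10.0.0.10", "kind": "smb2_tree_connect", "path": "\\\\DC01\\SYSVOL"},
]


def decode_server_access(mask):
    """Return the SAMR_ACCESS_* names set in a SAMR connect access mask, lowest bit first."""
    return [name for bit, name in sorted(SAMR_SERVER_ACCESS_BITS.items()) if mask & bit]


def classify(event):
    """Map one packet summary onto a phase of the SAMR flow, or None if it is unrelated."""
    kind = event["kind"]
    if kind == "smb2_session_setup":
        return "smb_session"
    if kind == "smb2_tree_connect" and event["path"].upper().endswith("\\IPC$"):
        return "ipc_tree_connect"
    if kind == "smb2_create" and event["name"].lower() == "samr":
        return "samr_pipe_open"
    if kind == "dcerpc_bind" and event["uuid"].lower() == SAMR_INTERFACE_UUID:
        return "samr_bind"
    if kind == "samr_request" and SAMR_OPNUMS.get(event["opnum"], "").startswith("SamrConnect"):
        return "samr_connect"
    return None


def reconstruct_sessions(events):
    """Group events per (client, server) and record phases seen, connect rights and SAMR calls."""
    sessions = defaultdict(lambda: {"phases": [], "rights": [], "calls": []})
    for ev in events:
        s = sessions[(ev["src"], ev["dst"])]
        phase = classify(ev)
        if phase and phase not in s["phases"]:
            s["phases"].append(phase)  # first-occurrence order preserves the sequence
        if ev["kind"] == "samr_request":
            name = SAMR_OPNUMS.get(ev["opnum"], "opnum_%d" % ev["opnum"])
            s["calls"].append(name)
            if name.startswith("SamrConnect"):
                s["rights"] = decode_server_access(ev.get("access_mask", 0))
    return dict(sessions)


def is_domain_enumeration(session):
    """True when all phases ran in the page's order and the client then enumerated or looked up domains."""
    if session["phases"] != PHASES:
        return False
    return any(c in ("SamrEnumerateDomainsInSamServer", "SamrLookupDomainInSamServer")
               for c in session["calls"])


if __name__ == "__main__":
    for pair, sess in reconstruct_sessions(SAMPLE_EVENTS).items():
        flag = "SAMR domain enumeration" if is_domain_enumeration(sess) else "no SAMR enumeration"
        print(pair, flag, sess["rights"], sess["calls"])
```

In Wireshark itself the same narrowing is done with display filters: the `samr` protocol filter shows the requests after the bind, and the connect request's access mask is decoded in the packet details, which is where the two rights named above appear.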