Ethereal-dev: [Ethereal-dev] [Patch] SAMR objects specific permissions
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: Jean-Baptiste Marchand <jbm@xxxxxx>
Date: Thu, 24 Jul 2003 16:04:26 +0200
Hello, the attached patch for the DCE-RPC SAMR dissector adds descriptions of specific permissions for the SAM_SERVER and SAM_USER objects that are currently unknown in the current version of the dissector. To discover textual descriptions of unknown specific permissions, the trick is to analyze security events (more precisely, 560 and 565, depending on whether the SAM in stored in the registry or in Active Directory) that appear in the Windows security eventlog, once the _Audit object access_ or _Audit directory access_ security auditing categories are enabled. For more information, see: http://sisyphus.iocaine.com/pipermail/loganalysis/2003-June/002083.html http://sisyphus.iocaine.com/pipermail/loganalysis/2003-July/002104.html Example of a 560 event for a SAM_SERVER object: [...] Object Open: Object Server: Security Account Manager Object Type: SAM_SERVER Object Name: SAM Handle ID: 1223296 Operation ID: {0,190525} Process ID: 504 Image File Name: C:\WINDOWS\system32\lsass.exe Primary User Name: GARBAREK$ Primary Domain: WORKGROUP Primary Logon ID: (0x0,0x3E7) Client User Name: jbm Client Domain: GARBAREK Client Logon ID: (0x0,0xC41B) Accesses: READ_CONTROL ConnectToServer EnumerateDomains LookupDomain [...] In this specific event, the SAM_SERVER object was opened with the specific permissions ConnectToServer, EnumerateDomains and LookupDomain. To find the exact mapping between specific permissions bits and textual description, you can use a (unicode-aware) strings utility (http://www.sysinternals.com/ntw2k/source/misc.shtml) to extract all textual descriptions of specific permissions that can appear in the Windows security eventlog from the msobjs.dll DLL. It is easier to do this operation on a Windows Server 2003 version of the DLL, because specific permissions bits for each object types can be distinguished, because the 16 bits available for specific permissions in a NT permission mask are never all used. For instance, SAM_SERVER specific permissions appear as follow (output of the strings utility on a Windows Server 2003 version of the msobjs.dll DLL): [...] Undefined Access (no effect) Bit 15 # end of specific permissions # for another object type ConnectToServer ShutdownServer InitializeServer CreateDomain EnumerateDomains LookupDomain Undefined Access (no effect) Bit 6 Undefined Access (no effect) Bit 7 Undefined Access (no effect) Bit 8 Undefined Access (no effect) Bit 9 Undefined Access (no effect) Bit 10 Undefined Access (no effect) Bit 11 Undefined Access (no effect) Bit 12 Undefined Access (no effect) Bit 13 Undefined Access (no effect) Bit 14 Undefined Access (no effect) Bit 15 ReadPasswordParameters # begin of permissions for another object type [...] Once you know at least one description for a specific permission of a given object (in the case of SAM objects, you can find 560 or 565 events in the security eventlog for each kind of SAM objects), you can easily identify other specific permissions. For the record, specific permissions descriptions for the SAM objects are defined as follow: SAM_SERVER: 0x01 ConnectToServer 0x02 ShutdownServer 0x04 InitializeServer 0x08 CreateDomain 0x10 EnumerateDomains 0x20 LookupDomain SAM_DOMAIN: 0x01 ReadPasswordParameters 0x02 WritePasswordParameters 0x04 ReadOtherParameters 0x08 WriteOtherParameters 0x10 CreateUser 0x20 CreateGlobalGroup 0x40 CreateLocalGroup 0x80 GetLocalGroupMembership 0x100 ListAccounts 0x200 LookupIDs 0x400 AdministerServer SAM_GROUP: 0x01 ReadInformation 0x02 WriteAccount 0x04 AddMember 0x08 RemoveMember 0x10 ListMembers SAM_ALIAS: 0x01 AddMember 0x02 RemoveMember 0x04 ListMembers 0x08 ReadInformation 0x10 WriteAccount SAM_USER: 0x01 ReadGeneralInformation 0x02 ReadPreferences 0x04 WritePreferences 0x08 ReadLogon 0x10 ReadAccount 0x20 WriteAccount 0x40 ChangePassword (with knowledge of old password) 0x80 SetPassword (without knowledge of old password) 0x100 ListGroups 0x200 ReadGroupMembership 0x400 ChangeGroupMembership Looking at current descriptions for some specific permissions of SAM_USER objects, it might be possible to improve descriptions, given that new information. Jean-Baptiste Marchand -- Jean-Baptiste.Marchand@xxxxxx Herv� Schauer Consultants http://www.hsc.fr/
Attachment:
packet-dcerpc-samr.c.patch.gz
Description: application/gunzip
Attachment:
packet-dcerpc-samr.h.patch.gz
Description: application/gunzip
- Follow-Ups:
- Re: [Ethereal-dev] [Patch] SAMR objects specific permissions
- From: Guy Harris
- Re: [Ethereal-dev] [Patch] SAMR objects specific permissions
- Prev by Date: [Ethereal-dev] [patch] Partial dissector for Laplink
- Next by Date: [Ethereal-dev] Retrieving the IP source address of a message
- Previous by thread: Re: [Ethereal-dev] [patch] Partial dissector for Laplink
- Next by thread: Re: [Ethereal-dev] [Patch] SAMR objects specific permissions
- Index(es):