Hi, I captured a trace between Windows XP and a NAS box. The SMB Session Setup AndX response packet (frame 8 in the attachment) is interesting. Two blobs, responseToken and mechListMIC, seem to be Kerberos AP_REP blobs. But Wireshark did not parse them out. Why? Does the GSSAPI on the NAS box not align with some RFCs?
Frame 8 (458 bytes on wire, 458 bytes captured)
Ethernet II, Src: NortelNe_eb:22:01 (00:0e:62:eb:22:01), Dst: WwPcbaTe_81:2f:18 (00:0f:1f:81:2f:18)
Internet Protocol, Src: 10.24.8.44 (10.24.8.44), Dst: 10.24.64.228 (10.24.64.228)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1227 (1227), Seq: 163, Ack: 1694, Len: 404
NetBIOS Session Service
SMB (Server Message Block Protocol)
    SMB Header
    Session Setup AndX Response (0x73)
        Word Count (WCT): 4
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        Action: 0x0000
        Security Blob Length: 267
        Byte Count (BCC): 357
        Security Blob: A182010730820103A0030A0100A27D047B607906092A8648...
            GSS-API Generic Security Service Application Program Interface
                SPNEGO
                    negTokenTarg
                        negResult: accept-completed (0)
                        responseToken: 607906092A864886F71201020202006F6A3068A003020105...
                        mechListMIC: 607906092A864886F71201020202006F6A3068A003020105...
        Native OS: Windows 5.0
        Native LAN Manager: Windows 2000 LAN Manager
        Primary Domain: HOUSING
Attachment:
1.cap
Description: Binary data
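
Added example, not part of the original post: a Python decoder for the GSS-API token framing (RFC 2743 section 3.1, Kerberos token IDs from RFC 1964), run over the responseToken prefix shown in the dump. It uses only the bytes visible on the page; the function and table names are this example's own.

```python
# Added example: decode the header of a GSS-API initial context token
# (framing per RFC 2743 section 3.1, Kerberos token IDs per RFC 1964).
KRB5_OID = "1.2.840.113554.1.2.2"
TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
# Kerberos messages carry an ASN.1 [APPLICATION n] tag of their own.
KRB_APP_TAGS = {0x6E: "AP-REQ", 0x6F: "AP-REP", 0x7E: "KRB-ERROR"}

# Only the prefix visible on the page (the dump truncates the rest with "...").
VISIBLE_PREFIX = bytes.fromhex("607906092A864886F71201020202006F6A3068A003020105")


def read_der_length(buf, pos):
    """Return (length, next_pos) for a DER length field starting at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(body):
    """Decode DER OID content octets to dotted form (first arc 0 or 1 only)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_gss_token_header(token):
    """Parse the fixed header; the token body may be truncated."""
    if len(token) < 4 or token[0] != 0x60:
        raise ValueError("not a GSS-API initial context token ([APPLICATION 0])")
    declared_len, pos = read_der_length(token, 1)
    if token[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = read_der_length(token, pos + 1)
    info = {"declared_length": declared_len,
            "mech_oid": decode_oid(token[pos:pos + oid_len])}
    pos += oid_len
    if info["mech_oid"] == KRB5_OID and len(token) >= pos + 3:
        info["tok_id"] = TOK_IDS.get(token[pos:pos + 2], "unknown")
        info["krb_message"] = KRB_APP_TAGS.get(token[pos + 2], "unknown")
    return info


if __name__ == "__main__":
    print(parse_gss_token_header(VISIBLE_PREFIX))
```

The dump shows the same leading bytes for mechListMIC, so the same header fields apply to that prefix as well.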