#1  06-02-2009, 06:00 AM
Eisenbart (Registered User; Join Date: Nov 2004; Posts: 20; OS: Windows XP)

Taking ownership of files on remote computer

Hello everyone!

I am running a network on two computers using Windows XP and basically everything works fine. In order to be able to access my backup data on computer B from computer A, I created a limited user account with identical user names and passwords on both machines.

I set the permissions in such a way that I can theoretically take ownership of files on computer B from computer A, but when I try to do so, I get the following error message:

"This security ID may not be assigned as the owner of this object."

What can I do about it? I can take ownership on the remote computer when I am logged in as administrator, but from my limited user account, it only works if I log in locally on computer B. Does it have to do with the SID of my limited user account not being identical on both machines?

Best regards,

Matthias

#2  06-02-2009, 06:35 AM
johnwill (Manager, Networking Forums; Join Date: Sep 2002; Location: S.E. Pennsylvania, US; Posts: 41,580; OS: Windows 7, XP-Pro, Vista, Linux)

Re: Taking ownership of files on remote computer

You can't change file permissions with a limited account.
#3  06-02-2009, 06:44 PM
grue155 (Registered User; Join Date: May 2008; Posts: 240; OS: LAN Herder)

Re: Taking ownership of files on remote computer

On an XP Pro box, a limited account can change permissions of a file that is owned by that limited account user. Just tried that on a file, and it took that change.

However, SIDs are another matter entirely. The SID is the numeric equivalent of the user name (the S-1-stuff-morestuff-yetmorestuff). SIDs are generated by the operating system and are intended to be universally unique. Deleting a user, and then recreating the account with the same user name will produce a different SID, and the recreated account is not able to access the old account. Only in a domain login can you guarantee the same SID across machines, as there is only one SID in the domain and the login authenticates the SID.

In short, in a workgroup environment, you can't get there from here.
#4  06-03-2009, 05:21 AM
Eisenbart (Registered User; Join Date: Nov 2004; Posts: 20; OS: Windows XP)

Re: Taking ownership of files on remote computer

I understand that SIDs may vary from one machine to the other, even if the user name is the same. For example, on my primary computer, the SID for my account is

S-1-5-21-1547161642-2111687655-725345543-1003

while on my secondary computer, the SID is

S-1-5-21-1202660629-117609710-682003330-1005

As you can see, the SIDs differ greatly, so having identical SIDs on both machines for my account is next to impossible. If taking over file ownership requires identical SIDs, then it cannot be done. But I doubt that this is the case, because taking over file ownership works when I am logged in as administrator. And the administrator's SID on my primary computer is

S-1-5-21-1547161642-2111687655-725345543-500

while on my secondary computer it is

S-1-5-21-1202660629-117609710-682003330-500

If taking over file ownership required identical SIDs on both machines, then it wouldn't work for the administrator either. But it does work for the administrator, so it cannot have to do with the SIDs not being identical.

It must be some access rights problem, or maybe it has to do with some strange policy setting. Otherwise, why should I not be able to take over file ownership on a remote computer, while it does work locally?

Last edited by Eisenbart; 06-03-2009 at 05:25 AM.
#5  06-04-2009, 07:32 PM
grue155 (Registered User; Join Date: May 2008; Posts: 240; OS: LAN Herder)

Re: Taking ownership of files on remote computer

Someone who knows more than me had to walk me thru this. I'm translating my understanding back into this posting, so I may not quite have it right.

What you're describing is an authenticated logon. In the general case, it goes like this:

A user on machine A (userA), logs into machine B as userB. UserB owns and can manipulate files. UserA is impersonating userB thru the login, but userA does not own the files. They're owned by userB.

In this instance, that userA is an administrator provides a different level of authentication for impersonating userB, who also happens to be an administrator. But it is still an impersonation. The files are still owned by userB, and not by userA.

As it was explained to me.
#6  06-05-2009, 06:32 AM
Eisenbart (Registered User; Join Date: Nov 2004; Posts: 20; OS: Windows XP)

Re: Taking ownership of files on remote computer

I see, thank you for that information! So the files on machine B are owned by userB, and if he and userA happen to be administrators, userA can transfer file ownership to userB, who he is impersonating.

But what is the difference between an authenticated logon through a limited user account and an authenticated logon through an administrator's account? How can I make the taking over of file ownership work not only for administrators, but also for limited user accounts? After all, userA is impersonating userB, and userB does have the rights to take over file ownership!

Last edited by Eisenbart; 06-05-2009 at 06:37 AM.
#7  06-08-2009, 10:35 AM
grue155 (Registered User; Join Date: May 2008; Posts: 240; OS: LAN Herder)

Re: Taking ownership of files on remote computer

Quote:
How can I make the taking over of file ownership work not only for administrators, but also for limited user accounts?
This is in the settings that I know as permissions, and I think Microsoft calls "access rights". Right-click on a file or folder, select properties, the security tab, then the Advanced button. You'll get a list of user accounts and groups. Click on one to highlight it, and edit, and you'll get a list of things that can be allowed. As seen in the attached, "take ownership" is one of the settings. If you want a user to take ownership, then the permissions settings need to allow that user to take ownership.
Attached image: perms.JPG
#8  06-08-2009, 12:49 PM
Eisenbart (Registered User; Join Date: Nov 2004; Posts: 20; OS: Windows XP)

Re: Taking ownership of files on remote computer

Thank you, but I already know these permissions, and I have already set them accordingly. That's just the problem, everything is set the way it should, but it still does not work!
#9  06-08-2009, 01:19 PM
grue155 (Registered User; Join Date: May 2008; Posts: 240; OS: LAN Herder)

Re: Taking ownership of files on remote computer

Hmm... Should be a two step process. First the admin grants the chosen user (userB, in the posting so far) or a group the permission to take ownership. Then, second, that user or group member has to go and explicitly take ownership.

And your second step isn't working. The thing to check next is the effective permissions. To check a file or folder, get down to the permissions list, then click the effective permissions tab, and put in userB and see what comes back. If the "take ownership" isn't checked, it won't work. Alternatively, click the Owner tab, and see if userB is listed as one of the alternatives, while logged in as userB.

If the "take ownership" isn't checked in the effective permissions, then it's something that either needs to be set explicitly for that file or folder, or it's something that is inherited from a parent folder and needs to be overridden with an explicit setting.

At worst, just to check how things are working, create a test file as an admin, and then set the permissions for userB to have "full control". If that doesn't work, then something is off somewhere, and it's going to be time to walk thru some screenshots of the test file permissions, or xcacls output.
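An added example, not code from the thread, that puts two of the points above into one script: it checks a file's ACL for the Take Ownership right the way post #9 describes (explicit vs. inherited, Allow vs. Deny, with a group's ACEs counted too), and compares the two Administrator SIDs quoted in post #4 to show that same-named accounts on two workgroup machines are different principals. It assumes Windows PowerShell with the built-in Get-Acl cmdlet; $Path, $Account and $Groups are constructed placeholders.

```powershell
# Added example (not from the thread). Audits whether one local account can take
# ownership of a file or folder, and shows why a same-named account on another
# workgroup machine is a different principal. $Path, $Account and $Groups are
# constructed placeholders; replace them with real values.
param(
    [string]  $Path    = 'C:\Backup\test.txt',
    [string]  $Account = "$env:COMPUTERNAME\userB",
    [string[]]$Groups  = @('BUILTIN\Users')   # assumption: a limited account is a member of Users
)

function Get-Sid([string]$Name) {
    # ACLs store SIDs, not names, so every comparison below is done on SIDs.
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier])
}

function Test-SameMachine([string]$SidA, [string]$SidB) {
    # True only when both SIDs were issued by the same machine (or domain), i.e.
    # the S-1-5-21-x-y-z part matches. The trailing RID is ignored here.
    $a = New-Object System.Security.Principal.SecurityIdentifier($SidA)
    $b = New-Object System.Security.Principal.SecurityIdentifier($SidB)
    return $a.IsEqualDomainSid($b)
}

# The two Administrator SIDs quoted in post #4: same RID (500), different machine part.
$adminA = 'S-1-5-21-1547161642-2111687655-725345543-500'
$adminB = 'S-1-5-21-1202660629-117609710-682003330-500'
Write-Host ("Same machine identifier in the two Administrator SIDs: {0}" -f (Test-SameMachine $adminA $adminB))

$userSid = Get-Sid $Account
Write-Host ("{0} -> {1}  (machine part {2}, RID {3})" -f $Account, $userSid.Value,
    $userSid.AccountDomainSid.Value, $userSid.Value.Split('-')[-1])

# Principals whose ACEs count for this account: the account itself, Everyone
# (S-1-1-0, present in every token) and the groups passed in. Other group
# memberships are not discovered here; the GUI's Effective Permissions tab does that.
$principals = @($userSid.Value, 'S-1-1-0') + @($Groups | ForEach-Object { (Get-Sid $_).Value })

$acl = Get-Acl -Path $Path
Write-Host ("Owner of {0}: {1}" -f $Path, $acl.Owner)

$takeOwn = [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership   # WRITE_OWNER, 0x80000
$allow = $false
$deny  = $false
foreach ($ace in $acl.Access) {
    try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }   # orphaned or unresolvable identity
    if ($principals -notcontains $aceSid) { continue }
    # FullControl includes the TakeOwnership bit, so one flag test covers both.
    # ACEs written with generic rights (GENERIC_ALL etc.) show up as large numeric
    # values and are not decoded here.
    if (([int]$ace.FileSystemRights -band $takeOwn) -eq 0) { continue }
    $source = if ($ace.IsInherited) { 'inherited from parent' } else { 'explicit on this object' }
    Write-Host ("  {0,-5} TakeOwnership for {1} ({2})" -f $ace.AccessControlType, $ace.IdentityReference, $source)
    if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) { $deny = $true } else { $allow = $true }
}

# A Deny ACE wins over any Allow ACE. Separately, members of Administrators hold
# SeTakeOwnershipPrivilege by default, which lets them take ownership whatever the
# DACL says; a limited account has only what the ACEs above grant.
if ($deny)      { Write-Host 'Result: Take Ownership is explicitly denied'; exit 1 }
elseif ($allow) { Write-Host 'Result: Take Ownership is granted' }
else            { Write-Host 'Result: no ACE grants Take Ownership (check parent folders and group membership)'; exit 1 }
```

Run it on the target machine while logged in as the account being checked, or point $Account at that account from an administrator session; an inherited Allow that the GUI shows greyed out is reported as "inherited from parent".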
#10  06-09-2009, 08:06 AM
Eisenbart (Registered User; Join Date: Nov 2004; Posts: 20; OS: Windows XP)

Re: Taking ownership of files on remote computer

That effective permissions thing is an interesting idea... I just logged into my secondary computer locally and checked the effective permissions for my limited user account. The result was just as expected, my limited user account does have the "Take Ownership" access right.

Then I remotely logged into my secondary computer to do the same check. I clicked the effective permissions tab, clicked on "Choose" to select a user or group, followed by "Extended" and finally "Search now". Then I was prompted to enter the user name and password of an account on the remote computer, and when I did so, Windows kept searching and searching without ever coming to an end. (I closed the dialog after a while).

Now what does this tell us?

Last edited by Eisenbart; 06-09-2009 at 08:07 AM.
#11  06-09-2009, 11:08 AM
grue155 (Registered User; Join Date: May 2008; Posts: 240; OS: LAN Herder)

Re: Taking ownership of files on remote computer

In a workgroup environment, remote logins have to authenticate against local users and passwords. Which should happen in an eyeblink. What you've described sounds like it's trying to do a network authentication, which is a domain logon. Without a domain, that will have to go thru a very long timeout (something like 20+ minutes, I think).

One way to check that is to run a network monitor like Wireshark (wireshark.org) on the machine that you are trying to log into, to see if it is trying to do a network authentication.
#12  06-10-2009, 04:39 AM
Eisenbart (Registered User; Join Date: Nov 2004; Posts: 20; OS: Windows XP)

Re: Taking ownership of files on remote computer

Ok, I just installed and ran Wireshark, but as my understanding about networking is rather limited, I can only post an extract of the log file it created:

588 47.435304 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0xc007, Path:
589 47.435523 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0xc007
590 47.435652 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0xc007
591 47.435760 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0xc007, NT IOCTL
592 47.436942 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
593 47.437043 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
594 47.437176 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0xc007
595 47.437258 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0xc007
596 47.439835 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
597 47.440026 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
598 47.440471 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x800d, Path: \srvsvc
599 47.440740 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x800d
600 47.441978 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
601 47.442058 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0x800d, 72 bytes
602 47.442197 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0x800d, 1024 bytes at offset 0
603 47.442260 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
604 47.443465 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
605 47.443785 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
606 47.443931 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x800d
607 47.444021 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x800d
608 47.445689 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
609 47.445910 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
610 47.446043 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
611 47.446196 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
612 47.447397 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x800f, Path:
613 47.447609 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x800f
614 47.447737 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0x800f
615 47.447846 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0x800f, NT IOCTL
616 47.449026 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
617 47.449127 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
618 47.449260 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x800f
619 47.449358 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x800f
620 47.451809 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
621 47.451986 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
622 47.452415 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x800e, Path: \srvsvc
623 47.452692 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x800e
624 47.453934 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
625 47.454017 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0x800e, 72 bytes
626 47.454134 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0x800e, 1024 bytes at offset 0
627 47.454197 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
628 47.455427 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
629 47.455749 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
630 47.455916 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x800e
631 47.456005 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x800e
632 47.457601 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
633 47.457826 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
634 47.457965 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
635 47.458115 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
636 47.459321 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x4000, Path:
637 47.459540 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x4000
638 47.459669 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0x4000
639 47.459781 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0x4000, NT IOCTL
640 47.460964 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
641 47.461129 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
642 47.461275 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x4000
643 47.461389 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x4000
644 47.463953 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
645 47.464237 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
646 47.464694 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0xc001, Path: \srvsvc
647 47.464980 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0xc001
648 47.466221 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
649 47.466303 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0xc001, 72 bytes
650 47.466439 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0xc001, 1024 bytes at offset 0
651 47.466502 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
652 47.467707 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
653 47.468027 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
654 47.468178 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0xc001
655 47.468272 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0xc001
656 47.469902 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
657 47.470133 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
658 47.470267 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
659 47.470422 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
660 47.471619 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x0005, Path:
661 47.471829 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x0005
662 47.471953 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0x0005
663 47.472066 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0x0005, NT IOCTL
664 47.473249 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
665 47.473371 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
666 47.473499 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x0005
667 47.473585 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x0005
668 47.476047 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
669 47.476222 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
670 47.476670 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x8009, Path: \srvsvc
671 47.477035 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x8009
672 47.478274 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
673 47.478347 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0x8009, 72 bytes
674 47.478457 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0x8009, 1024 bytes at offset 0
675 47.478523 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
676 47.479755 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
677 47.480077 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
678 47.480243 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x8009
679 47.480337 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x8009
680 47.481932 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
681 47.482160 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
682 47.482296 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
683 47.482444 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
684 47.483650 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x8006, Path:
685 47.483861 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x8006
686 47.483992 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0x8006
687 47.484101 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0x8006, NT IOCTL
688 47.485287 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
689 47.485409 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
690 47.485544 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x8006
691 47.485629 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x8006
692 47.488862 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
693 47.489031 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
694 47.489497 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0xc00b, Path: \srvsvc
695 47.489772 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0xc00b
696 47.491017 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
697 47.491098 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0xc00b, 72 bytes
698 47.491236 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0xc00b, 1024 bytes at offset 0
699 47.491298 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
700 47.492505 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
701 47.492827 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
702 47.492978 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0xc00b
703 47.493068 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0xc00b
704 47.494681 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
705 47.494934 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
706 47.495072 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
707 47.495222 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
708 47.496422 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0xc00a, Path:
709 47.496655 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0xc00a
710 47.496782 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0xc00a
711 47.496890 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0xc00a, NT IOCTL
712 47.498070 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
713 47.498171 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
714 47.498296 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0xc00a
715 47.498379 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0xc00a
716 47.501197 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
717 47.501361 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
718 47.501813 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0xc002, Path: \srvsvc
719 47.502092 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0xc002
720 47.503336 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
721 47.503416 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0xc002, 72 bytes
722 47.503535 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0xc002, 1024 bytes at offset 0
723 47.503599 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
724 47.504826 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
725 47.505150 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
726 47.505318 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0xc002
727 47.505411 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0xc002
728 47.507005 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
729 47.507231 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
730 47.507372 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
731 47.507530 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
732 47.508739 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x0004, Path:
733 47.508977 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x0004
734 47.509109 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0x0004
735 47.509225 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0x0004, NT IOCTL
736 47.510436 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
737 47.510656 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
738 47.510795 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x0004
739 47.510892 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x0004
740 47.527577 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
741 47.527895 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
742 47.528386 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x0007, Path: \srvsvc
743 47.528672 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x0007
744 47.529918 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
745 47.529998 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0x0007, 72 bytes
746 47.530151 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0x0007, 1024 bytes at offset 0
747 47.530214 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
748 47.531426 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
749 47.531811 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
750 47.531957 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x0007
751 47.532054 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x0007
752 47.533706 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
753 47.533939 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
754 47.534077 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
755 47.534230 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
756 47.535428 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0xc00d, Path:
757 47.535643 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0xc00d
758 47.535770 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0xc00d
759 47.535879 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0xc00d, NT IOCTL
760 47.537058 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
761 47.537157 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
762 47.537286 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0xc00d
763 47.537366 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0xc00d
764 47.539852 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
765 47.540020 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
766 47.540452 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0xc00f, Path: \srvsvc
767 47.540749 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0xc00f
768 47.541994 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
769 47.542076 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0xc00f, 72 bytes
770 47.542196 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0xc00f, 1024 bytes at offset 0
771 47.542258 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
772 47.543490 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
773 47.543830 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
774 47.543997 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0xc00f
775 47.544089 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0xc00f
776 47.545680 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
777 47.545908 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
778 47.546043 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
779 47.546194 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
780 47.547401 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0xc00e, Path:
781 47.547615 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0xc00e
782 47.547747 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0xc00e
783 47.547859 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0xc00e, NT IOCTL
784 47.549042 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
785 47.549142 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
786 47.549340 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0xc00e
787 47.549442 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0xc00e
788 47.552052 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
789 47.552254 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
790 47.552701 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x8000, Path: \srvsvc
791 47.552982 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x8000
792 47.554224 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
793 47.554306 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0x8000, 72 bytes
794 47.554443 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0x8000, 1024 bytes at offset 0
795 47.554508 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
796 47.555718 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
797 47.649372 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
798 47.649546 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x8000
799 47.649661 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x8000
800 47.651282 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
801 47.651547 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
802 47.651688 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
803 47.651844 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
804 47.653049 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x0001, Path:
805 47.653291 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x0001
806 47.653420 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0x0001
807 47.653535 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0x0001, NT IOCTL
808 47.654713 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
809 47.654814 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
810 47.654938 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x0001
811 47.655023 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x0001
812 47.659461 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
813 47.659630 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
814 47.660152 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x4005, Path: \srvsvc
815 47.660517 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0x4005
816 47.661765 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
817 47.661848 192.168.0.2 192.168.0.1 SMB Write AndX Response, FID: 0x4005, 72 bytes
818 47.662001 192.168.0.1 192.168.0.2 SMB Read AndX Request, FID: 0x4005, 1024 bytes at offset 0
819 47.662065 192.168.0.2 192.168.0.1 DCERPC Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280
820 47.663288 192.168.0.1 192.168.0.2 SRVSVC NetShareGetInfo request
821 47.663616 192.168.0.2 192.168.0.1 SRVSVC NetShareGetInfo response
822 47.663761 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x4005
823 47.663853 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0x4005
824 47.665366 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path:
825 47.665597 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
826 47.665714 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_PATH_INFO, Query File EA Info, Path:
827 47.665864 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_PATH_INFO
828 47.667057 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0xc009, Path:
829 47.667278 192.168.0.2 192.168.0.1 SMB NT Create AndX Response, FID: 0xc009
830 47.667406 192.168.0.1 192.168.0.2 SMB NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x0030, FID: 0xc009
831 47.667535 192.168.0.2 192.168.0.1 SMB NT Trans Response, FID: 0xc009, NT IOCTL
832 47.668726 192.168.0.1 192.168.0.2 SMB Trans2 Request, QUERY_FS_INFO, Object ID Information
833 47.668913 192.168.0.2 192.168.0.1 SMB Trans2 Response, QUERY_FS_INFO
834 47.669044 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0xc009
835 47.669145 192.168.0.2 192.168.0.1 SMB Close Response, FID: 0xc009
836 47.669448 192.168.0.1 192.168.0.2 SMB NT Cancel Request
837 47.669505 192.168.0.2 192.168.0.1 SMB NT Trans Response, <unknown>, Error: STATUS_CANCELLED
838 47.669616 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x800c
839 47.669704 192.168.0.2 192.168.0.1 SMB Close Response
840 47.863463 192.168.0.1 192.168.0.2 TCP armadp > microsoft-ds [ACK] Seq=45315 Ack=25313 Win=64342 Len=0
841 48.000064 192.168.0.2 192.168.0.1 TCP activesync > icslap [PSH, ACK] Seq=35521 Ack=56353 Win=65535 Len=740
842 48.001281 192.168.0.1 192.168.0.2 TCP icslap > activesync [PSH, ACK] Seq=56353 Ack=36261 Win=64795 Len=204
843 48.001347 192.168.0.1 192.168.0.2 TCP icslap > activesync [PSH, ACK] Seq=56557 Ack=36261 Win=64795 Len=970
844 48.001393 192.168.0.2 192.168.0.1 TCP activesync > icslap [ACK] Seq=36261 Ack=57527 Win=64361 Len=0
845 48.160695 192.168.0.1 192.168.0.2 SMB NT Cancel Request
846 48.160836 192.168.0.2 192.168.0.1 SMB NT Trans Response, <unknown>, Error: STATUS_CANCELLED
847 48.160978 192.168.0.1 192.168.0.2 SMB Close Request, FID: 0x8003
848 48.161099 192.168.0.2 192.168.0.1 SMB Close Response
Does this information tell us whether it's trying to do a network authentication, and if so, what to do next?
Eisenbart is offline  
Old 06-10-2009, 10:05 AM   #13
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: Taking ownership of files on remote computer

Thank you. Taking that extract, and putting it into a wide screen so the lines are more readable, fairly early on there is this sequence:

Code:
220 46.034241 192.168.0.1 192.168.0.2 SMB Tree Connect AndX Request, Path: \\HAMMER\IPC$
223 46.036847 192.168.0.1 192.168.0.2 SMB NT Create AndX Request, FID: 0x8001, Path: \srvsvc
224 46.036896 192.168.0.1 192.168.0.2 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
227 46.039109 192.168.0.2 192.168.0.1 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
228 46.040155 192.168.0.1 192.168.0.2 DCERPC Bind: call_id: 1 SRVSVC V3.0
229 46.040221 192.168.0.1 192.168.0.2 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: \
237 46.042167 192.168.0.1 192.168.0.2 SMB Tree Connect AndX Request, Path: \\HAMMER\IPC
The NTLM negotiate and challenge are, as I recall, the authentication sequence. What shows up as the user, a couple of lines further down, is a question. "User: \"?? The details could be hidden in the packet contents, or, it could be a Guest userid login. A Guest login has very very limited abilities.

The remainder of the extract looks to be some kind of tree walk or file enumeration through a backup directory.

In Wireshark, you would need to View -> Packet Details to get a look at the NTLM packets and what the contents are to see what kind of authentication is taking place, and for what user.
grue155 is offline  
Old 06-11-2009, 06:34 AM   #14
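An added example (not code from the thread or from Wireshark) of what the Packet Details pane would have to show: a small Python parser for the NTLMSSP AUTHENTICATE message grue155 points at, building the "User: DOMAIN\user" label from the message's DomainName and UserName fields and flagging an empty pair, an anonymous flag or a missing NT response as a null-session (guest-like) logon rather than the limited account. The layout follows MS-NLMP; the sample messages, the user name "backupuser" and the workstation name "WORKSTATION-A" are constructed here.

```python
"""Parse NTLMSSP AUTHENTICATE (type 3) messages and flag null-session logons.

Layout per MS-NLMP (AUTHENTICATE_MESSAGE): 8-byte signature, 4-byte message
type, six (Len, MaxLen, Offset) field descriptors, then NegotiateFlags; the
variable-length fields follow as a payload addressed by those offsets.
All sample messages in this file are constructed, not taken from a capture.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NEGOTIATE_UNICODE = 0x00000001    # strings are UTF-16LE, otherwise OEM code page
NEGOTIATE_ANONYMOUS = 0x00000800  # client asks for an anonymous connection

# (descriptor offset in header, field name), in header order
_FIELDS = ((12, "lm_response"), (20, "nt_response"), (28, "domain"),
           (36, "user"), (44, "workstation"), (52, "session_key"))
_STRING_FIELDS = ("domain", "user", "workstation")
_HEADER_LEN = 64  # signature(8) + type(4) + 6 descriptors(48) + flags(4)


def build_authenticate(domain, user, workstation, nt_response=b"",
                       lm_response=b"", flags=NEGOTIATE_UNICODE):
    """Serialise a minimal AUTHENTICATE message (no Version/MIC block)."""
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    values = [lm_response, nt_response, domain.encode(codec),
              user.encode(codec), workstation.encode(codec), b""]
    descriptors, payload, offset = b"", b"", _HEADER_LEN
    for data in values:
        descriptors += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
            + descriptors + struct.pack("<I", flags) + payload)


def parse_authenticate(msg):
    """Return the fields of an AUTHENTICATE message; raise ValueError if malformed."""
    if len(msg) < _HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError(f"expected AUTHENTICATE (type 3), got type {msg_type}")
    flags = struct.unpack_from("<I", msg, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    info = {"flags": flags}
    for pos, name in _FIELDS:
        length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):  # bounds-check every descriptor before slicing
            raise ValueError(f"{name} field extends past end of message")
        data = msg[offset:offset + length]
        info[name] = data.decode(codec) if name in _STRING_FIELDS else data
    return info


def wireshark_user_label(info):
    """The 'DOMAIN\\user' text Wireshark prints after 'User:' in the Info column."""
    return f"{info['domain']}\\{info['user']}"


def is_null_session(info):
    """True when the logon carries no credential: empty user name,
    the anonymous flag, or no NT response at all."""
    return (info["user"] == ""
            or bool(info["flags"] & NEGOTIATE_ANONYMOUS)
            or len(info["nt_response"]) == 0)


def describe(msg):
    """One-line verdict for a captured AUTHENTICATE message."""
    info = parse_authenticate(msg)
    kind = "anonymous/null session" if is_null_session(info) else "credentialed logon"
    return f"{wireshark_user_label(info)} from {info['workstation']}: {kind}"


if __name__ == "__main__":
    # Constructed samples: a limited user sending a 24-byte NTLM response, and
    # the 'User: \' case (empty names, one zero LM byte, no NT response).
    credentialed = build_authenticate("HAMMER", "backupuser", "WORKSTATION-A",
                                      nt_response=b"\x11" * 24, lm_response=b"\x00" * 24)
    anonymous = build_authenticate("", "", "WORKSTATION-A", lm_response=b"\x00")
    for m in (credentialed, anonymous):
        print(describe(m))
```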
Registered User
 
Join Date: Nov 2004
Posts: 20
OS: Windows XP


Re: Taking ownership of files on remote computer

Ok, I did the whole thing again, but this time I got a somewhat different sequence:



The packet details are as follows:

Code:
No.     Time        Source                Destination           Protocol Info
    135 23.097274   192.168.0.2           192.168.0.1           TCP      mxxrlogin > icslap [ACK] Seq=17761 Ack=28105 Win=64364 Len=0

Frame 135 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: mxxrlogin (1035), Dst Port: icslap (2869), Seq: 17761, Ack: 28105, Len: 0

No.     Time        Source                Destination           Protocol Info
    136 23.411193   192.168.0.1           192.168.0.2           SMB      Tree Connect AndX Request, Path: \\HAMMER\IPC$

Frame 136 (136 bytes on wire, 136 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 40, Ack: 40, Len: 82
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    137 23.411395   192.168.0.2           192.168.0.1           SMB      Tree Connect AndX Response

Frame 137 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 40, Ack: 122, Len: 60
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    138 23.411533   192.168.0.1           192.168.0.2           SMB      NT Create AndX Request, FID: 0x8000, Path: \wkssvc

Frame 138 (158 bytes on wire, 158 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 122, Ack: 100, Len: 104
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    139 23.411818   192.168.0.2           192.168.0.1           SMB      NT Create AndX Response, FID: 0x8000

Frame 139 (193 bytes on wire, 193 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 100, Ack: 226, Len: 139
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    140 23.413062   192.168.0.1           192.168.0.2           DCERPC   Bind: call_id: 1 WKSSVC V1.0

Frame 140 (194 bytes on wire, 194 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 226, Ack: 239, Len: 140
NetBIOS Session Service
SMB (Server Message Block Protocol)
DCE RPC Bind, Fragment: Single, FragLen: 72, Call: 1

No.     Time        Source                Destination           Protocol Info
    141 23.413149   192.168.0.2           192.168.0.1           SMB      Write AndX Response, FID: 0x8000, 72 bytes

Frame 141 (105 bytes on wire, 105 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 239, Ack: 366, Len: 51
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    142 23.413287   192.168.0.1           192.168.0.2           SMB      Read AndX Request, FID: 0x8000, 1024 bytes at offset 0

Frame 142 (117 bytes on wire, 117 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 366, Ack: 290, Len: 63
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    143 23.413358   192.168.0.2           192.168.0.1           DCERPC   Bind_ack: call_id: 1 accept max_xmit: 4280 max_recv: 4280

Frame 143 (186 bytes on wire, 186 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 290, Ack: 429, Len: 132
NetBIOS Session Service
SMB (Server Message Block Protocol)
DCE RPC Bind_ack, Fragment: Single, FragLen: 68, Call: 1

No.     Time        Source                Destination           Protocol Info
    144 23.414611   192.168.0.1           192.168.0.2           WKSSVC   NetWkstaGetInfo request Level:100

Frame 144 (202 bytes on wire, 202 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 429, Ack: 422, Len: 148
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Pipe Protocol
DCE RPC Request, Fragment: Single, FragLen: 60, Call: 1 Ctx: 0, [Resp: #145]
Workstation Service, NetWkstaGetInfo

No.     Time        Source                Destination           Protocol Info
    145 23.414894   192.168.0.2           192.168.0.1           WKSSVC   NetWkstaGetInfo response

Frame 145 (242 bytes on wire, 242 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 422, Ack: 577, Len: 188
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Pipe Protocol
DCE RPC Response, Fragment: Single, FragLen: 128, Call: 1 Ctx: 0, [Req: #144]
Workstation Service, NetWkstaGetInfo

No.     Time        Source                Destination           Protocol Info
    146 23.415071   192.168.0.1           192.168.0.2           SMB      Close Request, FID: 0x8000

Frame 146 (99 bytes on wire, 99 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 577, Ack: 610, Len: 45
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    147 23.415164   192.168.0.2           192.168.0.1           SMB      Close Response, FID: 0x8000

Frame 147 (93 bytes on wire, 93 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 610, Ack: 622, Len: 39
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    148 23.434293   192.168.0.1           192.168.0.2           SMB      Tree Disconnect Request

Frame 148 (93 bytes on wire, 93 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 622, Ack: 649, Len: 39
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    149 23.434396   192.168.0.2           192.168.0.1           SMB      Tree Disconnect Response

Frame 149 (93 bytes on wire, 93 bytes captured)
Ethernet II, Src: Intel_1b:93:56 (00:04:23:1b:93:56), Dst: Mototech_91:23:c1 (00:50:bf:91:23:c1)
Internet Protocol, Src: 192.168.0.2 (192.168.0.2), Dst: 192.168.0.1 (192.168.0.1)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: uaiact (1470), Seq: 649, Ack: 661, Len: 39
NetBIOS Session Service
SMB (Server Message Block Protocol)

No.     Time        Source                Destination           Protocol Info
    150 23.435431   192.168.0.1           192.168.0.2           TCP      clvm-cfg > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 150 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: clvm-cfg (1476), Dst Port: http (80), Seq: 0, Len: 0

No.     Time        Source                Destination           Protocol Info
    151 23.722121   192.168.0.1           192.168.0.2           TCP      uaiact > microsoft-ds [ACK] Seq=661 Ack=688 Win=65086 Len=0

Frame 151 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Mototech_91:23:c1 (00:50:bf:91:23:c1), Dst: Intel_1b:93:56 (00:04:23:1b:93:56)
Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.2 (192.168.0.2)
Transmission Control Protocol, Src Port: uaiact (1470), Dst Port: microsoft-ds (445), Seq: 661, Ack: 688, Len: 0

No.     Time        Source                Destination           Protocol Info
    152 23.999944   192.168.0.2           192.168.0.1           TCP      mxxrlogin > icslap [PSH, ACK] Seq=17761 Ack=28105 Win=64364 Len=740
Eisenbart is offline  
Old 06-11-2009, 10:49 AM   #15 (permalink)
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: Taking ownership of files on remote computer

That is something different, but it seems incomplete. Details of what is in the SMB portion of the packet can be seen by clicking on the boxed-plus icon in the packet details window. You'd need to look at the NTLM challenge and auth packets to see what kind of login is being attempted.

It's possible to save the packet capture as a file. In Wireshark, on the toolbar at the top, click File -> Save As, give it some file name, and save in the default .pcap format. This saves all the packet data in the capture, so it can be examined later. The forum here won't allow pcap file attachment, but you can zip the capture file, and post a zip file. Then I can go through the capture to see if I can make sense of what's going on.
grue155 is offline  
Old 06-12-2009, 07:21 AM   #16 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 20
OS: Windows XP


Re: Taking ownership of files on remote computer

Great, thank you so much for your help! I did another capture with Wireshark, and it contains that NTLM challenge and authentication stuff. Please have a look at the attached log file!
Attached Files
File Type: zip capture.zip (297.1 KB, 1 views)
Eisenbart is offline  
Old 06-12-2009, 11:40 AM   #17 (permalink)
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: Taking ownership of files on remote computer

Got it. Thank you. Day job is a bit hectic today, so it may be a little while before I get the chance to go through the capture in detail.
grue155 is offline  
Old 06-15-2009, 05:01 AM   #18 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 20
OS: Windows XP


Re: Taking ownership of files on remote computer

Take your time, and thanks for your help so far!
Eisenbart is offline  
Old 06-16-2009, 05:24 AM   #19 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 20
OS: Windows XP


Re: Taking ownership of files on remote computer

Have you had a chance to look at the log file?
Eisenbart is offline  
Old 06-16-2009, 11:29 AM   #20 (permalink)
Registered User
 
Join Date: May 2008
Posts: 240
OS: LAN Herder


Re: Taking ownership of files on remote computer

A little bit. There is a null login at frame 196 which I'm trying to make sense of. Null login usually translates into the Guest account, or some other minimum privilege account. I'm having to research things a bit as I go, which is proving a bit more time consuming than I had expected. It's educational.
grue155 is offline  
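To make the check grue155 describes in posts #15 and #20 (look at the NTLM Session Setup frames and spot a null login that the server will map to Guest) repeatable, here is an added Python example, not code from the thread or from Wireshark. It parses the one-line packet summaries in the text-export format quoted above, pairs each NTLMSSP_AUTH request with its response, and flags requests sent with no account name; the sample lines, the COMPUTERB\matthias account and the frame numbers in SAMPLE are constructed.

```python
import re
from dataclasses import dataclass
# One packet summary line as Wireshark's text export prints it under the
# "No. Time Source Destination Protocol Info" header quoted in the posts above.
SUMMARY_RE = re.compile(r"^\s*(?P<no>\d+)\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
                        r"(?P<proto>\S+)\s+(?P<info>.*?)\s*$")
USER_RE = re.compile(r"User:\s*(?P<user>\S*)")
ERROR_RE = re.compile(r"Error:\s*(?P<status>\S+)")

@dataclass
class Login:
    frame: int
    src: str
    dst: str
    user: str          # account as Wireshark prints it (DOMAIN\name); "" for a null login
    null: bool         # no account name sent, so the server maps it to Guest/anonymous
    result: str = ""   # status of the matching Session Setup response, "" if none seen

def find_logins(text):
    """Pair each NTLMSSP_AUTH Session Setup request with its response; flag null logins."""
    logins, pending = [], None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m or m["proto"] != "SMB":
            continue                                   # header, detail or non-SMB line
        info = m["info"]
        if info.startswith("Session Setup AndX Request") and "NTLMSSP_AUTH" in info:
            u = USER_RE.search(info)
            user = u["user"] if u else ""
            name = user.rsplit("\\", 1)[-1]            # strip the DOMAIN\ prefix
            pending = Login(int(m["no"]), m["src"], m["dst"], user, name in ("", "anonymous"))
            logins.append(pending)
        elif info.startswith("Session Setup AndX Response") and pending is not None:
            e = ERROR_RE.search(info)                  # no "Error:" field means success
            pending.result = e["status"] if e else "STATUS_SUCCESS"
            pending = None
    return logins

# Constructed sample (not from the thread's capture): an NTLM exchange for a named
# account followed by a null login like the one the reply above describes at frame 196.
SAMPLE = """\
No.     Time        Source                Destination           Protocol Info
    138 23.401002   192.168.0.1           192.168.0.2           SMB      Session Setup AndX Request, NTLMSSP_NEGOTIATE
    139 23.401350   192.168.0.2           192.168.0.1           SMB      Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
    140 23.402117   192.168.0.1           192.168.0.2           SMB      Session Setup AndX Request, NTLMSSP_AUTH, User: COMPUTERB\\matthias
    141 23.402480   192.168.0.2           192.168.0.1           SMB      Session Setup AndX Response
    196 31.010442   192.168.0.1           192.168.0.2           SMB      Session Setup AndX Request, NTLMSSP_AUTH, User: \\
    197 31.010800   192.168.0.2           192.168.0.1           SMB      Session Setup AndX Response
"""
```

Run `find_logins` over a capture exported with File -> Print (plain text, summary line) and any entry with `null` set is a login the remote machine will treat as Guest rather than as the limited account, which is exactly the case the thread is chasing.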
All times are GMT -7. The time now is 08:03 PM.
Copyright 2001 - 2009, Tech Support Forum