SAMR Communication between Client and Server


sarshah20

I am studying SAMR and need to examine the SAMR packets that are actually sent on the wire.

What I am Doing:
I have set up a virtual machine of Windows NT 4 Server as a domain controller and created a user (who will log in from a remote machine joined with this domain controller). Then I took a virtual machine of Windows NT 4 Server (which will act as a client) and joined it with the aforementioned domain controller. Before logging in using the client machine, I set up a network traffic capture application and pointed it to capture communication between client and server. When I logged in on the client using the domain user name, there were no SAMR packets that I could see in the capture.

The Question:
What kind of environment setup do I need to generate these packets? By environment setup I mean what kind of client server environment must be set up? Or do I need to write a client which will make SAMR interface calls (like SamrConnect etc.) to connect/authenticate to the SAM database residing on the domain controller?

Thanks,
sarshah.
 
I am not sure how well this transports back to NT 4 but I do
believe you would, assuming you are capturing the correct
network packet stream, have better luck if you were to do
a join of a machine to the domain or a remote creation of
a domain account.
 
Thanks both of you guys for your replies.
SAMR packets were generated when I made the client PC join the domain. The client and server were two separate virtual machines. I have another question. I was studying the captures and there is a SamrSetInformationUser2 request from the client. In this request, the password is sent encrypted. What encryption algo is used to encrypt this password?

And for those who are studying SAMR like me, this link would be helpful
if they are interested in various SAMR calls.

http://www.hsc.fr/ressources/articles/win_net_srv/ch04s07s03.html


Thanks,
sarshah.
 
I do not know, nor whether it is the password within the crypto
or just a hash of it. Perhaps you now need a new thread asking
in the crypto newsgroup to see if someone there knows.
 