Frame: Number = 15, Captured Frame Length = 220, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-05-B4-44],SourceAddress:[00-15-5D-05-B4-49]
+ Ipv4: Src = 10.10.10.20, Dest = 10.10.10.27, Next Protocol = TCP, Packet ID = 747, Total IP Length = 206
+ Tcp: Flags=...AP..., SrcPort=49235, DstPort=Microsoft-DS(445), PayloadLen=166, Seq=2204022974 - 2204023140, Ack=820542383, Win=32724 (scale factor 0x2) = 130896
+ SMBOverTCP: Length = 162
- SMB2: C SESSION SETUP (0x1)
SMBIdentifier: SMB
+ SMB2Header: C SESSION SETUP (0x1),TID=0x0000, MID=0x0002, PID=0xFEFF, SID=0x0000
- CSessionSetup:
StructureSize: 25 (0x19)
VcNumber: 0 (0x0)
+ SecurityMode: 1 (0x1)
+ Capabilities: 0x1
Channel: 0 (0x0)
SecurityBufferOffset: 88 (0x58)
SecurityBufferLength: 74 (0x4A)
PreviousSessionId: 0 (0x0)
- securityBlob:
- GSSAPI:
- InitialContextToken:
+ ApplicationHeader:
+ ThisMech: SpnegoToken (1.3.6.1.5.5.2)
- InnerContextToken: 0x1
- SpnegoToken: 0x1
+ ChoiceTag:
- NegTokenInit:
+ SequenceHeader:
+ Tag0:
+ MechTypes: Prefer NLMP (1.3.6.1.4.1.311.2.2.10)
+ Tag2:
+ OctetStringHeader:
- MechToken: NTLM NEGOTIATE MESSAGE
- NLMP: NTLM NEGOTIATE MESSAGE
Signature: NTLMSSP
MessageType: Negotiate Message (0x00000001)
+ NegotiateFlags: 0xE2088297 (NTLM v2128-bit encryption, Always Sign)
+ DomainNameFields: Length: 0, Offset: 0
+ WorkstationFields: Length: 0, Offset: 0
+ Version: Windows 6.1 Build 7601 NLMPv15
Frame: Number = 16, Captured Frame Length = 447, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-05-B4-49],SourceAddress:[00-15-5D-05-B4-44]
+ Ipv4: Src = 10.10.10.27, Dest = 10.10.10.20, Next Protocol = TCP, Packet ID = 24310, Total IP Length = 433
+ Tcp: Flags=...AP..., SrcPort=Microsoft-DS(445), DstPort=49235, PayloadLen=393, Seq=820542383 - 820542776, Ack=2204023140, Win=512 (scale factor 0x8) = 131072
+ SMBOverTCP: Length = 389
- SMB2: R - NT Status: System - Error, Code = (22) STATUS_MORE_PROCESSING_REQUIRED SESSION SETUP (0x1), SessionFlags=0x0
SMBIdentifier: SMB
+ SMB2Header: R SESSION SETUP (0x1),TID=0x0000, MID=0x0002, PID=0xFEFF, SID=0x0019
- RSessionSetup:
StructureSize: 9 (0x9)
+ SessionFlags: 0x0
SecurityBufferOffset: 72 (0x48)
SecurityBufferLength: 317 (0x13D)
- securityBlob:
- GSSAPI:
- NegotiationToken:
+ ChoiceTag:
- NegTokenResp:
+ SequenceHeader:
+ Tag0:
+ NegState: accept-incomplete (1)
+ Tag1:
+ SupportedMech: NLMP (1.3.6.1.4.1.311.2.2.10)
+ Tag2:
+ OctetStringHeader:
- ResponseToken: NTLM CHALLENGE MESSAGE
- NLMP: NTLM CHALLENGE MESSAGE
Signature: NTLMSSP
MessageType: Challenge Message (0x00000002)
+ TargetNameFields: Length: 12, Offset: 56
+ NegotiateFlags: 0xE2898215 (NTLM v2128-bit encryption, Always Sign)
+ ServerChallenge: 67F9C5F851F2CD73
Reserved: Binary Large Object (8 Bytes)
+ TargetInfoFields: Length: 214, Offset: 68
+ Version: Windows 6.1 Build 7601 NLMPv15
TargetNameString: CORP01
+ AvPairs: 7 pairs
Frame: Number = 17, Captured Frame Length = 401, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-05-B4-44],SourceAddress:[00-15-5D-05-B4-49]
+ Ipv4: Src = 10.10.10.20, Dest = 10.10.10.27, Next Protocol = TCP, Packet ID = 748, Total IP Length = 387
+ Tcp: Flags=...AP..., SrcPort=49235, DstPort=Microsoft-DS(445), PayloadLen=347, Seq=2204023140 - 2204023487, Ack=820542776, Win=32625 (scale factor 0x2) = 130500
+ SMBOverTCP: Length = 343
- SMB2: C SESSION SETUP (0x1)
SMBIdentifier: SMB
+ SMB2Header: C SESSION SETUP (0x1),TID=0x0000, MID=0x0003, PID=0xFEFF, SID=0x0019
- CSessionSetup:
StructureSize: 25 (0x19)
VcNumber: 0 (0x0)
+ SecurityMode: 1 (0x1)
+ Capabilities: 0x1
Channel: 0 (0x0)
SecurityBufferOffset: 88 (0x58)
SecurityBufferLength: 255 (0xFF)
PreviousSessionId: 0 (0x0)
- securityBlob:
- GSSAPI:
- NegotiationToken:
+ ChoiceTag:
- NegTokenResp:
+ SequenceHeader:
+ Tag0:
+ NegState: accept-incomplete (1)
+ Tag2:
+ OctetStringHeader:
- ResponseToken: NTLM AUTHENTICATE MESSAGEVersion:v1, Domain: CORP01, User: Administrator, Workstation: CONTOSO-CLI-01
- NLMP: NTLM AUTHENTICATE MESSAGEVersion:v1, Domain: CORP01, User: Administrator, Workstation: CONTOSO-CLI-01
Signature: NTLMSSP
MessageType: Authenticate Message (0x00000003)
+ LmChallengeResponseFields: Length: 24, Offset: 154
+ NtChallengeResponseFields: Length: 24, Offset: 178
+ DomainNameFields: Length: 12, Offset: 88
+ UserNameFields: Length: 26, Offset: 100
+ WorkstationFields: Length: 28, Offset: 126
+ EncryptedRandomSessionKeyFields: Length: 16, Offset: 202
+ NegotiateFlags: 0xE2888215 (NTLM v2128-bit encryption, Always Sign)
+ Version: Windows 6.1 Build 7601 NLMPv15
+ MessageIntegrityCheckNotPresent: 6243C42AF68F9DFE30BD31BFC722B4C0
DomainNameString: CORP01
UserNameString: Administrator
WorkstationString: CONTOSO-CLI-01
+ LmChallengeResponseStruct: 3995E087245B6F7100000000000000000000000000000000
+ NTLMV1ChallengeResponse: B0751BDCB116BA5737A51962328D5CCD19EEBEBB15A69B1E
+ SessionKeyString: 397DACB158C9F10EF4903F10D4CBE032
+ Tag3:
+ OctetStringHeader:
+ MechListMic: Version: 1
Frame: Number = 18, Captured Frame Length = 159, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-05-B4-49],SourceAddress:[00-15-5D-05-B4-44]
+ Ipv4: Src = 10.10.10.27, Dest = 10.10.10.20, Next Protocol = TCP, Packet ID = 24312, Total IP Length = 145
+ Tcp: Flags=...AP..., SrcPort=Microsoft-DS(445), DstPort=49235, PayloadLen=105, Seq=820542776 - 820542881, Ack=2204023487, Win=510 (scale factor 0x8) = 130560
+ SMBOverTCP: Length = 101
- SMB2: R SESSION SETUP (0x1), SessionFlags=0x0
SMBIdentifier: SMB
+ SMB2Header: R SESSION SETUP (0x1),TID=0x0000, MID=0x0003, PID=0xFEFF, SID=0x0019
- RSessionSetup:
StructureSize: 9 (0x9)
+ SessionFlags: 0x0
SecurityBufferOffset: 72 (0x48)
SecurityBufferLength: 29 (0x1D)
- securityBlob:
- GSSAPI:
- NegotiationToken:
+ ChoiceTag:
- NegTokenResp:
+ SequenceHeader:
+ Tag0:
+ NegState: accept-completed (0)
+ Tag3:
+ OctetStringHeader:
+ MechListMic: Version: 1
Frame: Number = 17, Captured Frame Length = 763, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-05-B4-44],SourceAddress:[00-15-5D-05-B4-49]
+ Ipv4: Src = 10.10.10.20, Dest = 10.10.10.27, Next Protocol = TCP, Packet ID = 844, Total IP Length = 749
+ Tcp: Flags=...AP..., SrcPort=49231, DstPort=Microsoft-DS(445), PayloadLen=709, Seq=4045369997 - 4045370706, Ack=881301203, Win=32625 (scale factor 0x2) = 130500
+ SMBOverTCP: Length = 705
- SMB2: C SESSION SETUP (0x1)
SMBIdentifier: SMB
+ SMB2Header: C SESSION SETUP (0x1),TID=0x0000, MID=0x0003, PID=0xFEFF, SID=0x0021
- CSessionSetup:
StructureSize: 25 (0x19)
VcNumber: 0 (0x0)
+ SecurityMode: 1 (0x1)
+ Capabilities: 0x1
Channel: 0 (0x0)
SecurityBufferOffset: 88 (0x58)
SecurityBufferLength: 617 (0x269)
PreviousSessionId: 0 (0x0)
- securityBlob:
- GSSAPI:
- NegotiationToken:
+ ChoiceTag:
- NegTokenResp:
+ SequenceHeader:
+ Tag0:
+ NegState: accept-incomplete (1)
+ Tag2:
+ OctetStringHeader:
- ResponseToken: NTLM AUTHENTICATE MESSAGEVersion:v2, Domain: CORP01, User: Administrator, Workstation: CONTOSO-CLI-01
- NLMP: NTLM AUTHENTICATE MESSAGEVersion:v2, Domain: CORP01, User: Administrator, Workstation: CONTOSO-CLI-01
Signature: NTLMSSP
MessageType: Authenticate Message (0x00000003)
+ LmChallengeResponseFields: Length: 24, Offset: 154
+ NtChallengeResponseFields: Length: 382, Offset: 178
+ DomainNameFields: Length: 12, Offset: 88
+ UserNameFields: Length: 26, Offset: 100
+ WorkstationFields: Length: 28, Offset: 126
+ EncryptedRandomSessionKeyFields: Length: 16, Offset: 560
+ NegotiateFlags: 0xE2888215 (NTLM v2128-bit encryption, Always Sign)
+ Version: Windows 6.1 Build 7601 NLMPv15
+ MessageIntegrityCheck: 2B69C069DD922D4A841D0EC43939DF0F
DomainNameString: CORP01
UserNameString: Administrator
WorkstationString: CONTOSO-CLI-01
+ LmChallengeResponseStruct: 000000000000000000000000000000000000000000000000
+ NTLMV2ChallengeResponse: CD22D7CC09140E02C3D8A5AB623899A8
+ SessionKeyString: AF31EDFAAF8F38D1900D7FBBDCB43760
+ Tag3:
+ OctetStringHeader:
+ MechListMic: Version: 1
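The two "Frame 17" captures above differ in exactly the fields a defender uses to tell NTLMv1 from NTLMv2 on the wire: a 24-byte NtChallengeResponse (v1, here with an 8-byte nonce plus zero padding in the LM field, i.e. extended session security) versus a 382-byte NTLMv2_RESPONSE with a MessageIntegrityCheck. The following is an added example, not code from the page or from Microsoft: it builds a constructed NTLM AUTHENTICATE_MESSAGE with the same names, flags and payload order as the capture (response bytes are filler, labelled as such) and parses it back the way Netmon does, using the MS-NLMP field layout and a subset of the NegotiateFlags bit names.

```python
import struct

# Added example, not code from the page: build a constructed NTLM AUTHENTICATE_MESSAGE
# (MS-NLMP 2.2.1.3) and parse it back, classifying it as NTLMv1 or NTLMv2 from the same
# fields Netmon decodes above. Each *Fields descriptor is Len(u16) MaxLen(u16) Offset(u32), LE.
HEADER_LEN = 88  # Signature 8 + MessageType 4 + six descriptors 48 + Flags 4 + Version 8 + MIC 16

# Subset of NegotiateFlags bits (MS-NLMP 2.2.2.5), bit value -> short name.
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN", 0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY", 0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH", 0x80000000: "NEGOTIATE_56",
}
FLAG_ESS = 0x00080000
FIELD_ORDER = ("lm", "nt", "domain", "user", "workstation", "key")  # descriptor order in the header


def flag_names(flags):
    """Names of the known bits set in a NegotiateFlags value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def build_authenticate(domain, user, workstation, lm_response, nt_response, flags,
                       session_key=bytes(16), mic=bytes(16)):
    """Assemble a message whose payload order (Domain, User, Workstation, Lm, Nt, Key)
    matches the offsets shown in the captures above."""
    payload_order = [("domain", domain.encode("utf-16-le")), ("user", user.encode("utf-16-le")),
                     ("workstation", workstation.encode("utf-16-le")), ("lm", lm_response),
                     ("nt", nt_response), ("key", session_key)]
    payload, desc = b"", {}
    for name, data in payload_order:
        desc[name] = struct.pack("<HHI", len(data), len(data), HEADER_LEN + len(payload))
        payload += data
    header = (b"NTLMSSP\x00" + struct.pack("<I", 3) + b"".join(desc[n] for n in FIELD_ORDER)
              + struct.pack("<I", flags) + bytes(8) + mic)
    return header + payload


def parse_authenticate(msg):
    """Decode the header, bounds-check every descriptor, classify v1 vs v2."""
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected AUTHENTICATE_MESSAGE (3), got %d" % msg_type)
    offsets, fields = {}, {}
    for i, name in enumerate(FIELD_ORDER):
        length, _maxlen, off = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if off + length > len(msg):
            raise ValueError("%s field runs past the end of the message" % name)
        offsets[name] = (length, off)
        fields[name] = msg[off:off + length]
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Older clients omit the Version/MIC area: the MIC is only there if no payload
    # field starts before offset 88.
    first_payload = min((off for length, off in offsets.values() if length), default=HEADER_LEN)
    mic_present = first_payload >= HEADER_LEN and msg[72:88] != bytes(16)
    nt, lm = fields["nt"], fields["lm"]
    # MS-NLMP: an NTLMv1 NtChallengeResponse is exactly 24 bytes; NTLMv2 carries an
    # NTLMv2_RESPONSE (16-byte NTProofStr plus a client-challenge blob), so it is longer.
    version = "NTLMv1" if len(nt) == 24 else "NTLMv2" if len(nt) > 24 else "none"
    # NTLMv1 with extended session security: LM field is an 8-byte nonce + 16 zero bytes,
    # which is what the first Frame 17 above shows in LmChallengeResponseStruct.
    ess = version == "NTLMv1" and bool(flags & FLAG_ESS) and len(lm) == 24 and lm[8:] == bytes(16)
    return {"domain": fields["domain"].decode("utf-16-le"),
            "user": fields["user"].decode("utf-16-le"),
            "workstation": fields["workstation"].decode("utf-16-le"),
            "flags": flags, "flag_names": flag_names(flags), "offsets": offsets,
            "version": version, "extended_session_security": ess, "mic_present": mic_present}


# Constructed samples: names and flags copied from the capture, response bytes are filler.
PAGE_FLAGS = 0xE2888215
SAMPLE_V1 = build_authenticate("CORP01", "Administrator", "CONTOSO-CLI-01",
                               lm_response=bytes(range(8)) + bytes(16),  # nonce + zeros
                               nt_response=bytes(range(24)), flags=PAGE_FLAGS)
SAMPLE_V2 = build_authenticate("CORP01", "Administrator", "CONTOSO-CLI-01",
                               lm_response=bytes(24), nt_response=bytes(range(16)) + bytes(64),
                               flags=PAGE_FLAGS, mic=bytes(range(16)))

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        info = parse_authenticate(sample)
        print(info["version"], info["domain"], info["user"], info["workstation"],
              "ESS" if info["extended_session_security"] else "",
              "MIC" if info["mic_present"] else "no MIC",
              "NtChallengeResponse (len, off):", info["offsets"]["nt"])
        print("  flags:", ", ".join(info["flag_names"]))
```

With the page's strings the builder reproduces the capture's layout exactly (DomainName at offset 88, UserName at 100, Workstation at 126, Lm at 154, Nt at 178), so the parser's `offsets` dict can be compared line by line with the Netmon output. The v1/v2 decision rests on the NtChallengeResponse length alone; the ESS and MIC checks are the extra signals an auditor looks at when deciding which clients still need NTLMv1 before enabling the LmCompatibilityLevel or NTLM blocking policies.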
Nltest /dbflag:2080ffff
net stop NetLogon
net start NetLogon
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value Name: MaximumLogFileSize
Value Type: REG_DWORD
Value Data: <maximum log file size in bytes>
\Computer Configuration\Administrative Templates\System\Net Logon\Maximum Log File Size
REM Sample script to copy the netlogon.bak to a netlogon_DATETIME_COMPUTERNAME.log backup file every 5 minutes
REM Netlogon renames a full netlogon.log to netlogon.bak and starts a fresh log, so only one
REM older generation survives unless something copies netlogon.bak away before the next rollover.
:start
if exist %windir%\debug\netlogon.bak goto copylog
:copylog_return
REM sleep.exe ships with the Windows Resource Kit; on a stock system use: timeout /t 300 /nobreak >nul
sleep 300
goto start
:copylog
REM Build a DATETIME stamp from %DATE% and %TIME%; the token layout depends on the locale's date/time format
for /f "tokens=1-7 delims=/:., " %%a in ("%DATE% %TIME%") do (set DATETIME=%%a-%%b-%%c_%%d-%%e-%%f)
copy /v %windir%\debug\netlogon.bak %windir%\debug\netlogon_%DATETIME%_%COMPUTERNAME%.log
REM Delete the .bak only if the verified copy succeeded
if %ERRORLEVEL% EQU 0 del %windir%\debug\netlogon.bak
goto copylog_return
Logparser.exe "SELECT TO_UPPERCASE(EXTRACT_SUFFIX(TEXT,0,'returns ')) AS ERR, TO_UPPERCASE (extract_prefix(extract_suffix(TEXT, 0, 'NetrLogonUasLogon of '), 0, 'from ')) as USER, TO_UPPERCASE (extract_prefix(extract_suffix(TEXT, 0, 'from '), 0, 'returns ')) as WORKSTATION, COUNT(*) FROM '*netlogon.*' WHERE INDEX_OF(TO_UPPERCASE (TEXT),'LOGON') >0 AND INDEX_OF(TO_UPPERCASE(TEXT),'RETURNS') >0 AND INDEX_OF(TO_UPPERCASE(TEXT),'NETRLOGONUASLOGON') >0 GROUP BY ERR, USER, WORKSTATION ORDER BY COUNT(*) DESC" -i:TEXTLINE -rtp:-1 >UASLOGON_USER_BY_WORKSTATION.txt
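The LogParser query above boils down to three steps: keep only NetrLogonUasLogon result lines, pull out the user, workstation and return code with string prefix/suffix extraction, and count by those three columns. The following is an added example, not the page's or Microsoft's code, that performs the same aggregation in Python for a host without LogParser. The sample log lines are constructed so that they carry the three tokens the query extracts ("NetrLogonUasLogon of USER from WORKSTATION returns ERR"); the timestamp and thread-id prefix is an assumption about netlogon.log layout, not something the page shows, and the matching here is case-insensitive throughout.

```python
import glob
import re
from collections import Counter

# Added example, not the page's code: reproduces the LogParser query above in Python.
# SAMPLE_LOG is CONSTRUCTED to carry the three tokens the query extracts
# ("NetrLogonUasLogon of USER from WORKSTATION returns ERR"); the timestamp/thread prefix
# is an assumed netlogon.log layout. 0xC000006A = STATUS_WRONG_PASSWORD,
# 0xC0000064 = STATUS_NO_SUCH_USER. The last line is a SamLogon entry the query must skip.
SAMPLE_LOG = """\
04/21 09:13:44 [LOGON] [2456] CORP01: NetrLogonUasLogon of Administrator from CONTOSO-CLI-01 returns 0x0
04/21 09:13:45 [LOGON] [2456] CORP01: NetrLogonUasLogon of Administrator from CONTOSO-CLI-01 returns 0x0
04/21 09:14:02 [LOGON] [2460] CORP01: NetrLogonUasLogon of administrator from contoso-cli-01 returns 0x0
04/21 09:15:10 [LOGON] [2461] CORP01: NetrLogonUasLogon of svc_backup from FILESRV02 returns 0xC000006A
04/21 09:15:11 [LOGON] [2461] CORP01: NetrLogonUasLogon of svc_backup from FILESRV02 returns 0xC000006A
04/21 09:16:30 [LOGON] [2470] CORP01: NetrLogonUasLogon of jdoe from WS-0451 returns 0xC0000064
04/21 09:16:31 [LOGON] [2470] CORP01: SamLogon: Network logon of CORP01\\jdoe from WS-0451 (via FILESRV02) Returns 0x0
"""

# Same three delimiters the query feeds to EXTRACT_PREFIX/EXTRACT_SUFFIX.
UAS_LOGON = re.compile(
    r"NetrLogonUasLogon of (?P<user>.+?) from (?P<workstation>.+?) returns (?P<err>\S+)",
    re.IGNORECASE)


def parse_line(line):
    """Return (ERR, USER, WORKSTATION) upper-cased, as the query's TO_UPPERCASE does
    (so '0x0' becomes '0X0'), or None for lines that are not NetrLogonUasLogon results."""
    m = UAS_LOGON.search(line)
    if not m:
        return None
    return (m.group("err").upper(), m.group("user").upper(), m.group("workstation").upper())


def aggregate(lines):
    """GROUP BY ERR, USER, WORKSTATION ORDER BY COUNT(*) DESC, as a list of
    (err, user, workstation, count) tuples; ties are broken by key for stable output."""
    counts = Counter(key for key in map(parse_line, lines) if key)
    return [(*key, n) for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def aggregate_files(pattern="*netlogon.*"):
    """Aggregate across every rotated log matching the same glob the query uses."""
    def all_lines():
        for path in sorted(glob.glob(pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield from fh
    return aggregate(all_lines())


def format_report(rows):
    """Plain-text table in the column order of the LogParser output."""
    out = ["%-12s %-20s %-20s %s" % ("ERR", "USER", "WORKSTATION", "COUNT")]
    out += ["%-12s %-20s %-20s %d" % row for row in rows]
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(aggregate(SAMPLE_LOG.splitlines())))
```

Run from the %windir%\debug directory (or wherever the rotation script above deposits the netlogon_*.log copies) and call `aggregate_files()` to get the same ERR/USER/WORKSTATION counts the query writes to UASLOGON_USER_BY_WORKSTATION.txt; the workstation column is what identifies the hosts still sending NTLMv1 so they can be fixed before NTLMv1 is turned off.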