Browsing all 37 articles

Encryption in SMB3

SMB3 will debut in the upcoming version of Windows 8. This is a significant update from the last version (SMB2.1) and a host of new features are being introduced in this release. An important one among...

MS-FSU: A look from the Windows interface

It is not unusual for our group to receive a question regarding Constrained Delegation and Protocol Transition. Even though the document (MS-SFU) does a great job in detailing the specification, not...

SMB3 Secure Dialect Negotiation

This blog talks about secure dialect negotiation, one of the new SMB3 security enhancements in Windows Server 2012. Secure dialect negotiation is introduced in SMB3 to protect against man-in-the-middle...

Hitchhiker’s Guide to Debugging RDP protocols: Part 2

Hitchhiker’s Guide to Debugging RDP protocols: Part 2. NOTE: Questions and comments are welcome. However, please DO NOT post a comment using the comment tool at the end of this post. Instead, post a...

Encryption in SMB 3.0: A protocol perspective

Encryption is one of the new SMB 3.0 security enhancements in Windows Server 2012 RTM. It can be enabled on a per-share basis, or enforced for all shares on the server. SMB 3.0 uses AES-CCM [RFC5084]...

Unencrypted MS-EVEN6 Traffic

This blog entry is intended for readers interested in generating unencrypted MS-EVEN6 (http://msdn.microsoft.com/en-us/library/cc231282(v=PROT.13).aspx) protocol traffic. NOTE: Questions and comments...

Determining Office Binary File Format Types

Referenced Documents: MS-CFB, MS-OLEPS. If you need to programmatically determine the Office file type for a file and cannot rely on the file extension, you can use the following method. These files are...

How to manually decode an ActiveSync WBXML stream

Overview: ActiveSync requests and responses are sent as HTTP messages. In order to reduce the size of the messages, the body is encoded in a format known as WAP Binary XML. The information about...

Rich Text Format (RTF) and Watermarks

Seldom is the question asked, "Is there an RTF directive that can be used to add watermarks in RTF documents?" One day recently this question found me, and after delving into the world of the Rich Text...

CIFS and SMB Timeouts in Windows

This blog gives a consolidated overview of the most common SMB timeouts in Windows and their behaviors. Some of these legacy timeouts or timers are optional, implementation specific, not defined or not...

NTLM and Channel Binding Hash (aka Extended Protection for Authentication)

Extended Protection for Authentication (EPA) was introduced in Windows 7/WS2008R2 to thwart reflection attacks. This blog describes the changes in the implementation of NTLM Authentication that are...

SMB 2.x and SMB 3.0 Timeouts in Windows

This blog talks about common timeouts for SMB dialects 2.x and 3.0 [MS-SMB2] in Windows. It also covers continuous availability timeout, witness keep alive [MS-SWN], and some SMB-Direct timers...

PowerShell script for finding Microsoft Office legacy files

Referenced documents: [MS-CFB]: Compound File Binary File Format; [MS-OLEPS]: Object Linking and Embedding (OLE) Property Set Data Structures; Windows PowerShell Cookbook, 3rd edition, by Lee Holmes. NOTE:...

RDPESC parser modification

Hello world! I’ve decided to write this entry to talk about two intertwined subjects: - The published RDPESC parser needs a little tweak in order to function properly - That tweak is a real life example of...

Extracting a PowerPoint VBA Macro

Abstract: This post of my blog responds to a request by a customer to find and extract a VBA macro in a PowerPoint file, specifically one stored in the older binary file format, also known to many as...

[MS-RDPEUDP] : Glance at TLS/DTLS handshake packets.

MS-RDPEUDP is a new protocol in RDP8 and operates in 2 modes: Reliable (RDP-UDP-R) and Best Efforts “Loss” (RDP-UDP-L). RDPEUDP is preferred by default if both the endpoints are RDP8 capable, however,...

GUIDs and Endianness: {Endi-an-ne-ssInGUID} OR idnE-na-en-ssInGUID?

Hi all! I have recently received a couple of inquiries regarding the way in which GUIDs are represented, how they are stored, how they are transferred over the wire and how endianness impacts on them so I...

Message Analyzer

As interoperability relies mainly on the network interaction between systems and services, it is of the utmost importance to have tools handy that can help analyze and understand the traffic generated as...

Extended DFS referral for SMB 3

This blog talks about site-aware DFS referral introduced in Windows Server 2012. Extended DFS referrals provide remote client computers with optimal DFS referrals when the computers connect to the...

MS-PST - Parsing a Heap-on-Node Property Context Block

Summary: This blog will use the sample Heap-on-Node (HN) from section 3.8 of MS-PST and walk through the process of how to read a property from it. The current version of the MS-PST open specification...
