ra/radump - Decoding of NetBIOS user data
elof2 at sentor.se
Tue Jul 2 11:14:02 EDT 2013
I moved this thread into my other email.
That is a good question. Why!? In the RFC I didn't find the why but an
explanation of the how:
RFC 1001 March 1987

14.1. FIRST LEVEL ENCODING

The first level representation consists of two parts:
- NetBIOS name
- NetBIOS scope identifier

The 16 byte NetBIOS name is mapped into a 32 byte wide field using a
reversible, half-ASCII, biased encoding. Each half-octet of the
NetBIOS name is encoded into one byte of the 32 byte field. The
first half octet is encoded into the first byte, the second half-octet
into the second byte, etc.

Each 4-bit, half-octet of the NetBIOS name is treated as an 8-bit,
right-adjusted, zero-filled binary number. This number is added to
value of the ASCII character 'A' (hexadecimal 41). The resulting 8-bit
number is stored in the appropriate byte. The following diagram
demonstrates this procedure:
<snip>
Could it be something with the NBT protocol being designed to run on all
kinds of architectures back in the 1980s, when systems often had 7-bit
limits?
/Elof
On Tue, 2 Jul 2013, Carter Bullard wrote:
> Hey Elof2,
> I usually don't want to support sheer stupidity,..., isn't this one
> of those cases? We have a number of "printer"s for ra user data,
> we can define a printer that does what you want. Are there other
> protocols that have their own encodings?
>
> While I see a conversion path, what is this ? Why on earth did they
> do it this way?
>
> Carter
>
> On Jul 2, 2013, at 8:03 AM, elof2 at sentor.se wrote:
>
>>
>> Hi Carter!
>>
>> I have a request:
>>
>> It would be nice if ra and/or radump could decode NetBIOS name strings (half-ASCII) found in the user data.
>>
>>
>> Example:
>> ra -nr argus.log -s saddr sport dir daddr dport suser:120 - port 137
>> 10.2.3.4.137 -> 10.2.3.255.137 s[120]=............ FHFAEBEECACACACACACACACACACACAAA.. .............. FHFAEBEECACACACACACACACACACACAAA.. .............. FHFAEBE
>>
>> Instead I'd like ra to decode this and show:
>>
>> 10.2.3.4.137 -> 10.2.3.255.137 s[120]~=............ WPAD AA.. .............. WPAD AA.. .............. WPA.
>>
>> See http://support.microsoft.com/kb/194203 for a static conversion table.
>> FH = W
>> FA = P
>> EB = A
>> EE = D
>> ...and so on...
>>
>>
>> Apparently the host 10.2.3.4.137 is called "WPAD".
>> This identity information is what I'm looking for.
>>
>>
>> Suggestion:
>> If ra has converted the user data in any way, this could be indicated by adding a ~ in front of the = like this: s[120]~=XXXXXXXXXXXXXXXXXX
>>
>>
>> I know that ra already has code to manipulate the user data, replacing clear text passwords with "xxxxxxxx". This code section could be expanded with a function to decode NetBIOS names.
>>
>>
>>
>> ...and/or make radump able to display the NetBIOS name string. The above is only translated into:
>> s[46]="NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST"
>> I don't see the name "WPAD" there. :-/
>>
>> /Elof
>>
>
>
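The first-level encoding quoted above, and the decoder Elof asks ra/radump for, worked through as an added example. This is not argus code and not part of the original thread: the function names, the constructed NBNS query bytes, the constructed user-data line and the small suffix table (well-known NetBIOS service suffixes, not taken from the post) are all assumptions of this example. Unlike the mockup in the post, which leaves the trailing "AA" as-is, the decoder treats the 16th byte as the RFC's suffix byte and prints it as <00> after the name.

```python
import re

# RFC 1001 section 14.1: each nibble of the 16-byte NetBIOS name is added to
# ord('A'), so the wire form is 32 characters in the range 'A'..'P'.
ENCODED_LEN = 32
NAME_LEN = 16

# Well-known meanings of the 16th (suffix) byte; assumed table, not from the post.
SUFFIXES = {
    0x00: "workstation", 0x03: "messenger", 0x20: "file server",
    0x1B: "domain master browser", 0x1C: "domain controllers",
    0x1D: "master browser", 0x1E: "browser elections",
}


def decode_netbios_name(encoded: str):
    """Decode a 32-char half-ASCII name into (name, suffix_byte).

    The name is the first 15 bytes with the space padding stripped; the
    suffix is the 16th byte as an int. Malformed input raises ValueError.
    """
    if len(encoded) != ENCODED_LEN:
        raise ValueError(f"expected {ENCODED_LEN} chars, got {len(encoded)}")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = ord(hi) - ord("A"), ord(lo) - ord("A")
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError(f"invalid half-ASCII pair {hi + lo!r}")
        raw.append((h << 4) | l)
    name, suffix = raw[: NAME_LEN - 1], raw[NAME_LEN - 1]
    return name.decode("latin-1").rstrip(" "), suffix


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """Inverse of decode_netbios_name: pad to 15 bytes, append the suffix, split nibbles."""
    if len(name) > NAME_LEN - 1:
        raise ValueError("a NetBIOS name is at most 15 bytes")
    raw = name.encode("latin-1").ljust(NAME_LEN - 1, b" ") + bytes([suffix & 0xFF])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def parse_nbns_query_name(payload: bytes):
    """Parse the question name of an NBNS (UDP/137) packet: 12-byte header,
    then second-level encoding (RFC 1001 14.2): a 0x20 length byte, the 32-char
    name label, optional scope labels, and a 0x00 terminator.
    Returns (name, suffix_byte, scope)."""
    if len(payload) < 12 + 1 + ENCODED_LEN + 1:
        raise ValueError("payload too short for an NBNS question")
    pos = 12
    if payload[pos] != ENCODED_LEN:
        raise ValueError(f"first label length {payload[pos]:#x}, expected 0x20")
    encoded = payload[pos + 1 : pos + 1 + ENCODED_LEN].decode("ascii")
    pos += 1 + ENCODED_LEN
    scope = []
    while pos < len(payload) and payload[pos] != 0:  # scope labels, if any
        length = payload[pos]
        scope.append(payload[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos >= len(payload):
        raise ValueError("question name not terminated")
    name, suffix = decode_netbios_name(encoded)
    return name, suffix, ".".join(scope)


# Printable user data as ra -s suser shows it: a run of 32 letters in 'A'..'P'.
# The 0x20 length byte in front of it prints as a space.
_ENCODED_RE = re.compile(r"[A-P]{32}")


def decode_user_data(line: str) -> str:
    """Rewrite a ra user-data line so each encoded name reads NAME<suffix>,
    and mark the field as converted by turning "]=" into "]~=" (the post's suggestion)."""
    def repl(m):
        name, suffix = decode_netbios_name(m.group(0))
        return f"{name}<{suffix:02x}>"

    decoded, n = _ENCODED_RE.subn(repl, line)
    if n:
        decoded = decoded.replace("]=", "]~=", 1)
    return decoded


# Constructed sample: an NBNS name query for WPAD<00> (transaction id 0x1234,
# flags 0x0110 = query/broadcast/recursion desired, one question, QTYPE NB, QCLASS IN).
SAMPLE_NBNS_QUERY = (
    b"\x12\x34\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
    + b"\x20" + b"FHFAEBEECACACACACACACACACACACAAA" + b"\x00"
    + b"\x00\x20\x00\x01"
)
# Constructed ra output line modelled on the one in the post.
SAMPLE_USER_DATA = "s[120]=............ FHFAEBEECACACACACACACACACACACAAA.. .............."

if __name__ == "__main__":
    name, suffix, scope = parse_nbns_query_name(SAMPLE_NBNS_QUERY)
    print(name, f"<{suffix:02x}>", SUFFIXES.get(suffix, "unknown"), repr(scope))
    print(decode_user_data(SAMPLE_USER_DATA))
```

The suffix byte is worth keeping rather than discarding as padding: WPAD<00> is a workstation-name lookup, while the same letters with a 0x20 suffix would be a file-server lookup, and that distinction matters when you sort broadcast name queries on port 137 by what they were asking for.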