
4.7 TRANS_TRANSACT_NMPIPE

The following example illustrates how the TRANS_TRANSACT_NMPIPE is used.


Figure 9: Named pipe request sequence

The first frame contains the NT_CREATE_ANDX request to the named pipe. The TRANS_TRANSACT_NMPIPE is then issued against the file ID assigned in the NT_CREATE_ANDX response.

NT_CREATE_ANDX

Client -> Server: SMB: C NT Create Andx, Dialect = NTLM 0.12
        SMB: Tree ID      (Tid) = 2048 (0x800)
        SMB: Process ID   (Pid) = 2292 (0x8F4)
        SMB: User ID      (Uid) = 2048 (0x800)
        SMB: Multiplex ID (Mid) = 4048 (0xFD0)
SMB: Command = C NT create & X
        SMB: Desired Access = 0x0002019F
            SMB: ...............................1 = Read Data Allowed
            SMB: ..............................1. = Write Data Allowed
            SMB: .............................1.. = Append Data Allowed
            SMB: ............................1... = Read EA Allowed
            SMB: ...........................1.... = Write EA Allowed
            SMB: ..........................0..... = File Execute Denied
            SMB: .........................0...... = File Delete Denied
            SMB: ........................1....... = File Read Attributes Allowed
            SMB: .......................1........ = File Write Attributes Allowed
        SMB: NT File Attributes = 0x00000000
            SMB: ...............................0 = Not Read Only
            SMB: ..............................0. = Not Hidden
            SMB: .............................0.. = Not System
            SMB: ...........................0.... = Not Directory
            SMB: ..........................0..... = Not Archive
            SMB: .........................0...... = Not Device
            SMB: ........................0....... = Not Normal
            SMB: .......................0........ = Not Temporary
            SMB: ......................0......... = Not Sparse File
            SMB: .....................0.......... = Not Reparse Point
            SMB: ....................0........... = Not Compressed
            SMB: ...................0............ = Not Offline
            SMB: ..................0............. = CONTENT_INDEXED
            SMB: .................0.............. = Not Encrypted
        SMB: File Share Access = 0x00000003
            SMB: ...............................1 = Read allowed
            SMB: ..............................1. = Write allowed
            SMB: .............................0.. = Delete not allowed

        SMB: Create Disposition = Open:  If exist, Open, else fail
        SMB: Create Options = 4194368 (0x400040)
            SMB: ...............................0 = non-directory
            SMB: ..............................0. = non-write through
            SMB: .............................0.. = non-sequential writing allowed
            SMB: ............................0... = intermediate buffering allowed
            SMB: ...........................0.... = IO alerts bits not set
            SMB: ..........................0..... = IO non-alerts bit not set
            SMB: .........................1...... = Operation is on a non-directory file
            SMB: ........................0....... = tree connect bit not set
            SMB: .......................0........ = complete if oplocked bit is not set
            SMB: ......................0......... = no EA knowledge bit is not set
            SMB: .....................0.......... = 8.3 filenames bit is not set
            SMB: ....................0........... = random access bit is not set
            SMB: ...................0............ = delete on close bit is not set
            SMB: ..................0............. = open by filename
            SMB: .................0.............. = open for backup bit not set

        SMB: File name =\srvsvc

NT_CREATE_ANDX Response

Server -> Client: SMB: R NT Create Andx, Dialect = NTLM 0.12
        SMB: Tree ID      (Tid) = 2048 (0x800)
        SMB: Process ID   (Pid) = 2292 (0x8F4)
        SMB: User ID      (Uid) = 2048 (0x800)
        SMB: Multiplex ID (Mid) = 4048 (0xFD0)
SMB: Command = R NT create & X
        SMB: Oplock Level = NONE
        SMB: File ID (Fid) = 16385 (0x4001)

        SMB: NT File Attributes = 0x00000080
            SMB: ...............................0 = Not Read Only
            SMB: ..............................0. = Not Hidden
            SMB: .............................0.. = Not System
            SMB: ...........................0.... = Not Directory
            SMB: ..........................0..... = Not Archive
            SMB: .........................0...... = Not Device
            SMB: ........................1....... = Normal
            SMB: .......................0........ = Not Temporary
            SMB: ......................0......... = Not Sparse File
            SMB: .....................0.......... = Not Reparse Point
            SMB: ....................0........... = Not Compressed
            SMB: ...................0............ = Not Offline
            SMB: ..................0............. = CONTENT_INDEXED
            SMB: .................0.............. = Not Encrypted
        SMB: File type = Message mode named pipe

SMB_COM_TRANSACTION Request

Client -> Server: SMB: C transact TransactNmPipe, Dialect = NTLM 0.12
        SMB: Tree ID      (Tid) = 2048 (0x800)
        SMB: Process ID   (Pid) = 2292 (0x8F4)
        SMB: User ID      (Uid) = 2048 (0x800)
        SMB: Multiplex ID (Mid) = 4096 (0x1000) 
SMB: Command = C transact
        SMB: Data bytes = 76 (0x4C)
        SMB: Data offset = 84 (0x54)
        SMB: Setup words
        SMB: Pipe function = Transact named pipe (TransactNmPipe)
        SMB: File ID (Fid) = 16385 (0x4001)
Data = 00 90 27 66 6D BE 00 90 27 D0 C4 6F 08 00 45 00   ……

SMB_COM_TRANSACTION Response

Server -> Client: SMB: R transact TransactNmPipe, Dialect = NTLM 0.12
        SMB: Tree ID      (Tid) = 2048 (0x800)
        SMB: Process ID   (Pid) = 2292 (0x8F4)
        SMB: User ID      (Uid) = 2048 (0x800)
        SMB: Multiplex ID (Mid) = 4096 (0x1000)
SMB: Command = R transact
        SMB: Data bytes = 120 (0x78)
        SMB: Data offset = 56 (0x38)

DATA = 00 90 27 D0 C4 6F 00 90 27 66 6D BE 08 00 45 00 ….

SMB_COM_CLOSE Request

Client -> Server: SMB: C Close, Dialect = NTLM 0.12
        SMB: Tree ID      (Tid) = 2048 (0x800)
        SMB: Process ID   (Pid) = 65279 (0xFEFF)
        SMB: User ID      (Uid) = 2048 (0x800)
        SMB: Multiplex ID (Mid) = 4112 (0x1010)
SMB: Command = C Close
        SMB: File ID (Fid) = 16385 (0x4001)

SMB_COM_CLOSE Response

Server -> Client: SMB: R Close, Dialect = NTLM 0.12
  SMB: Tree ID      (Tid) = 2048 (0x800)
  SMB: Process ID   (Pid) = 65279 (0xFEFF)
  SMB: User ID      (Uid) = 2048 (0x800)
  SMB: Multiplex ID (Mid) = 4112 (0x1010)
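
The sequence above names the pipe only in the NT_CREATE_ANDX request; the transaction carries just the Fid. The following added example (not part of the original specification text) shows how a network monitor can attribute each TRANS_TRANSACT_NMPIPE request to a pipe name by tracking that Fid. The frame dictionaries and the function names frame and track_pipe_transactions are hypothetical, and all frames are assumed to come from one SMB connection.

```python
# Constructed summaries of the six frames above (header values copied from the trace).
def frame(direction, cmd, mid, pid=0x8F4, **extra):
    return {"dir": direction, "cmd": cmd, "tid": 0x800, "pid": pid,
            "uid": 0x800, "mid": mid, **extra}

FRAMES = [
    frame("C", "NT_CREATE_ANDX", 0xFD0, name="\\srvsvc"),
    frame("R", "NT_CREATE_ANDX", 0xFD0, fid=0x4001),
    frame("C", "TRANS_TRANSACT_NMPIPE", 0x1000, fid=0x4001),
    frame("R", "TRANS_TRANSACT_NMPIPE", 0x1000),
    frame("C", "CLOSE", 0x1010, pid=0xFEFF, fid=0x4001),
    frame("R", "CLOSE", 0x1010, pid=0xFEFF),
]

def track_pipe_transactions(frames):
    """Attribute each TRANS_TRANSACT_NMPIPE request to the pipe its Fid was opened on.

    Returns (events, anomalies); frames are assumed to come from one SMB connection.
    """
    pending = {}  # (tid, pid, uid, mid) of a create request -> requested pipe name
    opens = {}    # Fid from the create response -> pipe name
    events, anomalies = [], []
    for f in frames:
        key = (f["tid"], f["pid"], f["uid"], f["mid"])
        if f["cmd"] == "NT_CREATE_ANDX" and f["dir"] == "C":
            pending[key] = f["name"]
        elif f["cmd"] == "NT_CREATE_ANDX" and key in pending and "fid" in f:
            # The response echoes Tid/Pid/Uid/Mid; that is how the Fid gets its name.
            opens[f["fid"]] = pending.pop(key)
        elif f["cmd"] == "TRANS_TRANSACT_NMPIPE" and f["dir"] == "C":
            if f["fid"] in opens:
                events.append((opens[f["fid"]], f["fid"], f["mid"]))
            else:
                anomalies.append(("transact on Fid with no tracked open", f["fid"], f["mid"]))
        elif f["cmd"] == "CLOSE" and f["dir"] == "C":
            # Keyed by Fid only: the Close above carries Pid 0xFEFF, not 0x8F4.
            # Simplification: the open is dropped on the request, not on a successful response.
            opens.pop(f["fid"], None)
    return events, anomalies

if __name__ == "__main__":
    print(track_pipe_transactions(FRAMES))
```
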
 