Message Analyzer

As interoperability relies mainly on the network interaction between systems and services, it is of the utmost importance to have tools handy that can help analyze and understand the traffic generated as a consequence of such interaction. In recent years we have seen Microsoft shaping its historic tool “Network Monitor” into a more advanced kit that has become very useful…


GUIDs and Endianness: {Endi-an-ne-ssInGUID} OR idnE-na-en-ssInGUID?

Hi all! I have recently received a couple of inquiries regarding the way in which GUIDs are represented, how they are stored, how they are transferred over the wire and how endianness impacts them, so I decided to post a little blog entry to share a couple of details and examples. GUIDs are described in [MS-DTYP] Section 2.3.4 and…


[MS-RDPEUDP] : Glance at TLS/DTLS handshake packets.

MS-RDPEUDP is a new protocol in RDP8 and operates in 2 modes: Reliable (RDP-UDP-R) and Best Efforts “Loss” (RDP-UDP-L). RDPEUDP is preferred by default if both endpoints are RDP8 capable; however, this can be changed through Group Policy (on the client side, under Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote…


Extracting a PowerPoint VBA Macro

Abstract: This post of my blog responds to a request by a customer to find and extract a VBA macro in a PowerPoint file, specifically one stored in the older binary file format, also known to many as BFF. Introduction: This post will take you through steps outlined in [MS-PPT] “PowerPoint (.ppt) Binary File Format”…


RDPESC parser modification

Hello world! I’ve decided to write this entry to talk about two intertwined subjects: – The published RDPESC parser needs a little tweak in order to function properly – That tweak is a real-life example of how to modify an existing Netmon parser. My goal is not to rewrite the [MS-RDPESC] document in this publication, so I’ll be assuming that…


PowerShell script for finding Microsoft Office legacy files

Referenced documents: [MS-CFB]: Compound File Binary File Format; [MS-OLEPS]: Object Linking and Embedding (OLE) Property Set Data Structures; Windows PowerShell Cookbook, 3rd edition, by Lee Holmes. NOTE: Questions and comments are welcome. However, please DO NOT post a comment using the comment tool at the end of this post. Instead, post a new thread in the Open Specifications…


SMB 2.x and SMB 3.0 Timeouts in Windows

This blog talks about common timeouts for SMB dialects 2.x and 3.0 [MS-SMB2] in Windows. It also covers the continuous availability timeout, witness keep-alive [MS-SWN], and some SMB Direct timers [MS-SMBD]. The behaviors are generally version-specific and therefore may change in future Windows releases or fixes. A previous blog discusses “CIFS and SMB Timeouts in Windows”: …


NTLM and Channel Binding Hash (aka Extended Protection for Authentication)

Extended Protection for Authentication (EPA) was introduced in Windows 7/WS2008R2 to thwart reflection attacks. This blog describes the changes in the implementation of NTLM authentication that are needed to successfully authenticate to servers that have EPA enabled. Windows 7/WS2008R2 and Windows 8/WS2012 have EPA enabled out of the box. You can read the…


CIFS and SMB Timeouts in Windows

This blog gives a consolidated overview of the most common SMB timeouts in Windows and their behaviors. Some of these legacy timeouts or timers are optional, implementation-specific, and not defined or not required by the protocol specifications. Let’s recall that MS-CIFS documents the protocol implemented in Windows NT and Windows 98, whereas MS-SMB describes the…


Rich Text Format (RTF) and Watermarks

Seldom is the question asked, “Is there an RTF directive that can be used to add watermarks in RTF documents?” One day recently this question found me, and after delving into the world of the Rich Text Format (RTF) specification you may in turn be interested in what I found, which includes a new…