Mystery AFS/Kerberos packet
John Hascall
john at iastate.edu
Fri Jan 23 09:35:14 EST 2004
>6303373b766d61124537XXXXXXXX0000494153544154452e4544550067710e403f6166730000
c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U . g q . @ ? a f s . .
> I'm not sure, but the tail bit of it looks like part of a krb4 initial
> ticket request by "user" for "afs at IASTATE.EDU", with lifetime 5 hours
> 15 minutes, around 21 January 2004 (assuming little-endian).
Yes, I've been convinced that this is a valid V4 packet whose
first two bytes (04 03) were somehow corrupted with 10 garbage
bytes (63 03 37 3b 76 6d 61 12 45 37) and I went off on a wrong
tangent upon seeing the 0x6X first byte). At this point, I'm going
to assume the user has either munged hardware or DLLs.
It's really quite interesting to dump out rejected packets,
you see some fascinating crap, here's another:
<04><03>__vmware_user__D2521F2GPKdgDby9P77qlo_w*glhuA3un*!sh!<00><00>IASTATE.EDU<00>^HN<0e>@?afs<00><00
(a 53 character principal name is too long for k4)
(curious how both of these invalid packets used '?', 5h15m, for the lifetime).
John
More information about the Kerberos
mailing list