Frame 64: 211 bytes on wire (1688 bits), 211 bytes captured (1688 bits) on interface 0
  Interface id: 0 (\Device\NPF_{B2DBE326-03F4-48A2-B92A-A5CD7F8889BF})
    Interface name: \Device\NPF_{B2DBE326-03F4-48A2-B92A-A5CD7F8889BF}
  Encapsulation type: Ethernet (1)
  Arrival Time: Aug 17, 2018 16:34:35.129857000 Romance Daylight Time
  [Time shift for this packet: 0.000000000 seconds]
  Epoch Time: 1534516475.129857000 seconds
  [Time delta from previous captured frame: 0.000003000 seconds]
  [Time delta from previous displayed frame: 0.004945000 seconds]
  [Time since reference or first frame: 14.440333000 seconds]
  Frame Number: 64
  Frame Length: 211 bytes (1688 bits)
  Capture Length: 211 bytes (1688 bits)
  [Frame is marked: False]
  [Frame is ignored: False]
  [Protocols in frame: eth:ethertype:ip:tcp:kerberos]
  [Coloring Rule Name: TCP]
  [Coloring Rule String: tcp]
Ethernet II, Src: Microsof_32:ba:0b (00:15:5d:32:ba:0b), Dst: Microsof_32:ba:06 (00:15:5d:32:ba:06)
  Destination: Microsof_32:ba:06 (00:15:5d:32:ba:06)
    Address: Microsof_32:ba:06 (00:15:5d:32:ba:06)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Source: Microsof_32:ba:0b (00:15:5d:32:ba:0b)
    Address: Microsof_32:ba:0b (00:15:5d:32:ba:0b)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
  Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.0.104, Dst: 192.168.0.101
  0100 .... = Version: 4
  .... 0101 = Header Length: 20 bytes (5)
  Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    0000 00.. = Differentiated Services Codepoint: Default (0)
    .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
  Total Length: 197
  Identification: 0x10cc (4300)
  Flags: 0x4000, Don't fragment
    0... .... .... .... = Reserved bit: Not set
    .1.. .... .... .... = Don't fragment: Set
    ..0. .... .... .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment offset: 0
  Time to live: 128
  Protocol: TCP (6)
  Header checksum: 0x6749 [validation disabled]
  [Header checksum status: Unverified]
  Source: 192.168.0.104
  Destination: 192.168.0.101
Transmission Control Protocol, Src Port: 88, Dst Port: 49472, Seq: 1461, Ack: 1646, Len: 157
  Source Port: 88
  Destination Port: 49472
  [Stream index: 3]
  [TCP Segment Len: 157]
  Sequence number: 1461 (relative sequence number)
  [Next sequence number: 1618 (relative sequence number)]
  Acknowledgment number: 1646 (relative ack number)
  0101 .... = Header Length: 20 bytes (5)
  Flags: 0x018 (PSH, ACK)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set
    .... ...1 .... = Acknowledgment: Set
    .... .... 1... = Push: Set
    .... .... .0.. = Reset: Not set
    .... .... ..0. = Syn: Not set
    .... .... ...0 = Fin: Not set
    [TCP Flags: ·······AP···]
  Window size value: 1026
  [Calculated window size: 262656]
  [Window size scaling factor: 256]
  Checksum: 0xc4cd [unverified]
  [Checksum Status: Unverified]
  Urgent pointer: 0
  [SEQ/ACK analysis]
    [iRTT: 0.002847000 seconds]
    [Bytes in flight: 1617]
    [Bytes sent since last PSH flag: 1617]
  [Timestamps]
    [Time since first frame in this TCP stream: 0.007852000 seconds]
    [Time since previous frame in this TCP stream: 0.000003000 seconds]
  TCP payload (157 bytes)
  [PDU Size: 1617]
  TCP segment data (157 bytes)
[2 Reassembled TCP Segments (1617 bytes): #63(1460), #64(157)]
  [Frame: 63, payload: 0-1459 (1460 bytes)]
  [Frame: 64, payload: 1460-1616 (157 bytes)]
  [Segment count: 2]
  [Reassembled TCP length: 1617]
  [Reassembled TCP Data: 0000064d6d82064930820645a003020105a10302010da30c...]
Kerberos
  Record Mark: 1613 bytes
    0... .... .... .... .... .... .... .... = Reserved: Not set
    .000 0000 0000 0000 0000 0110 0100 1101 = Record Length: 1613
  tgs-rep
    pvno: 5
    msg-type: krb-tgs-rep (13)
    crealm: TEST.LOCAL
    cname
      name-type: kRB5-NT-PRINCIPAL (1)
      cname-string: 1 item
        CNameString: localadminuser
    ticket
      tkt-vno: 5
      realm: TEST.LOCAL
      sname
        name-type: kRB5-NT-SRV-INST (2)
        sname-string: 2 items
          SNameString: HTTP
          SNameString: monsite.test.local
      enc-part
        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
        kvno: 4
        cipher: df0b0ba8ccf7eaac34248e89681bb0fcc7677e58b9730648...
        encTicketPart
          Padding: 0
          flags: 40a10000 (forwardable, renewable, pre-authent, enc-pa-rep)
            0... .... = reserved: False
            .1.. .... = forwardable: True
            ..0. .... = forwarded: False
            ...0 .... = proxiable: False
            .... 0... = proxy: False
            .... .0.. = may-postdate: False
            .... ..0. = postdated: False
            .... ...0 = invalid: False
            1... .... = renewable: True
            .0.. .... = initial: False
            ..1. .... = pre-authent: True
            ...0 .... = hw-authent: False
            .... 0... = transited-policy-checked: False
            .... .0.. = ok-as-delegate: False
            .... ..0. = unused: False
            .... ...1 = enc-pa-rep: True
            0... .... = anonymous: False
          key
            keytype: 18
            keyvalue: d3d055bfed7fe15db7c10157ecb9e87b0cce14315f0eb157...
          crealm: TEST.LOCAL
          cname
            name-type: kRB5-NT-PRINCIPAL (1)
            cname-string: 1 item
              CNameString: localadminuser
          transited
            tr-type: 1
            contents:
          authtime: 2018-08-17 14:34:35 (UTC)
          starttime: 2018-08-17 14:34:35 (UTC)
          endtime: 2018-08-18 00:34:35 (UTC)
          renew-till: 2018-08-24 14:34:35 (UTC)
          authorization-data: 2 items
            AuthorizationData item
              ad-type: AD-IF-RELEVANT (1)
              ad-data: 3082030a30820306a00402020080a18202fc048202f80500...
                AuthorizationData item
                  ad-type: AD-Win2k-PAC (128)
                  ad-data: 050000000000000001000000f00100005800000000000000...
                    Num Entries: 5
                    Version: 0
                    Type: Logon Info (1)
                      Size: 496
                      Offset: 88
                      PAC_LOGON_INFO: 01100800cccccccce001000000000000000002006a5c0818...
                        MES header
                          Version: 1
                          DREP
                            Byte order: Little-endian (1)
                          HDR Length: 8
                          Fill bytes: 0xcccccccc
                          Blob Length: 480
                        PAC_LOGON_INFO:
                          Referent ID: 0x00020000
                          Logon Time: Aug 17, 2018 16:25:05.992202600 Romance Daylight Time
                          Logoff Time: Infinity (absolute time)
                          Kickoff Time: Infinity (absolute time)
                          PWD Last Set: Aug 16, 2018 14:13:10.300710200 Romance Daylight Time
                          PWD Can Change: Aug 17, 2018 14:13:10.300710200 Romance Daylight Time
                          PWD Must Change: Infinity (absolute time)
                          Acct Name: localadminuser
                            Length: 28
                            Size: 28
                            Character Array: localadminuser
                              Referent ID: 0x00020004
                              Max Count: 14
                              Offset: 0
                              Actual Count: 14
                              Acct Name: localadminuser
                          Full Name: localadminuser
                            Length: 28
                            Size: 28
                            Character Array: localadminuser
                              Referent ID: 0x00020008
                              Max Count: 14
                              Offset: 0
                              Actual Count: 14
                              Full Name: localadminuser
                          Logon Script
                            Length: 0
                            Size: 0
                            Character Array
                              Referent ID: 0x0002000c
                              Max Count: 0
                              Offset: 0
                              Actual Count: 0
                          Profile Path
                            Length: 0
                            Size: 0
                            Character Array
                              Referent ID: 0x00020010
                              Max Count: 0
                              Offset: 0
                              Actual Count: 0
                          Home Dir
                            Length: 0
                            Size: 0
                            Character Array
                              Referent ID: 0x00020014
                              Max Count: 0
                              Offset: 0
                              Actual Count: 0
                          Dir Drive
                            Length: 0
                            Size: 0
                            Character Array
                              Referent ID: 0x00020018
                              Max Count: 0
                              Offset: 0
                              Actual Count: 0
                          Logon Count: 42
                          Bad PW Count: 0
                          User RID: 1106
                          Group RID: 513
                          Num RIDs: 2
                          GROUP_MEMBERSHIP_ARRAY
                            Referent ID: 0x0002001c
                            Max Count: 2
                            GROUP_MEMBERSHIP:
                              Group RID: 1108
                              Attributes: 0x00000007
                                .... .... .... .... .... .... .... .1.. = Enabled: The enabled bit is SET
                                .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                            GROUP_MEMBERSHIP:
                              Group RID: 513
                              Attributes: 0x00000007
                                .... .... .... .... .... .... .... .1.. = Enabled: The enabled bit is SET
                                .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                          User Flags: 0x00000020
                            .... .... .... .... .... ..0. .... .... = Resource Groups: The resource_groups is NOT set
                            .... .... .... .... .... .... ..1. .... = Extra SIDs: The EXTRA_SIDS bit is SET
                          User Session Key: 00000000000000000000000000000000
                          Server: DC2016
                            Length: 12
                            Size: 14
                            Character Array: DC2016
                              Referent ID: 0x00020020
                              Max Count: 7
                              Offset: 0
                              Actual Count: 6
                              Server: DC2016
                          Domain: TESTLOCAL
                            Length: 18
                            Size: 20
                            Character Array: TESTLOCAL
                              Referent ID: 0x00020024
                              Max Count: 10
                              Offset: 0
                              Actual Count: 9
                              Domain: TESTLOCAL
                          SID pointer:
                            SID pointer
                              Referent ID: 0x00020028
                              Count: 4
                              Domain SID: S-1-5-21-3643611871-2386784019-710848469 (Domain SID)
                                Revision: 1
                                Num Auth: 4
                                Authority: 5
                                Subauthorities: 21-3643611871-2386784019-710848469
                          Dummy1 Long: 0x00000000
                          Dummy2 Long: 0x00000000
                          User Account Control: 0x00000210
                            .... .... .... ...0 .... .... .... .... = Don't Require PreAuth: This account REQUIRES preauthentication
                            .... .... .... .... 0... .... .... .... = Use DES Key Only: This account does NOT have to use_des_key_only
                            .... .... .... .... .0.. .... .... .... = Not Delegated: This might have been delegated
                            .... .... .... .... ..0. .... .... .... = Trusted For Delegation: This account is NOT trusted_for_delegation
                            .... .... .... .... ...0 .... .... .... = SmartCard Required: This account does NOT require_smartcard to authenticate
                            .... .... .... .... .... 0... .... .... = Encrypted Text Password Allowed: This account does NOT allow encrypted_text_password
                            .... .... .... .... .... .0.. .... .... = Account Auto Locked: This account is NOT auto_locked
                            .... .... .... .... .... ..1. .... .... = Don't Expire Password: This account DOESN'T_EXPIRE_PASSWORDs
                            .... .... .... .... .... ...0 .... .... = Server Trust Account: This account is NOT a server_trust_account
                            .... .... .... .... .... .... 0... .... = Workstation Trust Account: This account is NOT a workstation_trust_account
                            .... .... .... .... .... .... .0.. .... = Interdomain trust Account: This account is NOT an interdomain_trust_account
                            .... .... .... .... .... .... ..0. .... = MNS Logon Account: This account is NOT a mns_logon_account
                            .... .... .... .... .... .... ...1 .... = Normal Account: This account is a NORMAL_ACCOUNT
                            .... .... .... .... .... .... .... 0... = Temp Duplicate Account: This account is NOT a temp_duplicate_account
                            .... .... .... .... .... .... .... .0.. = Password Not Required: This account REQUIRES a password
                            .... .... .... .... .... .... .... ..0. = Home Directory Required: This account does NOT require_home_directory
                            .... .... .... .... .... .... .... ...0 = Account Disabled: This account is NOT disabled
                          Dummy4 Long: 0x00000000
                          Dummy5 Long: 0x00000000
                          Dummy6 Long: 0x00000000
                          Dummy7 Long: 0x00000000
                          Dummy8 Long: 0x00000000
                          Dummy9 Long: 0x00000000
                          Dummy10 Long: 0x00000000
                          Num Extra SID: 1
                          SID_AND_ATTRIBUTES_ARRAY:
                            Referent ID: 0x0002002c
                            SID_AND_ATTRIBUTES array:
                              Max Count: 1
                              SID_AND_ATTRIBUTES:
                                SID pointer:
                                  SID pointer
                                    Referent ID: 0x00020030
                                    Count: 1
                                    Domain SID: S-1-18-1 ()
                                      Revision: 1
                                      Num Auth: 1
                                      Authority: 18
                                      Subauthorities: 1
                                Attributes: 0x00000007
                          SID pointer:
                            NULL Pointer: SID pointer
                          ResourceGroup count: 0
                          NULL Pointer: ResourceGroupIDs
                    Type: Client Info Type (10)
                      Size: 38
                      Offset: 584
                      PAC_CLIENT_INFO_TYPE: 800f306b3736d4011c006c006f00630061006c0061006400...
                        ClientID: Aug 17, 2018 16:34:35.000000000 Romance Daylight Time
                        Name Length: 28
                        Name: localadminuser
                    Type: UPN DNS Info (12)
                      Size: 96
                      Offset: 624
                      UPN_DNS_INFO: 320010001400480000000000000000006c006f0063006100...
                        UPN Len: 50
                        UPN Offset: 16
                        DNS Len: 20
                        DNS Offset: 72
                        Flags: 0x00000000
                        UPN Name: localadminuser@test.local
                        DNS Name: TEST.LOCAL
                    Type: Server Checksum (6)
                      Size: 16
                      Offset: 720
                      PAC_SERVER_CHECKSUM: 10000000caa3aed3ea854cb33346b58b
                        Type: 16
                        Signature: caa3aed3ea854cb33346b58b
                    Type: Privsvr Checksum (7)
                      Size: 20
                      Offset: 736
                      PAC_PRIVSVR_CHECKSUM: 76ffffff219e0780dfa3eff07fb67b0eae166da2
                        Type: -138
                        Signature: 219e0780dfa3eff07fb67b0eae166da2
            AuthorizationData item
              ad-type: AD-IF-RELEVANT (1)
              ad-data: 305d303fa0040202008da137043530333031a003020100a1...
                AuthorizationData item
                  ad-type: Unknown (141)
                  ad-data: 30333031a003020100a12a0428010000000020000073112e...
                AuthorizationData item
                  ad-type: Unknown (142)
                  ad-data: 4064c42c9700000098dc730100000000
    enc-part
      etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
      cipher: f34e45d2ef31cb87d05b9377dddff0839e5ed66219c1f343...