Поделиться через

4.2 NetServerEnum2

The following diagram demonstrates the steps taken to retrieve an enumeration of servers on the network from a remote server by using the Remote Administration Protocol. Assume that this sequence is executed over an existing SMB connection established between the client and the server. The underlying SMB transaction request and response are included for clarity.

Enumeration of servers

Figure 3: Enumeration of servers

  1. The client sends a Remote Administration Protocol request for the NetServerEnum2 command to the server in an SMB transaction request.

     Smb: C; Transact, FileName = \PIPE\LANMAN
      Protocol: SMB
      Command: Transact 37(0x25)
      DOSError: No Error
       ErrorClass: No Error
       Reserved: 0 (0x0)
       Error: No Error
      SMBHeader: Command, TID: 0x0801, PID: 0x74B2, UID: 0x0802, 
                 MID: 0x1B02
       Flags: 0 (0x0)
       Flags2: 32768 (0x8000)
       PIDHigh: 0 (0x0)
       SecuritySignature: 0x0
       Reserved: 0 (0x0)
       TreeID: 2049 (0x801)
       ProcessID: 29874 (0x74B2)
       UserID: 2050 (0x802)
       MultiplexID: 6914 (0x1B02)
       WordCount: 14 (0xE)
       TotalParameterCount: 26 (0x1A)
       TotalDataCount: 0 (0x0)
       MaxParameterCount: 8 (0x8)
       MaxDataCount: 6144 (0x1800)
       MaxSetupCount: 0 (0x0)
       Reserved1: 0 (0x0)
       Flags: Do not disconnect TID
        BIT0: ...............0 Do not disconnect TID
       Timeout: 5000 sec(s)
       Reserved2: 0 (0x0)
       ParameterCount: 26 (0x1A)
       ParameterOffset: 90 (0x5A)
       DataCount: 0 (0x0)
       DataOffset: 0 (0x0)
       SetupCount: 0 (0x0)
       Reserved3: 0 (0x0)
       ByteCount: 53 (0x35)
       Pad: 113 (0x71)
       UnicodeFileName: \PIPE\LANMAN
       Parameters: RAPParams and NetServerEnum2 Request (26 Bytes)
          68 00 57 72 4C 65 68 44 4F 00 42 31 36 42 42 44   (h.WrLehDO.B16BBD)
          7A 00 01 00 00 18 FF FF FF FF                     (z.....ÿÿÿÿ)
  2. The server responds with the list of servers on the network. In this case, there are 12 servers to be returned, and all 12 are returned in this response.

     Smb: R; Transact
      Protocol: SMB
      Command: Transact 37(0x25)
      DOSError: No Error
      ErrorClass: No Error
       Reserved: 0 (0x0)
       Error: No Error
      SMBHeader: Response, TID: 0x0801, PID: 0x74B2, UID: 0x0802, 
                 MID: 0x1B02
       Flags: 128 (0x80)
       Flags2: 32768 (0x8000)
       PIDHigh: 0 (0x0)
       SecuritySignature: 0x0
       Reserved: 0 (0x0)
       TreeID: 2049 (0x801)
       ProcessID: 29874 (0x74B2)
       UserID: 2050 (0x802)
       MultiplexID: 6914 (0x1B02)
       WordCount: 10 (0xA)
       TotalParameterCount: 8 (0x8)
       TotalDataCount: 379 (0x17B)
       Reserved: 0 (0x0)
       ParameterCount: 8 (0x8)
       ParameterOffset: 56 (0x38)
       ParamDisplacement: 0 (0x0)
       DataCount: 379 (0x17B)
       DataOffset: 64 (0x40)
       DataDisplacement: 0 (0x0)
       SetupCount: 0 (0x0)
       Reserved1: 0 (0x0)
       ByteCount: 388 (0x184)
       Pad1: Binary Large Object (1 Bytes)
      Parameters: ErrorCode, Converter, and RAPOutParams for 
                  NetServerEnum2 Response (8 Bytes)
         00 00 85 16 0B 00 0B 00                           (..........)
      Data: RAP NetServerInfo1 Array (379 Bytes)
         42 52 55 43 43 4F 2D 4F 46 46 33 00 00 00 00 00   (BRUCCO-OFF3.....)
         05 02 03 92 82 00 FF 17 00 00 53 4D 42 4E 54 34   (...??.ÿ...SMBNT4)
         53 52 56 00 00 00 00 00 00 00 04 00 03 90 01 00   (SRV..........□..)
         FE 17 00 00 53 4D 42 57 46 57 33 31 31 00 00 00   (þ...SMBWFW311...)
         00 00 00 00 01 33 03 20 01 00 CD 17 00 00 53 4D   (.....3. ..Í...SM)
         42 57 49 4E 32 30 30 30 00 00 00 00 00 00 05 00   (BWIN2000........)
         03 90 02 02 CC 17 00 00 53 4D 42 57 49 4E 32 30   (.□..Ì...SMBWIN20)
         30 33 00 00 00 00 00 00 05 02 03 90 82 00 CB 17   (03.........□?.Ë.)
         00 00 53 4D 42 57 49 4E 32 30 30 33 49 41 36 34   (..SMBWIN2003IA64)
         00 00 05 02 03 90 82 00 CA 17 00 00 53 4D 42 57   (.....□?.Ê...SMBW)
         49 4E 39 38 53 45 00 00 00 00 00 00 04 00 03 20   (IN98SE......... )
         41 00 B8 17 00 00 53 4D 42 57 49 4E 39 38 53 45   (A.¸...SMBWIN98SE)
         2D 55 4D 00 00 00 04 00 03 20 41 00 A6 17 00 00   (-UM...... A.¦...)
         53 4D 42 57 49 4E 58 50 00 00 00 00 00 00 00 00   (SMBWINXP........)
         05 01 03 10 00 00 A5 17 00 00 53 50 53 4D 42 44   (......¥...SPSMBD)
         43 31 00 00 00 00 00 00 00 00 05 00 03 90 82 02   (C1...........□?.)
         A4 17 00 00 53 50 53 4D 42 44 43 32 00 00 00 00   (¤...SPSMBDC2....)
         00 00 00 00 05 02 2B 10 84 00 A3 17 00 00 00 00   (......+.?.£.....)
         00 57 49 4E 53 45 20 46 49 4C 45 20 53 59 53 54   (.WINSE FILE SYST)
         45 4D 00 57 49 4E 53 45 20 46 49 4C 45 20 53 59   (EM.WINSE FILE SY)
         53 54 45 4D 00 00 00 00 31 32 33 34 35 36 37 38   (STEM....12345678)
         39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34   (9012345678901234)
         35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30   (5678901234567890)
         31 32 33 34 35 36 37 38 00 00 00                  (12345678...)