5) SMB_COM_TRANSACTION2与SMB_COM_NT_TRANSACTION 在上一小节我提到这两个命令，并且怀疑它们亦可用于承载Bind(11)。拖了些日子，昨天翻看draft-leach-cifs-v1-spec-02.txt([11])，发现原来的简单想象有问题。参看如下小节: 3.13.1 SMB_COM_TRANSACTION and SMB_COM_TRANSACTION2 Formats 6.2 SMB_COM_TRANSACTION2 Subcommand codes 3.13.2 SMB_COM_NT_TRANSACTION Formats 6.3 SMB_COM_NT_TRANSACTION Subcommand Codes 4.6.1 NT_TRANSACT_IOCTL SMB_COM_TRANSACTION2(0x32)请求包的格式与SMB_COM_TRANSACTION(0x25)非常像，但是这次Setup Count由2变成了1。原来的Setup[]对应: Setup[0] Function: TransactNmPipe (0x0026) Setup[1] FID: 0x4000 现在的Setup[]对应: Setup[0] Subcommand: 原来有"Transaction Name: \PIPE\"字段，现在没有这个字段。这实际意味着二者的编码解码完全不同了，SMB_COM_TRANSACTION2的具体功能与Subcommand紧密相关，无法承载抽象的Bind(11)。在cmd中执行start \\\，抓取SMB_37_6.cap: -------------------------------------------------------------------------- Transmission Control Protocol, Src Port: 3268, Dst Port: 445, Len: 80 NetBIOS Session Service Message Type: Session message Length: 76 SMB (Server Message Block Protocol) SMB Header Server Component: SMB Response in: 2 SMB Command: Trans2 (0x32) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x18 0... .... = Request/Response: Message is a request to the server .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 2052 Process ID: 1576 User ID: 2049 Multiplex ID: 3584 Trans2 Request (0x32) Word Count (WCT): 15 Total Parameter Count: 8 Total Data Count: 0 Max Parameter Count: 2 Max Data Count: 40 Max Setup Count: 0 Reserved: 00 Flags: 0x0000 .... .... .... ..0. = One Way Transaction: Two way transaction .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID Timeout: Return immediately (0) Reserved: 0000 Parameter Count: 8 Parameter Offset: 68 Data Count: 0 Data Offset: 0 Setup Count: 1 Reserved: 00 Subcommand: QUERY_PATH_INFO (0x0005) Byte Count (BCC): 11 Padding: 000000 QUERY_PATH_INFO Parameters Level of Interest: Query File Basic Info (1004) Reserved: 00000000 File Name: 0030 00 00 00 4c ff 53 4d 42 32 00 ...L.SMB2. 0040 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 04 08 28 06 01 08 00 0e 0f 08 00 00 00 02 ....(........... 0060 00 28 00 00 00 00 00 00 00 00 00 00 00 08 00 44 .(.............D 0070 00 00 00 00 00 01 00 05 00 0b 00 00 00 00 ec 03 ................ 0080 00 00 00 00 00 00 ...... NetBIOS Session Service Message Type: Session message Length: 100 SMB (Server Message Block Protocol) SMB Header Server Component: SMB Response to: 1 Time from request: 0.000571000 seconds SMB Command: Trans2 (0x32) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x98 1... .... = Request/Response: Message is a response to the client/redirector .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 2052 Process ID: 1576 User ID: 2049 Multiplex ID: 3584 Trans2 Response (0x32) Subcommand: QUERY_PATH_INFO (0x0005) Word Count (WCT): 10 Total Parameter Count: 2 Total Data Count: 40 Reserved: 0000 Parameter Count: 2 Parameter Offset: 56 Parameter Displacement: 0 Data Count: 40 Data Offset: 60 Data Displacement: 0 Setup Count: 0 Reserved: 00 Byte Count (BCC): 45 Padding: 00 QUERY_PATH_INFO Parameters EA Error offset: 0 Padding: 0001 QUERY_PATH_INFO Data Created: Jun 4, 2003 16:39:30.335908800 Last Access: Sep 12, 2003 13:15:38.276899200 Last Write: Aug 21, 2003 16:06:07.509022400 Change: Aug 22, 2003 10:04:31.689686400 File Attributes: 0x00000036 .0.. .... .... .... = Encrypted: This is NOT an encrypted file ..0. .... .... .... = Content Indexed: This file MAY be indexed by the content indexing service ...0 .... .... .... = Offline: This file is NOT offline .... 0... .... .... = Compressed: This is NOT a compressed file .... .0.. .... .... = Reparse Point: This file does NOT have an associated reparse point .... ..0. .... .... = Sparse: This is NOT a sparse file .... ...0 .... .... = Temporary: This is NOT a temporary file .... .... 0... .... = Normal: This file has some attribute set .... .... .0.. .... = Device: This is NOT a device .... .... ..1. .... = Archive: This file has been modified since last ARCHIVE .... .... ...1 .... = Directory: This is a DIRECTORY .... .... .... 0... = Volume ID: This is NOT a volume ID .... .... .... .1.. = System: This is a SYSTEM file .... .... .... ..1. = Hidden: This is a HIDDEN file .... .... .... ...0 = Read Only: This file is NOT read only Unknown Data: 00000000 0030 00 00 00 64 ff 53 4d 42 32 00 ...d.SMB2. 0040 00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 04 08 28 06 01 08 00 0e 0a 02 00 28 00 00 ....(........(.. 0060 00 02 00 38 00 00 00 28 00 3c 00 00 00 00 00 2d ...8...(.<.....- 0070 00 00 00 00 00 01 70 8e c0 d0 74 2a c3 01 60 79 ......p...t*..`y 0080 2f e7 ec 78 c3 01 30 ed 31 13 bb 67 c3 01 60 5e /..x..0.1..g..`^ 0090 e4 b9 51 68 c3 01 36 00 00 00 00 00 00 00 ..Qh..6....... NetBIOS Session Service Message Type: Session message Length: 86 SMB (Server Message Block Protocol) SMB Header Server Component: SMB SMB Command: Trans2 (0x32) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x18 0... .... = Request/Response: Message is a request to the server .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 2052 Process ID: 1576 User ID: 2049 Multiplex ID: 3648 Trans2 Request (0x32) Word Count (WCT): 15 Total Parameter Count: 18 Total Data Count: 0 Max Parameter Count: 10 Max Data Count: 16384 Max Setup Count: 0 Reserved: 00 Flags: 0x0000 .... .... .... ..0. = One Way Transaction: Two way transaction .... .... .... ...0 = Disconnect TID: Do NOT disconnect TID Timeout: Return immediately (0) Reserved: 0000 Parameter Count: 18 Parameter Offset: 68 Data Count: 0 Data Offset: 0 Setup Count: 1 Reserved: 00 Subcommand: FIND_FIRST2 (0x0001) Byte Count (BCC): 21 Padding: 000000 FIND_FIRST2 Parameters Search Attributes: 0x0016 .... .... .... ...0 = Read Only: Do NOT include read only files in search results .... .... .... ..1. = Hidden: Include HIDDEN files in search results .... .... .... .1.. = System: Include SYSTEM files in search results .... .... .... 0... = Volume ID: Do NOT include volume IDs in search results .... .... ...1 .... = Directory: Include DIRECTORIES in search results .... .... ..0. .... = Archive: Do NOT include archive files in search results Search Count: 1366 Flags: 0x0006 .... .... ...0 .... = Backup Intent: No backup intent .... .... .... 0... = Continue: New search, do NOT continue from previous position .... .... .... .1.. = Resume: Return RESUME keys .... .... .... ..1. = Close on EOS: CLOSE search if END OF SEARCH is reached .... .... .... ...0 = Close: Do NOT close search after this request Level of Interest: Find File Both Directory Info (260) Storage Type: 0 Search Pattern: \* 0030 00 00 00 56 ff 53 4d 42 32 00 ...V.SMB2. 0040 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 04 08 28 06 01 08 40 0e 0f 12 00 00 00 0a ....(...@....... 0060 00 00 40 00 00 00 00 00 00 00 00 00 00 12 00 44 ..@............D 0070 00 00 00 00 00 01 00 01 00 15 00 00 00 00 16 00 ................ 0080 56 05 06 00 04 01 00 00 00 00 5c 00 2a 00 00 00 V.........\.*... -------------------------------------------------------------------------- 我曾简单地将SMB_37_2.cap中请求包的SMB_COM_TRANSACTION(0x25)改成 SMB_COM_TRANSACTION2(0x32)发送出去，Ethereal解码时会显示: Subcommand: Unkown (0x0026) 因为没有这个子命令嘛。响应包中会在SMB首部显示: Error Class: Server Error (0x02) Reserved: 00 Error Code: Non specific error code (0x0001) 显然服务端因无法识别有效子命令而报错。 SMB_COM_NT_TRANSACTION(0xA0)请求包的格式与前两种相差较大。其具体功能也是与 Subcommand紧密相关的，但这次子命令对应Function字段，而不是某个Setup[]元素。 Setup Count不再固定，而是随子命令变化，可能为0，可能为4，也可能为其它值。比如子命令NT_TRANSACT_IOCTL(0x0002)对应的Setup Count为4，而 NT_TRANSACT_QUERY_SECURITY_DESC(0x0006)对应的Setup Count为0。我也没整明白既然有Parameter区域，这里为什么要用Setup[]，没系统地看文档，可能有向后兼容性方面的考虑吧。SMB_COM_NT_TRANSACTION(0xA0)无法承载抽象的Bind(11)。至此彻底推翻了上一小节的猜想。不过也算有收获，学到点新东西。曾在跟踪漏洞 CVE-2003-0201、CVE-2005-0045、CVE-2005-1206时多次分析过这几类报文，但当时的分析角度不同，可以结合当时写的文章深入理解: <> <> <> 访问共享并查看文件属性的安全页时，会引发SMB_COM_NT_TRANSACTION(0xA0)报文，抓取SMB_37_7.cap: -------------------------------------------------------------------------- Transmission Control Protocol, Src Port: 3493, Dst Port: 445, Len: 88 NetBIOS Session Service Message Type: Session message Length: 84 SMB (Server Message Block Protocol) SMB Header Server Component: SMB Response in: 2 SMB Command: NT Trans (0xa0) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x18 0... .... = Request/Response: Message is a request to the server .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 2049 Process ID: 1576 User ID: 2049 Multiplex ID: 28802 NT Trans Request (0xa0) Word Count (WCT): 19 Max Setup Count: 0 Reserved: 0000 Total Parameter Count: 8 Total Data Count: 0 Max Parameter Count: 4 Max Data Count: 0 Parameter Count: 8 Parameter Offset: 76 Data Count: 0 Data Offset: 0 Setup Count: 0 Function: NT QUERY SECURITY DESC (6) Byte Count (BCC): 11 Padding: 000000 NT QUERY SECURITY DESC Parameters FID: 0x400d Reserved: 0000 Security Information: 0x00000004 .... .... .... .... .... .... .... ...0 = Owner: NOT requesting owner security information .... .... .... .... .... .... .... ..0. = Group: NOT requesting group security information .... .... .... .... .... .... .... .1.. = DACL: Requesting DACL security information .... .... .... .... .... .... .... 0... = SACL: NOT requesting SACL security information 0030 00 00 00 54 ff 53 4d 42 a0 00 ...T.SMB.. 0040 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 01 08 28 06 01 08 82 70 13 00 00 00 08 00 ....(....p...... 0060 00 00 00 00 00 00 04 00 00 00 00 00 00 00 08 00 ................ 0070 00 00 4c 00 00 00 00 00 00 00 00 00 00 00 00 06 ..L............. 0080 00 0b 00 00 00 00 0d 40 00 00 04 00 00 00 .......@...... NetBIOS Session Service Message Type: Session message Length: 76 SMB (Server Message Block Protocol) SMB Header Server Component: SMB Response to: 1 Time from request: 0.000419000 seconds SMB Command: NT Trans (0xa0) NT Status: STATUS_BUFFER_TOO_SMALL (0xc0000023) Flags: 0x98 1... .... = Request/Response: Message is a response to the client/redirector .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 2049 Process ID: 1576 User ID: 2049 Multiplex ID: 28802 NT Trans Response (0xa0) Function: NT QUERY SECURITY DESC (6) Word Count (WCT): 18 Reserved: 000000 Total Parameter Count: 4 Total Data Count: 0 Parameter Count: 4 Parameter Offset: 72 Parameter Displacement: 0 Data Count: 0 Data Offset: 76 Data Displacement: 0 Setup Count: 0 Byte Count (BCC): 5 Padding: 0B NT QUERY SECURITY DESC Parameters NT Security Descriptor Length: 48 0030 00 00 00 4c ff 53 4d 42 a0 23 ...L.SMB.# 0040 00 00 c0 98 07 c8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 01 08 28 06 01 08 82 70 12 00 00 00 04 00 ....(....p...... 0060 00 00 00 00 00 00 04 00 00 00 48 00 00 00 00 00 ..........H..... 0070 00 00 00 00 00 00 4c 00 00 00 00 00 00 00 00 05 ......L......... 0080 00 0b 30 00 00 00 ..0... NetBIOS Session Service Message Type: Session message Length: 84 SMB (Server Message Block Protocol) SMB Header Server Component: SMB Response in: 4 SMB Command: NT Trans (0xa0) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x18 0... .... = Request/Response: Message is a request to the server .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 2049 Process ID: 1576 User ID: 2049 Multiplex ID: 28866 NT Trans Request (0xa0) Word Count (WCT): 19 Max Setup Count: 0 Reserved: 0000 Total Parameter Count: 8 Total Data Count: 0 Max Parameter Count: 4 Max Data Count: 48 Parameter Count: 8 Parameter Offset: 76 Data Count: 0 Data Offset: 0 Setup Count: 0 Function: NT QUERY SECURITY DESC (6) Byte Count (BCC): 11 Padding: 000000 NT QUERY SECURITY DESC Parameters FID: 0x400d Reserved: 0000 Security Information: 0x00000004 .... .... .... .... .... .... .... ...0 = Owner: NOT requesting owner security information .... .... .... .... .... .... .... ..0. = Group: NOT requesting group security information .... .... .... .... .... .... .... .1.. = DACL: Requesting DACL security information .... .... .... .... .... .... .... 0... = SACL: NOT requesting SACL security information 0030 00 00 00 54 ff 53 4d 42 a0 00 ...T.SMB.. 0040 00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 01 08 28 06 01 08 c2 70 13 00 00 00 08 00 ....(....p...... 0060 00 00 00 00 00 00 04 00 00 00 30 00 00 00 08 00 ..........0..... 0070 00 00 4c 00 00 00 00 00 00 00 00 00 00 00 00 06 ..L............. 0080 00 0b 00 00 00 00 0d 40 00 00 04 00 00 00 .......@...... NetBIOS Session Service Message Type: Session message Length: 124 SMB (Server Message Block Protocol) SMB Header Server Component: SMB Response to: 3 Time from request: 0.000416000 seconds SMB Command: NT Trans (0xa0) NT Status: STATUS_SUCCESS (0x00000000) Flags: 0x98 1... .... = Request/Response: Message is a response to the client/redirector .0.. .... = Notify: Notify client only on open ..0. .... = Oplocks: OpLock not requested/granted ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized .... 1... = Case Sensitivity: Path names are caseless .... ..0. = Receive Buffer Posted: Receive buffer has not been posted .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported Flags2: 0xc807 1... .... .... .... = Unicode Strings: Strings are Unicode .1.. .... .... .... = Error Code Type: Error codes are NT error codes ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported .... .... .0.. .... = Long Names Used: Path names in request are not long file names .... .... .... .1.. = Security Signatures: Security signatures are supported .... .... .... ..1. = Extended Attributes: Extended attributes are supported .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response Process ID High: 0 Signature: 0000000000000000 Reserved: 0000 Tree ID: 2049 Process ID: 1576 User ID: 2049 Multiplex ID: 28866 NT Trans Response (0xa0) Function: NT QUERY SECURITY DESC (6) Word Count (WCT): 18 Reserved: 000000 Total Parameter Count: 4 Total Data Count: 48 Parameter Count: 4 Parameter Offset: 72 Parameter Displacement: 0 Data Count: 48 Data Offset: 76 Data Displacement: 0 Setup Count: 0 Byte Count (BCC): 53 Padding: 0B NT QUERY SECURITY DESC Parameters NT Security Descriptor Length: 48 NT QUERY SECURITY DESC Data NT Security Descriptor Revision: 1 Type: 0x8004 1... .... .... .... = Self Relative: This SecDesc is SELF RELATIVE .0.. .... .... .... = RM Control Valid: Rm control valid is FALSE ..0. .... .... .... = SACL Protected: The SACL is NOT protected ...0 .... .... .... = DACL Protected: The DACL is NOT protected .... 0... .... .... = SACL Auto Inherited: SACL is NOT auto inherited .... .0.. .... .... = DACL Auto Inherited: DACL is NOT auto inherited .... ..0. .... .... = SACL Auto Inherit Required: SACL does NOT require auto inherit .... ...0 .... .... = DACL Auto Inherit Required: DACL does NOT require auto inherit .... .... 0... .... = Server Security: Server security is FALSE .... .... .0.. .... = DACL Trusted: Dacl trusted is FALSE .... .... ..0. .... = SACL Defaulted: SACL is NOT defaulted .... .... ...0 .... = SACL Present: SACL is NOT present .... .... .... 0... = DACL Defaulted: DACL is NOT defaulted .... .... .... .1.. = DACL Present: DACL is PRESENT .... .... .... ..0. = Group Defaulted: Group is NOT defaulted .... .... .... ...0 = Owner Defaulted: Owner is NOT defaulted Offset to owner SID: 0 Offset to group SID: 0 Offset to SACL: 0 Offset to DACL: 20 NT User (DACL) ACL Revision: 2 Size: 28 Num ACEs: 1 NT ACE: S-1-1-0, flags 0x03, Access Allowed, mask 0x001f01ff Type: Access Allowed (0) NT ACE Flags: 0x03 Container Inherit, Object Inherit 0... .... = Audit Failed Accesses: Failed accesses will not be audited .0.. .... = Audit Successful Accesses: Successful accesses will not be audited ...0 .... = Inherited ACE: This ACE was not inherited from its parent object .... 0... = Inherit Only: This ACE applies to the current object .... .0.. = Non-Propagate Inherit: Subordinate object will propagate the inherited ACE further .... ..1. = Container Inherit: Subordinate containers will inherit this ACE .... ...1 = Object Inherit: Subordinate files will inherit this ACE Size: 20 Access required: 0x001f01ff Generic rights: 0x00000000 0... .... .... .... .... .... .... .... = Generic read: Not set .0.. .... .... .... .... .... .... .... = Generic write: Not set ..0. .... .... .... .... .... .... .... = Generic execute: Not set ...0 .... .... .... .... .... .... .... = Generic all: Not set .... ..0. .... .... .... .... .... .... = Maximum allowed: Not set .... .... 0... .... .... .... .... .... = Access SACL: Not set Standard rights: 0x001f0000 .... .... ...1 .... .... .... .... .... = Synchronise: Set .... .... .... 1... .... .... .... .... = Write owner: Set .... .... .... .1.. .... .... .... .... = Write DAC: Set .... .... .... ..1. .... .... .... .... = Read control: Set .... .... .... ...1 .... .... .... .... = Delete: Set Specific rights: 0x000001ff .... .... .... .... 0... .... .... .... = Specific access, bit 15: Not set .... .... .... .... .0.. .... .... .... = Specific access, bit 14: Not set .... .... .... .... ..0. .... .... .... = Specific access, bit 13: Not set .... .... .... .... ...0 .... .... .... = Specific access, bit 12: Not set .... .... .... .... .... 0... .... .... = Specific access, bit 11: Not set .... .... .... .... .... .0.. .... .... = Specific access, bit 10: Not set .... .... .... .... .... ..0. .... .... = Specific access, bit 9: Not set .... .... .... .... .... ...1 .... .... = Specific access, bit 8: Set .... .... .... .... .... .... 1... .... = Specific access, bit 7: Set .... .... .... .... .... .... .1.. .... = Specific access, bit 6: Set .... .... .... .... .... .... ..1. .... = Specific access, bit 5: Set .... .... .... .... .... .... ...1 .... = Specific access, bit 4: Set .... .... .... .... .... .... .... 1... = Specific access, bit 3: Set .... .... .... .... .... .... .... .1.. = Specific access, bit 2: Set .... .... .... .... .... .... .... ..1. = Specific access, bit 1: Set .... .... .... .... .... .... .... ...1 = Specific access, bit 0: Set ACE: S-1-1-0 Revision: 1 Num Auth: 1 Authority: 1 Sub-authorities: 0 0030 00 00 00 7c ff 53 4d 42 a0 00 ...|.SMB.. 0040 00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 01 08 28 06 01 08 c2 70 12 00 00 00 04 00 ....(....p...... 0060 00 00 30 00 00 00 04 00 00 00 48 00 00 00 00 00 ..0.......H..... 0070 00 00 30 00 00 00 4c 00 00 00 00 00 00 00 00 35 ..0...L........5 0080 00 0b 30 00 00 00 01 00 04 80 00 00 00 00 00 00 ..0............. 0090 00 00 00 00 00 00 14 00 00 00 02 00 1c 00 01 00 ................ 00a0 00 00 00 03 14 00 ff 01 1f 00 01 01 00 00 00 00 ................ 00b0 00 01 00 00 00 00 ...... -------------------------------------------------------------------------- ☆ 参考资源 [11] A Common Internet File System (CIFS/1.0) Protocol - Microsoft Corporation [1997-03-13] http://us4.samba.org/samba/ftp/specs/draft-leach-cifs-v1-spec-02.txt