[OpenAFS] Re: Mystery AFS/Kerberos packet

John Hascall john@iastate.edu
Fri, 23 Jan 2004 08:35:14 CST


>6303373b766d61124537XXXXXXXX0000494153544154452e4544550067710e403f6166730000
  c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U . g q . @ ? a f s . .

> I'm not sure, but the tail bit of it looks like part of a krb4 initial
> ticket request by "user" for "afs@IASTATE.EDU", with lifetime 5 hours
> 15 minutes, around 21 January 2004 (assuming little-endian).

Yes, I've been convinced that this is a valid V4 packet whose
first two bytes (04 03) were somehow corrupted with 10 garbage
bytes (63 03 37 3b 76 6d 61 12 45 37) and I went off on a wrong
tangent upon seeing the 0x6X first byte).  At this point, I'm going
to assume the user has either munged hardware or DLLs.

It's really quite interesting to dump out rejected packets,
you see some fascinating crap, here's another:

<04><03>__vmware_user__D2521F2GPKdgDby9P77qlo_w*glhuA3un*!sh!<00><00>IASTATE.EDU<00>^HN<0e>@?afs<00><00

(a 53 character principal name is too long for k4)
(curious how both of these invalid packets used '?', 5h15m, for the lifetime).


John