Skip to content

Fix NETLOGON_LOGON_QUERY parsing: Add mailslot name alignment#4952

Open
MatrixEditor wants to merge 1 commit intosecdev:masterfrom
MatrixEditor:fix/netlogon
Open

Fix NETLOGON_LOGON_QUERY parsing: Add mailslot name alignment#4952
MatrixEditor wants to merge 1 commit intosecdev:masterfrom
MatrixEditor:fix/netlogon

Conversation

@MatrixEditor
Copy link

@MatrixEditor MatrixEditor commented Mar 22, 2026

As described in MS-ADTS "6.3.1.4 NETLOGON_LOGON_QUERY", the "MailslotName" field must be "aligned to an even byte boundary, with padding (bytes of value 0) to the next even byte boundary as necessary.".

This pull request fixes parsing NETLOGON_LOGON_QUERY messages by adding an optional padding byte.

  • Before:
###[ NETLOGON_LOGON_QUERY ]###
  OpCode    = LOGON_PRIMARY_QUERY
  ComputerName= b'WIN-SO93T7CNMNN'
  MailslotName= b'\\MAILSLOT\\NET\\GETDC465'
  UnicodeComputerName= 圀䤀一ⴀ匀伀㤀㌀吀㜀䌀一䴀一一
  NtVersion = bit_8+bit_9+bit_11
  LmNtToken = 0xff20
  Lm20Token = 0xffff
###[ Raw ]###
     load      = b'\xff'
  • After
###[ NETLOGON_LOGON_QUERY ]###
  OpCode    = LOGON_PRIMARY_QUERY
  ComputerName= b'WIN-SO93T7CNMNN'
  MailslotName= b'\\MAILSLOT\\NET\\GETDC943'
  MailslotPad= 0
  UnicodeComputerName= WIN-SO93T7CNMNN
  NtVersion = V1+V5+V5EX_WITH_IP+IP
  LmNtToken = 0xffff
  Lm20Token = 0xffff

@MatrixEditor MatrixEditor mentioned this pull request Mar 22, 2026
Open
@gpotter2
Copy link
Member

gpotter2 commented Mar 23, 2026

Hi and thanks for the PR !

Could you add the example packet you provided to the unit tests, at the end of this file:

scapy/test/scapy/layers/ldap.uts

Line 211 in b1add1f

= Dissect NETLOGON_SAM_LOGON_RESPONSE_NT40 - V1

@codecov
Copy link

codecov bot commented Mar 23, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.30%. Comparing base (b1add1f) to head (1c0df1c).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #4952      +/-   ##
==========================================
- Coverage   80.30%   80.30%   -0.01%     
==========================================
  Files         379      379              
  Lines       93102    93102              
==========================================
- Hits        74767    74766       -1     
- Misses      18335    18336       +1
Files with missing lines Coverage Δ
scapy/layers/smb.py 76.78% <ø> (ø)

... and 6 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

gpotter2
gpotter2 requested changes Mar 23, 2026
View reviewed changes
scapy/layers/smb.py
Comment on lines 945 to +949
StrNullField("MailslotName", ""),
ConditionalField(
ByteField("MailslotPad", default=0x00),
lambda pkt: (len(pkt.MailslotName) + 1) % 2 != 0
),
Copy link
Member

@gpotter2 gpotter2 Mar 23, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
StrNullField("MailslotName", ""),
ConditionalField(
ByteField("MailslotPad", default=0x00),
lambda pkt: (len(pkt.MailslotName) + 1) % 2 != 0
),
PadField(StrNullField("MailslotName", ""), 2),

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpotter2 gpotter2 gpotter2 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MatrixEditor @gpotter2