I tweaked the command a little. Previously it only saw requests to WinXP. Now it sees both the requests and the responses from WinXP.
/usr/sbin/tcpdump -vv -i enp5s0 ip net 172.30.54.144 and not dst port 3389
I found the first difference I came across between the responses for AL6 and BA8. Here are the requests:
BA8:
13:17:42.805288 IP (tos 0x0, ttl 64, id 17785, offset 0, flags [DF], proto TCP (6), length 238)
172.30.54.100.53656 > 172.30.54.144.netbios-ssn: Flags [P.], cksum 0xdb93 (correct), seq 427:625, ack 472, win 237, length 198
>>> NBT Session Packet
NBT Session Message
Flags=0x0
Length=194 (0xc2)
SMB PACKET: SMBsesssetupX (REQUEST)
SMB Command = 0x73
Error class = 0x0
Error code = 0 (0x0)
Flags1 = 0x18
Flags2 = 0x43
Tree ID = 0 (0x0)
Proc ID = 30361 (0x7699)
UID = 2050 (0x802)
MID = 2 (0x2)
Word Count = 12 (0xc)
Com2=0xFF
Res1=0x0
Off2=0 (0x0)
MaxBuffer=65535 (0xffff)
MaxMpx=2 (0x2)
VcNumber=1 (0x1)
SessionKey=0x0
CaseInsensitivePasswordLength=112 (0x70)
CaseSensitivePasswordLength=0 (0x0)
Res=0xC0540000
Capabilities=0x878000
Pass1&Pass2&Account&Domain&OS&LanMan=
smb_bcc=135
[000] A1 6E 30 6C A2 6A 04 68 4E 54 4C 4D 53 53 50 00 \0xa1n0l\0xa2j\0x04h NTLMSSP\0x00
[010] 03 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 \0x03\0x00\0x00\0x00\0x00\0x00\0x00\0x00 X\0x00\0x00\0x00\0x00\0x00\0x00\0x00
[020] 58 00 00 00 00 00 00 00 58 00 00 00 00 00 00 00 X\0x00\0x00\0x00\0x00\0x00\0x00\0x00 X\0x00\0x00\0x00\0x00\0x00\0x00\0x00
[030] 58 00 00 00 00 00 00 00 58 00 00 00 10 00 10 00 X\0x00\0x00\0x00\0x00\0x00\0x00\0x00 X\0x00\0x00\0x00\0x10\0x00\0x10\0x00
[040] 58 00 00 00 15 8A 00 62 06 01 00 00 00 00 00 0F X\0x00\0x00\0x00\0x15\0x8a\0x00b \0x06\0x01\0x00\0x00\0x00\0x00\0x00\0x0f
[050] 8B BD 7C 31 4D 60 39 B8 2C 9F F1 99 A1 F6 F7 74 \0x8b\0xbd|1M`9\0xb8 ,\0x9f\0xf1\0x99\0xa1\0xf6\0xf7t
[060] 3E 89 BF FE 76 E7 F2 C5 E6 BC BE CC AF 61 F1 88 >\0x89\0xbf\0xfev\0xe7\0xf2\0xc5 \0xe6\0xbc\0xbe\0xcc\0xafa\0xf1\0x88
[070] 00 55 00 6E 00 69 00 78 00 00 00 53 00 61 00 6D \0x00U\0x00n\0x00i\0x00x \0x00\0x00\0x00S\0x00a\0x00m
[080] 00 62 00 61 00 00 00 \0x00b\0x00a\0x00\0x00\0x00
AL6:
13:38:59.633571 IP (tos 0x0, ttl 64, id 3852, offset 0, flags [DF], proto TCP (6), length 302)
SERVER.localdomain.34851 > 172.30.54.144.netbios-ssn: Flags [P.], cksum 0xc5ee (incorrect -> 0x015f), seq 431:693, ack 472, win 54, length 262
>>> NBT Session Packet
NBT Session Message
Flags=0x0
Length=258 (0x102)
SMB PACKET: SMBsesssetupX (REQUEST)
SMB Command = 0x73
Error class = 0x0
Error code = 0 (0x0)
Flags1 = 0x8
Flags2 = 0x1
Tree ID = 0 (0x0)
Proc ID = 29963 (0x750b)
UID = 2051 (0x803)
MID = 4 (0x4)
Word Count = 12 (0xc)
Com2=0xFF
Res1=0x0
Off2=0 (0x0)
MaxBuffer=65535 (0xffff)
MaxMpx=2 (0x2)
VcNumber=1 (0x1)
SessionKey=0x0
CaseInsensitivePasswordLength=176 (0xb0)
CaseSensitivePasswordLength=0 (0x0)
Res=0xC05C0000
Capabilities=0xC78000
Pass1&Pass2&Account&Domain&OS&LanMan=
smb_bcc=199
[000] A1 81 AD 30 81 AA A2 81 A7 04 81 A4 4E 54 4C 4D \0xa1\0x81\0xad0\0x81\0xaa\0xa2\0x81 \0xa7\0x04\0x81\0xa4NTLM
[010] 53 53 50 00 03 00 00 00 18 00 18 00 40 00 00 00 SSP\0x00\0x03\0x00\0x00\0x00 \0x18\0x00\0x18\0x00@\0x00\0x00\0x00
[020] 18 00 18 00 58 00 00 00 08 00 08 00 70 00 00 00 \0x18\0x00\0x18\0x00X\0x00\0x00\0x00 \0x08\0x00\0x08\0x00p\0x00\0x00\0x00
[030] 0C 00 0C 00 78 00 00 00 10 00 10 00 84 00 00 00 \0x0c\0x00\0x0c\0x00x\0x00\0x00\0x00 \0x10\0x00\0x10\0x00\0x84\0x00\0x00\0x00
[040] 10 00 10 00 94 00 00 00 15 82 08 60 C0 0E C2 2B \0x10\0x00\0x10\0x00\0x94\0x00\0x00\0x00 \0x15\0x82\0x08`\0xc0\0x0e\0xc2+
[050] 9B 0A 15 E4 00 00 00 00 00 00 00 00 00 00 00 00 \0x9b\0x0a\0x15\0xe4\0x00\0x00\0x00\0x00 \0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00
[060] 00 00 00 00 81 B3 39 D2 7E A8 FE D2 31 CA 8B 78 \0x00\0x00\0x00\0x00\0x81\0xb39\0xd2 ~\0xa8\0xfe\0xd21\0xca\0x8bx
[070] 36 97 C8 00 88 BC CA E6 87 9D 6F 12 53 00 54 00 6\0x97\0xc8\0x00\0x88\0xbc\0xca\0xe6 \0x87\0x9do\0x12S\0x00T\0x00
[080] 41 00 54 00 75 00 73 00 65 00 72 00 34 00 34 00 A\0x00T\0x00u\0x00s\0x00 e\0x00r\0x004\0x004\0x00
[090] 53 00 54 00 41 00 54 00 53 00 45 00 52 00 56 00 S\0x00T\0x00A\0x00T\0x00 S\0x00E\0x00R\0x00V\0x00
[0A0] 69 31 BE D4 5F F1 2F D1 ED CD 24 89 B0 B1 54 72 i1\0xbe\0xd4_\0xf1/\0xd1 \0xed\0xcd$\0x89\0xb0\0xb1Tr
[0B0] 00 55 00 6E 00 69 00 78 00 00 00 53 00 61 00 6D \0x00U\0x00n\0x00i\0x00x \0x00\0x00\0x00S\0x00a\0x00m
[0C0] 00 62 00 61 00 00 00 \0x00b\0x00a\0x00\0x00\0x00
And the responses:
BA8:
13:17:42.806269 IP (tos 0x0, ttl 64, id 16113, offset 0, flags [DF], proto TCP (6), length 79)
172.30.54.144.netbios-ssn > 172.30.54.100.53656: Flags [P.], cksum 0xf026 (correct), seq 472:511, ack 625, win 63888, length 39
>>> NBT Session Packet
NBT Session Message
Flags=0x0
Length=35 (0x23)
SMB PACKET: SMBsesssetupX (REPLY)
SMB Command = 0x73
Error class = 0xD
Error code = 49152 (0xc000)
Flags1 = 0x98
Flags2 = 0x43
Tree ID = 0 (0x0)
Proc ID = 30361 (0x7699)
UID = 2050 (0x802)
MID = 2 (0x2)
Word Count = 0 (0x0)
NTError = STATUS_INVALID_PARAMETER
smb_bcc=0
AL6:
13:38:59.634989 IP (tos 0x0, ttl 64, id 16142, offset 0, flags [DF], proto TCP (6), length 79)
172.30.54.144.netbios-ssn > SERVER.localdomain.34851: Flags [P.], cksum 0x2367 (correct), seq 472:511, ack 693, win 63820, length 39
>>> NBT Session Packet
NBT Session Message
Flags=0x0
Length=35 (0x23)
SMB PACKET: SMBsesssetupX (REPLY)
SMB Command = 0x73
Error class = 0x6D
Error code = 49152 (0xc000)
Flags1 = 0x88
Flags2 = 0x1
Tree ID = 0 (0x0)
Proc ID = 29963 (0x750b)
UID = 2051 (0x803)
MID = 4 (0x4)
Word Count = 0 (0x0)
NTError = STATUS_LOGON_FAILURE
smb_bcc=0
The request/response exchange did not end there. On AL6, the same request/response was then repeated and completed without errors. As I understand it, the login and password were entered successfully, and as a result I got into the WinXP shares.
I wonder why it returned STATUS_INVALID_PARAMETER in response to the request from BA8?
I have attached a more detailed tcpdump.
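
Added example, not part of the original post: a Python parser for the NTLMSSP AUTHENTICATE (type 3) message carried in the two SMBsesssetupX requests above, run on the bytes from the posted dumps to show field by field what each client sent. The field layout and flag values follow MS-NLMP; the function and constant names are chosen here for illustration.

```python
import struct

# Security-blob bytes transcribed from the two SMBsesssetupX request dumps above
# (SPNEGO wrapper + NTLMSSP message; trailing native OS/LanMan strings omitted).
BA8 = bytes.fromhex(
    "A16E306CA26A04684E544C4D5353500003000000000000005800000000000000"
    "5800000000000000580000000000000058000000000000005800000010001000"
    "58000000158A0062060100000000000F8BBD7C314D6039B82C9FF199A1F6F774"
    "3E89BFFE76E7F2C5E6BCBECCAF61F188")
AL6 = bytes.fromhex(
    "A181AD3081AAA281A70481A44E544C4D53535000030000001800180040000000"
    "180018005800000008000800700000000C000C00780000001000100084000000"
    "100010009400000015820860C00EC22B9B0A15E4000000000000000000000000"
    "0000000081B339D27EA8FED231CA8B783697C80088BCCAE6879D6F1253005400"
    "4100540075007300650072003400340053005400410054005300450052005600"
    "6931BED45FF12FD1EDCD2489B0B15472")
# NegotiateFlags bits from MS-NLMP (only the ones relevant to this comparison).
FLAGS = {0x00000800: "ANONYMOUS", 0x00080000: "EXTENDED_SESSIONSECURITY",
         0x02000000: "VERSION", 0x40000000: "KEY_EXCH"}
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")

def parse_authenticate(blob):
    """Decode the NTLMSSP AUTHENTICATE (type 3) message inside an SMB security blob."""
    start = blob.find(b"NTLMSSP\x00")
    if start < 0:
        raise ValueError("no NTLMSSP signature in blob")
    msg = blob[start:]
    if len(msg) < 64 or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not a complete AUTHENTICATE message")
    out = {"flags": struct.unpack_from("<I", msg, 60)[0]}
    for i, name in enumerate(FIELDS):
        # Each descriptor is Len(2) MaxLen(2) Offset(4), offsets relative to the signature.
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        if offset + length > len(msg):
            raise ValueError(f"{name} points outside the message")
        out[name] = msg[offset:offset + length]
    unicode_names = out["flags"] & 0x1          # NEGOTIATE_UNICODE
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode("utf-16-le" if unicode_names else "ascii")
    out["flag_names"] = [n for bit, n in FLAGS.items() if out["flags"] & bit]
    return out

if __name__ == "__main__":
    for label, blob in (("BA8", BA8), ("AL6", AL6)):
        m = parse_authenticate(blob)
        print(label, hex(m["flags"]), m["flag_names"], repr(m["user"]), repr(m["domain"]),
              repr(m["workstation"]), len(m["lm_response"]), len(m["nt_response"]))
```

For the BA8 request it reports empty user, domain, workstation and LM/NT response fields with the ANONYMOUS flag set; for AL6 it reports user44 / STAT / STATSERV with 24-byte LM and NT responses.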