Microsoft Protocols Programs
Thanks to Robert Graham for pointing me to the fact that Microsoft has started a Protocols Program. This project includes thousands of pages of documentation (in .pdf format, w00t) divided into categories like Microsoft Communications Protocol Program (MCPP, for "server software that interoperates with Windows desktop operating systems") and Microsoft [Work Group] Server Protocol Program (WSPP, for "server software that interoperates with Microsoft Windows server and desktop operating systems to provide file, print, and user and group administration services").
I am frankly astounded by the number of documents available. Windows_Communication_Protocols.zip and Windows_Server_Protocols.zip are 314 MB total.
I am probably going to follow the recommendations in [MS-DOCO]: Windows Protocols Documentation Roadmap, which outlines what to read and in which order. That means starting with [MS-PROTO]: Windows Protocols Overview and [MS-SYS]: Windows System Overview. Documentation like this is a boon for those who develop protocol analyzers, network security inspection systems, and filtering products. Security analysts and reverse engineers will also want to read this material.
Comments
Is there anything you do differently when analyzing attacks involving the SMB protocol?
Doesn't matter to me -- I'm just glad to see the docs.