SSO Authentication -> sends authenticated users to login.php

Issue #748 resolved
Rory McInerney created an issue

piler -V output:

piler 1.2.0, build 952, Janos SUTO <sj@acts.hu>

Build Date: Mon Nov 21 13:19:39 GMT 2016
ldd version: ldd (Debian GLIBC 2.19-18+deb8u6) 2.19
gcc version: gcc version 4.9.2 (Debian 4.9.2-10)
OS: Linux svcaarchive 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux
Configure command: ./configure --localstatedir=/var --with-database=mysql --enable-starttls --enable-tcpwrappers
MySQL client library version: 5.5.53
Extractors: /usr/bin/catdoc /usr/bin/catppt /usr/bin/xls2csv /usr/bin/unrtf /usr/bin/tnef

Where I am: This is a new installation of piler on a Debian install following instructions on the site, with the following additional steps as the Apache module couldn't find the socket (samba3->samba4 moves it, resulting in helper broken errors):

$ usermod -a -G winbindd_priv www-data
$ chgrp winbindd_priv /var/lib/samba/winbindd_privileged
$ ln -s /var/lib/samba/winbindd_privileged/pipe /var/run/samba/winbindd_privileged/pipe

This solved the authentication errors in the debug log, but when the user goes to the site address, it seems to be authenticating the user against AD fine, but redirecting them to /login.php. There aren't currently any contents of the archives; I'm not sure if this would cause this. I have included the Apache debug information below.

[Mon Nov 21 15:41:21.947673 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:21.947725 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted
[Mon Nov 21 15:41:21.947733 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:21.967990 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Nov 21 15:41:21.968002 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Nov 21 15:41:22.059856 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Nov 21 15:41:22.059872 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Nov 21 15:41:22.059878 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(1023): [client 10.200.5.70:50924] doing ntlm auth dance
[Mon Nov 21 15:41:22.060925 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(487): [client 10.200.5.70:50924] Launched ntlm_helper, pid 7171
[Mon Nov 21 15:41:22.060942 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(657): [client 10.200.5.70:50924] creating auth user
[Mon Nov 21 15:41:22.060966 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(708): [client 10.200.5.70:50924] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==\n
[Mon Nov 21 15:41:22.083783 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(746): [client 10.200.5.70:50924] got response: TT <base64 removed>
[Mon Nov 21 15:41:22.083817 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(416): [client 10.200.5.70:50924] sending back <base64 removed>
[Mon Nov 21 15:41:22.095744 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Nov 21 15:41:22.095756 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Nov 21 15:41:22.095761 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(1023): [client 10.200.5.70:50924] doing ntlm auth dance
[Mon Nov 21 15:41:22.095764 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(489): [client 10.200.5.70:50924] Using existing auth helper 7171
[Mon Nov 21 15:41:22.095774 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(708): [client 10.200.5.70:50924] parsing reply from helper to KK <base64 removed>
[Mon Nov 21 15:41:22.866184 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(746): [client 10.200.5.70:50924] got response: AF MYDOMIAN\\some.user
[Mon Nov 21 15:41:22.866215 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(792): [client 10.200.5.70:50924] authenticated MYDOMAIN\\some.users
[Mon Nov 21 15:41:22.866225 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require valid-user : granted
[Mon Nov 21 15:41:22.866230 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:22.866709 2016] [:error] [pid 7088] [client 10.200.5.70:50924] PHP Notice:  A session had already been started - ignoring session_start() in /var/www/piler/system/request.php on line 30
[Mon Nov 21 15:41:22.867289 2016] [:error] [pid 7088] [client 10.200.5.70:50924] PHP Notice:  A session had already been started - ignoring session_start() in /var/www/piler/system/request.php on line 30
[Mon Nov 21 15:41:22.886141 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted
[Mon Nov 21 15:41:22.886153 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:22.886248 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted
[Mon Nov 21 15:41:22.886258 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:22.888940 2016] [deflate:debug] [pid 7088] mod_deflate.c(855): [client 10.200.5.70:50924] AH01384: Zlib: Compressed 2427 to 961 : URL /index.php
[Mon Nov 21 15:41:22.933571 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:22.933585 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:22.940039 2016] [deflate:debug] [pid 7088] mod_deflate.c(855): [client 10.200.5.70:50924] AH01384: Zlib: Compressed 186679 to 31541 : URL /view/theme/default/assets/css/metro-bootstrap.css, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.006634 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.006649 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.006811 2016] [deflate:debug] [pid 7088] mod_deflate.c(855): [client 10.200.5.70:50924] AH01384: Zlib: Compressed 2444 to 1238 : URL /view/theme/default/assets/js/html5.js, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.018076 2016] [authz_core:debug] [pid 7087] mod_authz_core.c(809): [client 10.200.5.70:50925] AH01626: authorization result of Require all granted: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.018105 2016] [authz_core:debug] [pid 7087] mod_authz_core.c(809): [client 10.200.5.70:50925] AH01626: authorization result of <RequireAny>: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.332434 2016] [authz_core:debug] [pid 7087] mod_authz_core.c(809): [client 10.200.5.70:50925] AH01626: authorization result of Require all granted: granted
[Mon Nov 21 15:41:23.332448 2016] [authz_core:debug] [pid 7087] mod_authz_core.c(809): [client 10.200.5.70:50925] AH01626: authorization result of <RequireAny>: granted

Comments (26)

  1. Rory McInerney reporter

    Saw another thread on this, so including this information to prove it's bound to the domain ok:

    root@svcaarchive:/var/log/apache2# wbinfo -u
    MYDOMAIN\administrator
    MYDOMAIN\ldap
    MYDOMAIN\sharepoint
    MYDOMAIN\join
    
    root@svcaarchive:/var/log/apache2# wbinfo -g
    MYDOMAIN\domain computers
    MYDOMAIN\domain users
    MYDOMAIN\domain guests
    
    root@svcaarchive:/var/log/apache2# net ads info
    LDAP server: xx.xx.xx.165
    LDAP server name: mydc.mydomain
    Realm: MYDOMAIN
    Bind Path: dc=MYDOMAIN
    LDAP port: 389
    Server time: Tue, 22 Nov 2016 07:54:13 GMT
    KDC server: xx.xx.xx.165
    Server time offset: 0
    

    I can email net ads lookup over too (it works!) but I'd rather not post it here as it contains loads of info about our setup.

    Thanks

  2. Janos SUTO repo owner

    It seems that the authentication is successful: [Mon Nov 21 15:41:22.866215 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(792): [client 10.200.5.70:50924] authenticated MYDOMAIN\some.users

    I suspect that some data is sent before the session cookie is sent. Perhaps some white characters from config-site.php? I also recommend going to search.php after you are redirected to login.php (= manually change the URL), and let's see if it shows the search page or sends you to login.php again.
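
The check suggested in comment 2, as an added example that is not part of the original thread or of piler's code: it scans a directory of `.php` files for bytes that PHP would emit as output before `session_start()` can send its cookie header (a UTF-8 BOM, anything before `<?php`, or anything after a closing `?>` beyond the single newline PHP swallows). The sample files are constructed for the demonstration, and the closing-tag search is a heuristic that does not parse PHP strings or comments.

```python
import os
import tempfile
from typing import Dict, List

BOM = b"\xef\xbb\xbf"


def check_php_bytes(data: bytes) -> List[str]:
    """Return findings for bytes PHP would send as output outside <?php ... ?>."""
    findings = []
    if data.startswith(BOM):
        findings.append("UTF-8 BOM before <?php")
        data = data[len(BOM):]
    start = data.find(b"<?php")
    if start == -1:
        if data:
            findings.append("no <?php tag: file content is sent as output")
        return findings
    if start > 0:
        findings.append("%d byte(s) before <?php" % start)
    # Heuristic: treat the last "?>" as the closing tag (strings are not parsed).
    end = data.rfind(b"?>")
    if end > start:
        tail = data[end + 2:]
        # PHP swallows exactly one newline directly after the closing tag.
        for newline in (b"\r\n", b"\n"):
            if tail.startswith(newline):
                tail = tail[len(newline):]
                break
        if tail:
            findings.append("%d byte(s) after closing ?>" % len(tail))
    return findings


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map each .php file under root (relative path) to its findings, if any."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                findings = check_php_bytes(handle.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def demo() -> Dict[str, List[str]]:
    """Run the scan over constructed sample files in a temporary directory."""
    samples = {
        "clean.php": b"<?php\n$config['X'] = 1;\n",
        "bom.php": BOM + b"<?php\n$config['X'] = 1;\n",
        "leading.php": b" \n<?php\n$config['X'] = 1;\n",
        "trailing.php": b"<?php\n$config['X'] = 1;\n?>\n\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, findings)
```

With `output_buffering` enabled in php.ini, small stray output is buffered and may not break the headers, so a finding here is a lead to follow up rather than proof of the cause.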

  3. Rory McInerney reporter

    I've checked the site-config.php file and there are no white characters (spaces/newlines). Going to /search.php just sends me back to /login.php

  4. Rory McInerney reporter

    This is the php version too, if it's any help.

    root@svcaarchive:/var/www/piler# php -v
    PHP 5.6.27-0+deb8u1 (cli) (built: Oct 15 2016 15:53:28)
    Copyright (c) 1997-2016 The PHP Group
    Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
        with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
    

    Update: This also happens when logging in on /login.php with an LDAP username and password on a non-NTLM-enabled browser, with the same outcomes in the error log.

  5. Janos SUTO repo owner

    OK, then we have to figure out what data is sent before the session cookies. Can you do some debugging? It would be great to see a network dump, e.g. "ngrep -X port 80" output when you try to log in. You may need to install ngrep, e.g. apt-get install ngrep.

  6. Rory McInerney reporter

    Sure, it's saying there is some browser unauthorised message. I've checked the apache logs and the winbind helper is reporting ok again.

    interface: eth0 (192.168.0.0/255.255.254.0)
    filter: (ip or ip6) and ( port 80 )
    ###
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
      GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
      plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
      4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive....                                                                                                                                            
    ##
    T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 11:28:12 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
      o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
      .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
      html>.                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
      GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
      plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
      4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==....                                                              
    #
    T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 11:28:12 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomi0d4G3M6SZsYAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
      gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIADBEUYKzRNIBA
      AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
      ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
      ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                          
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
      GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
      plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
      4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAAB4AXgBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAqAgAABYKIogYBsR0AAAAPuwoGzK+jxHUYSJ1CloBPz00AVQ
      BMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKtM2JWTyYpHCJTudkCBn+UBAQAAAAAAADBEUYKzRNIB4rAC04rYVLIAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQ
      BSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgAMERRgrNE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK
      18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAPABIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4ATQB1AGwAdABpAEcAcgBvAHUAcABQAGwAYwAAAAAAAAAAAAAAAAA=....                                                                          
    ##
    T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
      HTTP/1.1 302 Found..Date: Tue, 22 Nov 2016 11:28:12 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-reval
      idate, post-check=0, pre-check=0..Pragma: no-cache..Location: http://svcaarchive/login.php..Content-Length: 0..Keep-Alive: timeout=5, max=98..Connection: Keep-Alive..Content-Type: text/html; charset=UTF-8....                        
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
      GET /login.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, 
      application/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .N
      ET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5..Connection: Keep-Alive..DNT: 1....                                                                                            
    ##
    T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
      HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 11:28:13 GMT..Server: Apache/2.4.10 (Debian)..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0..Pragma: no-cache..Vary: Acc
      ept-Encoding..Content-Encoding: gzip..Content-Length: 979..Keep-Alive: timeout=5, max=97..Connection: Keep-Alive..Content-Type: text/html; charset=UTF-8....
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
      GET /view/theme/default/assets/css/metro-bootstrap.css HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .
      NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "2d937-541cfb40
      ffe1f-gzip"..DNT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5....                                                                                                                                           
    #
    T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
      HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 11:28:13 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Mon, 21 Nov 2016 13:33:38 GMT..ETag: "2d937-541cfb40ffe1f-gzip"..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Encoding: gzi
      p..Content-Length: 31559..Keep-Alive: timeout=5, max=96..Connection: Keep-Alive..Content-Type: text/css....
      .....g....%2Yk.*"..T...'A...0.W.Q..1W...D&X.l..6.4.KjLH.m}n.v!..?...EQN...E...G..7"@.Z:z...]kva.1.S9^"....W]...E.6.^...bj!s.t..".V...<.....$.+I......u..."...F..L.@t..Q..;.....~.....oi.8"b...(.ti.....nu........P.-..>...."..l....U..A.
      .0.nY...r....y...c.kX...5...\k....5....X....5,..Y........EB.'..7...$...L[.%V./.$E..Tv....;..................%.......Y..x.9...Is;..C.....[.Qn:......i.o?.o.<.j.)&.....+t4R/.xc....O.,....:1.........3.,.,#......p:|.V.$|......S...6..s.AC
      F....+..J...(....I9...!V(.%$=DK../.y.P^..>.~.....gT\SCd....A..T/.E0.9xtg..Y...3....7.#Yi.%\....Lc..1....'.x...u.[.7.o..y.%.1...Xl5B......./.,|O..o.p<d%.9..,..e4.D.G#.y9@.CO.=....6.a`.Ts...C...v..shr.......S!M?......o...z..zk~zE.T...
      /#..f.-...\.r........@....jF..LKk...AK..1ki......|.3&0..U.X....&......TD.bU.l:....5K`..X.M..X....7..<.l^tS.c|......M9W.y.rv.......rA.....0...+.hxE/......0.U......i.. Sm..}B.7.kl.U.......c<..m....Tl/7..I...m.. \aE?..<m.9.961....G...\
      #~..o..J.....CF<..r.s.`.....#.W.r#^..8.e... .../Ro...IXc.z.d.X.....m^G...xn....o.t.V7.,.m.&..M...g.,)61...'.,'Ir.,...}..._.gI.C.<..r.s.@.[.q.._q...^n.s...].L.."I..<....Z.....0..Q.....U..q.F.X...P..."[.4..                            
    #
    T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
      x..1..Eu.E..........C}.I..>].7.}...P..!C..?9.9X..M."L..8.yE/7....c]&M..e.>.E...]4.ilZUqj.U.]..O.2J.k...^n..U..47..l......o.|.>s.slr..1.<.g.....E}..W.k.w^..xg.O/..X....yR._s..*z.........O..H.>.i.-.u...uu..!...Z.uzZ..F...i.r..h..M..o.
      R.f?...b.^......{.I..=].7.}....V'.....L...'P..[..5.r.......}|.$.s]O3.:K.e..M......c.C.2....5.....).pm}<...3t....../..COl.g.t.G6..fa...mPp.K...d.[.N.`.R#.@H/............y.1..}8?v.S.!...`k...Y.O.8.. yO.V."{...}cI....u.[..;........^?..
      .yX..Y..a......y;.0.(.B.#.Uo:.8n.Zw..IB...}...H.......h...F....~]...H....+p.A.5O....._X}.+..cg...e2`.+^B....5..p.~.[....%.s.OL..#..:.O..~..k5.L.....u....DI.$..D......=.&....J.......9.Y.....}-[.w......_..l...p.-.6.N..........?...n...
      .n......v.~.....sO....2o..7#x....p.bN.P.lfX..A..f.....#.Z*...v.w.b..+...eNP.S5........U../..1v.6.....qX....W.N3~3...'0:.M.df...^^.3......iW8I=>M3M1A>.s....f..+..!2{....9\./T.yxc..G...t&...8.<j......w.....h.........#.$.x.Kt.7...D"<..
      .p...3#..~.W.%P.^K.g.m..Qf=n..,.=n-...L..1...wa..A.}).Rk..1-....D.Lg.....u......e.../...V..o......<.T2..~.?-.1..[.....@mUl.....q....T`.G:......... ......_b.v...X...w@.........c.;..6\1.`.!.......(. .7r....7......M_..8~.r.-[yOP.7.n.&{
      ....]..O.K..m.Ve.(..#"..c...l.n.P....r.G.u\.G.aA..m.#n..G...&...4/........\..6/.a..l>...1N5.K..4..z].5....I..n@.Y...#...fk..~....6R............. 4.v..Y...2...;-........Q 8.p..v.............C......9.........8N>.b...F...2..;.....]z...
      ...MJ.._.....D..d!...........*.M..Lc.c/.".y.B.....5@..NX$$..........                                                                                                                                                                    
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
      .b..i.0u.;........G...Y.}2..Fo..^.KJ..^.y.N.~.~T6..U......@X.#...xb....bp.....&.w.@......#.J..I.....A...@.z...5.....t..G'.P....H......Jl..,....5.`.v12.........h.6.....w.N.!.0.F.-..-V...!7.N1.U.....h.[.p.;.h..\3.Q-9......8..\.2.C.1..
      g.k..'.....s.........W.tz..=O+.........W.at.....8i.&j.8.\;...........Q2...X.<..[..P..t..=[B...-.g{..*x.z*..W..x..#z....$.k....s.....ZN......VJ..5C...4z.]...*7...c.....I,..!<.)...^...ke*.z`.zJ.f.g..{h....`.!.b.C8#.jkl3)..v50.e.2.U...
      .QP7.I.R.~T......d...w`..RE.c#..4u...Q.;..T.I........P....V\n...........C)..>V.X..k.,..E...E]..ju.s..........|L.A.....U..Ml....m.....vy:..wO..T.v0j5`"._R.(X. ....7..G.I.\s...K.`.;.C.w.......t..L.qe.........kw..~....\.]......inPr....
      ......2k.n/.1|V.9...6..Z.-`..g..Q.......O~^.u..s.j^...;:."....V.[sIBC.... Nu..g{.jcOrd.....g..3.4.......9.I......&IrG..*......u... ?....~..#.x.6.....D....cDct..9.4.>.RsT.Q.].c....fa..M.....=......i.S...Q...-V.....5...Z....;I.....x;.
      .......~..w>..&"..<o.....#.h..........iiv....y...pQ...gb`.rw<...".....O.)......~.B.^.a......D...A.h.n.e.B.....cq..5l...4,..c.......X....s.o7F..j..Hc...5.d.mU.]a...R.....f..3..H.}0..zH..n....,KH.....97f.}.T.o..;...R.....1.Y.....V..._
      .....k-.|*U..>t..w...}.......B|...!.....h.j.......g21...n.O.$..D....Sk.......H.ab...(oF..4..T.@7._`.d|...Pz..d....k.W.gD.sa...7a1.FA.x-..`...G..%.. .L.<.g.n}V.@.(sd........L.....HZ3.S{.iN..M..t.%.A.......W..F._.o..t...$..........*.2
      )4...t..B7|e!....$.q.y..Y...1......5X.jo........t..p...A.Q...o'..bx&.K?.J......J"..Z.'b.%.o.[...YxY.....*.....+...;......,...9X.J.~`.`..`....`..ow.L..t.L..:X<....E.Q,....:B.......$......U..A\..6K.n.a.a...Zf.|Yl_.Mb.V.#w....'k.kcg...
      .w6&.<.7...iF..h...J.......=.....T..>.1D..,^It,..+%{...B.*.7...|....br...G.e.2 .38...(=,....6....=..... .uW.\.z..9;...zM._/....;....4Z..nhs>.f/.h..#...=.lO.-...........q..;.n.....).......=Q+NW..p........w.'g.3W.....Fo>.......F._..P.
      q_V..s..P>...Ml2......r>... ...-...hz6\.....%..*.G.tMR...F......W".....Ue2.J.[..u.'K-".'.....T^..j.....u. b.....t..|...s.t.G......t.$9.t.E.k:O....c?....?cMG.19a...L|.g.w...E..W..J...[..2...6.....`.?.....f........sd{..8.e........&...
      .vn.Y...q'A.vz....'g.R.b.&....L+..Y.r..z.e..f....`......-..;mv..YxO..s.wj.f..5t..........N.&.].c{9...v.P.Vbo%...Z..!n........fTx.=....`.!.....B.,......]EV.H..K.r.l.!.0p....,.<p(.\..(....v&..Q.2P.-.....[.{....FF>.).}......]`..f.A..f.
      ....}......Clv^......._....axE/.L.=.\.......f..........;..x.x...6!6#.@..1.u.........1aZ..hs...m...e...M..|s.....:2.g.&.1.."....6=..Y....-.g.*...\o.>..3.:$.2g.cd...n..g..l.{....]+.......v...R2.7.>......%.;.Dc.....M.....`.s.;..y.tI.o.
      .E.. Z.B<...d..|.......S=F.-.Z>...Y.w.7.M.j=...0.d3....W~l.r..{.d1..;......|..@.Pi...JE.....)5P..*V........[..P.>....w..%...YR.[.......O...5<..@e.z'.9..../q.^2K.....%^.K|.v......G....2......#.n.......a...b.d7cu].....33(....#f;...+7.
      ...(.{sUdO-..2V^...o.^$...+d,'p..,Kp..f.F.#..-...9....e......j.0..8.rc..W.F.s;.?......A..d.-.R...'.{_.@.p....|..z...t..._........R..Q.b....0.Xm..}..{B...V`...2....S.0?.8..(......#.Y(.Wf.y.}.......n.....J5y#C+.E_ J.......Y3'.J..<..$.
      pn....0..E.._..t.}...\..M.! .*9.....J..m}n....i3.P.s...Y...;%.j@H.VCH......>8..!.9..F+,....5.*.]2.>..K.B.u.|FnL.k.......4......J.sl.]k.._@..T.tB.2[.2....p.......'/.H....0........T6..x.....-.....R8"k[%.E....v)f..0~4....;}..t`.T'..K..
      .}.u...9K...6...}......m..[fCY..)...d.,..}.......i.......o.@F.Qa.cm...i..1...i....e...-.........*..6......g......L7.2.d..hw..N...T....)...Y%.. M%.).guZ..)).R..U....]i(.....:.a}.....j.O..u.wP.........I...I..B.....[68...Z_^..6\.k...7~
      .........iY.>...z.......xK..k-2...&..lM.[....Kw.....m......z.o..:.....sM.......c..lw.h.........`.F......{.b......J....F.~.H>i..Ieq..`..G.k.(...l.z.r..).=+.W`m@.Q.P..m..K.x.Q.O.....)..bdL.FE..........5....X0*.....r6....[}!>y.N.b-....
      'H4Z...==I..pn:`&......!f1...d.G.bD.U.........j........g]...s.....V....c.........4{.._..w.k`1b. .:a..d..Q..;.q.O.e..`'2..y...~.b..E.8......$.....I.../..cg..f.....[F!}.*J...}%n....^?...x.....`..u*H.DH......`.....h..^...j]7...GE.)..Y.
      .i.Yo.1cH.<...XW.I....$..3.....X#....-A.....qNi.........#..............p.|.......k..wkj..|C..e..C0t..p..K}.......d...Q....n..P.d.I.,Y'c...y%...;N.Vyh......fl.",F$.!KY..H....VP.]KD.$Y.'.`.q.+...T..L.E.....q.&....gGr...+V.....4....=..
      ......G...j.....`.8.XR$..2....x|.~....=..d.@.b.C....=?....LU}..3...G..........u..z...k.}.e._..u...H.x..]Eh.!....p.u...C?T....M86q.D`......\.M......J...&.>......n2.. .L2.z ,rc./.. ....2.(x..Z..}.VK...uW0..                            
    #
    T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
      y.%.*l...q......Ke.n.{..aS...../qM....5Y.{..S..\.b....h...*.....z..X.$....l.......r....l...r.T...V~...d....6..|.!....tZ..&..].Tl/...^....q.....&u.5..KE..!....T.-./`... ..GofO......X..(A.p."L..}..M>~..f'd..n......L....2......o....F [
      ..ZbK..d...6.{O.;..>..%T.....M...*...?.b.d.|.s.S...R..B..K.......2)..'M....M.E..&..m..cM>l.d.d..P96a...7[.3HrY..E}......Py}....G,T[@p.b.'.%................b#.%..G@.4..E......9y.Is..1+.*{.............$......9.W.k.i.>dN..O.iB.n.......
      }V.}V.}V.[m.o..Pe..jtJsl}..u...I.l....|H.j.~....&.3....l.I..l..o>..........x.......&3..p2~..~..~...V..[l.TV...:.y..eu...+.-.y......s..0l....x.Y.i..gM&.z..xJ...&.>.....b>.bp.....F...........j;~.. *..l.....j'&a>..`B..c.....)....+..G.v
      h... I<T...Q..5,..}v~.....b...=.G..MM.xn...g.....AqQ.y..\*..[....K{......sP.......3..i(.T?.3..h.r.f...T.m3....Si.-..'.......]..A.:..{....\..t#a..q.V.!6.U......&...Z..*.....H..\6.8o..........A.r...:.kG....2N.........<#..c.%.......0-.
      ..%c.]L.BN.....3.......pz*n..5..kV......i.. ..3.c.y*.....]...OF{.[.8&.....A..i...];........xq.21bI..........%....a.=.....A....`.Y.4F...u*...Bc.P.!....F....i*]v..D...i..GzxD2]..=..y...u{w....A.%1.R.`..>...y..B..E ./O;.....M..........
      ...z~Oc...i..>...ph...^.H.s.[.D.....!..NkU.k......w... :...'p...).}Q.S.(.......=.m......C....1..%...;...#..1u.`/........%.R......Be.t...P....1.-.l..]?t.R.}..../.... .....@F6...$.hx..H..C..-....D&.....R.....>......Z}..bu=.^c.........
      F...}..~...oI..SR..R). ._.Z.).v{n/.~................M|E;.....J."H...d.>...;..-3cC.....i.OJ46.&.\..4..j.]..M4..>...y^..4e.........<...r@.......{........r..(....%...........<.:.yT'..n.FZ.ohM4......,..g)..R....@.....{...s`2..z.=<......
      ....%...4.`..8...Q.....t....q,j..Y.]Q...>.E.....e.7...-....r..\..._....Gm...9@....6.k....U..q...~..B...Pvg.q4:.=..a.h."..h.^470P....@......U....21.;..U..;SF.2-."NO`"DS#...1H.e..74...YR...HL.|L,db...Eb...2..W..T&...DN.9.h..a.d...>...
      ..(.T....P/.j.y...J..[.0..3..f.Zf.i$.z..J.(.3...T..s..D..5.t.E..#-....f.6.y6.."...Q+..J.-._e..A.8.WE..IX.>..,.R.0. ...J....2*....oT....F.F.......]]..4/.2..<)..-).l...$O..+..*.r....2..8..0....#.V...".b.....l.Cs..H..,.$)M.j..HW..IR(4$
      '..8.."+...04R7...H.2..,..(......s..y...Q...M.b..q..i.UeYe.....(&iqNy....7-WyT.e.%aR.E....,..*..(....e..S..-&..d#....aV..H...C#u|Bz...h...u#....Y..QQ.E.cx.5W.@w.Q...T..H"....L#...]..@.*..fDD!.iH.(.*\.eW.(.aZ.qRdy5RCE...$-.0JH7.h..*.
      ...uh.......D.H...,...-H...<...Wy....<...b$:.V......[2...4...2K...^.).dN"u.].+>....o.OWD.f..6e....o.._.+....q.j.O.\...%..\...T.d..u..q...i..UA8Gz...b...E.*.4.......I...(.RcJ:..`..IsQ.. .*.2+.]..)i...<.t+f...J.}..d4.&.&.h...P8...D.D.
      ..S.AiT@..0..4!.I..A.n..t...09A...\TU...Vf.C..'...7."..2*......_..1/..Io....1+2#c.N.&3H~H..O.. b....$.....4.8g.>7k..M..!..@$.. 3,.U.........n..bg...$.:.N.U0..afV@.;".Y..D....u.;!.%"%..o."!.%".G...!.....IuB..t.Ps.'...........W`...x..
      A.$......91....U.m...N.cj..91..,Hh35vL{...D......!iL.d@..@h..$. ........,qauO.....*.O...$....=tM.:R2^...,Lf..8...I........V.L...3..."..*!...?...;.;F..........0...@...,...Fda.L,........%4..N,r......2.T...."\4cNi.(](.?F.s...@Q.P(.Mh25
      7P.................&;S.E.B..H....@..P(.Sf...R..J..,.5e.)Z.....Wn..=1.yD..a.h......7.3...=9R~.-Y...@..%L.....rX.01Wk{.......M`.Z..D.*.zI..)4....H........d...Vz...(.L....L....L.n.|~.T... ............c.v.h.3...k.E.($fLX..6-..4=......_.
      /JL.*..5.hU..f.'y\.....E.0.Hu.....~.,...(.....A.hV.._...[4.....t..O.EK.......E..,..8..4B]v.-..i.../t..D..%X.edi.R...ETTi)..<.....F.8&K."....D.Vi(.B.(!..~.2"L..#.c4..*......E..2..$%..*F.QsC...."JK....Yd=M.y%YkE..=.7.....%9)Y=..).....
      ;GG...G<$..0....j\.<..s4".....8G..,..!X...'^.sT........TA.jdmYE.u.....A`{G..+..,.R.Q....=.By.....B.D.&ta..xc.G.$..zQ.5W......3".i.:..^.)...~..M...$'..iE.....X..q......Z%eX...K2.B....".W`......_..Kw.R.(w..p..+.Nl.../..(.....Z..3|..u.
      .....,...r".U...9.G..WR..$.@...t..:)].h..TS$.hg...3.W.$y.`.."MVe.GY"..H.UA..B. #...U..H5me9a#2.d9..B5u.;T..#..9.,.&.....Q.U.9.....IF.....4'....$O.n.,.iNf...`.....D...J./J....')PSid.6......DDN..tp........9..VeA:..%a....;I5...n.%M.j%F
      .Q5.m.8..9.oL.4.......DE.l...I.z.UD4dY..'..1w...^.H....a...bH......^Rm.1..r..!aH...&....+.I..p........I.=e.y.......(--.7;J.......Bq..4.P..(M-.7;J.......Bq.....[=....}I....F`..Y.?"..+~.Z...N....b.....w.....dG.10.O.).2....A.._.....v.F
      B.....;.....3..r.q<....`..f_}a..x. c...2..w5.|..]5...:..k..U?..O....{..].?}.#....)u\...5..`.....w.....I..2>.......v.D...~.'...}...X.d.......P.E.*.......;o.z...6...[.h..........Uwd....`....@..W.......aZ.}B                            
    #
    T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
      .M.m ...."...A.K...........!...Gj.........S{|gp..J.e........8!..HM8....."...C....rA...I2.lvp.Pw]...%E..H..!W.H....../..c....*z...z..{....5G'i.4.*.....+".5vMI1#.....e..`A].V.hq...[ID9.......q..oWa...2....$...J...UK..q....Z....Y....[.
      rS..S-...u6f....Iu.../....1.._.|..A.......i.L.7..#xn...+Q.$.....,....... =...n)f..1.....<...$....S.b...@5W.w..s;|h.I..A...7....Xg% ...bG.....S......../H....hr.''xr.'gxrn.../.3...nK...(m@L".d..@d.0.|.3I..=p.,e...}.....gB...H.......&.
      D...TJ.......q..... ........7...C.....!.z..bOLK1v.|....>N]U.qjW..m..{.(.....>.{......M.6......X;...]EO..=Fn^D..[.:..X..:.V^r...+Xn..8.........Q.V....%Kq....^..C...,.......7.R./wCk.+...f._...m}....^.k......c...d.j........(..n.-I.....
      .....L0D.....Y......a.....'~C.].7(#.-.hA......W...o...\...<f4..S%..l3s.o.....(....V..._.......g......a...x.Q/ ..0....k'.....b ....._.+...7..,.B......x..A.../.4J.",.....B.....Ds......T:s.~...vAl..h...#.#.Ac^..s...$..rm.<~.I..\cy.L.P.
      .............g....S........T..f":.L..........5.S.....4.m......u"V..~.Jh..uK..w/,..3.4..b..yi.c`...1,..b...... P..`(D......5...]...^...xG?z....Q7$...K..W.WRG.\.3.sH..Gy...(].,..D.r..L.../.T.......S...jqa.8.b.....'v.h...Y.._:...'[..5.
      ..^...v....&1.H......SMT,.>...B.!A5......v......1nK...A).......I'.H..j.9.F..-................B...LV...X.<.v.... ....%F7Y)+lV..9..;.....'.....@F..K'W............_.........@......CM..................v..2'..EQ-..X.r.n...^...(.=...0.$V6
      ...............ri..3rb?.X....q.:..x..;........~z%?...._..u^v...u+.y....0Tm.......,.e...l.A.r.../...Cm/....)i.".......fOv.....3...f.............Y.@..F..nx.]I..F...}.....N.u"Z%...vv..\..o...+.v...jy.{......n......6n<&..o....a.`%d.....
      ...a~...N.N..|'...KW.1.u...U%..G...K9.?.......g.H...[wl(.....G...2.c..^|..I3.....$......;..Qi;gj.l.wCW...1qx j....D..L(..|L.Z....'*m}%.....4._.QG6.,......p....n411 q...UZ.+..A....).6<....`2 ....9...g2....3.....zy..C?.+.@......aX..>.
      '.,..x...D.mwU%..L.f....c6X......J..2.}v....u.`..qz..3.+....QH.r......|.)...$Q.T...AY}..'EV.x.,...5..@'...&6.2Zj....#.A..E..4T8^.Q .].......(...A...>.%..U.Q.r6..(.E......!Q.hz.l]..p.z...L.......(W6.U.....>........G...|b.+.../K.B..9)
      +..."c...z..#3I.(...W).....E.Y.''.B^!q..J...~...M...\.l...WI.H.......m,.....;.r.Un....i.C7.DI.g....Q...8us...6.}#...u...?oQ......D.Q.h....IoQ.....?8=e.G....0..........]|...,.......w........r..~y#C9O'..8..>..wT.(.......n..../.h5.....
      .WS.s.U.nG....w....=Q.....W..S...%...\...L].\.(8Y...>96.......Ot."......F..f......E...v.w....Y._0h....P..r|...w.rc....!....:...r......bM.......a.2.....R...`?.1..Pw.%{.....5............$..2.m...sBy.e.....2."C..$GY@..58.r0K.=....Lo...
      }...n.Z...C=8.......4...M.]..;..K".p.....*...-.6z.$v.....9b. ......b.A....1K4..Q.r.}s.....z..1....../. X............,V.2...e.....K..h.J.Z....b7...D....{..C.............O.........y.;\.RDX\......T$..Y.?-..3h.OE.....g..1..]..u..b..1..7
      .....NJ]l.N...\3@..E.r....@wR..kPW8+.v....Eh...?vl....5BS.....k...........1........f.z..;p....l..1K.....F.Ac.a.q/...;f..\.F.s.D.....Vdb.XE.q....a.......[..j.m..u.'.Y..:....>.V..4.M.........c.fo+F..z.l.U({...Wc.......-.j..Q.o..2A..;%
      .0.'....O.....Bd.Y..K;|^.^!r...R.*.{..U*...Yj....=.e.P.W.u..x...wGA.y!..(....[.S....S....S...oWi.u./..e'.Y.e'.Y.e.N./......*......3.K../..%...+.*89...'G.U.... Z.&oa..|0yKO.2.....]6=.s......8u...C.+5....`;.....W/..)?E..>..s.Nz=..\<.=
      ..a....Px...v ..~...@..Wz.W..?.n_N^.._..g..........R.?8...50..{.....;.G9.4.....8..:.V.A?......V...........7...<.7.8.>..u.l...8._.S....W$.W,.17.d..8....VV.....QY..q]E.9...;........v.eh.5..hB,w..........>V.+.~....C..S.H.%F....H/....Ea
      ..7#.Q..8..V^S(......(H...`.....s...!.|.Z.......... .4.fa_...}..>..x..yx....A.s...../b.%.....ag..jDWiDB.Y].....S.i.RM=.^\FG.d.J..@v;...r ..n..>7`...V.........z...h.Tl{=".=.ALJ68{......[...f......5.Ll9....M`FV.o.H....C....&...ZLgW%..
      .x.......C:......GAA....vU..w.TL1..N.hn...ET........P..2......Y.!H.].)x.y....x.f...9......Aq..i2o...j....c...LGD.....h.).....J)X.j...a..q4.8.....7@I|L.<%.........aZ..].a.&.D.#.J..3...<.....sd.`=W.......j........f\m.P......2....<...*
      -.@..&.0(2..0.....v..A..T'...b..(.!....................3 .~..b.|.l...D_Z-.+Tw.^.JVS.3u...v..&..l...i.^.t#...I...Jg....f....+.)...;....|.Kr.....3.>...h|X@hN.*.n.J=g&.(......P..2.......P(.>=.k.bD.1....p..j.....YP...Z.D....J.........Y.
      .I......O0~\^....oSX....w.@.h0..<..S8I.......D.......Fsk).}.#.#.f...).X.#c...Af#....IP....uXL..V.X..."......t....lv.\T.7.G`..N.+.e..../0.g+%......T>if...&.N.#.K ..98..{.......g!.|..)u n.Z...Sa....~x....(*                            
    #
    T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
      ?.j.....%d.e......n..t..rL1e..;.....V._+.. .......S2....Z.p.C..*..X0.'.D...6...|...\.Ok.(..z..ss......Z+.6.x/2f.T..#.........X.c...r6.1Z..dL....e............m..4!..,>....E7_..`b............."..?S...g.8q|.....L_.Z...>yh.C.....B......
      .....:.|.A..,t"...V..1..4.,.......*.6..2.W...$....F..R..:=..1...HB.\.fMs......m..v.6.3.n.^...............W.(....Dt.....~.v.._............x...,E.}1...~TN.)h.....O8.b.A...>...D..I.....c[K.r...../V....4...J..8....XF6.w....&.....@.....=
      .k..U......O+.=.Z......w..e.;..>..Mz.y7.8..S.....WY.6..^A.b{iP).4...f!...".3C...,..k..Z+q{....o....0.n G....(mq....v.69..7..{.....~.iF>!...~..UF.sd.8..]s..C...>:......P.}7....'::8.e...Qe.:..._.$Y%....d......4....p......5.\9. r04...U
      ..G.....G.Q%.b.;\.mGc.2C..GAP.a...w...f..2/.-.....LS.......F*....<3..*...3.x..|..^......O...`..ljt.7g.=.....m11e.J..2........7.xL.........D.p3.Cd,f.t...T...........H...u..=Z.X..v..z.......8..`..vh.c-]"|...t...m ;."....=......w..]...
      ..H.E,...;z......./L...k.H.&..cUA...1B.R..B.........b...=@..9.r.k..0?e.o..c.K;x...v..E..).Z(.L.P.R2t......w.n...@Xg..!1...X..=i......V..z.Z....`p..:wF.=c.......Y.}......>..%6.....N.7.Y.......d......%.j.I.;':...B}....r ........A.z..@
      .g..|t.r...A..s.....E......-..8....$N.y...[l.t.V._<L..4.b._..Z.gK.o.@... U.[..........a.kv....=I.t"8.*..;.~..[..G.....].U%.sl...lO.;.8......K..;.0..S+^..=R...S.k..c^?....|....7/nJ=....^z........6.6...+.7.....8.....}.-.]T.0uSg...U...
      4)..$....i.4.a......NM.G.'0.!.].@....e.7.....E..o.La.......?QbO...#.....b..2...9.1....[....t.i.)...R)...&....f.vK@d......D...`.V.<...^G..L.L..s%G.#u&.1+.<.^..?q...W..........MJ..3\.....B....e.._..0.4.........W....8k..(,...<.3.x.....
      .w".].\W.Ra\e..0*.....6...U8.m.U...}.G..'bU....w....@..m.@...uj.U4.....z7.z...."..."..........[0.._..Ag....F.fv.e.ze~...i0...4....2Zy..7W...#.....<....!u.Y.G.n....^..(...,=....3w..\[...U.....~.."9......a....N|n..,}.#...0...w........
      .....I.....=.'..e.!..Y.0I.......WS2<.Q.*....T..$Ey..$..vL......wZ .... d?.rN....,..U..^....T.%..w3..~E...Qj..y......Z.;.>..g..q.6..uq._.p..5;`.@..._e.;...\p".=g.........Y=...>{..9M.5]..^n...r.W.........p.pG7........d......M...A....y
      .;....6..2=.p...(..tKBW.$n.DMd..........7....f_.....+v.../.....W.H~..uq....#H.=u.v.V...;.Po..v.:.!..}.w'R.m.Y7...:.I.G...qi..$T..~M,$U.]...l..........$!..~ IC.q...zd.m..IQ....E.u.iRM....Ep-...n...h...^<P..du...F....,A.Z_.Kb...(..Vm.
      ..o/...r[.V..Q.D.x......P....z..m._.ng...8..*X..K...!.....N..m.o...#.O.G.K^Q.......A......#..*v..[....?]O.c...!.g......J.H...M.......}^..}R7....!M..`....D......+....D.Xw8."+...?ZWc.P.........-.q;..Y.$.%....h.;.<U..eFG:.G...G../h....
      .c..bO..)..A~>...2/O...O.L......9._..G[R.q...8.B..^.....(....Th..f.....y~.B.)$...%...?.O'...T38v.[_...8A.....g~......Cv 0......AQ<..8.a..<.Of.H..E%{.:.(^...VcQ.@.. .""....ldv.....,.m/.+.k........_..520Q..C.L!.....~.l.IN....f#.j.nU..
      ..9.N....,.p&.......L*.!...8.y?.....A....5.... ..l....?J:._f.WT.....Z....._>......B.l...E!1".F.8....../f{Q....k?..!.A.Y.......b.=i0!.......h..C{.&9..`Js.......n...y...BL0.$]a...,t>\N....u...#scG_By...M..4.d...T...JG4.....J...]{h..^.
      .......2...[....$..]AH.rg......E..-..Rq`N..`......|.."~.6..../Cwj..B.......n..u..u.4o.]..\.......~h.3+..hm\vI.........bf.......$...^.[....N@>}.$7.i.v.r.......C....*.!Gl>;.....J...3..r4gx...-:;:JGW.....&...\_..fw.....\3.y.b...%T.f..n
      E.:...:.V.........Q.b.....\'...v.u..H.B+f|*...v..f..G.d.6...zPR0..K.bf$......^.......;.D..;2t??.ks..\[.i...?_..n....-...V..B..O....?.U. ...6........<A0......O.].B...*..a].....o.f.q.....u......!.[.... ....E$.]....~.6.O.h.Q..+.D....M.
      ~....IQ`W.:3...i....^c\>........b....m.!.v.8...3./...C..0m/..R.x....sU...h...8.=....x4#|s..('}r.>....K6|.....t..u..~..@t+.gB....k3z...1?X].-Y.2u.....6.,.+#........Gb.....:m.....z.u..W..4..,.D&..o..l?...9.Id.^..........|..5f.~.F.:0..
      ^.....j.8^\..IKvg.}..d.s.A .A  3..J.~/.A.J.Y?..G..L4.[|.l.=#5...].# .>.......Bi..E..{."q.f....||....S....9m\Wi..F.E.........>...u.a.?..i^..y.O$...n.Mh\...p..s..@_I..l.._.fSP......b....AB.z.C...(.......C..U`...@....|.v.)P3....(.@....
      .......|.....eu.zt'U......;B.:g.~Q..=+....m..mh....(..t....w..........#......x.nt.".Mk...JD..t.$.F......<".g....k.%.@L.zh.n..x................"/.D@.?s...1..{.F..... .^. $..P.s.W...rQ.=.1.W.@...Zx....Y../.....u.7...                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
      GET /view/theme/default/assets/js/html5.js HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.
      50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "98c-541cfb4100dbf-gzip"..D
      NT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5....                                                                                                                                                         
    #
    T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
      HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 11:28:13 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Mon, 21 Nov 2016 13:33:38 GMT..ETag: "98c-541cfb4100dbf-gzip"..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Encoding: gzip.
      .Content-Length: 1256..Keep-Alive: timeout=5, max=95..Connection: Keep-Alive..Content-Type: application/javascript....
    ###
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60103 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60103 -> 192.168.0.66:80 [AP]
      GET /view/theme/default/assets/images/archive-logo-lg.png HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2
      ; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "27ce-541cfb
      4100dbf"..DNT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==....                                                                
    ##
    T 192.168.0.66:80 -> 192.168.0.65:60103 [AP]
      HTTP/1.1 304 Not Modified..Date: Tue, 22 Nov 2016 11:28:13 GMT..Server: Apache/2.4.10 (Debian)..Connection: Keep-Alive..Keep-Alive: timeout=5, max=100..ETag: "27ce-541cfb4100dbf"....                                                  
    #
    T 192.168.0.65:60103 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [AF]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60103 -> 192.168.0.66:80 [AF]
      ......                                                                                                                                                                                                                                  
    ###
    T 192.168.0.65:60103 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60103 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    exit
    49 received, 0 dropped
    
  7. Janos SUTO repo owner

    Apache keeps sending the "HTTP/1.1 401 Unauthorized" response. I have one more trick: edit .htaccess in the document root, and create a block like this in the <IfModule auth_ntlm_winbind_module> block:

       <FilesMatch "1\.txt$">
          AuthName "piler NTLM authentication"
          NTLMAuth on
          NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
          NTLMBasicAuthoritative on
          AuthType NTLM
          require valid-user
       </FilesMatch>
    

    Then create a file 1.txt with some contents, e.g. Hello world! or similar. Then restart Apache, and try to get this file: /1.txt. If you can, then the Apache authentication is fine. I'd like to see the ngrep output again for getting this file.
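
Added example (not part of the thread, and not piler or Apache code): a Python script that reads ngrep output for the `/1.txt` test described above, decodes the NTLMSSP message type in each `Authorization` / `WWW-Authenticate` header, and reports per TCP connection how far the three-message handshake got. The function names, the state labels, port 63900 and the Type 2 / Type 3 tokens are constructed for the example; the Type 1 token is the one visible in the capture on this page.

```python
import base64
import re
import struct

PACKET_RE = re.compile(r"^\s*T (\S+) -> (\S+) \[\w+\]\s*$")
START_RE = re.compile(r"^(?:(GET|POST|HEAD) (\S+) HTTP/1\.[01]|HTTP/1\.[01] (\d{3}))")
# ngrep prints CR and LF as '.', which is not in the base64 alphabet, so the
# token match ends where the header value ends.
TOKEN_RE = re.compile(r"(?:Authorization|WWW-Authenticate): NTLM(?: ([A-Za-z0-9+/=]+))?")

# Type 1 token exactly as it appears in the capture on this page.
TYPE1 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
# Constructed stand-ins: only the NTLMSSP signature and type field are meaningful.
TYPE2 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 2) + bytes(36)).decode()
TYPE3 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(52)).decode()

# Constructed capture in ngrep layout. Connection :63861 gets a bare 401 after
# its Type 1 (token wrapped across two lines); :63900 completes all three steps.
SAMPLE = f"""\
interface: eth0 (192.168.0.0/255.255.254.0)
filter: (ip or ip6) and ( port 80 )
#
T 192.168.0.65:63861 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Authorization: NTLM {TYPE1[:30]}
  {TYPE1[30:]}..Connection: keep-alive....
##
T 192.168.0.66:80 -> 192.168.0.65:63861 [AP]
  HTTP/1.1 401 Unauthorized..WWW-Authenticate: NTLM..Content-Length: 458....
#
T 192.168.0.65:63900 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Authorization: NTLM {TYPE1}....
#
T 192.168.0.66:80 -> 192.168.0.65:63900 [AP]
  HTTP/1.1 401 Unauthorized..WWW-Authenticate: NTLM {TYPE2}..Content-Length: 458....
#
T 192.168.0.65:63900 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Authorization: NTLM {TYPE3}....
#
T 192.168.0.66:80 -> 192.168.0.65:63900 [AP]
  HTTP/1.1 200 OK..Content-Length: 13....Hello world!.
"""


def ntlm_message_type(token_b64):
    """Return the NTLMSSP message type (1, 2 or 3) carried by a base64 token."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", raw, 8)[0]


def negotiate_info(token_b64):
    """Decode the flags and, if present, the client OS version of a Type 1 message."""
    if ntlm_message_type(token_b64) != 1:
        raise ValueError("not a Type 1 (negotiate) message")
    raw = base64.b64decode(token_b64)
    flags = struct.unpack_from("<I", raw, 12)[0]
    version = None
    if flags & 0x02000000 and len(raw) >= 40:      # NTLMSSP_NEGOTIATE_VERSION
        version = struct.unpack_from("<BBH", raw, 32)  # major, minor, build
    return {"flags": flags, "version": version}


def parse_ngrep(text):
    """Return [src, dst, payload] per packet, rejoining ngrep's wrapped lines."""
    packets, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        header = PACKET_RE.match(line)
        if header:
            current = [header.group(1), header.group(2), ""]
            packets.append(current)
        elif stripped and set(stripped) == {"#"}:
            current = None                          # packet separator
        elif current is not None:
            current[2] += stripped                  # a space at a wrap point is lost
    return packets


def trace(text):
    """Group HTTP messages by (client, server) as (kind, detail, ntlm_type)."""
    conns = {}
    for src, dst, payload in parse_ngrep(text):
        start = START_RE.match(payload)
        if not start:
            continue                                # bare ACK or body-only segment
        tok = TOKEN_RE.search(payload)
        ntype = ntlm_message_type(tok.group(1)) if tok and tok.group(1) else None
        if start.group(1):
            conns.setdefault((src, dst), []).append(("req", start.group(2), ntype))
        else:
            conns.setdefault((dst, src), []).append(("resp", int(start.group(3)), ntype))
    return conns


def diagnose(events):
    """Name the step at which one connection's NTLM handshake stopped."""
    state = "no_ntlm_attempt"
    for kind, detail, ntype in events:
        if kind == "req" and ntype == 1:
            state = "negotiate_sent"
        elif kind == "resp" and detail == 401 and ntype == 2 and state == "negotiate_sent":
            state = "challenge_received"
        elif kind == "req" and ntype == 3 and state == "challenge_received":
            state = "authenticate_sent"
        elif kind == "resp" and state == "negotiate_sent":
            state = "stalled_after_negotiate"       # no Type 2 came back
        elif kind == "resp" and state == "authenticate_sent":
            state = "authenticated" if detail < 400 else "rejected_after_authenticate"
    return state


def report(text):
    """Map each client ip:port to the state its handshake reached."""
    return {client: diagnose(ev) for (client, _server), ev in trace(text).items()}


if __name__ == "__main__":
    for client, state in report(SAMPLE).items():
        print(client, state)
```

A connection that ends in `stalled_after_negotiate` corresponds to the symptom described above, where Apache keeps answering with 401 instead of returning a challenge.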

  8. Rory McInerney reporter
    interface: eth0 (192.168.0.0/255.255.254.0)
    filter: (ip or ip6) and ( port 80 )
    ###
    T 192.168.0.65:63861 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:63861 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Cache-Control: max-age=0..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safar
      i/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2
      =341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                                                                            
    ##
    T 192.168.0.66:80 -> 192.168.0.65:63861 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 12:46:38 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
      o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
      .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
      html>.                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:63861 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Cache-Control: max-age=0..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows N
      T 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB
      ,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                              
    #
    T 192.168.0.66:80 -> 192.168.0.65:63861 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 12:46:38 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomiS26GLpmYR3YAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
      gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAIgPg3e+RNIBA
      AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
      ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
      ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                          
    #
    T 192.168.0.65:63861 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Cache-Control: max-age=0..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAABiAWIBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAUAgAABYKIogYBsR0AAAAPMJ4GzalrT1cnrceJZv5yE00AVQ
      BMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF20kRlFerV1+/tIFJ0CWVQBAQAAAAAAAIgPg3e+RNIBi4bQ/xO/dpYAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQ
      BSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgAiA+Dd75E0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK
      18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAJgBIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlADoAOAAwAAAAAAAAAAAAAAAAAA==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
       like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID
      =ches8bgmfnhbnbgue39rt537g2; splitter2=341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                                      
    #
    T 192.168.0.66:80 -> 192.168.0.65:63861 [AP]
      HTTP/1.1 304 Not Modified..Date: Tue, 22 Nov 2016 12:46:38 GMT..Server: Apache/2.4.10 (Debian)..Connection: Keep-Alive..Keep-Alive: timeout=5, max=98..ETag: "6-541e322cb103d"....                                                      
    #
    T 192.168.0.65:63861 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    exit
    11 received, 0 dropped
    

    I can see contents of the file created, 1.txt but it is still rejecting something.

  9. Janos SUTO repo owner

    I'm confused, because I can't see 1.txt contents in the ngrep output above. Btw. can you try it with a different browser as well, eg. firefox, chrome?

  10. Rory McInerney reporter
    interface: eth0 (192.168.0.0/255.255.254.0)
    filter: (ip or ip6) and ( port 80 )
    #
    T 192.168.0.65:64095 -> 192.168.0.66:80 [AF]
      ......                                                                                                                                                                                                                                  
    ##
    T 192.168.0.65:64095 -> 192.168.0.66:80 [AR]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:64095 -> 192.168.0.66:80 [R]
      ......                                                                                                                                                                                                                                  
    ###
    T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:64116 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, appl
      ication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.
      0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT..If-None-Match: "6-541e322cb103d"..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAA
      AAAGAbEdAAAADw==....                                                                                                                                                                                                                    
    ##
    T 192.168.0.66:80 -> 192.168.0.65:64116 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 13:00:15 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomiY3e7RIZqtzYAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
      gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAMTWh17ARNIBA
      AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</h
      ead><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to su
      pply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                         
    #
    T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:64116 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, appl
      ication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.
      0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT..If-None-Match: "6-541e322cb103d"..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAAB4AXgBsgAAABoA
      GgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAqAgAABYKIogYBsR0AAAAPSPA0g0mQ5UoDQYjXBshzR00AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKeBD5ZEag0EqpvQXCH7uOgBAQAAAAAAAMTW
      h17ARNIBQAlblxijfzYAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQBSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwA
      bwBjAGEAbAAHAAgAxNaHXsBE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAPABIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4ATQB1AGwAdABpAEcAcgBvAHUAcABQAGwAYwAAAAAAAAAAAAAA
      AAA=....                                                                                                                                                                                                                                
    #
    T 192.168.0.66:80 -> 192.168.0.65:64116 [AP]
      HTTP/1.1 304 Not Modified..Date: Tue, 22 Nov 2016 13:00:15 GMT..Server: Apache/2.4.10 (Debian)..Connection: Keep-Alive..Keep-Alive: timeout=5, max=99..ETag: "6-541e322cb103d"....                                                      
    #
    T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    ##
    T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    exit
    17 received, 0 dropped
    

    Sorry, that was my bad. Here is the correct log.

  11. Janos SUTO repo owner

    No problem, however, I still can't see a successful authorization. Would you try with Firefox and/or Chrome? Don't forget to set them up to use SSO for this site.

  12. Rory McInerney reporter
    T 192.168.0.65:64673 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/htm
      l,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341..If-None-Match: "6-54
      1e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                                                                                                      
    ##
    T 192.168.0.66:80 -> 192.168.0.65:64673 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 13:17:27 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
      o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
      .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
      html>.                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:64673 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/
      537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Coo
      kie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                        
    #
    T 192.168.0.66:80 -> 192.168.0.65:64673 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 13:17:27 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomil1Dk0+kpqzMAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
      gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAJzVjcXCRNIBA
      AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
      ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
      ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                          
    #
    T 192.168.0.65:64673 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAABiAWIBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAUAgAABYKIogYBsR0AAAAPd2yqmmSQJo4aKmcLhYkbUk0AVQBMAFQASQBHAFIATwBVAFAAUABM
      AEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMzOTvwwDtrZiAajybaDeqIBAQAAAAAAAJzVjcXCRNIBZFBuI1jnoUQAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQBSAEMASABJAFYARQAEACYAbQB1
      AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgAnNWNxcJE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK18VvjOndxqmWaDJKymOBlk8w0K
      ABAAAAAAAAAAAAAAAAAAAAAAAAkAJgBIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlADoAOAAwAAAAAAAAAAAAAAAAAA==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2
      840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g
      2; splitter2=341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                                                                
    #
    T 192.168.0.66:80 -> 192.168.0.65:64673 [AP]
      HTTP/1.1 304 Not Modified..Date: Tue, 22 Nov 2016 13:17:27 GMT..Server: Apache/2.4.10 (Debian)..Connection: Keep-Alive..Keep-Alive: timeout=5, max=98..ETag: "6-541e322cb103d"....                                                      
    #
    T 192.168.0.65:64673 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    exit
    24 received, 0 dropped
    

    I checked the access logs and there's certainly winbind stuff going on. The browser is also definitely set to use NTLM.

  13. Janos SUTO repo owner

    I can see that, however the 'going on stuff' is not good enough. I have no other idea other than double check the samba logs, perhaps there's a clue in them.

  14. Rory McInerney reporter

    By things going on, I meant that mod_auth_ntlm_winbind is working fine, as pasted previously. Apologies for being unclear.

    [Tue Nov 22 13:53:50.179506 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [Tue Nov 22 13:53:50.179568 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Tue Nov 22 13:53:50.181781 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [Tue Nov 22 13:53:50.181794 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Tue Nov 22 13:53:50.181873 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(1023): [client 192.168.0.65:49967] doing ntlm auth dance
    [Tue Nov 22 13:53:50.181898 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(489): [client 192.168.0.65:49967] Using existing auth helper 16584
    [Tue Nov 22 13:53:50.181906 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(657): [client 192.168.0.65:49967] creating auth user
    [Tue Nov 22 13:53:50.182501 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(708): [client 192.168.0.65:49967] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\n
    [Tue Nov 22 13:53:50.182588 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(746): [client 192.168.0.65:49967] got response: TT TlRMTVNTUAACAAAAGgAaADgAAAAFgomi+iAqvP1+qkYAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAGgBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAFDAetrHRNIBAAAAAA==
    [Tue Nov 22 13:53:50.182593 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(416): [client 192.168.0.65:49967] sending back TlRMTVNTUAACAAAAGgAaADgAAAAFgomi+iAqvP1+qkYAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAGgBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAFDAetrHRNIBAAAAAA==
    [Tue Nov 22 13:53:50.185006 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
    [Tue Nov 22 13:53:50.185017 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
    [Tue Nov 22 13:53:50.185021 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(1023): [client 192.168.0.65:49967] doing ntlm auth dance
    [Tue Nov 22 13:53:50.185025 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(489): [client 192.168.0.65:49967] Using existing auth helper 16584
    [Tue Nov 22 13:53:50.185789 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(708): [client 192.168.0.65:49967] parsing reply from helper to KK [...]\n
    [Tue Nov 22 13:53:50.187926 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(746): [client 192.168.0.65:49967] got response: AF MULTIGROUPPLC\\rory.mcinerney
    [Tue Nov 22 13:53:50.187938 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(792): [client 192.168.0.65:49967] authenticated MULTIGROUPPLC\\rory.mcinerney
    [Tue Nov 22 13:53:50.187944 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require valid-user : granted
    [Tue Nov 22 13:53:50.187948 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: granted
    [Tue Nov 22 13:53:50.188678 2016] [:error] [pid 16518] [client 192.168.0.65:49967] PHP Notice:  A session had already been started - ignoring session_start() in /var/www/piler/system/request.php on line 30
    [Tue Nov 22 13:53:50.189475 2016] [:error] [pid 16518] [client 192.168.0.65:49967] PHP Notice:  A session had already been started - ignoring session_start() in /var/www/piler/system/request.php on line 30
    [Tue Nov 22 13:53:50.206918 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require all granted: granted
    [Tue Nov 22 13:53:50.206930 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: granted
    [Tue Nov 22 13:53:50.207013 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require all granted: granted
    [Tue Nov 22 13:53:50.207021 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: granted
    [Tue Nov 22 13:53:50.209701 2016] [deflate:debug] [pid 16518] mod_deflate.c(855): [client 192.168.0.65:49967] AH01384: Zlib: Compressed 2427 to 961 : URL /index.php
    

    The samba logs are completely clean of any errors, but I'm led to believe by these logs that the module is authenticating correctly. The same result also comes up when using login.php with a typed-in username/password. As far as I can guess, apache is authenticating against the domain ok.

    Could I ask what version of php the webui was built against and whether it was nginx or apache?

  15. Janos SUTO repo owner

    Well, the sso part was tested with php 5 + apache 2.2 (however, I believe that sso should work with php 7 + apache 2.4 as well, since it has nothing to do with php versions).

    I also saw the 'authenticated' line in the apache debug logs, however if you can't get 1.txt, then it's simply not working properly, and the webserver itself (not php with any versions) rejects your request. We have to fix it first.

  16. Rory McInerney reporter

    I can see the contents of the file, 1.txt - the latest ngrep log is from when I was able to do this.

  17. Rory McInerney reporter

    I think there was some web-browser caching happening which I apologise for. This ngrep for /1.txt displays the word "thins" (content of the file) which is also present in the ngrep log.

    T 192.168.0.65:52229 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Pragma: no-cache..Cache-Control: no-cache..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/5
      4.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39r
      t537g2; splitter2=341....
    ##
    T 192.168.0.66:80 -> 192.168.0.65:52229 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 15:08:09 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
      o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
      .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
      html>.
    #
    T 192.168.0.65:52229 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Pragma: no-cache..Cache-Control: no-cache..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==..Upgrade-Insecure-Requests: 1..User-Agent: Mozil
      la/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accep
      t-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341....
    #
    T 192.168.0.66:80 -> 192.168.0.65:52229 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 15:08:09 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomiS4N+lRChvLsAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
      gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAORDgzzSRNIBA
      AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
      ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
      ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.
    #
    T 192.168.0.65:52229 -> 192.168.0.66:80 [AP]
      GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Pragma: no-cache..Cache-Control: no-cache..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAABiAWIBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAUAgAABYKIogYBsR0AAAAPmguCECQnZ
      fjY/oiAw1pjrU0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANoB7ee8TkNGACR7IwilDCsBAQAAAAAAAORDgzzSRNIB323kXWHQHY8AAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAA
      QAWAFMAVgBDAEEAQQBSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgA5EODPNJE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAk
      JzxPmjuTLhsWDaTAK18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAJgBIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlADoAOAAwAAAAAAAAAAAAAAAAAA==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebK
      it/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..
      Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341....
    #
    T 192.168.0.66:80 -> 192.168.0.65:52229 [AP]
      HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:08:09 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Tue, 22 Nov 2016 12:44:40 GMT..ETag: "6-541e322cb103d"..Accept-Ranges: bytes..Content-Length: 6..Keep-Alive: timeout=5, max=98..Con
      nection: Keep-Alive..Content-Type: text/plain....thins.
    #
    T 192.168.0.65:52229 -> 192.168.0.66:80 [AP]
      GET /favicon.ico HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Pragma: no-cache..Cache-Control: no-cache..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.3
      6..Accept: */*..Referer: http://svcaarchive/1.txt..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341....
    #
    T 192.168.0.66:80 -> 192.168.0.65:52229 [AP]
      HTTP/1.1 404 Not Found..Date: Tue, 22 Nov 2016 15:08:09 GMT..Server: Apache/2.4.10 (Debian)..Content-Length: 286..Keep-Alive: timeout=5, max=97..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML P
      UBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /favicon.ico was not found on this server.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarc
      hive Port 80</address>.</body></html>.
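
Added example (not part of the original thread and not piler's code): a Python script that rejoins the wrapped ngrep payloads shown in the captures above, reads the NTLM message type from each `Authorization` / `WWW-Authenticate` token, and labels every request/response pair per client connection. The addresses, host name and tokens in `SAMPLE` are constructed, and all function names are hypothetical.

```python
import base64
import re
import struct

PACKET = re.compile(r"^(\s*)T (\S+) -> (\S+) \[[A-Z]+\]\s*$")
NTLM_HDR = re.compile(r"(?:WWW-Authenticate|Authorization): NTLM(?: ([A-Za-z0-9+/=]+))?")
STATUS = re.compile(r"^HTTP/1\.\d (\d{3})")
REQUEST = re.compile(r"^[A-Z]+ (\S+) HTTP/1\.\d")


def parse_ngrep(text):
    """Return [(src, dst, payload)], rejoining the lines ngrep wrapped."""
    packets, indent = [], None
    for line in text.splitlines():
        m = PACKET.match(line)
        if m:
            indent = len(m.group(1)) + 2  # ngrep indents payload two columns
            packets.append([m.group(2), m.group(3), ""])
        elif indent is not None and line.startswith(" " * indent):
            # Cut only ngrep's indent: a wrapped line may start with a real space.
            packets[-1][2] += line[indent:]
        else:
            indent = None  # '#' separators, 'exit', counters, surrounding prose
    # Drop payload-less packets (bare ACKs print as dots).
    return [(s, d, p.rstrip()) for s, d, p in packets if p.strip(". ")]


def ntlm_type(token):
    """NTLM message type (1, 2 or 3) from the first 12 bytes of a token.

    Only the first 16 base64 characters are decoded, so a token whose tail
    was cut out of a pasted capture is still classified.
    """
    if not token or len(token) < 16:
        return None
    try:
        head = base64.b64decode(token[:16])
    except ValueError:
        return None
    if len(head) < 12 or head[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack("<I", head[8:12])[0]


def classify(req_type, status, offered, resp_type):
    """Label one request/response pair of the three-step NTLM exchange."""
    if req_type == 3:
        if status == 401:
            return "rejected"
        if status == 304:
            return "accepted (304: cache revalidated, no body in capture)"
        return "accepted" if status < 400 else "inconclusive"
    if req_type == 1 and status == 401 and resp_type == 2:
        return "challenge issued"
    if req_type is None and status == 401 and offered:
        return "NTLM offered"
    return "no NTLM exchange"


def trace_handshakes(text):
    """Pair each request with the next response to the same client endpoint."""
    pending, results = {}, []
    for src, dst, payload in parse_ngrep(text):
        hdr = NTLM_HDR.search(payload)
        msg_type = ntlm_type(hdr.group(1)) if hdr else None
        request, status = REQUEST.match(payload), STATUS.match(payload)
        if request:
            pending[src] = (request.group(1), msg_type)
        elif status and dst in pending:
            path, req_type = pending.pop(dst)
            code = int(status.group(1))
            results.append({"client": dst, "path": path, "status": code,
                            "verdict": classify(req_type, code, hdr is not None, msg_type)})
    return results


def sample_token(msg_type):
    # Constructed token: valid NTLMSSP header, zero-filled body.
    raw = b"NTLMSSP\x00" + struct.pack("<I", msg_type) + bytes(24)
    return base64.b64encode(raw).decode()


def sample_packet(src, dst, payload, width=64):
    # Mimics ngrep's layout: header line, wrapped payload rows, '#' separator.
    rows = [payload[i:i + width] for i in range(0, len(payload), width)]
    return "\n".join([f"T {src} -> {dst} [AP]"] + ["  " + r for r in rows] + ["#"])


# Constructed capture: client A completes the exchange, client B is refused.
A, B, S = "192.0.2.10:50001", "192.0.2.11:50002", "192.0.2.20:80"
SAMPLE = "\n".join([
    sample_packet(A, S, "GET /1.txt HTTP/1.1..Host: archive.example...."),
    sample_packet(S, A, "HTTP/1.1 401 Unauthorized..WWW-Authenticate: NTLM...."),
    sample_packet(A, S, f"GET /1.txt HTTP/1.1..Authorization: NTLM {sample_token(1)}...."),
    sample_packet(S, A, f"HTTP/1.1 401 Unauthorized..WWW-Authenticate: NTLM {sample_token(2)}...."),
    sample_packet(A, S, f"GET /1.txt HTTP/1.1..Authorization: NTLM {sample_token(3)}..If-None-Match: \"x\"...."),
    sample_packet(S, A, "HTTP/1.1 304 Not Modified..ETag: \"x\"...."),
    sample_packet(B, S, f"GET /1.txt HTTP/1.1..Authorization: NTLM {sample_token(3)}...."),
    sample_packet(S, B, "HTTP/1.1 401 Unauthorized..WWW-Authenticate: NTLM...."),
])

if __name__ == "__main__":
    for row in trace_handshakes(SAMPLE):
        print(row)
```

Two 401 responses are a normal part of every NTLM login; only the status that answers the Type 3 message shows the outcome. A 304 at that point has no body, so the file contents do not appear in the capture even though the login was accepted.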
    
  18. Janos SUTO repo owner

    OK, it looks better. Can you run ngrep again, but this time checking /sso.php? You may skip the inside of the long binary garbage to shorten the output. The point is that I'd like to see the HTTP/1.1 200 OK response (or something similar) with some cookies.

  19. Rory McInerney reporter
    
    interface: eth0 (192.168.0.0/255.255.254.0)
    filter: (ip or ip6) and ( port 80 )
    ###
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
      GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
      plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
      4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive....                                                                                                                                            
    ##
    T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
      o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
      .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
      html>.                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
      GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
      plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
      4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==....                                                              
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
      HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomivNTJc1ZgmkkAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
      gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIACDilZPURNIBA
      AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
      ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
      ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                          
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
      GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
      plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
      4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAAB4AXgBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAqAgAABYKIogYBsR0AAAAP/lRW8pUN+uD6EP91WMKwdE0AVQ
      BMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMJLGbe96BN69BUVvCDtbF0BAQAAAAAAACDilZPURNIBNdbCrHCd7jsAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQ
      BSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgAIOKVk9RE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK
      18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAPABIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4ATQB1AGwAdABpAEcAcgBvAHUAcABQAGwAYwAAAAAAAAAAAAAAAAA=....                                                                          
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
      HTTP/1.1 302 Found..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-reval
      idate, post-check=0, pre-check=0..Pragma: no-cache..Location: http://svcaarchive/login.php..Content-Length: 0..Keep-Alive: timeout=5, max=98..Connection: Keep-Alive..Content-Type: text/html; charset=UTF-8....                        
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
      GET /login.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, 
      application/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .N
      ET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4..Connection: Keep-Alive..DNT: 1....                                                                                            
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
      HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0..Pragma: no-cache..Vary: Acc
      ept-Encoding..Content-Encoding: gzip..Content-Length: 979..Keep-Alive: timeout=5, max=97..Connection: Keep-Alive..Content-Type: text/html; charset=UTF-8 <BINARY GARBAGE>
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
      GET /view/theme/default/assets/css/metro-bootstrap.css HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .
      NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "2d937-541cfb40
      ffe1f-gzip"..DNT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4....                                                                                                                                           
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
      HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Tue, 22 Nov 2016 12:42:49 GMT..ETag: "2d937-541e31c26de3e-gzip"..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Encoding: gzi
      p..Content-Length: 31559..Keep-Alive: timeout=5, max=96..Connection: Keep-Alive..Content-Type: text/css.<BINARY GARBAGE>                           
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
     <BINARY GARBAGE>                          
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
    <BINARY GARBAGE>                          
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
     <BINARY GARBAGE>                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
    <BINARY GARBAGE>                         
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
    <BINARY GARBAGE>                          
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
    <BINARY GARBAGE>                    
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
    <BINARY GARBAGE>                
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
      GET /view/theme/default/assets/js/html5.js HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.
      50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "98c-541cfb4100dbf-gzip"..D
      NT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4....                                                                                                                                                         
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
      HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Tue, 22 Nov 2016 12:42:49 GMT..ETag: "98c-541e31c276ade-gzip"..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Encoding: gzip.
      .Content-Length: 1256..Keep-Alive: timeout=5, max=95..Connection: Keep-Alive..Content-Type: application/javascript.<BINARY GARBAGE>
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
      GET /view/theme/default/assets/images/archive-logo-lg.png HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2
      ; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "27ce-541cfb
      4100dbf"..DNT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4....                                                                                                                                              
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
      HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Tue, 22 Nov 2016 12:42:49 GMT..ETag: "27ce-541e31c270d1e"..Accept-Ranges: bytes..Content-Length: 10190..Keep-Alive: timeout=5, max=
      94..Connection: Keep-Alive..Content-Type: image/png.....PNG........<BINARY GARBAGE>                                                                                                                                                                                                                           
    #
    T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
      ,UC..q.....>.l.v.Jp=-..6I(.8....E....k.b.|......l..6tk..)...egr.R.~z..s...iy..... .o.~....C..c_.......O......BOD...U...%L..R...T.>........R.}.BB,,8x.._.(YI....S.(4!x.. w..).T.....).+"..N...,.i-..L.cB0Q(B0....Avl.).k.s.....J.......z.
      ..5.?..vg........IEND.B`.                                                                                                                                                                                                               
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    #
    T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
      ......                                                                                                                                                                                                                                  
    exit
    38 received, 0 dropped
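To read the handshake out of a capture like the one above without scrolling through the padding, the following Python script (an added example, not part of the original thread and not piler code) re-joins ngrep's wrapped payload lines and lists each HTTP message with its NTLM message type, redirect target and session cookie. The sample capture, host names, cookie value and NTLM fields are constructed.

```python
import base64
import re
import struct

PACKET = re.compile(r"^T \S+ -> \S+ \[\w+\]$")          # ngrep per-packet header line
START = re.compile(r"(GET|POST|HEAD) \S+ HTTP/1\.[01]$|HTTP/1\.[01] \d{3}")

def decode_ntlm(token):
    """Return the NTLM message type and, for type 3, the identity the client claims."""
    raw = base64.b64decode(token.strip())
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\0":
        return None
    info = {"type": struct.unpack_from("<I", raw, 8)[0]}
    if info["type"] == 3 and len(raw) >= 64:
        # NegotiateFlags sit at offset 60; bit 0 means the strings are UTF-16LE.
        enc = "utf-16-le" if struct.unpack_from("<I", raw, 60)[0] & 1 else "latin-1"
        for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
            length, _, off = struct.unpack_from("<HHI", raw, pos)
            info[name] = raw[off:off + length].decode(enc, "replace")
    return info

def summarize(ngrep_text):
    """One dict per HTTP message: start line, NTLM leg, redirect, cookie."""
    packets = []
    for line in (l.strip() for l in ngrep_text.splitlines()):
        if PACKET.match(line):
            packets.append("")
        elif packets and not set(line) <= {"#"}:
            packets[-1] += line                  # undo ngrep's fixed-width wrapping
    rows = []
    for payload in packets:
        head = payload.split("....", 1)[0].split("..")   # ".." is a printed CRLF
        if not START.match(head[0]):
            continue                             # bare ACKs and body continuations
        row = {"start": head[0]}
        for header in head[1:]:
            name, value = (s.strip() for s in header.partition(":")[::2])
            if name in ("Location", "Set-Cookie"):
                row[name] = value
            elif name in ("Authorization", "WWW-Authenticate") and value[:4] == "NTLM":
                # type 0 here marks a bare "NTLM" offer that carries no message
                row["ntlm"] = decode_ntlm(value[4:]) if len(value) > 4 else {"type": 0}
        rows.append(row)
    return rows

def constructed_sample():
    """Constructed ngrep-style capture: made-up hosts, cookie and NTLM fields, no hashes."""
    vals = [b"", b""] + [s.encode("utf-16-le") for s in ("EXAMPLEDOM", "alice", "WS01")] + [b""]
    offs = [64 + sum(map(len, vals[:i])) for i in range(6)]
    fields = b"".join(struct.pack("<HHI", len(v), len(v), o) for v, o in zip(vals, offs))
    t3 = b"NTLMSSP\0" + struct.pack("<I", 3) + fields + struct.pack("<I", 1) + b"".join(vals)
    msgs = ["GET /sso.php HTTP/1.1..Host: archive.example....",
            "HTTP/1.1 401 Unauthorized..WWW-Authenticate: NTLM..Content-Length: 0....",
            "GET /sso.php HTTP/1.1..Host: archive.example..Authorization: NTLM "
            + base64.b64encode(t3).decode() + "....",
            "HTTP/1.1 302 Found..Set-Cookie: PHPSESSID=constructed123; path=/"
            "..Location: http://archive.example/login.php..Content-Length: 0...."]
    hdr = ("T 10.0.0.5:50000 -> 10.0.0.9:80 [AP]", "T 10.0.0.9:80 -> 10.0.0.5:50000 [AP]")
    return "\n".join("\n".join(["#", hdr[i % 2]] + ["  " + m[j:j + 72] for j in range(0, len(m), 72)])
                     for i, m in enumerate(msgs))
```

Because ngrep prints CR and LF as dots, a header value that itself ends in a dot can be split in the wrong place; treat the summary as a reading aid and check the raw capture when a row looks odd.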
    
  20. Janos SUTO repo owner

    OK. Unfortunately I can't do more without seeing the php code in action. Is a remote session possible for that?

  21. Rory McInerney reporter

    Yes, this will be fine. What is your preferred method? I can either get external ssh set up on the firewall or can give teamviewer access to a local machine with web/ssh access to the machine.

  22. Janos SUTO repo owner

    ssh is my preferred method, however it would be great to see the gui in a browser as well. In what timezone are you?

  23. Rory McInerney reporter

    I am in GMT and will be available 07.30 - 1700 to give access if that works for you?

    Easiest method for me would be to give you teamviewer access to a box with browser/putty on if that is ok with you?

  24. Janos SUTO repo owner

    Yes, it's fine. Contact me on skype (janos.suto) tomorrow, and we'll discuss the rest.
