1. Janos SUTO Avatar Janos SUTO
  2. Piler
  3. piler
  4. Issues

SSO Authentication -> sends authenticated users to login.php

Issue #748 resolved
Rory McInerney created an issue

piler -V output:

piler 1.2.0, build 952, Janos SUTO <sj@acts.hu>

Build Date: Mon Nov 21 13:19:39 GMT 2016
ldd version: ldd (Debian GLIBC 2.19-18+deb8u6) 2.19
gcc version: gcc version 4.9.2 (Debian 4.9.2-10)
OS: Linux svcaarchive 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux
Configure command: ./configure --localstatedir=/var --with-database=mysql --enable-starttls --enable-tcpwrappers
MySQL client library version: 5.5.53
Extractors: /usr/bin/catdoc /usr/bin/catppt /usr/bin/xls2csv /usr/bin/unrtf /usr/bin/tnef

Where I am: This is a new installation of piler on a debian install following instructions on the site with the following addition steps as the apache module couldn't find the socket (samba3->samba4 moves it, resulting in helper broken errors):

$ usermod -a -G winbindd_priv www-data
$ chgrp winbindd_priv /var/lib/samba/winbindd_privileged
$ ln -s /var/lib/samba/winbindd_privileged/pipe /var/run/samba/winbindd_privileged/pipe

This solved the authentication errors in the debug log, but when the user goes to the site address, it seems to be authenticating the user against AD fine, but redirecting them to /login.php. There aren't currently any contents of the archives, I'm not sure if this would cause this. I have included the apache debug information below.

[Mon Nov 21 15:41:21.947673 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:21.947725 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted
[Mon Nov 21 15:41:21.947733 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:21.967990 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Nov 21 15:41:21.968002 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Nov 21 15:41:22.059856 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Nov 21 15:41:22.059872 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Nov 21 15:41:22.059878 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(1023): [client 10.200.5.70:50924] doing ntlm auth dance
[Mon Nov 21 15:41:22.060925 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(487): [client 10.200.5.70:50924] Launched ntlm_helper, pid 7171
[Mon Nov 21 15:41:22.060942 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(657): [client 10.200.5.70:50924] creating auth user
[Mon Nov 21 15:41:22.060966 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(708): [client 10.200.5.70:50924] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAKAFopAAAADw==\n
[Mon Nov 21 15:41:22.083783 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(746): [client 10.200.5.70:50924] got response: TT <base64 removed>
[Mon Nov 21 15:41:22.083817 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(416): [client 10.200.5.70:50924] sending back <base64 removed>
[Mon Nov 21 15:41:22.095744 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Nov 21 15:41:22.095756 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Nov 21 15:41:22.095761 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(1023): [client 10.200.5.70:50924] doing ntlm auth dance
[Mon Nov 21 15:41:22.095764 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(489): [client 10.200.5.70:50924] Using existing auth helper 7171
[Mon Nov 21 15:41:22.095774 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(708): [client 10.200.5.70:50924] parsing reply from helper to KK <base64 removed>
[Mon Nov 21 15:41:22.866184 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(746): [client 10.200.5.70:50924] got response: AF MYDOMIAN\\some.user
[Mon Nov 21 15:41:22.866215 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(792): [client 10.200.5.70:50924] authenticated MYDOMAIN\\some.users
[Mon Nov 21 15:41:22.866225 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require valid-user : granted
[Mon Nov 21 15:41:22.866230 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:22.866709 2016] [:error] [pid 7088] [client 10.200.5.70:50924] PHP Notice:  A session had already been started - ignoring session_start() in /var/www/piler/system/request.php on line 30
[Mon Nov 21 15:41:22.867289 2016] [:error] [pid 7088] [client 10.200.5.70:50924] PHP Notice:  A session had already been started - ignoring session_start() in /var/www/piler/system/request.php on line 30
[Mon Nov 21 15:41:22.886141 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted
[Mon Nov 21 15:41:22.886153 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:22.886248 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted
[Mon Nov 21 15:41:22.886258 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 21 15:41:22.888940 2016] [deflate:debug] [pid 7088] mod_deflate.c(855): [client 10.200.5.70:50924] AH01384: Zlib: Compressed 2427 to 961 : URL /index.php
[Mon Nov 21 15:41:22.933571 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:22.933585 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:22.940039 2016] [deflate:debug] [pid 7088] mod_deflate.c(855): [client 10.200.5.70:50924] AH01384: Zlib: Compressed 186679 to 31541 : URL /view/theme/default/assets/css/metro-bootstrap.css, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.006634 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of Require all granted: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.006649 2016] [authz_core:debug] [pid 7088] mod_authz_core.c(809): [client 10.200.5.70:50924] AH01626: authorization result of <RequireAny>: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.006811 2016] [deflate:debug] [pid 7088] mod_deflate.c(855): [client 10.200.5.70:50924] AH01384: Zlib: Compressed 2444 to 1238 : URL /view/theme/default/assets/js/html5.js, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.018076 2016] [authz_core:debug] [pid 7087] mod_authz_core.c(809): [client 10.200.5.70:50925] AH01626: authorization result of Require all granted: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.018105 2016] [authz_core:debug] [pid 7087] mod_authz_core.c(809): [client 10.200.5.70:50925] AH01626: authorization result of <RequireAny>: granted, referer: http://svcaarchive/login.php
[Mon Nov 21 15:41:23.332434 2016] [authz_core:debug] [pid 7087] mod_authz_core.c(809): [client 10.200.5.70:50925] AH01626: authorization result of Require all granted: granted
[Mon Nov 21 15:41:23.332448 2016] [authz_core:debug] [pid 7087] mod_authz_core.c(809): [client 10.200.5.70:50925] AH01626: authorization result of <RequireAny>: granted

Comments (26)

  1. Rory McInerney reporter

    Saw another thread on this, so including this information to provde it's bound to the domain ok:

    root@svcaarchive:/var/log/apache2# wbinfo -u
MYDOMAIN\administrator
MYDOMAIN\ldap
MYDOMAIN\sharepoint
MYDOMAIN\join

    root@svcaarchive:/var/log/apache2# wbinfo -g
MYDOMAIN\domain computers
MYDOMAIN\domain users
MYDOMAIN\domain guests

    root@svcaarchive:/var/log/apache2# net ads info
LDAP server: xx.xx.xx.165
LDAP server name: mydc.mydomain
Realm: MYDOMAIN
Bind Path: dc=MYDOMAIN
LDAP port: 389
Server time: Tue, 22 Nov 2016 07:54:13 GMT
KDC server: xx.xx.xx.165
Server time offset: 0

    I can email net ads lookup over too (it works!) but I'd rather not post it here as it contains loads of info about our setup.

    Thanks

  2. Janos SUTO repo owner

    It seems that the authentication is successful: [Mon Nov 21 15:41:22.866215 2016] [auth_ntlm_winbind:debug] [pid 7088] mod_auth_ntlm_winbind.c(792): [client 10.200.5.70:50924] authenticated MYDOMAIN\some.users

    I suspect that some data is sent before the session cookie is sent. Perhaps some white characters from config-site.php? I also recommend to go to search.php after you are redirected to login.php (=manually change the url), and let's see if it shows the search page or sends you to login.php again.

  3. Rory McInerney reporter

    I've checked the site-config.php file and there's no white characters (spaces/newlines). Going to /search.php just sends me back to /login.php

  4. Rory McInerney reporter

    This is the php version too, if it's any help.

    root@svcaarchive:/var/www/piler# php -v
PHP 5.6.27-0+deb8u1 (cli) (built: Oct 15 2016 15:53:28)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

    Update: This also happens when logging in on /login.php with ldap username and password on non-NTLM enabled browser with the same outcomes in the error log.

  5. Janos SUTO repo owner

    OK, then we have to figure out what data is sent before the session cookies. Can you do some debugging? It would be great to see a network dump, eg. "ngrep -X port 80" output when you try to login. You may need to install ngrep, eg. apt-get install ngrep.

  6. Rory McInerney reporter

    Sure, it's saying there is some browser unauthorised message. I've checked the apache logs and the winbind helper is reporting ok again. 

    interface: eth0 (192.168.0.0/255.255.254.0)
filter: (ip or ip6) and ( port 80 )
###
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
  GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
  plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
  4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive....                                                                                                                                            
##
T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 11:28:12 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
  o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
  .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
  html>.                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
  GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
  plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
  4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==....                                                              
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 11:28:12 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomi0d4G3M6SZsYAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
  gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIADBEUYKzRNIBA
  AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
  ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
  ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                          
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
  GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
  plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
  4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAAB4AXgBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAqAgAABYKIogYBsR0AAAAPuwoGzK+jxHUYSJ1CloBPz00AVQ
  BMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKtM2JWTyYpHCJTudkCBn+UBAQAAAAAAADBEUYKzRNIB4rAC04rYVLIAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQ
  BSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgAMERRgrNE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK
  18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAPABIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4ATQB1AGwAdABpAEcAcgBvAHUAcABQAGwAYwAAAAAAAAAAAAAAAAA=....                                                                          
##
T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
  HTTP/1.1 302 Found..Date: Tue, 22 Nov 2016 11:28:12 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-reval
  idate, post-check=0, pre-check=0..Pragma: no-cache..Location: http://svcaarchive/login.php..Content-Length: 0..Keep-Alive: timeout=5, max=98..Connection: Keep-Alive..Content-Type: text/html; charset=UTF-8....                        
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
  GET /login.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, 
  application/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .N
  ET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5..Connection: Keep-Alive..DNT: 1....                                                                                            
##
T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
  HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 11:28:13 GMT..Server: Apache/2.4.10 (Debian)..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0..Pragma: no-cache..Vary: Acc
  ept-Encoding..Content-Encoding: gzip..Content-Length: 979..Keep-Alive: timeout=5, max=97..Connection: Keep-Alive..Content-Type: text/html; charset=UTF-8...............VQo.6.~........fi..@...7...gCQ..-.%6........(...,....6u....;...W.
  ./...c..B.z..!..YD....!a.<u.\.`9Ir.....v....++...Te....8.)y..m.l*.-%.*-..........@.>..Q.+..L.%D....).-l7J......4...I.Nr........`.-*+TyD4.m..a..M.E..}.3...JQ..\.:....l........q.m4,1.a....R.X..>.(. #j.V...,v......qy9=%&...Y+M&...7....
  /Q...$&,.!A0..+-pL.........o.w....:.~.T&!Q)..U0...........!?.5..Y.._...........5..t.2.....e*._\........eJ...........m.xUI.Z..9.....J.H)1.o0...~}.......=...C.~Uf.H".$28...."r6.;..K.l._Y........O.Mj.....h......r.2/.N.W*...FT:..x.>iwPS
  ...:...t..HL...ewd...@b..(2...3j..w..=...1.s.:8_...[...A.Vd..)iu;....jC.t:.i......J...' .c..+JP.r.%.$.}..20"+EI..[.|..^.k.pc...|.(......k..R.E.......w2GI.e..V.{..[...o_.+...$4 w....V.T.'.+....._!i...._.....8.Z%..=.....Z{9...A...|P..
  t..ZU..W.$..$....J...[.12.....q..q..C...w.s#D.....&.a%.....7 %q_.....L....\........^.... =!`..U..j..w.^{.,&..U|1........U.../.4......y..8../.g....|...g.._o...0Y.........%..M~.....Oo....k.c.P-./......u.<g{...                         
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
  GET /view/theme/default/assets/css/metro-bootstrap.css HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .
  NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "2d937-541cfb40
  ffe1f-gzip"..DNT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5....                                                                                                                                           
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
  HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 11:28:13 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Mon, 21 Nov 2016 13:33:38 GMT..ETag: "2d937-541cfb40ffe1f-gzip"..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Encoding: gzi
  p..Content-Length: 31559..Keep-Alive: timeout=5, max=96..Connection: Keep-Alive..Content-Type: text/css................k.#7. .].".d:U.H*..LSm..Z...........5cAF0.]$..$......w8..".....S..E.....p8.............z...&..]v...o.2.].........
  .:.....?~S..n.o...k.E.^.n.^l..M}.t..~...b...vX.....<....8....vC....|......~....7......>~.....y.@...;.K..VO...k..."...._^.........y...{.......................v...,/.'....?_...{8;rH.w.~s=?...%.....A._....&Ir/3.....^.@...-.......~...~.
  =...e|..*..........C.j.I...^....S..(O..v_S....E..=..k.....#.H...e....w...2FR|..K..[...=.....5..$-......P.Z~....3.....Su/*.....]....u?.. .P.vG"'........i....J.'u}{.O..e" ..V.}..o.$.%.BD.......;..."k{"m..{....zx...bC.p2ud.oiGl.......[
  ....c?...*swG......x$].......i....._T.TZ.V....S..+.....L.Z"1F...CG.....A..C}...2$...p...S...T....^2.......5..F..<........FCHH..@kH....ot..G.t....s...C.e....A..DQ..,.v..L....7.......!!.Jp..a...Y...C.tup"*...#.X..!.(...u.S?\....)..o.0
  ...z....csw!T.O...E....Q~.j.... ..W>2...l..d.....n.......EO...^....exMs..............[7<...V....t.+...^..&.c3t'R..3..W.j..D.06...J..G12#.....#.....S.@f%.?..P...].......:....R.m..S......h....8l=.3...h.t.*...|Z....y......]Bus..~...,P#
  k..........>=.9U%...mOx2&p.iM..,.../.....;2..h..4.M.lj.....Z.)..{S....mh.NWlXr.b.o?.{......;J..2m.#*.cF5...S.n....T.........m..6...|....._...h..Z:...n.............,%.B...x1...c...-.....H..r....CXh$a.(.0........z...'._..4.^.T...'K.&.
  x..b..S..|..T?..v..H-....5=S........0.J.....p...V..]..X..-...M.......s.D.7.@....Y..<..X.A;.....1..6-.....Wz.~.U..e4m..f_..o..{....H&..rG).c.p......i.uG...Y...ay....,.4. .D...?... ....*.uRB..M.Dj...P..%H.db..K... .....*..).)....(....
  D$.."..Hk.$I....i?....s#=7.sC-....J.,R-..2s..B..t.r=S.(.2S..T.Lt..-3...y..<.3.(\n.W...$..B....Hy...J........_5.C......"...H...K..~...2'...L..6.n....r.....E:..~.^.2.}4..`.l.`...`...eS.*...BK..[E....<*...8.!9 .JQ<Rm...*."&...Y......)Q
  ...0<J..+..B..9. 5..(...F..T.BCs8.....R..*5X.V.$.k(...-W...c.S.V*.ah..N..$<.YLr...Q.ch...V.ddQ*<$..t.(.....R..#.IV...6.e.8..J..h.V.....W.......2,z..+...&...6(..K..%^...Bs.[u......Q.1.f+M...Z..Cn..:....&+.YA..D..J|./V@...2..|.[.f.N..
  l..2...U......H.*4...$_......."_e.F3+.u5..N.4*...2...j.J..(.D...h..0E0/V3..n.....F..3..."u..U+X<)LS...S.V.aK&.H....D.U..$...h..:L.*B}Rt...s...Xs<.|.g.@.$;.W>.K.}v.n~.+M1..p$.....N.D'.J..L)L.}.wH..0(V.&.&...`...Iu..`....$_kT..Lc...)0
  7.&.&.P..)..'@k..m......W...!I.Lv.X.3.>.Z3.a>1..5.s......`.....s.......|.F(.^a.5..l.0n......h..FO.J...l....*W....O..V.2it.!...f3..D.W.'.5.. "../..t.A.V..2.....#.......FAR.d.C....|)y&....#.....X{.........{.o...-.P.....n...)........_.
  ../-......H:E.n....V.f....h..B..C...UZ....e...,Y'.*.....J.....4.3|.M^..*|.n6..,s.b*.b,/.u.I..IFO-D|_g.K..l............/.W.....`.+....a....qG.....R.<...t..D|..C........].0.".....!..2.!..$~...!)..)I.S..,...].$;)...b........LM...9hv...
  .C.r.FV.....a#....kH.<QO..Y..>........o.....P ....q.qW.e?..u...........}......i....7........1Z~u=2.......D.w.Q..9.+~:......."...X.|.O!i3D...>.p.....Y.e.4X{...c...Q.../w...Jg.=.........:=a..yU.....w.......X2S.......9.b.4.....v..N..|.
  qG..%1E.Q..C}B.0.&|.;i....w.....P..;....:.UX..M}....RW._..y.e..O.Nyrl...""...#\:.. ...8w..7.....tj.M}f'....j..l..qO..`.Ka6...,8Yc.....2....VB..F......6...Y\..:.....0J.?.....k...W}.FpD..!.8....D.......O.<.F..pG......)...s..(Z./RO.E..
  .Q...b....pk.....N.....&..d%s......X....?..}....Xo....G.'.y........1v>.Z..c.T....:..o|'..wbmz'.lE2.#H.z.(......B.....-qUG...Y...f..@.....GR=?.t'N...<..(..w..B....c....S.JD..G..x..V.0...."._...19tv&.....a.>....I..y3..=..../..........
  8.)D.....I2=.xn/.i..$V9.....fi.......G............m.rU ..8..O.....a_. .XI..Nc|.Q-A.WA.E.^.v..&..hO..L...L..B..u$/I....4......4....}o$...u;......Z..."O..M7..T.4.2h.......Q..v58....Q ).........CC9.N...h.. :.K%.v{.Nj.O.)..g......v.r..D
  .4:.!...#...?..!..."....*ts%............y=.....F. ........=...)....".H.(.H.(..L9.. h.........@2..A..8Ar.hA......x.1~D.5..m)...8b.Y.. ..E.'9.....x...\.....E.../....9.VZ).s...x3..."....-.a......-$..P...p...7. .m.7.sw...4...r3..B.o.x.l
  ..l...9A.ns.N....Zu.r..y....u..N..#.....1..,d... ..3.HS...W..Q..kej..:..........2.f.xb.t...^...=u...X.`Ly4].......o]^..d.$.....{z.VMmf...&..9..,H.............|/VR...y.....C..P.)..(p.....%<.OO.............                            
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
  |I+.9..TnE.RrG... ...V..A.....?X..'..-..}.G:..>..+uq.W/BD.z..53-oO*j...k....z...%..X7N&H.k.J.4..ql..g ........pLd..!.l..:J.yE...].j ...Cxh'QJ...C5X.).............:...........[*.......&....9...K..%4..N,..Snb..$....-..&..@Q.P......0P.
  ........@..P....G3.E.B..sY.L........[.L....Eb....SJ.B.n..2j..S..}7}....Q?.%...^*.)'.....5........:&N5.[.u0fE.xm;..U....FM.c...c./C...........JzD,q{..N. ..U.i :.d..:G..V.....<..J.^S=.....(z|.O+~.a..'.....8.Js...kC<S,...."r.....X.....
  }._|...7.O.0.....8H.D.,.......f....I...<..{ .&-Qx......M...IF.!e...........A..U.....:......D6..x.:Ny.>Jy.....=....D].)E....q....W.....W.Y.T.sU.G........4X|..iB....M{...E.8.>....[.. ..P....;...@...EG......5..../Q..1....R....z.'~..j..
  .....z]..g........a.r0.q. ..V..v.6.=*..a....n. n...u.....u:T..E...BG(...'.2......`H7..75.G&..........~.K...I.?.)...w.....A.......U.l.{T...........k.z..d..2..E.J.6.fD.!u...k..X}...U....R].-...@b....,.{.d..f....Alz.....AYp6 ........f.
  ..?.::.!..i.%..4D..!..rG.yV._..{.u.f..........N.;W....}Bv<......F...el...A..S];g..`&.f.OD...C{.Z..\.j..`..(....[}...c.8B.....G...lw.&.r.CX.gi..Kay.f..\..~%....]l..........i...I..[z..h.$.....:..e1.a.V>1......._....f../6$H.`|n.7..K...
  o......b...).H.Ydx..<`...r.T.y.+I.*IF..........TMFq. ..J;H.<G..I....lw.Wu.Z.5..*...?.".9..M.j......).j..(h..F..5N.h....R.....JU.`.!.....>........>S_M.l.....TdR...:lZ?".....:...>.m.G..)@.Xc...S.Q...*...'..rm..F,!f*.I)?w...40...C..3..
  vY..D.Y}....[Lr.M..l...T.....Z43)r.....A..........t........|y8.7...F..!_.O.$....FK.1@`.(<.....T....X.,.qhi......|*:.$..Br%F{...udC.......X.D..c#.E.e.Xy.m......Nc.......nB..i.......d.j"2..-^.Y......G.9...N..6..i.!.LS.C..,O.E....@.]..
  n.V.-.o.p.!9}...k.....-........R....3..O...............a6.........$...:...,.#88.[..c.x>N.......o@.Q......g...q..$.9.o....9...mG.3..F..~(de.....,X...@.....&.U....9}Q._@...qc..)?.....#.....=|L..v....n!?./..X.. .l. .M|..a?.0R%..Ne.uCA.
  .*..#.xt...?@.....5...3.0......l=..r..y.|....sb?..."vs^H..R3. ...=.[@(L.....8.P..V....).j.y;%.B..D<(.Z..1I...]'[.".....}.l....'.X......$........e..j>...z..w7.....v?.!F%./..Lz..=%..<..{B.....Df.M.N...}e]..I.......s.n...#.sK...S.....f
  .;.?.C...k...$...#.7Gz8.%@....(.?.......c..e..ITQ...6.z.....[....;.&.>...ipf.....*|....8.O_.)v.*;Y._o.8_..$U.;B....4...........a.uE...X..@1@|Uu..(b~2Q.'..+..Xa..)8.. &....M....bT....l...W.AQy..s|iXb.Klc..i4..&....4..@."h.i4..&..$.4.
  .@.c..FS.h..M6........3X\.h*....G.)~........cD...l.LQ..Y.....c... *C\/.K.k.X.qc........5W..._.....;..J{(..!l.M....z.....8c...^.q4......c1x.M.&[..?....V.>..........C...y..]....W..)..S.\:{........?%.x.}.f~.o.v.}..T...5.......m.D,.S{..
  ...YLb..o....E....\......%....[.>...}= H. a.r..y........n...d.TSd R...}7...rm.M?..|..C>...%....Q........6jg..B....S.^..b.-..p...X.O4....d.X.........;x.x..?..:..\.6...^.....*;..v.-..1.h..q..._B.......Wz...M....r...Zn...Js.Y.x^......5
  h....9K:.D.......... .4..z}...K{/..!...........)....={....=...,S.eds.S"....5..^.....e._.H.8.(S..D/=...=..8..#..e...4...3TT.d:B.......n.....HB2..xHH.$8.....2@B.IHG.R......'!.H....$!.I.<$dN....."..$..rd9th........Q5..3..b\.8.PY9p!..1?
  8.."A..mH2.2..tca.....J...........f..;....v.m.:....nO...;...wVc=P....j.I\(..j]...H.sn..}..$.V.v.../.jn4#.'@=h}..!q.4.6...{...P`q."....-..Z...~...eGX(p....U...7a.Sw....=d..P...8*.d1v.-.q.8.@1k,.rV&Z..cG...N...s.M)oi........Y.5Hx.f..s
  .m....:.....K..x.....L...f.t-nF...<..d.`.PS....:_....-2.[.Z...gq.E.g.K..._.....5K...#A...|I&F...n.........hlI.N....o!..W.....L.^.$..N{!....'.C..a.-...l....|^R..X.i.#X.9%.%B}$f.k...b..jK..m.c:....@b!2.9.A.=........=%l.?...o?o...... .
  .q|....:.............v..$.*.......v............S.....pFYr.......8..<.xw..e.J...e.G....D..y..D.+}.....;..C........m..%.......{...G}.6,.5.@.........Q9.J..i....Se"..y..g55.....M%0....HSU&.T...xVS....}w...F.{&SU.z.-..j..wvf...G.F..0.h$E
  ...U.M...i.9..q.0........3J...;F.69.ZN....`0.b~..m......H....@......P..C..O-.B.(l2...F.(}......t.e{8]>....y=.8.b.!.....#.e.o.ip..C!j..1LQ.....G!6#.....8A..Eo:-.#...`..%+..s.?..}.K]......$.'b.........C.z_....h! Wd..Q.G@.v..eV.i.....H
  .}....R5.u.......=.s.Y..(.........;...0  aT.,7.....m`k...+C...S.+.Ba..-..1."...`V....D..H.v_......jN;b..*5....,...k ...I...-,Pu.Q......>..B..Z.n0...|Yk 8G...{\....CV.8....6:....6...j.*....RQ....GGP.D.#.5>.&P5...X.c.......$.5......27
  !.k..-L..Iji...z.t[t.N*}..05TG.Iv7im...."HO).7p?tM...@.O..r....@Yl.....Rhb.'zq.=....[.PF.P@......a..NQ.h^.j..).0v.......>R S.K{Z...........E...X.e.8 Y.Y....:..LD.6.)=.......ISk4......}.@..?.p..P.....w..,.                            
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
  a..-K!..gf...@......D...nP i.{7..(........T5..........x..8..V..FU.......h}.A....z|...yhB:{>.LP.J.c..e..@....../..r..y.9M]...u...<.@.v....R......@p.%#{.........6..;.....Y|..}..p.............]..e.mQ.V...{\..@..9fgC...D}..BmW..c.{.. pC
  }lz..P.....C....Tp......$I......!]#.(.,_>....T.]u:.g........=.........bc.;....7.......P+..w...@........pH].....t.......Hh....Y..|..vJ...:G..:...B..,....Wcw=..D.]..,,`vh.....y.v..U;%.L.#t..J8...p..J....{b...g.].......J..>.y9.{...nu:q
  .....?..6W@..:....)..>..ruN.DoO....4.......v=..CkL.,.....B...@..Qnn...G.*{x.p...(............,..&F-...@.._.i.5(......DD..<.........8...D._P......gL].e....#...@|..s..5{.p.eF...\.....U....k....@....... r.......@....=*o5\..-J.j.En.....
  ..5._.l.......@.6.h..u......5Wt.lb8.j./g....t..l....6@.O..%.......%H....?..of.}3...&F4. ...wB00......cS.`=.....h..^v...PI..y...}t7...Dz./.7@....{v.m......k........&F...Y.......R.z\...GA...L..|6p.B....6j.....Mi..4nS..NU.@.I.O.x......
  ...0..7....pE,..1..._.xE.....7..........e....j..5.y...6Jk/.].g..L...a...T..=.(.[ ld.2....*j...........DbQ..`....D..G..A..A:.y.{...vo..@..a..........?o.................:y...~.mql@..}.7.....c.j.l].=......"\9u.......D ...o...C....l...B
  E.t..q..v.....[ `;.....arrq2.HV._iL.".....#x.I+.R..<...@.l..%i......I...&.....uP..pN2..6..=.....J........5.7...._...r.D...X......`....x8...n.Cg........9&.nI..,.m..=..E4.i.cFR..e...|.D.....:.S...X..@..O'..uAB.N.5u.....9...t..HG......
  .jz......"x..}..e.D.`.=..lcc.q....X....}..3nQ.e.?....NL...~T.O:.":.Z.a.....s.."x|j.o...sM...(.pm.g:_....8..........)......e.o0.|....^.+Y..7CwB....:_..@ ..P..X#x..t..W....5<"x..@O.;5:</5B:..E...y.....(Av.....P..H.q'...;.pF..TCO.,..D.
  ...i..L.]....U. .ug.i.....J...<O...L.x.jw9.3..N..s...1$......h.....^.I*..>..Q..g....;...../...T...b..W.g.+%.g...X' <....0E.......H8.:^...W..C.wH.<t..\b.Vf.....c..N@mI....%.....pB..q.8.W!"x.K.tG....[:.j...3.P(xs..6..*.-.=.k.v x...8D.
  =...C0d.j.R....H.g...e..z.#xTkh.D...^ps...Y......P....Zw.M........e....n.a..c@.M...Zh.]...Bf:...K7..]...2t...=....^v.W=...,....../.......g.P...t).x..s..\.n...w.X....'.Y...^.<.."x.K..8....]4P.~s#......>n.c.OzuG..0....(..CdN....1..*x.
  .....5=.3^...Hx..BDb....zq(7B d..t.w.5....8......v......w....X}:........I.PE.....l.;t.)..6WT2......5.....^...Q.s.Oxm..p...?..iG....].i...C..VjKn.................R...............<....:...........m..............YT....e.)<L......*..Z..
  ....||......Q.l...VG7.}.4.{.n..Y.t|.'d?*..zd.g#.g..vm...W... ...)..........r.^...@D.._...O4-.."O.W...|...2G.....D..SH..1:.Htz.J.]&...J.....p...V...>...?F.......p.7.J.Q|.......>8.D.9g.H.y&.|....Vz@D.x%.D.8.....]~`.C.........62.:z.jx|
  ...Q.z.E+......%.$.~..CGD....k....O.._...(Ec.T.<.....#..(..=l..`D."[/...UY.D......C}......X...\...|V.d6..ae1,...&..E21.!o..T...yM..".6n..fC?TE... ............v.".......f.\.......I..\...p..(.E.\~...C.D......u..?}Oz...."h.....'...(...
  ....d$.0......Q.....5...K...Et..n"7.l.Y.tU...K.@....)...vf.GFI.S.........4H]M...{.0....o5...K|gX].....76A....$l>...GV...X.....>5...md..4.&...A.e....~.52.T1.M.....7.N..&..&/s.2^FN.0.......u._.B................X+.......p...V..|yXO....
  ..J..W.0......^....+.&..f4rnB. .:{.L.h.~ ..QR.@\F..+e.....).Z1....n8.....A...[...O.u._...5.8..IC.......ON........y.5i..^y.........^.....Q5..|...;_7...mB._.Xdu......;|.d....^c.)s#......bv,.Q.....)...I...}!B...._.......V.+'.[_........
  .....g....%2Yk.*"..T...'A...0.W.Q..1W...D&X.l..6.4.KjLH.m}n.v!..?...EQN...E...G..7"@.Z:z...]kva.1.S9^"....W]...E.6.^...bj!s.t..".V...<.....$.+I......u..."...F..L.@t..Q..;.....~.....oi.8"b...(.ti.....nu........P.-..>...."..l....U..A.
  .0.nY...r....y...c.kX...5...\k....5....X....5,..Y........EB.'..7...$...L[.%V./.$E..Tv....;..................%.......Y..x.9...Is;..C.....[.Qn:......i.o?.o.<.j.)&.....+t4R/.xc....O.,....:1.........3.,.,#......p:|.V.$|......S...6..s.AC
  F....+..J...(....I9...!V(.%$=DK../.y.P^..>.~.....gT\SCd....A..T/.E0.9xtg..Y...3....7.#Yi.%\....Lc..1....'.x...u.[.7.o..y.%.1...Xl5B......./.,|O..o.p<d%.9..,..e4.D.G#.y9@.CO.=....6.a`.Ts...C...v..shr.......S!M?......o...z..zk~zE.T...
  /#..f.-...\.r........@....jF..LKk...AK..1ki......|.3&0..U.X....&......TD.bU.l:....5K`..X.M..X....7..<.l^tS.c|......M9W.y.rv.......rA.....0...+.hxE/......0.U......i.. Sm..}B.7.kl.U.......c<..m....Tl/7..I...m.. \aE?..<m.9.961....G...\
  #~..o..J.....CF<..r.s.`.....#.W.r#^..8.e... .../Ro...IXc.z.d.X.....m^G...xn....o.t.V7.,.m.&..M...g.,)61...'.,'Ir.,...}..._.gI.C.<..r.s.@.[.q.._q...^n.s...].L.."I..<....Z.....0..Q.....U..q.F.X...P..."[.4..                            
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
  x..1..Eu.E..........C}.I..>].7.}...P..!C..?9.9X..M."L..8.yE/7....c]&M..e.>.E...]4.ilZUqj.U.]..O.2J.k...^n..U..47..l......o.|.>s.slr..1.<.g.....E}..W.k.w^..xg.O/..X....yR._s..*z.........O..H.>.i.-.u...uu..!...Z.uzZ..F...i.r..h..M..o.
  R.f?...b.^......{.I..=].7.}....V'.....L...'P..[..5.r.......}|.$.s]O3.:K.e..M......c.C.2....5.....).pm}<...3t....../..COl.g.t.G6..fa...mPp.K...d.[.N.`.R#.@H/............y.1..}8?v.S.!...`k...Y.O.8.. yO.V."{...}cI....u.[..;........^?..
  .yX..Y..a......y;.0.(.B.#.Uo:.8n.Zw..IB...}...H.......h...F....~]...H....+p.A.5O....._X}.+..cg...e2`.+^B....5..p.~.[....%.s.OL..#..:.O..~..k5.L.....u....DI.$..D......=.&....J.......9.Y.....}-[.w......_..l...p.-.6.N..........?...n...
  .n......v.~.....sO....2o..7#x....p.bN.P.lfX..A..f.....#.Z*...v.w.b..+...eNP.S5........U../..1v.6.....qX....W.N3~3...'0:.M.df...^^.3......iW8I=>M3M1A>.s....f..+..!2{....9\./T.yxc..G...t&...8.<j......w.....h.........#.$.x.Kt.7...D"<..
  .p...3#..~.W.%P.^K.g.m..Qf=n..,.=n-...L..1...wa..A.}).Rk..1-....D.Lg.....u......e.../...V..o......<.T2..~.?-.1..[.....@mUl.....q....T`.G:......... ......_b.v...X...w@.........c.;..6\1.`.!.......(. .7r....7......M_..8~.r.-[yOP.7.n.&{
  ....]..O.K..m.Ve.(..#"..c...l.n.P....r.G.u\.G.aA..m.#n..G...&...4/........\..6/.a..l>...1N5.K..4..z].5....I..n@.Y...#...fk..~....6R............. 4.v..Y...2...;-........Q 8.p..v.............C......9.........8N>.b...F...2..;.....]z...
  ...MJ.._.....D..d!...........*.M..Lc.c/.".y.B.....5@..NX$$..........                                                                                                                                                                    
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
  .b..i.0u.;........G...Y.}2..Fo..^.KJ..^.y.N.~.~T6..U......@X.#...xb....bp.....&.w.@......#.J..I.....A...@.z...5.....t..G'.P....H......Jl..,....5.`.v12.........h.6.....w.N.!.0.F.-..-V...!7.N1.U.....h.[.p.;.h..\3.Q-9......8..\.2.C.1..
  g.k..'.....s.........W.tz..=O+.........W.at.....8i.&j.8.\;...........Q2...X.<..[..P..t..=[B...-.g{..*x.z*..W..x..#z....$.k....s.....ZN......VJ..5C...4z.]...*7...c.....I,..!<.)...^...ke*.z`.zJ.f.g..{h....`.!.b.C8#.jkl3)..v50.e.2.U...
  .QP7.I.R.~T......d...w`..RE.c#..4u...Q.;..T.I........P....V\n...........C)..>V.X..k.,..E...E]..ju.s..........|L.A.....U..Ml....m.....vy:..wO..T.v0j5`"._R.(X. ....7..G.I.\s...K.`.;.C.w.......t..L.qe.........kw..~....\.]......inPr....
  ......2k.n/.1|V.9...6..Z.-`..g..Q.......O~^.u..s.j^...;:."....V.[sIBC.... Nu..g{.jcOrd.....g..3.4.......9.I......&IrG..*......u... ?....~..#.x.6.....D....cDct..9.4.>.RsT.Q.].c....fa..M.....=......i.S...Q...-V.....5...Z....;I.....x;.
  .......~..w>..&"..<o.....#.h..........iiv....y...pQ...gb`.rw<...".....O.)......~.B.^.a......D...A.h.n.e.B.....cq..5l...4,..c.......X....s.o7F..j..Hc...5.d.mU.]a...R.....f..3..H.}0..zH..n....,KH.....97f.}.T.o..;...R.....1.Y.....V..._
  .....k-.|*U..>t..w...}.......B|...!.....h.j.......g21...n.O.$..D....Sk.......H.ab...(oF..4..T.@7._`.d|...Pz..d....k.W.gD.sa...7a1.FA.x-..`...G..%.. .L.<.g.n}V.@.(sd........L.....HZ3.S{.iN..M..t.%.A.......W..F._.o..t...$..........*.2
  )4...t..B7|e!....$.q.y..Y...1......5X.jo........t..p...A.Q...o'..bx&.K?.J......J"..Z.'b.%.o.[...YxY.....*.....+...;......,...9X.J.~`.`..`....`..ow.L..t.L..:X<....E.Q,....:B.......$......U..A\..6K.n.a.a...Zf.|Yl_.Mb.V.#w....'k.kcg...
  .w6&.<.7...iF..h...J.......=.....T..>.1D..,^It,..+%{...B.*.7...|....br...G.e.2 .38...(=,....6....=..... .uW.\.z..9;...zM._/....;....4Z..nhs>.f/.h..#...=.lO.-...........q..;.n.....).......=Q+NW..p........w.'g.3W.....Fo>.......F._..P.
  q_V..s..P>...Ml2......r>... ...-...hz6\.....%..*.G.tMR...F......W".....Ue2.J.[..u.'K-".'.....T^..j.....u. b.....t..|...s.t.G......t.$9.t.E.k:O....c?....?cMG.19a...L|.g.w...E..W..J...[..2...6.....`.?.....f........sd{..8.e........&...
  .vn.Y...q'A.vz....'g.R.b.&....L+..Y.r..z.e..f....`......-..;mv..YxO..s.wj.f..5t..........N.&.].c{9...v.P.Vbo%...Z..!n........fTx.=....`.!.....B.,......]EV.H..K.r.l.!.0p....,.<p(.\..(....v&..Q.2P.-.....[.{....FF>.).}......]`..f.A..f.
  ....}......Clv^......._....axE/.L.=.\.......f..........;..x.x...6!6#.@..1.u.........1aZ..hs...m...e...M..|s.....:2.g.&.1.."....6=..Y....-.g.*...\o.>..3.:$.2g.cd...n..g..l.{....]+.......v...R2.7.>......%.;.Dc.....M.....`.s.;..y.tI.o.
  .E.. Z.B<...d..|.......S=F.-.Z>...Y.w.7.M.j=...0.d3....W~l.r..{.d1..;......|..@.Pi...JE.....)5P..*V........[..P.>....w..%...YR.[.......O...5<..@e.z'.9..../q.^2K.....%^.K|.v......G....2......#.n.......a...b.d7cu].....33(....#f;...+7.
  ...(.{sUdO-..2V^...o.^$...+d,'p..,Kp..f.F.#..-...9....e......j.0..8.rc..W.F.s;.?......A..d.-.R...'.{_.@.p....|..z...t..._........R..Q.b....0.Xm..}..{B...V`...2....S.0?.8..(......#.Y(.Wf.y.}.......n.....J5y#C+.E_ J.......Y3'.J..<..$.
  pn....0..E.._..t.}...\..M.! .*9.....J..m}n....i3.P.s...Y...;%.j@H.VCH......>8..!.9..F+,....5.*.]2.>..K.B.u.|FnL.k.......4......J.sl.]k.._@..T.tB.2[.2....p.......'/.H....0........T6..x.....-.....R8"k[%.E....v)f..0~4....;}..t`.T'..K..
  .}.u...9K...6...}......m..[fCY..)...d.,..}.......i.......o.@F.Qa.cm...i..1...i....e...-.........*..6......g......L7.2.d..hw..N...T....)...Y%.. M%.).guZ..)).R..U....]i(.....:.a}.....j.O..u.wP.........I...I..B.....[68...Z_^..6\.k...7~
  .........iY.>...z.......xK..k-2...&..lM.[....Kw.....m......z.o..:.....sM.......c..lw.h.........`.F......{.b......J....F.~.H>i..Ieq..`..G.k.(...l.z.r..).=+.W`m@.Q.P..m..K.x.Q.O.....)..bdL.FE..........5....X0*.....r6....[}!>y.N.b-....
  'H4Z...==I..pn:`&......!f1...d.G.bD.U.........j........g]...s.....V....c.........4{.._..w.k`1b. .:a..d..Q..;.q.O.e..`'2..y...~.b..E.8......$.....I.../..cg..f.....[F!}.*J...}%n....^?...x.....`..u*H.DH......`.....h..^...j]7...GE.)..Y.
  .i.Yo.1cH.<...XW.I....$..3.....X#....-A.....qNi.........#..............p.|.......k..wkj..|C..e..C0t..p..K}.......d...Q....n..P.d.I.,Y'c...y%...;N.Vyh......fl.",F$.!KY..H....VP.]KD.$Y.'.`.q.+...T..L.E.....q.&....gGr...+V.....4....=..
  ......G...j.....`.8.XR$..2....x|.~....=..d.@.b.C....=?....LU}..3...G..........u..z...k.}.e._..u...H.x..]Eh.!....p.u...C?T....M86q.D`......\.M......J...&.>......n2.. .L2.z ,rc./.. ....2.(x..Z..}.VK...uW0..                            
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
  y.%.*l...q......Ke.n.{..aS...../qM....5Y.{..S..\.b....h...*.....z..X.$....l.......r....l...r.T...V~...d....6..|.!....tZ..&..].Tl/...^....q.....&u.5..KE..!....T.-./`... ..GofO......X..(A.p."L..}..M>~..f'd..n......L....2......o....F [
  ..ZbK..d...6.{O.;..>..%T.....M...*...?.b.d.|.s.S...R..B..K.......2)..'M....M.E..&..m..cM>l.d.d..P96a...7[.3HrY..E}......Py}....G,T[@p.b.'.%................b#.%..G@.4..E......9y.Is..1+.*{.............$......9.W.k.i.>dN..O.iB.n.......
  }V.}V.}V.[m.o..Pe..jtJsl}..u...I.l....|H.j.~....&.3....l.I..l..o>..........x.......&3..p2~..~..~...V..[l.TV...:.y..eu...+.-.y......s..0l....x.Y.i..gM&.z..xJ...&.>.....b>.bp.....F...........j;~.. *..l.....j'&a>..`B..c.....)....+..G.v
  h... I<T...Q..5,..}v~.....b...=.G..MM.xn...g.....AqQ.y..\*..[....K{......sP.......3..i(.T?.3..h.r.f...T.m3....Si.-..'.......]..A.:..{....\..t#a..q.V.!6.U......&...Z..*.....H..\6.8o..........A.r...:.kG....2N.........<#..c.%.......0-.
  ..%c.]L.BN.....3.......pz*n..5..kV......i.. ..3.c.y*.....]...OF{.[.8&.....A..i...];........xq.21bI..........%....a.=.....A....`.Y.4F...u*...Bc.P.!....F....i*]v..D...i..GzxD2]..=..y...u{w....A.%1.R.`..>...y..B..E ./O;.....M..........
  ...z~Oc...i..>...ph...^.H.s.[.D.....!..NkU.k......w... :...'p...).}Q.S.(.......=.m......C....1..%...;...#..1u.`/........%.R......Be.t...P....1.-.l..]?t.R.}..../.... .....@F6...$.hx..H..C..-....D&.....R.....>......Z}..bu=.^c.........
  F...}..~...oI..SR..R). ._.Z.).v{n/.~................M|E;.....J."H...d.>...;..-3cC.....i.OJ46.&.\..4..j.]..M4..>...y^..4e.........<...r@.......{........r..(....%...........<.:.yT'..n.FZ.ohM4......,..g)..R....@.....{...s`2..z.=<......
  ....%...4.`..8...Q.....t....q,j..Y.]Q...>.E.....e.7...-....r..\..._....Gm...9@....6.k....U..q...~..B...Pvg.q4:.=..a.h."..h.^470P....@......U....21.;..U..;SF.2-."NO`"DS#...1H.e..74...YR...HL.|L,db...Eb...2..W..T&...DN.9.h..a.d...>...
  ..(.T....P/.j.y...J..[.0..3..f.Zf.i$.z..J.(.3...T..s..D..5.t.E..#-....f.6.y6.."...Q+..J.-._e..A.8.WE..IX.>..,.R.0. ...J....2*....oT....F.F.......]]..4/.2..<)..-).l...$O..+..*.r....2..8..0....#.V...".b.....l.Cs..H..,.$)M.j..HW..IR(4$
  '..8.."+...04R7...H.2..,..(......s..y...Q...M.b..q..i.UeYe.....(&iqNy....7-WyT.e.%aR.E....,..*..(....e..S..-&..d#....aV..H...C#u|Bz...h...u#....Y..QQ.E.cx.5W.@w.Q...T..H"....L#...]..@.*..fDD!.iH.(.*\.eW.(.aZ.qRdy5RCE...$-.0JH7.h..*.
  ...uh.......D.H...,...-H...<...Wy....<...b$:.V......[2...4...2K...^.).dN"u.].+>....o.OWD.f..6e....o.._.+....q.j.O.\...%..\...T.d..u..q...i..UA8Gz...b...E.*.4.......I...(.RcJ:..`..IsQ.. .*.2+.]..)i...<.t+f...J.}..d4.&.&.h...P8...D.D.
  ..S.AiT@..0..4!.I..A.n..t...09A...\TU...Vf.C..'...7."..2*......_..1/..Io....1+2#c.N.&3H~H..O.. b....$.....4.8g.>7k..M..!..@$.. 3,.U.........n..bg...$.:.N.U0..afV@.;".Y..D....u.;!.%"%..o."!.%".G...!.....IuB..t.Ps.'...........W`...x..
  A.$......91....U.m...N.cj..91..,Hh35vL{...D......!iL.d@..@h..$. ........,qauO.....*.O...$....=tM.:R2^...,Lf..8...I........V.L...3..."..*!...?...;.;F..........0...@...,...Fda.L,........%4..N,r......2.T...."\4cNi.(](.?F.s...@Q.P(.Mh25
  7P.................&;S.E.B..H....@..P(.Sf...R..J..,.5e.)Z.....Wn..=1.yD..a.h......7.3...=9R~.-Y...@..%L.....rX.01Wk{.......M`.Z..D.*.zI..)4....H........d...Vz...(.L....L....L.n.|~.T... ............c.v.h.3...k.E.($fLX..6-..4=......_.
  /JL.*..5.hU..f.'y\.....E.0.Hu.....~.,...(.....A.hV.._...[4.....t..O.EK.......E..,..8..4B]v.-..i.../t..D..%X.edi.R...ETTi)..<.....F.8&K."....D.Vi(.B.(!..~.2"L..#.c4..*......E..2..$%..*F.QsC...."JK....Yd=M.y%YkE..=.7.....%9)Y=..).....
  ;GG...G<$..0....j\.<..s4".....8G..,..!X...'^.sT........TA.jdmYE.u.....A`{G..+..,.R.Q....=.By.....B.D.&ta..xc.G.$..zQ.5W......3".i.:..^.)...~..M...$'..iE.....X..q......Z%eX...K2.B....".W`......_..Kw.R.(w..p..+.Nl.../..(.....Z..3|..u.
  .....,...r".U...9.G..WR..$.@...t..:)].h..TS$.hg...3.W.$y.`.."MVe.GY"..H.UA..B. #...U..H5me9a#2.d9..B5u.;T..#..9.,.&.....Q.U.9.....IF.....4'....$O.n.,.iNf...`.....D...J./J....')PSid.6......DDN..tp........9..VeA:..%a....;I5...n.%M.j%F
  .Q5.m.8..9.oL.4.......DE.l...I.z.UD4dY..'..1w...^.H....a...bH......^Rm.1..r..!aH...&....+.I..p........I.=e.y.......(--.7;J.......Bq..4.P..(M-.7;J.......Bq.....[=....}I....F`..Y.?"..+~.Z...N....b.....w.....dG.10.O.).2....A.._.....v.F
  B.....;.....3..r.q<....`..f_}a..x. c...2..w5.|..]5...:..k..U?..O....{..].?}.#....)u\...5..`.....w.....I..2>.......v.D...~.'...}...X.d.......P.E.*.......;o.z...6...[.h..........Uwd....`....@..W.......aZ.}B                            
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [A]
  .M.m ...."...A.K...........!...Gj.........S{|gp..J.e........8!..HM8....."...C....rA...I2.lvp.Pw]...%E..H..!W.H....../..c....*z...z..{....5G'i.4.*.....+".5vMI1#.....e..`A].V.hq...[ID9.......q..oWa...2....$...J...UK..q....Z....Y....[.
  rS..S-...u6f....Iu.../....1.._.|..A.......i.L.7..#xn...+Q.$.....,....... =...n)f..1.....<...$....S.b...@5W.w..s;|h.I..A...7....Xg% ...bG.....S......../H....hr.''xr.'gxrn.../.3...nK...(m@L".d..@d.0.|.3I..=p.,e...}.....gB...H.......&.
  D...TJ.......q..... ........7...C.....!.z..bOLK1v.|....>N]U.qjW..m..{.(.....>.{......M.6......X;...]EO..=Fn^D..[.:..X..:.V^r...+Xn..8.........Q.V....%Kq....^..C...,.......7.R./wCk.+...f._...m}....^.k......c...d.j........(..n.-I.....
  .....L0D.....Y......a.....'~C.].7(#.-.hA......W...o...\...<f4..S%..l3s.o.....(....V..._.......g......a...x.Q/ ..0....k'.....b ....._.+...7..,.B......x..A.../.4J.",.....B.....Ds......T:s.~...vAl..h...#.#.Ac^..s...$..rm.<~.I..\cy.L.P.
  .............g....S........T..f":.L..........5.S.....4.m......u"V..~.Jh..uK..w/,..3.4..b..yi.c`...1,..b...... P..`(D......5...]...^...xG?z....Q7$...K..W.WRG.\.3.sH..Gy...(].,..D.r..L.../.T.......S...jqa.8.b.....'v.h...Y.._:...'[..5.
  ..^...v....&1.H......SMT,.>...B.!A5......v......1nK...A).......I'.H..j.9.F..-................B...LV...X.<.v.... ....%F7Y)+lV..9..;.....'.....@F..K'W............_.........@......CM..................v..2'..EQ-..X.r.n...^...(.=...0.$V6
  ...............ri..3rb?.X....q.:..x..;........~z%?...._..u^v...u+.y....0Tm.......,.e...l.A.r.../...Cm/....)i.".......fOv.....3...f.............Y.@..F..nx.]I..F...}.....N.u"Z%...vv..\..o...+.v...jy.{......n......6n<&..o....a.`%d.....
  ...a~...N.N..|'...KW.1.u...U%..G...K9.?.......g.H...[wl(.....G...2.c..^|..I3.....$......;..Qi;gj.l.wCW...1qx j....D..L(..|L.Z....'*m}%.....4._.QG6.,......p....n411 q...UZ.+..A....).6<....`2 ....9...g2....3.....zy..C?.+.@......aX..>.
  '.,..x...D.mwU%..L.f....c6X......J..2.}v....u.`..qz..3.+....QH.r......|.)...$Q.T...AY}..'EV.x.,...5..@'...&6.2Zj....#.A..E..4T8^.Q .].......(...A...>.%..U.Q.r6..(.E......!Q.hz.l]..p.z...L.......(W6.U.....>........G...|b.+.../K.B..9)
  +..."c...z..#3I.(...W).....E.Y.''.B^!q..J...~...M...\.l...WI.H.......m,.....;.r.Un....i.C7.DI.g....Q...8us...6.}#...u...?oQ......D.Q.h....IoQ.....?8=e.G....0..........]|...,.......w........r..~y#C9O'..8..>..wT.(.......n..../.h5.....
  .WS.s.U.nG....w....=Q.....W..S...%...\...L].\.(8Y...>96.......Ot."......F..f......E...v.w....Y._0h....P..r|...w.rc....!....:...r......bM.......a.2.....R...`?.1..Pw.%{.....5............$..2.m...sBy.e.....2."C..$GY@..58.r0K.=....Lo...
  }...n.Z...C=8.......4...M.]..;..K".p.....*...-.6z.$v.....9b. ......b.A....1K4..Q.r.}s.....z..1....../. X............,V.2...e.....K..h.J.Z....b7...D....{..C.............O.........y.;\.RDX\......T$..Y.?-..3h.OE.....g..1..]..u..b..1..7
  .....NJ]l.N...\3@..E.r....@wR..kPW8+.v....Eh...?vl....5BS.....k...........1........f.z..;p....l..1K.....F.Ac.a.q/...;f..\.F.s.D.....Vdb.XE.q....a.......[..j.m..u.'.Y..:....>.V..4.M.........c.fo+F..z.l.U({...Wc.......-.j..Q.o..2A..;%
  .0.'....O.....Bd.Y..K;|^.^!r...R.*.{..U*...Yj....=.e.P.W.u..x...wGA.y!..(....[.S....S....S...oWi.u./..e'.Y.e'.Y.e.N./......*......3.K../..%...+.*89...'G.U.... Z.&oa..|0yKO.2.....]6=.s......8u...C.+5....`;.....W/..)?E..>..s.Nz=..\<.=
  ..a....Px...v ..~...@..Wz.W..?.n_N^.._..g..........R.?8...50..{.....;.G9.4.....8..:.V.A?......V...........7...<.7.8.>..u.l...8._.S....W$.W,.17.d..8....VV.....QY..q]E.9...;........v.eh.5..hB,w..........>V.+.~....C..S.H.%F....H/....Ea
  ..7#.Q..8..V^S(......(H...`.....s...!.|.Z.......... .4.fa_...}..>..x..yx....A.s...../b.%.....ag..jDWiDB.Y].....S.i.RM=.^\FG.d.J..@v;...r ..n..>7`...V.........z...h.Tl{=".=.ALJ68{......[...f......5.Ll9....M`FV.o.H....C....&...ZLgW%..
  .x.......C:......GAA....vU..w.TL1..N.hn...ET........P..2......Y.!H.].)x.y....x.f...9......Aq..i2o...j....c...LGD.....h.).....J)X.j...a..q4.8.....7@I|L.<%.........aZ..].a.&.D.#.J..3...<.....sd.`=W.......j........f\m.P......2....<...*
  -.@..&.0(2..0.....v..A..T'...b..(.!....................3 .~..b.|.l...D_Z-.+Tw.^.JVS.3u...v..&..l...i.^.t#...I...Jg....f....+.)...;....|.Kr.....3.>...h|X@hN.*.n.J=g&.(......P..2.......P(.>=.k.bD.1....p..j.....YP...Z.D....J.........Y.
  .I......O0~\^....oSX....w.@.h0..<..S8I.......D.......Fsk).}.#.#.f...).X.#c...Af#....IP....uXL..V.X..."......t....lv.\T.7.G`..N.+.e..../0.g+%......T>if...&.N.#.K ..98..{.......g!.|..)u n.Z...Sa....~x....(*                            
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
  ?.j.....%d.e......n..t..rL1e..;.....V._+.. .......S2....Z.p.C..*..X0.'.D...6...|...\.Ok.(..z..ss......Z+.6.x/2f.T..#.........X.c...r6.1Z..dL....e............m..4!..,>....E7_..`b............."..?S...g.8q|.....L_.Z...>yh.C.....B......
  .....:.|.A..,t"...V..1..4.,.......*.6..2.W...$....F..R..:=..1...HB.\.fMs......m..v.6.3.n.^...............W.(....Dt.....~.v.._............x...,E.}1...~TN.)h.....O8.b.A...>...D..I.....c[K.r...../V....4...J..8....XF6.w....&.....@.....=
  .k..U......O+.=.Z......w..e.;..>..Mz.y7.8..S.....WY.6..^A.b{iP).4...f!...".3C...,..k..Z+q{....o....0.n G....(mq....v.69..7..{.....~.iF>!...~..UF.sd.8..]s..C...>:......P.}7....'::8.e...Qe.:..._.$Y%....d......4....p......5.\9. r04...U
  ..G.....G.Q%.b.;\.mGc.2C..GAP.a...w...f..2/.-.....LS.......F*....<3..*...3.x..|..^......O...`..ljt.7g.=.....m11e.J..2........7.xL.........D.p3.Cd,f.t...T...........H...u..=Z.X..v..z.......8..`..vh.c-]"|...t...m ;."....=......w..]...
  ..H.E,...;z......./L...k.H.&..cUA...1B.R..B.........b...=@..9.r.k..0?e.o..c.K;x...v..E..).Z(.L.P.R2t......w.n...@Xg..!1...X..=i......V..z.Z....`p..:wF.=c.......Y.}......>..%6.....N.7.Y.......d......%.j.I.;':...B}....r ........A.z..@
  .g..|t.r...A..s.....E......-..8....$N.y...[l.t.V._<L..4.b._..Z.gK.o.@... U.[..........a.kv....=I.t"8.*..;.~..[..G.....].U%.sl...lO.;.8......K..;.0..S+^..=R...S.k..c^?....|....7/nJ=....^z........6.6...+.7.....8.....}.-.]T.0uSg...U...
  4)..$....i.4.a......NM.G.'0.!.].@....e.7.....E..o.La.......?QbO...#.....b..2...9.1....[....t.i.)...R)...&....f.vK@d......D...`.V.<...^G..L.L..s%G.#u&.1+.<.^..?q...W..........MJ..3\.....B....e.._..0.4.........W....8k..(,...<.3.x.....
  .w".].\W.Ra\e..0*.....6...U8.m.U...}.G..'bU....w....@..m.@...uj.U4.....z7.z...."..."..........[0.._..Ag....F.fv.e.ze~...i0...4....2Zy..7W...#.....<....!u.Y.G.n....^..(...,=....3w..\[...U.....~.."9......a....N|n..,}.#...0...w........
  .....I.....=.'..e.!..Y.0I.......WS2<.Q.*....T..$Ey..$..vL......wZ .... d?.rN....,..U..^....T.%..w3..~E...Qj..y......Z.;.>..g..q.6..uq._.p..5;`.@..._e.;...\p".=g.........Y=...>{..9M.5]..^n...r.W.........p.pG7........d......M...A....y
  .;....6..2=.p...(..tKBW.$n.DMd..........7....f_.....+v.../.....W.H~..uq....#H.=u.v.V...;.Po..v.:.!..}.w'R.m.Y7...:.I.G...qi..$T..~M,$U.]...l..........$!..~ IC.q...zd.m..IQ....E.u.iRM....Ep-...n...h...^<P..du...F....,A.Z_.Kb...(..Vm.
  ..o/...r[.V..Q.D.x......P....z..m._.ng...8..*X..K...!.....N..m.o...#.O.G.K^Q.......A......#..*v..[....?]O.c...!.g......J.H...M.......}^..}R7....!M..`....D......+....D.Xw8."+...?ZWc.P.........-.q;..Y.$.%....h.;.<U..eFG:.G...G../h....
  .c..bO..)..A~>...2/O...O.L......9._..G[R.q...8.B..^.....(....Th..f.....y~.B.)$...%...?.O'...T38v.[_...8A.....g~......Cv 0......AQ<..8.a..<.Of.H..E%{.:.(^...VcQ.@.. .""....ldv.....,.m/.+.k........_..520Q..C.L!.....~.l.IN....f#.j.nU..
  ..9.N....,.p&.......L*.!...8.y?.....A....5.... ..l....?J:._f.WT.....Z....._>......B.l...E!1".F.8....../f{Q....k?..!.A.Y.......b.=i0!.......h..C{.&9..`Js.......n...y...BL0.$]a...,t>\N....u...#scG_By...M..4.d...T...JG4.....J...]{h..^.
  .......2...[....$..]AH.rg......E..-..Rq`N..`......|.."~.6..../Cwj..B.......n..u..u.4o.]..\.......~h.3+..hm\vI.........bf.......$...^.[....N@>}.$7.i.v.r.......C....*.!Gl>;.....J...3..r4gx...-:;:JGW.....&...\_..fw.....\3.y.b...%T.f..n
  E.:...:.V.........Q.b.....\'...v.u..H.B+f|*...v..f..G.d.6...zPR0..K.bf$......^.......;.D..;2t??.ks..\[.i...?_..n....-...V..B..O....?.U. ...6........<A0......O.].B...*..a].....o.f.q.....u......!.[.... ....E$.]....~.6.O.h.Q..+.D....M.
  ~....IQ`W.:3...i....^c\>........b....m.!.v.8...3./...C..0m/..R.x....sU...h...8.=....x4#|s..('}r.>....K6|.....t..u..~..@t+.gB....k3z...1?X].-Y.2u.....6.,.+#........Gb.....:m.....z.u..W..4..,.D&..o..l?...9.Id.^..........|..5f.~.F.:0..
  ^.....j.8^\..IKvg.}..d.s.A .A  3..J.~/.A.J.Y?..G..L4.[|.l.=#5...].# .>.......Bi..E..{."q.f....||....S....9m\Wi..F.E.........>...u.a.?..i^..y.O$...n.Mh\...p..s..@_I..l.._.fSP......b....AB.z.C...(.......C..U`...@....|.v.)P3....(.@....
  .......|.....eu.zt'U......;B.:g.~Q..=+....m..mh....(..t....w..........#......x.nt.".Mk...JD..t.$.F......<".g....k.%.@L.zh.n..x................"/.D@.?s...1..{.F..... .^. $..P.s.W...rQ.=.1.W.@...Zx....Y../.....u.7...                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [AP]
  GET /view/theme/default/assets/js/html5.js HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.
  50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "98c-541cfb4100dbf-gzip"..D
  NT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5....                                                                                                                                                         
#
T 192.168.0.66:80 -> 192.168.0.65:60100 [AP]
  HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 11:28:13 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Mon, 21 Nov 2016 13:33:38 GMT..ETag: "98c-541cfb4100dbf-gzip"..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Encoding: gzip.
  .Content-Length: 1256..Keep-Alive: timeout=5, max=95..Connection: Keep-Alive..Content-Type: application/javascript..............}V]..6.}..PLg.&.'@..^...[:.Lg......l+q$.%.....W..dS.C.!]./.sn..'..............E..n.r...i....ZrZY..A..J..
  .j..L...i.._...w..e......580...n.&.TZ[.d>/.-.,..9..;..v]=7.{.x>..V1+..+.G...Z..nC.D..E%.BY.6.....m.*.B...:G.........D..F/2.....[z......0#......K.....#Y4.G..A.R.a.....(.yXD...5.Z.{. .K..1".,.....QV.[zw}|.Y..........0....h.....^......
  ..Uo.F.)e......f.....EL.Z(......J..4.Ay..O$...Y......q.."...i..].8X....q...3gd..4..l*b.........T.(.C.}.]......3(q..`......".i.1#.aniy...E.....RKp.7..(....o.y.G.......V..<}^.,..gtv.D.]4...V]..bhdt<.{......h.w.|...wo>~.4,...%5....0'4e
  ........r!..f^o?...]....<.n.w.....>4..R).x.!..+c..xI.+Y%05............V.........nk..RaE7..}.;...t.d.f.n.r..([yk..G77...J7...b.]...A:..JP.....n.p....y.y..fx.g.7.L..+..yq8.....H..U.9..!./W.Kx.d...tkZ;.........Z.....ptk...x..W..2...7..
  ..1...r.r)*n.u..W>u.3W.....|...h&*WI.+W.{gj..h.V..W.,..5.|.,w.t.qm......_G-.pI.Xy..ix...l.!..AB.$.....o.yy5.. ]......H.[.K..)....u.7.s...P.-#.....#u......m....T....;....O,~......r.@.:F-+C....$.E.Ea./..al%.q..c.e....hO.D[.5..D......Z
  ..T.X....2........A=kP...Y.<7.Z.] ....[..F.~N..P..k.."+..m ....h..%...A...I.O......M[.....Z).M..")..L.~4,a..$.........$..A...........5...|..@.s.d ...F.WK...........d..!.....~.Yt..P...Q*X...L....y....4...Q./..Jw....                  
###
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60103 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60103 -> 192.168.0.66:80 [AP]
  GET /view/theme/default/assets/images/archive-logo-lg.png HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2
  ; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "27ce-541cfb
  4100dbf"..DNT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=h82nu0n365s962jfd5fea4v8g5..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==....                                                                
##
T 192.168.0.66:80 -> 192.168.0.65:60103 [AP]
  HTTP/1.1 304 Not Modified..Date: Tue, 22 Nov 2016 11:28:13 GMT..Server: Apache/2.4.10 (Debian)..Connection: Keep-Alive..Keep-Alive: timeout=5, max=100..ETag: "27ce-541cfb4100dbf"....                                                  
#
T 192.168.0.65:60103 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [AF]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60103 -> 192.168.0.66:80 [AF]
  ......                                                                                                                                                                                                                                  
###
T 192.168.0.65:60103 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60103 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:60100 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
exit
49 received, 0 dropped
  7. Janos SUTO repo owner

    Apache keeps sending the "HTTP/1.1 401 Unauthorized" response. I have one more trick: edit .htaccess in the document root, and create a block like this in the <IfModule auth_ntlm_winbind_module> block:

       <FilesMatch "1\.txt$">
      AuthName "piler NTLM authentication"
      NTLMAuth on
      NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
      NTLMBasicAuthoritative on
      AuthType NTLM
      require valid-user
   </FilesMatch>

    Then create a file 1.txt with some contents, eg. Hello world! or similar. Then restart apache, and try to get this file: /1.txt. If you can, then the apache authentication is fine. I'd like to see the ngrep output again for getting this file.

  8. Rory McInerney reporter 
    interface: eth0 (192.168.0.0/255.255.254.0)
filter: (ip or ip6) and ( port 80 )
###
T 192.168.0.65:63861 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:63861 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Cache-Control: max-age=0..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safar
  i/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2
  =341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                                                                            
##
T 192.168.0.66:80 -> 192.168.0.65:63861 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 12:46:38 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
  o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
  .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
  html>.                                                                                                                                                                                                                                  
#
T 192.168.0.65:63861 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Cache-Control: max-age=0..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows N
  T 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB
  ,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                              
#
T 192.168.0.66:80 -> 192.168.0.65:63861 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 12:46:38 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomiS26GLpmYR3YAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
  gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAIgPg3e+RNIBA
  AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
  ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
  ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                          
#
T 192.168.0.65:63861 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Cache-Control: max-age=0..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAABiAWIBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAUAgAABYKIogYBsR0AAAAPMJ4GzalrT1cnrceJZv5yE00AVQ
  BMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF20kRlFerV1+/tIFJ0CWVQBAQAAAAAAAIgPg3e+RNIBi4bQ/xO/dpYAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQ
  BSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgAiA+Dd75E0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK
  18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAJgBIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlADoAOAAwAAAAAAAAAAAAAAAAAA==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
   like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID
  =ches8bgmfnhbnbgue39rt537g2; splitter2=341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                                      
#
T 192.168.0.66:80 -> 192.168.0.65:63861 [AP]
  HTTP/1.1 304 Not Modified..Date: Tue, 22 Nov 2016 12:46:38 GMT..Server: Apache/2.4.10 (Debian)..Connection: Keep-Alive..Keep-Alive: timeout=5, max=98..ETag: "6-541e322cb103d"....                                                      
#
T 192.168.0.65:63861 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
exit
11 received, 0 dropped

    I can see contents of the file created, 1.txt but it is still rejecting something.

  9. Janos SUTO repo owner

    I'm confused, because I can't see 1.txt contents in the ngrep output above. Btw. can you try it with a different browser as well, eg. firefox, chrome?

  10. Rory McInerney reporter 
    interface: eth0 (192.168.0.0/255.255.254.0)
filter: (ip or ip6) and ( port 80 )
#
T 192.168.0.65:64095 -> 192.168.0.66:80 [AF]
  ......                                                                                                                                                                                                                                  
##
T 192.168.0.65:64095 -> 192.168.0.66:80 [AR]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:64095 -> 192.168.0.66:80 [R]
  ......                                                                                                                                                                                                                                  
###
T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:64116 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, appl
  ication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.
  0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT..If-None-Match: "6-541e322cb103d"..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAA
  AAAGAbEdAAAADw==....                                                                                                                                                                                                                    
##
T 192.168.0.66:80 -> 192.168.0.65:64116 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 13:00:15 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomiY3e7RIZqtzYAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
  gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAMTWh17ARNIBA
  AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</h
  ead><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to su
  pply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                         
#
T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:64116 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, appl
  ication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.
  0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT..If-None-Match: "6-541e322cb103d"..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAAB4AXgBsgAAABoA
  GgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAqAgAABYKIogYBsR0AAAAPSPA0g0mQ5UoDQYjXBshzR00AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKeBD5ZEag0EqpvQXCH7uOgBAQAAAAAAAMTW
  h17ARNIBQAlblxijfzYAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQBSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwA
  bwBjAGEAbAAHAAgAxNaHXsBE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAPABIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4ATQB1AGwAdABpAEcAcgBvAHUAcABQAGwAYwAAAAAAAAAAAAAA
  AAA=....                                                                                                                                                                                                                                
#
T 192.168.0.66:80 -> 192.168.0.65:64116 [AP]
  HTTP/1.1 304 Not Modified..Date: Tue, 22 Nov 2016 13:00:15 GMT..Server: Apache/2.4.10 (Debian)..Connection: Keep-Alive..Keep-Alive: timeout=5, max=99..ETag: "6-541e322cb103d"....                                                      
#
T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
##
T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:64116 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
exit
17 received, 0 dropped

    Sorry, that was my bad. Here is the correct log.

  11. Janos SUTO repo owner

    No problem, however, I still can't see a successful authorization. Would try with firefox and/or chrome? Don't forget to setup them to use sso for this site.

  12. Rory McInerney reporter 
    T 192.168.0.65:64673 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/htm
  l,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341..If-None-Match: "6-54
  1e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                                                                                                      
##
T 192.168.0.66:80 -> 192.168.0.65:64673 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 13:17:27 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
  o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
  .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
  html>.                                                                                                                                                                                                                                  
#
T 192.168.0.65:64673 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/
  537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Coo
  kie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                        
#
T 192.168.0.66:80 -> 192.168.0.65:64673 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 13:17:27 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomil1Dk0+kpqzMAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
  gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAJzVjcXCRNIBA
  AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
  ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
  ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                          
#
T 192.168.0.65:64673 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAABiAWIBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAUAgAABYKIogYBsR0AAAAPd2yqmmSQJo4aKmcLhYkbUk0AVQBMAFQASQBHAFIATwBVAFAAUABM
  AEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMzOTvwwDtrZiAajybaDeqIBAQAAAAAAAJzVjcXCRNIBZFBuI1jnoUQAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQBSAEMASABJAFYARQAEACYAbQB1
  AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgAnNWNxcJE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK18VvjOndxqmWaDJKymOBlk8w0K
  ABAAAAAAAAAAAAAAAAAAAAAAAAkAJgBIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlADoAOAAwAAAAAAAAAAAAAAAAAA==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2
  840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g
  2; splitter2=341..If-None-Match: "6-541e322cb103d"..If-Modified-Since: Tue, 22 Nov 2016 12:44:40 GMT....                                                                                                                                
#
T 192.168.0.66:80 -> 192.168.0.65:64673 [AP]
  HTTP/1.1 304 Not Modified..Date: Tue, 22 Nov 2016 13:17:27 GMT..Server: Apache/2.4.10 (Debian)..Connection: Keep-Alive..Keep-Alive: timeout=5, max=98..ETag: "6-541e322cb103d"....                                                      
#
T 192.168.0.65:64673 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
exit
24 received, 0 dropped

    I checked the access logs and there's certainly winbind stuff going on. The browser is also definately set to use NTLM.

  13. Janos SUTO repo owner

    I can see that, however the 'going on stuff' is not good enough. I have no other idea other than double check the samba logs, perhaps there's a clue in them.

  14. Rory McInerney reporter

    By things going on. I meant that mod_auth_ntlm_winbind is working fine, as pasted previously. Apologies for being unclear. 

    #!
[Tue Nov 22 13:53:50.179506 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 22 13:53:50.179568 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 22 13:53:50.181781 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 22 13:53:50.181794 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 22 13:53:50.181873 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(1023): [client 192.168.0.65:49967] doing ntlm auth dance
[Tue Nov 22 13:53:50.181898 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(489): [client 192.168.0.65:49967] Using existing auth helper 16584
[Tue Nov 22 13:53:50.181906 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(657): [client 192.168.0.65:49967] creating auth user
[Tue Nov 22 13:53:50.182501 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(708): [client 192.168.0.65:49967] parsing reply from helper to YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\n
[Tue Nov 22 13:53:50.182588 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(746): [client 192.168.0.65:49967] got response: TT TlRMTVNTUAACAAAAGgAaADgAAAAFgomi+iAqvP1+qkYAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAGgBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAFDAetrHRNIBAAAAAA==
[Tue Nov 22 13:53:50.182593 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(416): [client 192.168.0.65:49967] sending back TlRMTVNTUAACAAAAGgAaADgAAAAFgomi+iAqvP1+qkYAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAGgBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAFDAetrHRNIBAAAAAA==
[Tue Nov 22 13:53:50.185006 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Nov 22 13:53:50.185017 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Nov 22 13:53:50.185021 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(1023): [client 192.168.0.65:49967] doing ntlm auth dance
[Tue Nov 22 13:53:50.185025 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(489): [client 192.168.0.65:49967] Using existing auth helper 16584
[Tue Nov 22 13:53:50.185789 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(708): [client 192.168.0.65:49967] parsing reply from helper to KK TlRMTVNTUAADAAAAGAAYAJoAAABiAWIBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAUAgAABYKIogYBsR0AAAAP3ODkcPgWh2XfeqNiDaqWTU0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAObp33nucGUKGwN5c8+o1r8BAQAAAAAAAFDAetrHRNIBDnZbH344QlEAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQBSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgAUMB62sdE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAJgBIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlADoAOAAwAAAAAAAAAAAAAAAAAA==\n
[Tue Nov 22 13:53:50.187926 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(746): [client 192.168.0.65:49967] got response: AF MULTIGROUPPLC\\rory.mcinerney
[Tue Nov 22 13:53:50.187938 2016] [auth_ntlm_winbind:debug] [pid 16518] mod_auth_ntlm_winbind.c(792): [client 192.168.0.65:49967] authenticated MULTIGROUPPLC\\rory.mcinerney
[Tue Nov 22 13:53:50.187944 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require valid-user : granted
[Tue Nov 22 13:53:50.187948 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: granted
[Tue Nov 22 13:53:50.188678 2016] [:error] [pid 16518] [client 192.168.0.65:49967] PHP Notice:  A session had already been started - ignoring session_start() in /var/www/piler/system/request.php on line 30
[Tue Nov 22 13:53:50.189475 2016] [:error] [pid 16518] [client 192.168.0.65:49967] PHP Notice:  A session had already been started - ignoring session_start() in /var/www/piler/system/request.php on line 30
[Tue Nov 22 13:53:50.206918 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require all granted: granted
[Tue Nov 22 13:53:50.206930 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: granted
[Tue Nov 22 13:53:50.207013 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of Require all granted: granted
[Tue Nov 22 13:53:50.207021 2016] [authz_core:debug] [pid 16518] mod_authz_core.c(809): [client 192.168.0.65:49967] AH01626: authorization result of <RequireAny>: granted
[Tue Nov 22 13:53:50.209701 2016] [deflate:debug] [pid 16518] mod_deflate.c(855): [client 192.168.0.65:49967] AH01384: Zlib: Compressed 2427 to 961 : URL /index.php

    The samba logs are completely clean of any errors, but I'm led to believe by these logs that the module is authenticating correctly. The same result also comes up when using login.php with typed in/username password. As far as I can guess, apache is authenticating against the domain ok.

    Could I ask what version of php the webui was built against and whether it was nginx or apache?

  15. Janos SUTO repo owner

    Well, the sso part was tested with php 5 + apache 2.2 (however, I believe that sso should work with php 7 + apache 2.4 as well, since it has nothing to do with php versions).

    I also saw the 'authenticated' line in the apache debug logs, however if you can't get 1.txt, then it's simply not working properly, and the webserver itself (not php with any versions) rejects your request. We have to fix it first.

  16. Rory McInerney reporter

    I can see the contents of the file, 1.txt - the latest ngrep log is from when I was able to do this.

  18. Rory McInerney reporter

    I think there was some web-browser caching happening which I apologise for. This ngrep for /1.txt displays the word "thins" (content of the file) which is also present in the ngrep log.

    T 192.168.0.65:52229 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Pragma: no-cache..Cache-Control: no-cache..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/5
  4.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39r
  t537g2; splitter2=341....
##
T 192.168.0.66:80 -> 192.168.0.65:52229 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 15:08:09 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
  o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
  .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
  html>.
#
T 192.168.0.65:52229 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Pragma: no-cache..Cache-Control: no-cache..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==..Upgrade-Insecure-Requests: 1..User-Agent: Mozil
  la/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accep
  t-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341....
#
T 192.168.0.66:80 -> 192.168.0.65:52229 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 15:08:09 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomiS4N+lRChvLsAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
  gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIAORDgzzSRNIBA
  AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
  ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
  ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.
#
T 192.168.0.65:52229 -> 192.168.0.66:80 [AP]
  GET /1.txt HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Pragma: no-cache..Cache-Control: no-cache..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAABiAWIBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAUAgAABYKIogYBsR0AAAAPmguCECQnZ
  fjY/oiAw1pjrU0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANoB7ee8TkNGACR7IwilDCsBAQAAAAAAAORDgzzSRNIB323kXWHQHY8AAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAA
  QAWAFMAVgBDAEEAQQBSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgA5EODPNJE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAk
  JzxPmjuTLhsWDaTAK18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAJgBIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlADoAOAAwAAAAAAAAAAAAAAAAAA==..Upgrade-Insecure-Requests: 1..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebK
  it/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..
  Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341....
#
T 192.168.0.66:80 -> 192.168.0.65:52229 [AP]
  HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:08:09 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Tue, 22 Nov 2016 12:44:40 GMT..ETag: "6-541e322cb103d"..Accept-Ranges: bytes..Content-Length: 6..Keep-Alive: timeout=5, max=98..Con
  nection: Keep-Alive..Content-Type: text/plain....thins.
#
T 192.168.0.65:52229 -> 192.168.0.66:80 [AP]
  GET /favicon.ico HTTP/1.1..Host: svcaarchive..Connection: keep-alive..Pragma: no-cache..Cache-Control: no-cache..User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.3
  6..Accept: */*..Referer: http://svcaarchive/1.txt..Accept-Encoding: gzip, deflate, sdch..Accept-Language: en-GB,en-US;q=0.8,en;q=0.6..Cookie: PHPSESSID=ches8bgmfnhbnbgue39rt537g2; splitter2=341....
#
T 192.168.0.66:80 -> 192.168.0.65:52229 [AP]
  HTTP/1.1 404 Not Found..Date: Tue, 22 Nov 2016 15:08:09 GMT..Server: Apache/2.4.10 (Debian)..Content-Length: 286..Keep-Alive: timeout=5, max=97..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML P
  UBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /favicon.ico was not found on this server.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarc
  hive Port 80</address>.</body></html>.
  19. Janos SUTO repo owner

    OK, it looks better. Can you run ngrep again, but this time checking /sso.php? You may skip the inside of the long binary garbage to shorten the output. The point is that I'd like to see the HTTP/1.1 200 OK response (or something similar) with some cookies.

  20. Rory McInerney reporter 
    #!

interface: eth0 (192.168.0.0/255.255.254.0)
filter: (ip or ip6) and ( port 80 )
###
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
  GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
  plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
  4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive....                                                                                                                                            
##
T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM..Content-Length: 458..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: text/html; charset=is
  o-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested
  .  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></
  html>.                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
  GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
  plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
  4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==....                                                              
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
  HTTP/1.1 401 Unauthorized..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..WWW-Authenticate: NTLM TlRMTVNTUAACAAAAGgAaADgAAAAFgomivNTJc1ZgmkkAAAAAAAAAALQAtABSAAAABgEAAAAAAA9NAFUATABUAEkARwBSAE8AVQBQAFAATABDAAIAG
  gBNAFUATABUAEkARwBSAE8AVQBQAFAATABDAAEAFgBTAFYAQwBBAEEAUgBDAEgASQBWAEUABAAmAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwAAwA+AHMAdgBjAGEAYQByAGMAaABpAHYAZQAuAG0AdQBsAHQAaQBnAHIAbwB1AHAAcABsAGMALgBsAG8AYwBhAGwABwAIACDilZPURNIBA
  AAAAA==..Content-Length: 458..Keep-Alive: timeout=5, max=99..Connection: Keep-Alive..Content-Type: text/html; charset=iso-8859-1....<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</he
  ad><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested.  Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to sup
  ply.the credentials required.</p>.<hr>.<address>Apache/2.4.10 (Debian) Server at svcaarchive Port 80</address>.</body></html>.                                                                                                          
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
  GET /sso.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, ap
  plication/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET
  4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..DNT: 1..Connection: Keep-Alive..Authorization: NTLM TlRMTVNTUAADAAAAGAAYAJoAAAB4AXgBsgAAABoAGgBYAAAAHAAcAHIAAAAMAAwAjgAAAAAAAAAqAgAABYKIogYBsR0AAAAP/lRW8pUN+uD6EP91WMKwdE0AVQ
  BMAFQASQBHAFIATwBVAFAAUABMAEMAUgBvAHIAeQAuAE0AYwBJAG4AZQByAG4AZQB5AFIATwBSAFkAUABDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMJLGbe96BN69BUVvCDtbF0BAQAAAAAAACDilZPURNIBNdbCrHCd7jsAAAAAAgAaAE0AVQBMAFQASQBHAFIATwBVAFAAUABMAEMAAQAWAFMAVgBDAEEAQQ
  BSAEMASABJAFYARQAEACYAbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAADAD4AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4AbQB1AGwAdABpAGcAcgBvAHUAcABwAGwAYwAuAGwAbwBjAGEAbAAHAAgAIOKVk9RE0gEGAAQAAgAAAAgAMAAwAAAAAAAAAAAAAAAAMAAAkJzxPmjuTLhsWDaTAK
  18VvjOndxqmWaDJKymOBlk8w0KABAAAAAAAAAAAAAAAAAAAAAAAAkAPABIAFQAVABQAC8AcwB2AGMAYQBhAHIAYwBoAGkAdgBlAC4ATQB1AGwAdABpAEcAcgBvAHUAcABQAGwAYwAAAAAAAAAAAAAAAAA=....                                                                          
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
  HTTP/1.1 302 Found..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Set-Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-reval
  idate, post-check=0, pre-check=0..Pragma: no-cache..Location: http://svcaarchive/login.php..Content-Length: 0..Keep-Alive: timeout=5, max=98..Connection: Keep-Alive..Content-Type: text/html; charset=UTF-8....                        
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
  GET /login.php HTTP/1.1..Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, 
  application/msword, */*..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .N
  ET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4..Connection: Keep-Alive..DNT: 1....                                                                                            
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
  HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0..Pragma: no-cache..Vary: Acc
  ept-Encoding..Content-Encoding: gzip..Content-Length: 979..Keep-Alive: timeout=5, max=97..Connection: Keep-Alive..Content-Type: text/html; charset=UTF-8 <BINARY GARBAGE>
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
  GET /view/theme/default/assets/css/metro-bootstrap.css HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .
  NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "2d937-541cfb40
  ffe1f-gzip"..DNT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4....                                                                                                                                           
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
  HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Tue, 22 Nov 2016 12:42:49 GMT..ETag: "2d937-541e31c26de3e-gzip"..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Encoding: gzi
  p..Content-Length: 31559..Keep-Alive: timeout=5, max=96..Connection: Keep-Alive..Content-Type: text/css.<BINARY GARBAGE>                           
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
 <BINARY GARBAGE>                          
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
<BINARY GARBAGE>                          
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
 <BINARY GARBAGE>                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
<BINARY GARBAGE>                         
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
<BINARY GARBAGE>                          
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
<BINARY GARBAGE>                    
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
<BINARY GARBAGE>                
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
  GET /view/theme/default/assets/js/html5.js HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.
  50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "98c-541cfb4100dbf-gzip"..D
  NT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4....                                                                                                                                                         
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
  HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Tue, 22 Nov 2016 12:42:49 GMT..ETag: "98c-541e31c276ade-gzip"..Accept-Ranges: bytes..Vary: Accept-Encoding..Content-Encoding: gzip.
  .Content-Length: 1256..Keep-Alive: timeout=5, max=95..Connection: Keep-Alive..Content-Type: application/javascript.<BINARY GARBAGE>
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [AP]
  GET /view/theme/default/assets/images/archive-logo-lg.png HTTP/1.1..Accept: */*..Referer: http://svcaarchive/login.php..Accept-Language: en-GB..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2
  ; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: svcaarchive..If-Modified-Since: Mon, 21 Nov 2016 13:33:38 GMT..If-None-Match: "27ce-541cfb
  4100dbf"..DNT: 1..Connection: Keep-Alive..Cookie: PHPSESSID=9r36e2o9b8jtgddc5mrrs25be4....                                                                                                                                              
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [A]
  HTTP/1.1 200 OK..Date: Tue, 22 Nov 2016 15:24:54 GMT..Server: Apache/2.4.10 (Debian)..Last-Modified: Tue, 22 Nov 2016 12:42:49 GMT..ETag: "27ce-541e31c270d1e"..Accept-Ranges: bytes..Content-Length: 10190..Keep-Alive: timeout=5, max=
  94..Connection: Keep-Alive..Content-Type: image/png.....PNG........<BINARY GARBAGE>                                                                                                                                                                                                                           
#
T 192.168.0.66:80 -> 192.168.0.65:52773 [AP]
  ,UC..q.....>.l.v.Jp=-..6I(.8....E....k.b.|......l..6tk..)...egr.R.~z..s...iy..... .o.~....C..c_.......O......BOD...U...%L..R...T.>........R.}.BB,,8x.._.(YI....S.(4!x.. w..).T.....).+"..N...,.i-..L.cB0Q(B0....Avl.).k.s.....J.......z.
  ..5.?..vg........IEND.B`.                                                                                                                                                                                                               
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
#
T 192.168.0.65:52773 -> 192.168.0.66:80 [A]
  ......                                                                                                                                                                                                                                  
exit
38 received, 0 dropped
  21. Janos SUTO repo owner

    OK. Unfortunately I can't do more without seeing the php code in action. Is it possible a remote session for that?

  22. Rory McInerney reporter

    Yes, this will be fine. What is your preffered method? I can either get external ssh set up on the firewall or can give teamviewer access to a local machine with web/ssh access to the machine.

  23. Janos SUTO repo owner

    ssh is my preferred method, however it would be great to see the gui in a browser as well. In what timezone are you?

  24. Rory McInerney reporter

    I am in GMT and will be available 07.30 - 1700 to give access if that works for you?

    Easiest method for me would be to give you teamviewer access to a box with browser/putty on if that is ok with you?

  25. Janos SUTO repo owner

    Yes, it's fine. Contact me on skype (janos.suto) tomorrow, and we'll discuss the rest.

  27. Log in to comment
Assignee
Type
bug
Priority
minor
Status
resolved
Votes
0
Watchers
2
Jira: the preferred issue tracker for Bitbucket. Join the team!