!== cifsntdomain.txt for Samba release 1.9.18alpha9 30 Oct 1997

NT Domain Authentication
------------------------

Authors:      - Luke Kenneth Casson Leighton (lkcl@switchboard.net)
--------      - Paul Ashton (paul@argo.demon.co.uk)
              - Duncan Stansfield (duncans@sco.com)

Copyright (C) 1997 Luke Kenneth Casson Leighton
Copyright (C) 1997 Paul Ashton
Copyright (C) 1997 Duncan Stansfield

Version:      0.023 (29oct97)

Distribution: Unlimited and encouraged, for the purposes of implementation
------------- and comments. Feedback welcomed by the authors.

Liability:    Absolutely none accepted implicitly or explicitly, direct
----------    or consequentially, for use, abuse, misuse, lack of use,
              misunderstandings, mistakes, omissions, mis-information for
              anything in or not in, related to or not related to, or
              pertaining to this document, or anything else that a lawyer
              can think of or not think of.

Warning:      Please bear in mind that an incorrect implementation of this
--------      protocol can cause an NT workstation to fail irrevocably, for
              which the authors accept no liability (see above). Please
              contact your vendor if you have any problems.

Sources:      - Packet Traces from Netmonitor (Service Pack 1 and above)
--------      - Paul Ashton and Luke Leighton's other "NT Domain" doc.
              - CIFS documentation - cifs6.txt
              - CIFS documentation - cifsrap2.txt

Original:     http://mailhost.cb1.com/~lkcl/cifsntdomain.txt.
---------     (Controlled copy maintained by lkcl@switchboard.net)

Credits:      - Paul Ashton: loads of work with Net Monitor;
--------        understanding the NT authentication system;
                reference implementation of the NT domain support on which
                this document is originally based.
              - Duncan Stansfield: low-level analysis of MSRPC Pipes.
              - Linus Nordberg: producing C code from Paul's crypto spec.
              - Windows Sourcer development team
2) Structures and notes

3) Transact Named Pipe Header/Tail

4) NTLSA Transact Named Pipe

    4.2) LSA Query Info Policy
    4.3) LSA Enumerate Trusted Domains

5) NETLOGON rpc Transact Named Pipe

    5.1) LSA Request Challenge
    5.2) LSA Authenticate 2
    5.3) LSA Server Password Set

6) \\MAILSLOT\NET\NTLOGON

7) SRVSVC Transact Named Pipe

    7.2) Net Server Get Info

A1) Cryptographic side of NT Domain Authentication

    A2.1) Well-known SIDs

        A2.1.1) Universal well-known SIDs
        A2.1.2) NT well-known SIDs

    A2.2) Well-known RIDS

        A2.2.1) Well-known RID users
        A2.2.2) Well-known RID groups
        A2.2.3) Well-known RID aliases
This document contains information to provide an NT workstation with login
services, without the need for an NT server.

It should be possible to select a domain instead of a workgroup (in the NT
workstation's TCP/IP settings) and, after the obligatory reboot, type in a
username and password, select a domain and successfully log in. I would
appreciate any feedback on your experiences with this process, and any
comments, corrections and additions to this document.

The packets described here can be easily derived from (and are probably
better understood using) Netmon.exe. You will need to use the version
of Netmon that matches your system, in order to correctly decode the
NETLOGON, lsarpc and srvsvc Transact pipes. This document is derived from
NT Service Pack 1 and its corresponding version of Netmon. It is intended
that an annotated packet trace be produced, which will likely be more
instructive than this document.

Also needed, to fully implement NT Domain Login Services, is the
document describing the cryptographic part of the NT authentication.
This document is available from comp.protocols.smb, from the ntsecurity.net
digest and from the samba digest, amongst other sources.

A copy is available from:

http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708&L=ntbugtraq&O=A&P=2935
http://mailhost.cb1.com/~lkcl/crypt.html

A C-code implementation of this protocol, provided by Linus Nordberg
<linus@incolumitas.se>, is available from:

http://samba.anu.edu.au/cgi-bin/mfs/01/digest/1997/97aug/0391.html
http://mailhost.cb1.com/~lkcl/crypt.txt

Also used to provide debugging information is the Checked Build version of
NT workstation, with full debugging enabled in NETLOGON. This is
achieved by setting the REG_SZ debug value under the following registry
key to 0x1ffffff:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

- Incorrect direct editing of the registry can cause your machine to fail.
Then again, so can an incorrect implementation of this protocol.
See "Liability:" above.

Bear in mind that each packet over the wire will have its origin in an
API call. Therefore, there are likely to be structures, enumerations
and defines that are usefully documented elsewhere.

This document is by no means complete or authoritative. Missing sections
include, but are not limited to:

- the meaning (and use by NT) of SIDs and RIDs.

- mappings of RIDs to usernames (and vice-versa).

- what a User ID is and what a Group ID is.

- the exact meaning/definition of various magic constants or enumerations.

- the reply error code and use of that error code when a workstation
becomes a member of a domain (to be described later). Failure to
return this error code will make the workstation report that it is
already a member of the domain.

- the cryptographic side of the NetrServerPasswordSet command, which would
allow the workstation to change its password. This password is used to
generate the long-term session key. [It is possible to reject this
command, and keep the default workstation password].
2) Notes and Structures
-----------------------

- In the SMB Transact pipes, some "Structures", described here, appear to be
4-byte aligned with the SMB header, at their start. Exactly which
"Structures" need aligning is not precisely known or documented.

- In the UDP NTLOGON Mailslots, some "Structures", described here, appear to be
2-byte aligned with the start of the mailslot, at their start.

- A domain SID is of the format S-revision-identifier_authority-subauth1-subauth2...subauthN,
e.g. S-1-5-123-456-789-123-456. The 5 is the identifier authority (5 is
the NT authority), not a version or sub-revision; the numbers after it are
the sub-authorities.

- Any undocumented buffer pointer must be non-zero if the string buffer it
refers to contains characters. Exactly what value it should be is unknown;
0x0000 0002 seems to do the trick to indicate that the buffer exists. A
NULL buffer pointer indicates that the string buffer is of zero length.
If the buffer pointer is NULL, then it is suspected that the structure it
refers to is NOT put into (or taken out of) the SMB data stream. This is
empirically derived from, for example, the LSA SAM Logon response packet,
where if the buffer pointer is NULL, the user information is not inserted
into the data stream. Exactly what happens with an array of buffer pointers
is not known, although an educated guess can be made.

- An array of structures (a container) appears to have a count and a pointer.
If the count is zero, the pointer is also zero, and no further data is put
into or taken out of the SMB data stream. If the count is non-zero, then
the pointer is also non-zero. Immediately following the pointer is the
count again, followed by an array of container sub-structures. The count
appears a third time after the last sub-structure.

- MSRPC Header type. Command number in the MSRPC packet header.

- MSRPC Packet info. The meaning of these flags is undocumented.

- sizeof VOID* is 32 bits.

- sizeof char is 8 bits.

- UTIME is 32 bits, indicating time in seconds since 01jan1970. Documented
in cifs6.txt (section 3.5, page 30).

- NTTIME is 64 bits. Documented in cifs6.txt (section 3.5, page 30).

- DOM_SID (domain SID structure) :

    UINT32            num of sub-authorities in domain SID
    UINT8             SID revision number
    UINT8             num of sub-authorities in domain SID
    UINT8[6]          6 bytes for domain SID - Identifier Authority (big-endian).
    UINT32[n_subauths] domain SID sub-authorities (32 bits each, little-endian)

Note: the domain SID is documented elsewhere. The two sub-authority counts
must agree; a receiver should reject a DOM_SID where they do not, or where
the buffer is too short to hold n_subauths UINT32s.
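As an added example (not part of the original document or of Samba's code), here is the DOM_SID wire layout above packed and unpacked in Python, together with the S-1-... string form from the note earlier in this section. It assumes the conventions stated on this page (little-endian counts and sub-authorities, a big-endian 6-byte identifier authority) plus one the page does not state: a maximum of 15 sub-authorities, which is the limit in the Windows SID definition.

```python
import struct

# Identifier authority for S-1-5-... SIDs (the "5" in the note above).
NT_AUTHORITY = 5
MAX_SUB_AUTHS = 15   # Windows limit; not stated on this page (assumption)

def sid_from_string(text):
    """Parse 'S-1-5-21-...' into (revision, identifier_authority, [sub_auths])."""
    parts = text.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    rev, ida = int(parts[1]), int(parts[2], 0)     # authority may be written as hex
    subs = [int(p) for p in parts[3:]]
    if rev != 1 or not 0 <= ida < 2 ** 48 or len(subs) > MAX_SUB_AUTHS:
        raise ValueError("SID out of range: %r" % text)
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authority out of 32-bit range: %r" % text)
    return rev, ida, subs

def sid_to_string(rev, ida, subs):
    return "S-%d-%d%s" % (rev, ida, "".join("-%d" % s for s in subs))

def dom_sid_pack(rev, ida, subs):
    """Marshal as the DOM_SID wire structure: UINT32 sub-authority count,
    then the SID proper: UINT8 revision, UINT8 count, 6-byte big-endian
    identifier authority, UINT32 little-endian sub-authorities."""
    n = len(subs)
    if n > MAX_SUB_AUTHS:
        raise ValueError("too many sub-authorities: %d" % n)
    return (struct.pack("<I", n) + struct.pack("<BB", rev, n)
            + ida.to_bytes(6, "big") + struct.pack("<%dI" % n, *subs))

def dom_sid_unpack(buf, off=0):
    """Unmarshal a DOM_SID at buf[off:]; returns ((rev, ida, subs), new_off).
    Rejects disagreeing counts and data that runs past the end of buf."""
    if len(buf) - off < 12:
        raise ValueError("truncated DOM_SID header")
    (n_outer,) = struct.unpack_from("<I", buf, off)
    rev, n = struct.unpack_from("<BB", buf, off + 4)
    if n_outer != n:
        raise ValueError("sub-authority counts differ: %d vs %d" % (n_outer, n))
    if n > MAX_SUB_AUTHS:
        raise ValueError("too many sub-authorities: %d" % n)
    end = off + 12 + 4 * n
    if end > len(buf):
        raise ValueError("truncated DOM_SID: need %d bytes, have %d"
                         % (end - off, len(buf) - off))
    ida = int.from_bytes(buf[off + 6:off + 12], "big")
    subs = list(struct.unpack_from("<%dI" % n, buf, off + 12))
    return (rev, ida, subs), end
```

The outer count is what NDR needs to size the array before it reads the SID proper; checking it against the inner count (and against the bytes actually present) is the difference between a parser that survives a hostile response and one that reads off the end of the transact buffer.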
    char[]            null-terminated string of ascii characters.

- UNIHDR (unicode string header) :

    UINT16            length of unicode string
    UINT16            max length of unicode string
    UINT32            4 - undocumented.

- UNIHDR2 (unicode string header plus buffer pointer) :

    UNIHDR            unicode string header
    VOID*             undocumented buffer pointer

- UNISTR (unicode string) :

    UINT16[]          null-terminated string of unicode characters.

- NAME (length-indicated unicode string) :

    UINT32            length of unicode string
    UINT16[]          null-terminated string of unicode characters.

- UNISTR2 (aligned unicode string) :

    UINT8[]           padding to get unicode string 4-byte aligned
                      with the start of the SMB header.
    UINT32            max length of unicode string
    UINT32            0 - undocumented
    UINT32            length of unicode string
    UINT16[]          string of unicode characters.
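The alignment rule in UNISTR2 bites when two strings are marshalled back to back: after an odd-length UTF-16 string the stream is 2 bytes off, so the next UNISTR2 needs padding measured from the SMB header, not from the start of the structure. The following Python, added here as an illustration and not taken from the original document or from Samba, packs and unpacks UNISTR2 and UNIHDR given the offset of the field from the SMB header. It assumes two things the page does not state: that the UNISTR2 counts are in UINT16 units and exclude a terminator, and that the UNIHDR counts are byte lengths, as the DOM_INFO entry ("domain name string length * 2") suggests.

```python
import struct

def pad_to(off, align=4):
    """Bytes of padding needed to bring offset `off` (measured from the
    start of the SMB header) up to the next `align`-byte boundary."""
    return (-off) % align

def unihdr_pack(text, buf_ptr=4):
    """UNIHDR: UINT16 length, UINT16 max length (both in bytes), UINT32
    buffer pointer. The page records the value 4 as undocumented; a
    non-zero pointer simply says the string body follows later on."""
    nbytes = 2 * len(text)          # BMP characters only (assumption)
    return struct.pack("<HHI", nbytes, nbytes, buf_ptr)

def unistr2_pack(text, off):
    """Marshal `text` as a UNISTR2 placed at offset `off` from the SMB
    header: padding, UINT32 max length, UINT32 0, UINT32 length, UINT16[]
    characters. Counts are in UINT16 units with no terminator (assumption)."""
    chars = text.encode("utf-16-le")
    n = len(chars) // 2
    return b"\x00" * pad_to(off) + struct.pack("<III", n, 0, n) + chars

def unistr2_unpack(buf, off):
    """Inverse of unistr2_pack. Returns (text, new_off). Refuses headers whose
    counts are inconsistent or that point past the end of the buffer, since
    a server-supplied length is attacker-controlled from the client's view."""
    off += pad_to(off)
    if len(buf) - off < 12:
        raise ValueError("truncated UNISTR2 header")
    max_len, undoc, length = struct.unpack_from("<III", buf, off)
    if undoc != 0 or length > max_len:
        raise ValueError("bad UNISTR2 header: max=%d undoc=%d len=%d"
                         % (max_len, undoc, length))
    start = off + 12
    end = start + 2 * length
    if end > len(buf):
        raise ValueError("UNISTR2 runs past end of data")
    return buf[start:end].decode("utf-16-le"), end

def pack_two_strings(first, second, off):
    """Two consecutive UNISTR2s, as in CLNT_SRV (server then client name),
    starting at `off` from the SMB header."""
    a = unistr2_pack(first, off)
    b = unistr2_pack(second, off + len(a))
    return a + b
```

`off` is the position of the field within the whole SMB frame, which is why the functions take it as a parameter rather than assuming the structure starts aligned: the same string body needs 0 or 2 bytes of padding depending only on what preceded it.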
- OBJ_ATTR (object attributes) :

    UINT32            0x18 - length (in bytes) including the length field.
    VOID*             0 - root directory (pointer)
    VOID*             0 - object name (pointer)
    UINT32            0 - attributes (undocumented)
    VOID*             0 - security descriptor (pointer)
    UINT32            0 - security quality of service

- POL_HND (LSA policy handle) :

    char[20]          policy handle

- DOM_SID2 (domain SID structure, SIDs stored in unicode) :

    UINT32            0 - undocumented
    UNIHDR2           domain SID unicode string header
    UNISTR            domain SID unicode string

Note: there is a conflict between the unicode string header and the
unicode string itself as to which to use to indicate string
length. This will need to be resolved.

Note: the SID type indicates, for example, an alias; a well-known group etc.
This is documented somewhere.

- DOM_RID (domain RID structure) :

    UINT32            5 - well-known SID. 1 - user SID (see ShowACLs)
    UINT32            5 - undocumented
    UINT32            0 - domain index out of above reference domains

- LOG_INFO (server, account, client structure) :

Note: logon server name starts with two '\' characters and is upper case.

Note: account name is the logon client name from the LSA Request Challenge,
with a $ on the end of it, in upper case.

    VOID*             undocumented buffer pointer
    UNISTR2           logon server unicode string
    UNISTR2           account name unicode string
    UINT16            sec_chan - security channel type
    UNISTR2           logon client machine unicode string

- CLNT_SRV (server, client names structure) :

Note: logon server name starts with two '\' characters and is upper case.

    VOID*             undocumented buffer pointer
    UNISTR2           logon server unicode string
    VOID*             undocumented buffer pointer
    UNISTR2           logon client machine unicode string

- CREDS (credentials + time stamp)

- CLNT_INFO2 (server, client structure, client credentials) :

Note: whenever this structure appears in a request, you must take a copy
of the client-calculated credentials received, because they will be
used in subsequent credential checks. The presumed intention is to
maintain an authenticated request/response trail.

    CLNT_SRV          client and server names
    UINT8[]           ???? padding, for 4-byte alignment with SMB header.
    VOID*             pointer to client credentials.
    CREDS             client-calculated credentials + client time

- CLNT_INFO (server, account, client structure, client credentials) :

Note: whenever this structure appears in a request, you must take a copy
of the client-calculated credentials received, because they will be
used in subsequent credential checks. The presumed intention is to
maintain an authenticated request/response trail.

    LOG_INFO          logon account info
    CREDS             client-calculated credentials + client time

- ID_INFO_1 (id info structure, auth level 1) :

    UNIHDR            domain name unicode header
    UNIHDR            user name unicode header
    UNIHDR            workstation name unicode header
    char[16]          rc4 LM OWF Password
    char[16]          rc4 NT OWF Password
    UNISTR2           domain name unicode string
    UNISTR2           user name unicode string
    UNISTR2           workstation name unicode string

- SAM_INFO (sam logon/logoff id info structure) :

Note: presumably, the return credentials are for the server to
verify that the credential chain hasn't been compromised.

    CLNT_INFO2        client identification/authentication info
    VOID*             pointer to return credentials.
    CRED              return credentials - ignored.

    switch (switch_value)

- GID (group id info) :

    UINT32            user attributes (only used by NT 3.1 and 3.51)

- DOM_REF (domain reference info) :

    VOID*             undocumented buffer pointer.
    UINT32            num referenced domains?
    VOID*             undocumented domain name buffer pointer.
    UINT32            32 - max number of entries
    UINT32            4 - num referenced domains?

    UNIHDR2           domain name unicode string header
    UNIHDR2[num_ref_doms-1] referenced domain unicode string headers

    UNISTR            domain name unicode string
    DOM_SID[num_ref_doms] referenced domain SIDs

- DOM_INFO (domain info, levels 3 and 5 are the same) :

    UINT8[]           ??? padding to get 4-byte alignment with start of SMB header
    UINT16            domain name string length * 2
    UINT16            domain name string length * 2
    VOID*             undocumented domain name string buffer pointer
    VOID*             undocumented domain SID string buffer pointer
    UNISTR2           domain name (unicode string)
- USER_INFO (user logon info) :

Note: it would be nice to know what the 16 byte user session key is for.

    NTTIME            password last set time
    NTTIME            password can change time
    NTTIME            password must change time

    UNIHDR            username unicode string header
    UNIHDR            user's full name unicode string header
    UNIHDR            logon script unicode string header
    UNIHDR            profile path unicode string header
    UNIHDR            home directory unicode string header
    UNIHDR            home directory drive unicode string header

    UINT16            bad password count

    VOID*             undocumented buffer pointer to groups.

    char[16]          user session key

    UNIHDR            logon server unicode string header
    UNIHDR            logon domain unicode string header
    VOID*             undocumented logon domain id pointer
    char[40]          40 undocumented padding bytes. Future expansion?

    UINT32            0 - num_other_sids?
    VOID*             NULL - undocumented pointer to other domain SIDs.

    UNISTR2           username unicode string
    UNISTR2           user's full name unicode string
    UNISTR2           logon script unicode string
    UNISTR2           profile path unicode string
    UNISTR2           home directory unicode string
    UNISTR2           home directory drive unicode string

    GID[num_groups]   group info

    UNISTR2           logon server unicode string
    UNISTR2           logon domain unicode string

    DOM_SID[num_sids] other domain SIDs?

- SH_INFO_1_PTR (pointers to level 1 share info strings):

Note: see cifsrap2.txt section 5, page 10.

    0 for shi1_type indicates a Disk.
    1 for shi1_type indicates a Print Queue.
    2 for shi1_type indicates a Device.
    3 for shi1_type indicates an IPC pipe.
    0x8000 0000 (top bit set in shi1_type) indicates a hidden share.

    VOID*             shi1_netname - pointer to net name
    UINT32            shi1_type - type of share. 0 - undocumented.
    VOID*             shi1_remark - pointer to comment.

- SH_INFO_1_STR (level 1 share info strings) :

    UNISTR2           shi1_netname - unicode string of net name
    UNISTR2           shi1_remark - unicode string of comment.

share container with 0 entries:

    UINT32            0 - EntriesRead

share container with > 0 entries:

    UINT32            non-zero - Buffer

    SH_INFO_1_PTR[EntriesRead] share entry pointers
    SH_INFO_1_STR[EntriesRead] share entry strings

    UINT8[]           padding to get unicode string 4-byte
                      aligned with start of the SMB header.

Note: see cifs6.txt section 6.4 - the fields described therein will be
of assistance here. For example, the type listed below is the
same as fServerType, which is described in 6.4.1.

    SV_TYPE_WORKSTATION         0x00000001  All workstations
    SV_TYPE_SERVER              0x00000002  All servers
    SV_TYPE_SQLSERVER           0x00000004  Any server running with SQL
    SV_TYPE_DOMAIN_CTRL         0x00000008  Primary domain controller
    SV_TYPE_DOMAIN_BAKCTRL      0x00000010  Backup domain controller
    SV_TYPE_TIME_SOURCE         0x00000020  Server running the timesource
    SV_TYPE_AFP                 0x00000040  Apple File Protocol servers
    SV_TYPE_NOVELL              0x00000080  Novell servers
    SV_TYPE_DOMAIN_MEMBER       0x00000100  Domain Member
    SV_TYPE_PRINTQ_SERVER       0x00000200  Server sharing print queue
    SV_TYPE_DIALIN_SERVER       0x00000400  Server running dialin service.
    SV_TYPE_XENIX_SERVER        0x00000800  Xenix server
    SV_TYPE_NT                  0x00001000  NT server
    SV_TYPE_WFW                 0x00002000  Server running Windows for
    SV_TYPE_SERVER_NT           0x00008000  Windows NT non DC server
    SV_TYPE_POTENTIAL_BROWSER   0x00010000  Server that can run the browser
    SV_TYPE_BACKUP_BROWSER      0x00020000  Backup browser server
    SV_TYPE_MASTER_BROWSER      0x00040000  Master browser server
    SV_TYPE_DOMAIN_MASTER       0x00080000  Domain Master Browser server
    SV_TYPE_LOCAL_LIST_ONLY     0x40000000  Enumerate only entries marked
    SV_TYPE_DOMAIN_ENUM         0x80000000  Enumerate Domains. The pszServer
                                            and pszDomain parameters must be

    UINT32            500 - platform_id
    VOID*             pointer to name
    UINT32            5 - major version
    UINT32            4 - minor version
    UINT32            type (SV_TYPE_... bit field)
    VOID*             pointer to comment

    UNISTR2           sv101_name - unicode string of server name
    UNISTR2           sv101_comment - unicode string of server comment.

    UINT8[]           padding to get unicode string 4-byte
                      aligned with start of the SMB header.
3) MSRPC over Transact Named Pipe
---------------------------------

For details on the SMB Transact Named Pipe, see cifs6.txt

The MSRPC is conducted over an SMB Transact Pipe with a name of "\PIPE\".
You must first obtain a 16 bit file handle, by sending an SMBopenX with the
pipe name "\PIPE\srvsvc" for example. You can then perform an SMB Trans,
and must carry out an SMBclose on the file handle once you are finished.

Trans Requests must be sent with two setup UINT16s, no UINT16 params (none
known about), and UINT8 data parameters sufficient to contain the MSRPC
header and MSRPC data. The first UINT16 setup parameter must be 0x26. The
second UINT16 setup parameter must be the file handle for the pipe, obtained above.

MSRPC Responses are sent as response data inside standard SMB Trans
responses, with the MSRPC Header, MSRPC Data and MSRPC tail.

[section on MSRPC Bind and BindAck to be added once they are understood].

It is suspected that the Trans Requests will need to be at least 2-byte
aligned (probably 4-byte). This is standard practice for SMBs. It is also
independent of the observed 4-byte alignments with the start of the MSRPC
header, including the 4-byte alignment between the MSRPC header and the

[section to be rewritten, following receipt of work by Duncan Stansfield]
Interesting note: if you set the packed data representation to 0x0100 0000
then all 4-byte and 2-byte word ordering is turned around! The first byte
of the data representation selects the integer byte order: 0x10 means
little-endian, 0x00 means big-endian.

The start of each of the NTLSA and NETLOGON named pipes begins with:

    00 UINT8   5 - RPC major version
    01 UINT8   0 - RPC minor version
    02 UINT8   2 - RPC response packet (0 in a request)
    03 UINT8   3 - (FirstFrag bit-wise or with LastFrag)
    04 UINT32  0x1000 0000 - packed data representation; on the wire the
               bytes are 10 00 00 00, i.e. 0x00000010 read as a little-endian UINT32
    08 UINT16  fragment length - data size (bytes) inc header and tail.
    0A UINT16  0 - authentication length
    0C UINT32  call identifier. matches the UINT32 at offset 0x0C of the incoming request.
    10 UINT32  allocation hint - data size (bytes) minus header and tail.
    14 UINT16  0 - presentation context identifier
    16 UINT8   0 - cancel count
    17 UINT8   in replies: 0 - reserved; in requests: opnum - see #defines.
    18 ......  start of data (goes on for allocation_hint bytes)
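As an added example (my code, not from the original document or from Samba), the 24-byte request and response header laid out above, built and parsed in Python. The parser takes its integer byte order from the first data-representation byte, which is what the "interesting note" amounts to: 10 00 00 00 is little-endian, and 00 00 00 00 (the 0x0100 0000 value written as a little-endian UINT32) is big-endian. It also insists that the fragment length equals the bytes actually received, since a header that claims more than it delivers is how a transact buffer gets over-read. Bind and BindAck are left out, as they are on this page; the type values 0x0b/0x0c for them come from DCE RPC, not from this document.

```python
import struct

RPC_REQUEST, RPC_RESPONSE, RPC_BIND, RPC_BINDACK = 0x00, 0x02, 0x0b, 0x0c
FLAG_FIRST_FRAG, FLAG_LAST_FRAG = 0x01, 0x02
DREP_LE = b"\x10\x00\x00\x00"   # byte 0 bit 4 set: little-endian integers
DREP_BE = b"\x00\x00\x00\x00"   # bit clear: big-endian ("word ordering turned around")
HDR_LEN = 24                     # 16-byte common header + 8 request/response bytes

def endian(drep):
    """struct byte-order prefix selected by the data-representation byte."""
    return "<" if drep[0] & 0x10 else ">"

def build_request(opnum, call_id, stub, ctx_id=0, drep=DREP_LE):
    """Request PDU: common header, allocation hint, context id, opnum, stub."""
    e = endian(drep)
    frag_len = HDR_LEN + len(stub)
    if frag_len > 0xFFFF:
        raise ValueError("stub too large for one fragment")
    head = struct.pack("<BBBB", 5, 0, RPC_REQUEST, FLAG_FIRST_FRAG | FLAG_LAST_FRAG) + drep
    head += struct.pack(e + "HHI", frag_len, 0, call_id)          # fraglen, authlen, callid
    head += struct.pack(e + "IHH", len(stub), ctx_id, opnum)      # allochint, ctx, opnum
    return head + stub

def build_response(call_id, stub, ctx_id=0, drep=DREP_LE):
    """Response PDU: same common header, then allochint, ctx, cancel count, reserved."""
    e = endian(drep)
    head = struct.pack("<BBBB", 5, 0, RPC_RESPONSE, FLAG_FIRST_FRAG | FLAG_LAST_FRAG) + drep
    head += struct.pack(e + "HHI", HDR_LEN + len(stub), 0, call_id)
    head += struct.pack(e + "IHBB", len(stub), ctx_id, 0, 0)
    return head + stub

def parse_pdu(buf):
    """Parse one request or response PDU read from the transact data."""
    if len(buf) < HDR_LEN:
        raise ValueError("short PDU: %d bytes" % len(buf))
    ver_maj, ver_min, ptype, flags = struct.unpack_from("<BBBB", buf, 0)
    if (ver_maj, ver_min) != (5, 0):
        raise ValueError("unsupported RPC version %d.%d" % (ver_maj, ver_min))
    drep = buf[4:8]
    e = endian(drep)
    frag_len, auth_len, call_id = struct.unpack_from(e + "HHI", buf, 8)
    if frag_len != len(buf):
        raise ValueError("fragment length %d != %d bytes received" % (frag_len, len(buf)))
    if auth_len > frag_len - HDR_LEN:
        raise ValueError("authentication trailer longer than the fragment")
    pdu = dict(type=ptype, flags=flags, little_endian=(e == "<"),
               frag_length=frag_len, auth_length=auth_len, call_id=call_id)
    if ptype == RPC_REQUEST:
        alloc, ctx, opnum = struct.unpack_from(e + "IHH", buf, 16)
        pdu.update(alloc_hint=alloc, ctx_id=ctx, opnum=opnum)
    elif ptype == RPC_RESPONSE:
        alloc, ctx, cancel, _reserved = struct.unpack_from(e + "IHBB", buf, 16)
        pdu.update(alloc_hint=alloc, ctx_id=ctx, cancel_count=cancel)
    else:
        raise ValueError("PDU type 0x%02x not handled here (bind/bind_ack omitted)" % ptype)
    pdu["stub"] = buf[HDR_LEN:frag_len - auth_len]
    # The page says the hint equals the stub size on NT; in DCE RPC it is only advisory.
    pdu["alloc_hint_matches"] = (alloc == len(pdu["stub"]))
    return pdu
```

The byte-order switch is worth keeping even if you only ever send little-endian: the other side chooses the representation of its own replies, and a parser wired to "<" will read a big-endian fragment length as garbage and size its buffer from it.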
RPC_Packet for request, response, bind and bind acknowledgement.

    UINT8 versionmaj        # reply same as request (0x05)
    UINT8 versionmin        # reply same as request (0x00)
    UINT8 type              # one of the MSRPC_Type enums
    UINT8 flags             # reply same as request (0x00 for Bind, 0x03 for Request)
    UINT32 representation   # reply same as request (0x00000010)
    UINT16 fraglength       # the length of the data section of the SMB trans packet
    UINT32 callid           # call identifier. (e.g. 0x00149594)

    * stub USE TvPacket     # the remainder of the packet depending on the "type"

# the interfaces are numbered. as yet I haven't seen more than one interface
# used on the same pipe name

# abstract (0x4B324FC8, 0x01D31670, 0x475A7812, 0x88E16EBF, 0x00000003)
# transfer (0x8A885D04, 0x11C91CEB, 0x0008E89F, 0x6048102B, 0x00000002)

    UINT8 byte[16]          # 16 bytes of number
    UINT32 version          # the interface number

# the remainder of the packet after the header if "type" was Bind
# in the response header, "type" should be BindAck

    UINT16 maxtsize         # maximum transmission fragment size (0x1630)
    UINT16 maxrsize         # max receive fragment size (0x1630)
    UINT32 assocgid         # associated group id (0x0)
    UINT32 numelements      # the number of elements (0x1)
    UINT16 contextid        # presentation context identifier (0x0)
    UINT8 numsyntaxes       # the number of syntaxes (has always been 1?)(0x1)
    UINT8[]                 # 4-byte alignment padding, against SMB header

    * abstractint USE RPC_Iface    # num and vers. of interface client is using
    * transferint USE RPC_Iface    # num and vers. of interface to use for replies

    UINT16 length           # length of the string including null terminator
    * port USE string       # the string above in single byte, null terminated form

# the response to place after the header in the reply packet

    UINT16 maxtsize         # same as request
    UINT16 maxrsize         # same as request
    UINT32 assocgid         # zero

    * secondaddr USE RPC_Address   # the address string, as described earlier

    UINT8[]                 # 4-byte alignment padding, against SMB header

    UINT8 numresults        # the number of results (0x01)

    UINT8[]                 # 4-byte alignment padding, against SMB header
    UINT16 result           # result (0x00 = accept)
    UINT16 reason           # reason (0x00 = no reason specified)

    * transfersyntax USE RPC_Iface # the transfer syntax from the request

# the remainder of the packet after the header for every other

    UINT32 allochint        # the size of the stub data in bytes
    UINT16 prescontext      # presentation context identifier (0x0)
    UINT16 opnum            # operation number (0x15)

    * stub USE TvPacket     # a packet dependent on the pipe name
                            # (probably the interface) and the op number

# response to a request

    UINT32 allochint        # size of the stub data in bytes
    UINT16 prescontext      # presentation context identifier (same as request)
    UINT8 cancelcount       # cancel count? (0x0)
    UINT8 reserved          # 0 - one byte padding

    * stub USE TvPacket     # the remainder of the reply

The end of each of the NTLSA and NETLOGON named pipes ends with:
3.4 RPC Bind / Bind Ack
-----------------------

RPC Binds are the process of associating an RPC pipe (e.g \PIPE\lsarpc)
with a "transfer syntax" (see RPC_Iface structure). The purpose for doing

Note: The RPC_ReqBind SMB Transact request is sent with two uint16 setup
parameters. The first is 0x0026; the second is the file handle
returned by the SMBopenX response.

Note: The RPC_ResBind members maxtsize, maxrsize and assocgid are the
same in the response as the same members in the RPC_ReqBind. The
RPC_ResBind member transfersyntax is the same in the response as

Note: The RPC_ResBind response member secondaddr contains the name
of what is presumed to be the service behind the RPC pipe. The
mapping identified so far is:

    initial SMBopenX request:    RPC_ResBind response:

    "\\PIPE\\srvsvc"             "\\PIPE\\ntsvcs"
    "\\PIPE\\samr"               "\\PIPE\\lsass"
    "\\PIPE\\lsarpc"             "\\PIPE\\lsass"
    "\\PIPE\\wkssvc"             "\\PIPE\\wksvcs"
    "\\PIPE\\NETLOGON"           "\\PIPE\\NETLOGON"

Note: The RPC_Packet fraglength member in both the Bind Request and Bind
Acknowledgment must contain the length of the entire RPC data,
including the RPC_Packet header.
4) NTLSA Transact Named Pipe
----------------------------

Defines for this pipe, identifying the query are:

- LSA Open Policy:               0x2c
- LSA Query Info Policy:         0x07
- LSA Enumerate Trusted Domains: 0x0d
- LSA Open Secret:               0xff
- LSA Lookup SIDs:               0xfe
- LSA Lookup Names:              0xfd

Note: The policy handle can be anything you like.

    UNISTR2           server name - unicode string starting with two '\'s
    OBJ_ATTR          object attributes
    UINT32            1 - desired access

    POL_HND           LSA policy handle

    return            0 - indicates success

4.2) LSA Query Info Policy
--------------------------

Note: The info class in the response must be the same as that in the request.

    POL_HND           LSA policy handle
    UINT16            info class (also a policy handle?)

    VOID*             undocumented buffer pointer
    UINT16            info class (same as info class in request).

    DOM_INFO          domain info, levels 3 and 5 (are the same).

    return            0 - indicates success

4.3) LSA Enumerate Trusted Domains
----------------------------------

    UINT32            0 - enumeration context
    UINT32            0 - entries read
    UINT32            0 - trust information

    return            0x8000 001a - "no trusted domains" success code

    UINT32            0 - undocumented
    UINT32            0 - undocumented
    UINT32            0 - undocumented
    UINT32            0 - undocumented
    UINT32            0 - undocumented

    return            0xC000 0034 - "no such secret" success code
                      (NT_STATUS_OBJECT_NAME_NOT_FOUND)

    POL_HND           policy handle to be closed

    POL_HND           0s - closed policy handle (all zeros)

    return            0 - indicates success

Note: num_entries in the response must be the same as num_entries in the request.

    POL_HND           LSA policy handle

    VOID*             undocumented domain SID buffer pointer
    VOID*             undocumented domain name buffer pointer
    VOID*[num_entries] undocumented domain SID pointers to be looked up.
    DOM_SID[num_entries] domain SIDs to be looked up.
    char[16]          completely undocumented 16 bytes.

    DOM_REF           domain reference response

    UINT32            num_entries (listed above)
    VOID*             undocumented buffer pointer

    UINT32            num_entries (listed above)
    DOM_SID2[num_entries] domain SIDs (from Request, listed above).

    UINT32            num_entries (listed above)

    return            0 - indicates success

4.7) LSA Lookup Names
---------------------

Note: num_entries in the response must be the same as num_entries in the request.

    POL_HND           LSA policy handle

    VOID*             undocumented domain SID buffer pointer
    VOID*             undocumented domain name buffer pointer
    NAME[num_entries] names to be looked up.
    char[]            undocumented bytes - falsely translated SID structure?

    DOM_REF           domain reference response

    UINT32            num_entries (listed above)
    VOID*             undocumented buffer pointer

    UINT32            num_entries (listed above)
    DOM_RID[num_entries] domain RIDs (one per name from the Request, listed above).

    UINT32            num_entries (listed above)

    return            0 - indicates success
5) NETLOGON rpc Transact Named Pipe
-----------------------------------

Defines for this pipe, identifying the query are:

- LSA Request Challenge:    0x04
- LSA Server Password Set:  0x06
- LSA SAM Logon:            0x02
- LSA SAM Logoff:           0x03
- LSA Logon Control:        0x0e

5.1) LSA Request Challenge
--------------------------

Note: logon server name starts with two '\' characters and is upper case.

Note: logon client is the machine, not the user.

Note: the initial LanManager password hash, against which the challenge
is issued, is the machine name itself (lower case). There will be
calls issued (LSA Server Password Set) which will change this, later.
Refusing these calls allows you to always deal with the same password
(i.e. the LM# of the machine name in lower case).

    VOID*             undocumented buffer pointer
    UNISTR2           logon server unicode string
    UNISTR2           logon client unicode string
    char[8]           client challenge

    char[8]           server challenge

    return            0 - indicates success

5.2) LSA Authenticate 2
-----------------------

Note: in between request and response, calculate the client credentials,
and check them against the client-calculated credentials (this
process uses the previously received client credentials).

Note: neg_flags in the response is the same as that in the request.

Note: you must take a copy of the client-calculated credentials received
here, because they will be used in subsequent authentication packets.

    LOG_INFO          client identification info

    char[8]           client-calculated credentials
    UINT8[]           padding to 4-byte align with start of SMB header.
    UINT32            neg_flags - negotiated flags (usual value is 0x0000 01ff)

    char[8]           server credentials.
    UINT32            neg_flags - same as neg_flags in request.

    return            0 - indicates success. failure value unknown.

5.3) LSA Server Password Set
----------------------------

Note: the new password is suspected to be a DES encryption using the old
password to generate the key.

Note: in between request and response, calculate the client credentials,
and check them against the client-calculated credentials (this
process uses the previously received client credentials).

Note: the server credentials are constructed from the client-calculated
credentials and the client time + 1 second.

Note: you must take a copy of the client-calculated credentials received
here, because they will be used in subsequent authentication packets.

    CLNT_INFO         client identification/authentication info
    char[]            new password - undocumented.

    CREDS             server credentials. server time stamp appears to be ignored.

    return            0 - indicates success; 0xC000 006a (NT_STATUS_WRONG_PASSWORD)
                      indicates failure

Note: valid_user is True iff the username and password hash are valid for
the requested domain.

    SAM_INFO          sam_id structure

    VOID*             undocumented buffer pointer
    CREDS             server credentials. server time stamp appears to be ignored.

    UINT16            3 - switch value indicating USER_INFO structure.
    VOID*             non-zero - pointer to USER_INFO structure
    USER_INFO         user logon information

    UINT32            1 - Authoritative response; 0 - Non-Auth?

    return            0 - indicates success

    UINT16            0 - switch value. value to indicate no user presumed.
    VOID*             0x0000 0000 - indicates no USER_INFO structure.

    UINT32            1 - Authoritative response; 0 - Non-Auth?

    return            0xC000 0064 - NT_STATUS_NO_SUCH_USER.

--------------------

Note: presumably, the SAM_INFO structure is validated, and a (currently
undocumented) error code returned if the Logoff is invalid.

    SAM_INFO          sam_id structure

    VOID*             undocumented buffer pointer
    CREDS             server credentials. server time stamp appears to be ignored.

    return            0 - indicates success. undocumented failure indication.

6) \\MAILSLOT\NET\NTLOGON
-------------------------

Note: mailslots will contain a response mailslot, to which the response
should be sent. The target NetBIOS name is REQUEST_NAME<20>, where
REQUEST_NAME is the name of the machine that sent the request.

Note: NTversion, LMNTtoken, LM20token in response are the same as those
given in the request.

UINT16 0x0007 - Query for PDC
STR response mailslot
UINT8[] padding to 2-byte align with start of mailslot.

UINT16 0x000A - Response to Query for PDC
STR machine name (in uppercase)
UINT8[] padding to 2-byte align with start of mailslot.
UINT32 NTversion (same as received in request)
UINT16 LMNTtoken (same as received in request)
UINT16 LM20token (same as received in request)

Note: machine name in response is preceded by two '\' characters.

Note: NTversion, LMNTtoken, LM20token in response are the same as those
given in the request.

Note: user name in the response is presumably the same as that in the request.

UINT16 0x0012 - SAM Logon
UINT16 request count
STR response mailslot
UINT32 allowable account
UINT32 domain SID size
char[sid_size] domain SID, of sid_size bytes.
UINT8[] ???? padding to 4? 2? -byte align with start of mailslot.

UINT16 0x0013 - Response to SAM Logon
UNISTR user name - workstation trust account

7) SRVSVC Transact Named Pipe
-----------------------------

Defines for this pipe, identifying the query are:

- Net Share Enum : 0x0f
- Net Server Get Info : 0x15

Note: share level and switch value in the response are presumably the
same as those in the request.

Note: cifsrap2.txt (section 5) may be of limited assistance here.

VOID* pointer (to server name?)
UINT8[] padding to get unicode string 4-byte aligned
with the start of the SMB header.
VOID* pointer to SHARE_INFO_1_CTR
SHARE_INFO_1_CTR share info with 0 entries
UINT32 preferred maximum length (0xffff ffff)

VOID* pointer to SHARE_INFO_1_CTR
SHARE_INFO_1_CTR share info (only added if share info ptr is non-zero)

return 0 - indicates success

7.2) Net Server Get Info
------------------------

Note: level is the same value as in the request.

VOID* pointer to SERVER_INFO_101
SERVER_INFO_101 server info (only added if server info ptr is non-zero)

return 0 - indicates success

A1) Cryptographic side of NT Domain Authentication
--------------------------------------------------

Add(A1,A2): Intel byte ordered addition of corresponding 4 byte words
E(K,D): DES ECB encryption of 8 byte data D using 7 byte key K
lmowf(): Lan man hash
PW: md4(machine_password) == md4(lsadump $machine.acc) ==
pwdump(machine$) (initially) == md4(lmowf(unicode(machine)))
RC4(K,Lk,D,Ld): RC4 encryption of data D of length Ld with key K of
v[m..n(,l)]: subset of v from bytes m to n, optionally padded with
Cred(K,D): E(K[7..7,7],E(K[0..6],D)) computes a credential
Time(): 4 byte current time
Cc,Cs: 8 byte client and server challenges Rc,Rs: 8 byte client and
C->S ReqChal,Cc
S->C Cs

C & S compute session key Ks = E(PW[9..15],E(PW[0..6],Add(Cc,Cs)))

C: Rc = Cred(Ks,Cc)
C->S Authenticate,Rc
S: Rs = Cred(Ks,Cs), assert(Rc == Cred(Ks,Cc))
S->C Rs
C: assert(Rs == Cred(Ks,Cs))
On joining the domain the client will optionally attempt to change its
password and the domain controller may refuse to update it depending
on registry settings. This will also occur weekly afterwards.
C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc)
C->S ServerPasswordSet,Rc',Tc,rc4(Ks[0..7,16],lmowf(randompassword()))
C: Rc = Cred(Ks,Rc+Tc+1)
S: assert(Rc' == Cred(Ks,Rc+Tc)), Ts = Time()
S: Rs' = Cred(Ks,Rs+Tc+1)
S->C Rs',Ts
C: assert(Rs' == Cred(Ks,Rs+Tc+1))
S: Rs = Rs'
User: U with password P wishes to login to the domain (incidental data
such as workstation and domain omitted)
C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc)
C->S NetLogonSamLogon,Rc',Tc,U,rc4(Ks[0..7,16],16,ntowf(P),16),
rc4(Ks[0..7,16],16,lmowf(P),16)
S: assert(Rc' == Cred(Ks,Rc+Tc)) assert(passwords match those in SAM) S:
S->C Cred(Ks,Cred(Ks,Rc+Tc+1)),userinfo(logon script,UID,SIDs,etc)
C: assert(Rs == Cred(Ks,Cred(Ks,Rc+Tc+1)))
C: Rc = Cred(Ks,Rc+Tc+1)
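The ReqChal/Authenticate exchange above, as an added Go example that is not part of this document or of Samba: E, Add, SessionKey and Cred follow the A1 definitions (spreading the 7-byte key over the 8 DES key bytes is assumed, since the text does not spell it out), and ChallengeExchange replays the three steps with the 16-byte md4 machine-password hash PW supplied by the caller; the function names are my own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
)

// E is the spec's E(K,D): one DES ECB block of 8-byte D under the 7-byte K,
// spread 7 bits per DES key byte (parity bit left clear; DES discards it).
func E(k7, d []byte) []byte {
	v := binary.BigEndian.Uint64(append([]byte{0}, k7...)) // the 56 key bits
	k8 := make([]byte, 8)
	for i := range k8 {
		k8[i] = byte(v>>(49-7*uint(i))&0x7f) << 1
	}
	c, _ := des.NewCipher(k8) // error only for a wrong key length, never here
	out := make([]byte, 8)
	c.Encrypt(out, d)
	return out
}

// Add is Add(A1,A2): Intel (little-endian) addition of each 4-byte word.
func Add(a, b []byte) []byte {
	out := make([]byte, 8)
	for i := 0; i < 8; i += 4 {
		binary.LittleEndian.PutUint32(out[i:],
			binary.LittleEndian.Uint32(a[i:])+binary.LittleEndian.Uint32(b[i:]))
	}
	return out
}

// SessionKey is Ks = E(PW[9..15], E(PW[0..6], Add(Cc,Cs))), PW = md4(machine pw).
func SessionKey(pw, cc, cs []byte) []byte {
	return E(pw[9:16], E(pw[0:7], Add(cc, cs)))
}

// Cred is Cred(K,D) = E(K[7..7,7], E(K[0..6], D)): outer key is byte 7 of Ks
// zero-padded to 7 bytes.
func Cred(ks, d []byte) []byte {
	return E(append([]byte{ks[7]}, make([]byte, 6)...), E(ks[0:7], d))
}

// ChallengeExchange replays ReqChal/Authenticate: each side derives Ks from its
// own copy of PW and checks the other's credential, so it passes only if both
// copies of PW agree, which is all this step proves.
func ChallengeExchange(clientPW, serverPW, cc, cs []byte) bool {
	ksC, ksS := SessionKey(clientPW, cc, cs), SessionKey(serverPW, cc, cs)
	rc, rs := Cred(ksC, cc), Cred(ksS, cs) // C->S Authenticate,Rc ; S->C Rs
	return bytes.Equal(rc, Cred(ksS, cc)) && bytes.Equal(rs, Cred(ksC, cs))
}
```

Both challenges travel in clear, so anyone who knows PW (see the notes below on the initial machine password) can recompute Ks from the trace.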

On first joining the domain the session key could be computed by
anyone listening in on the network as the machine password has a
well-known value. Until the machine is rebooted it will use this session
key to encrypt NT and LM one-way functions of passwords which are
password equivalents. Any user who logs in before the machine has been
rebooted a second time will have their password equivalent exposed. Of
course the new machine password is exposed at this time anyway.

None of the returned user info such as logon script, profile path and
SIDs *appear* to be protected by anything other than the TCP checksum.

The server time stamps appear to be ignored.

The client sends a ReturnAuthenticator in the SamLogon request which I
can't find a use for. However its time is used as the timestamp
returned by the server.

The password OWFs should NOT be sent over the network reversibly
encrypted. They should be sent using RC4(Ks,md4(owf)) with the server
computing the same function using the owf values in the SAM.

SIDs and RIDs are well documented elsewhere.

A SID is an NT Security ID (see DOM_SID structure). They are of the form:

S-revision-NN-SubAuth1-SubAuth2-SubAuth3...
S-revision-0xNNNNNNNNNNNN-SubAuth1-SubAuth2-SubAuth3...

Currently, the SID revision is 1.
The Sub-Authorities are known as Relative IDs (RIDs).

A2.1) Well-known SIDs
---------------------

A2.1.1) Universal well-known SIDs
---------------------------------

Creator Owner ID          S-1-3-0
Creator Group ID          S-1-3-1
Creator Owner Server ID   S-1-3-2
Creator Group Server ID   S-1-3-3

(Non-unique IDs)          S-1-4

A2.1.2) NT well-known SIDs
--------------------------

AnonymousLogon            S-1-5-7      (aka null logon session)
ServerLogon               S-1-5-8      (aka domain controller account)
(Logon IDs)               S-1-5-5-X-Y
(NT non-unique IDs)       S-1-5-0x15-...
(Built-in domain)         S-1-5-0x20
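A parser for the two textual SID forms given above, as an added Go example that is not part of this document: it accepts each field in either the decimal or the 0x spelling this section mixes (S-1-5-0x15-... and S-1-5-21-... are the same SID) and prints the canonical decimal form; the SID type and function names are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SID is S-revision-authority-SubAuth1-SubAuth2-...; sub-authorities are RIDs.
type SID struct {
	Revision  uint8
	Authority uint64 // 6-byte identifier authority; 5 is the NT authority
	SubAuths  []uint32
}

// ParseSID accepts each field in decimal or 0x-hex, the two spellings the
// document uses (note base 0 also reads a leading 0 as octal, as Go does).
func ParseSID(s string) (SID, error) {
	f := strings.Split(s, "-")
	if len(f) < 3 || !strings.EqualFold(f[0], "S") {
		return SID{}, fmt.Errorf("malformed SID %q", s)
	}
	rev, err1 := strconv.ParseUint(f[1], 0, 8)
	auth, err2 := strconv.ParseUint(f[2], 0, 48)
	if err1 != nil || err2 != nil || rev != 1 { // only revision 1 is defined
		return SID{}, fmt.Errorf("bad revision or authority in %q", s)
	}
	sid := SID{Revision: uint8(rev), Authority: auth}
	for _, p := range f[3:] { // each sub-authority is a 4-byte value
		v, err := strconv.ParseUint(p, 0, 32)
		if err != nil {
			return SID{}, fmt.Errorf("bad sub-authority %q in %q", p, s)
		}
		sid.SubAuths = append(sid.SubAuths, uint32(v))
	}
	return sid, nil
}

// String is the canonical decimal form; the 0xNNNNNNNNNNNN spelling is kept
// only for an authority too wide for 32 bits, the document's second form.
func (sid SID) String() string {
	out := fmt.Sprintf("S-%d-%d", sid.Revision, sid.Authority)
	if sid.Authority > 0xffffffff {
		out = fmt.Sprintf("S-%d-0x%012X", sid.Revision, sid.Authority)
	}
	for _, r := range sid.SubAuths {
		out += "-" + strconv.FormatUint(uint64(r), 10)
	}
	return out
}
```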

A2.2) Well-known RIDs
---------------------

A RID is a sub-authority value, as part of either a SID, or in the case
of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1
structure, in the LSA SAM Logon response.

A2.2.1) Well-known RID users
----------------------------

DOMAIN_USER_RID_ADMIN          0x0000 01F4
DOMAIN_USER_RID_GUEST          0x0000 01F5

A2.2.2) Well-known RID groups
-----------------------------

DOMAIN_GROUP_RID_ADMINS        0x0000 0200
DOMAIN_GROUP_RID_USERS         0x0000 0201
DOMAIN_GROUP_RID_GUESTS        0x0000 0202

A2.2.3) Well-known RID aliases
------------------------------

DOMAIN_ALIAS_RID_ADMINS        0x0000 0220
DOMAIN_ALIAS_RID_USERS         0x0000 0221
DOMAIN_ALIAS_RID_GUESTS        0x0000 0222
DOMAIN_ALIAS_RID_POWER_USERS   0x0000 0223

DOMAIN_ALIAS_RID_ACCOUNT_OPS   0x0000 0224
DOMAIN_ALIAS_RID_SYSTEM_OPS    0x0000 0225
DOMAIN_ALIAS_RID_PRINT_OPS     0x0000 0226
DOMAIN_ALIAS_RID_BACKUP_OPS    0x0000 0227

DOMAIN_ALIAS_RID_REPLICATOR    0x0000 0228