!== cifsntdomain.txt for Samba release 1.9.18alpha2 22 Oct 1997

NT Domain Authentication
------------------------

Authors:      - Luke Kenneth Casson Leighton (lkcl@switchboard.net)
                Copyright (C) 1997 Luke Kenneth Casson Leighton
              - Paul Ashton (paul@argo.demon.co.uk)
                Copyright (C) 1997 Paul Ashton

Version:      0.017 (20oct97)

Distribution: Unlimited and encouraged, for the purposes of implementation
              and comments. Feedback welcomed by the authors.

Liability:    Absolutely none accepted implicitly or explicitly, direct
              or consequentially, for use, abuse, misuse, lack of use,
              misunderstandings, mistakes, omissions, mis-information for
              anything in or not in, related to or pertaining to this
              document or anything else that a lawyer can think of or not

Warning:      Please bear in mind that an incorrect implementation of this
              protocol can cause NT workstation to fail irrevocably, for
              which the authors accept no liability (see above). Please
              contact your vendor if you have any problems.

Sources:      - Packet Traces from Netmonitor (Service Pack 1 and above)
              - Paul Ashton and Luke Leighton's other "NT Domain" doc.
              - CIFS documentation - cifs6.txt
              - CIFS documentation - cifsrap2.txt

Original:     http://mailhost.cb1.com/~lkcl/cifsntdomain.txt.
              (Controlled copy maintained by lkcl@switchboard.net)

Credits:      - Paul Ashton: loads of work with Net Monitor;
                understanding the NT authentication system;
                reference implementation of the NT domain support on which
                this document is originally based.
              - Linus Nordberg: producing c-code from Paul's crypto spec.
              - Windows Sourcer development team
2) Structures and notes
3) Transact Named Pipe Header/Tail
4) NTLSA Transact Named Pipe
   4.2) LSA Query Info Policy
   4.3) LSA Enumerate Trusted Domains
5) NETLOGON rpc Transact Named Pipe
   5.1) LSA Request Challenge
   5.2) LSA Authenticate 2
   5.3) LSA Server Password Set
6) \\MAILSLOT\NET\NTLOGON
7) SRVSVC Transact Named Pipe
   7.2) Net Server Get Info
A1) Cryptographic side of NT Domain Authentication
This document contains information to provide an NT workstation with login
services, without the need for an NT server.

It should be possible to select a domain instead of a workgroup (in the NT
workstation's TCP/IP settings) and after the obligatory reboot, type in a
username, password, select a domain and successfully log in. I would
appreciate any feedback on your experiences with this process, and any
comments, corrections and additions to this document.

The packets described here can be easily derived from (and are probably
better understood using) Netmon.exe. You will need to use the version
of Netmon that matches your system, in order to correctly decode the
NETLOGON, lsarpc and srvsvc Transact pipes. This document is derived from
NT Service Pack 1 and its corresponding version of Netmon. It is intended
that an annotated packet trace be produced, which will likely be more
instructive than this document.

Also needed, to fully implement NT Domain Login Services, is the
document describing the cryptographic part of the NT authentication.
This document is available from comp.protocols.smb; from the ntsecurity.net
digest and from the samba digest, amongst other sources.

A copy is available from:

http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708&L=ntbugtraq&O=A&P=2935
http://mailhost.cb1.com/~lkcl/crypt.html

A c-code implementation, provided by Linus Nordberg <linus@incolumitas.se>
of this protocol is available from:

http://samba.anu.edu.au/cgi-bin/mfs/01/digest/1997/97aug/0391.html
http://mailhost.cb1.com/~lkcl/crypt.txt

Also used to provide debugging information is the Check Build version of
NT workstation, and enabling full debugging in NETLOGON. This is
achieved by setting the following REG_SZ registry key to 0x1ffffff:

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

- Incorrect direct editing of the registry can cause your machine to fail.
  Then again, so can incorrect implementation of this protocol.
  See "Liability:" above.

Bear in mind that each packet over-the-wire will have its origin in an
API call. Therefore, there are likely to be structures, enumerations
and defines that are usefully documented elsewhere.

This document is by no means complete or authoritative. Missing sections
include, but are not limited to:

- the meaning (and use by NT) of SIDs and RIDs.

- mappings of RIDs to usernames (and vice-versa).

- what a User ID is and what a Group ID is.

- the exact meaning/definition of various magic constants or enumerations.

- the reply error code and use of that error code when a workstation
  becomes a member of a domain (to be described later). Failure to
  return this error code will make the workstation report that it is
  already a member of the domain.

- the cryptographic side of the NetrServerPasswordSet command, which would
  allow the workstation to change its password. This password is used to
  generate the long-term session key. [It is possible to reject this
  command, and keep the default workstation password].
2) Notes and Structures
-----------------------

- In the SMB Transact pipes, some "Structures", described here, appear to be
  4-byte aligned with the SMB header, at their start. Exactly which
  "Structures" need aligning is not precisely known or documented.

- In the UDP NTLOGON Mailslots, some "Structures", described here, appear to be
  2-byte aligned with the start of the mailslot, at their start.

- Domain SID is of the format S-revision-version-auth1-auth2...authN,
  e.g. S-1-5-123-456-789-123-456. The 5 could be a sub-revision.

- Any undocumented buffer pointers must be non-zero if the string buffer it
  refers to contains characters. Exactly what value they should be is unknown;
  0x0000 0002 seems to do the trick to indicate that the buffer exists. A
  NULL buffer pointer indicates that the string buffer is of zero length.
  If the buffer pointer is NULL, then it is suspected that the structure it
  refers to is NOT put into (or taken out of) the SMB data stream. This is
  empirically derived from, for example, the LSA SAM Logon response packet,
  where if the buffer pointer is NULL, the user information is not inserted
  into the data stream. Exactly what happens with an array of buffer pointers
  is not known, although an educated guess can be made.

- An array of structures (a container) appears to have a count and a pointer.
  If the count is zero, the pointer is also zero, and no further data is put
  into or taken out of the SMB data stream. If the count is non-zero, then
  the pointer is also non-zero. Immediately following the pointer is the
  count again, followed by an array of container sub-structures. The count
  appears a third time after the last sub-structure.
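The pointer and container conventions above, as an added Go example (not code from this document or from Samba): a parser that reads a container from a little-endian data stream and rejects the combinations the notes rule out, namely a non-zero count with a NULL pointer, disagreeing counts, or a stream that ends early. The 4-byte sub-structure and the sample bytes are constructed; the document does not say what a container element holds.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Reader walks a little-endian SMB data stream, tracking the offset consumed.
type Reader struct {
	buf []byte
	off int
}

// Uint32 reads one little-endian 4-byte word, refusing to run past the end.
func (r *Reader) Uint32() (uint32, error) {
	if r.off+4 > len(r.buf) {
		return 0, fmt.Errorf("truncated stream at offset %d", r.off)
	}
	v := binary.LittleEndian.Uint32(r.buf[r.off:])
	r.off += 4
	return v, nil
}

// ParseContainer reads: count, pointer, then (only when count is non-zero)
// the count again, count sub-structures parsed by elem, and the count a
// third time. maxEntries bounds the count before it drives any loop.
func ParseContainer(r *Reader, maxEntries uint32, elem func(*Reader) error) (uint32, error) {
	count, err := r.Uint32()
	if err != nil {
		return 0, err
	}
	ptr, err := r.Uint32()
	if err != nil {
		return 0, err
	}
	switch {
	case count == 0 && ptr != 0:
		return 0, fmt.Errorf("zero count but non-NULL buffer pointer %#x", ptr)
	case count == 0:
		return 0, nil // nothing further is in the stream for this container
	case ptr == 0:
		return 0, fmt.Errorf("count %d but NULL buffer pointer", count)
	case count > maxEntries:
		return 0, fmt.Errorf("count %d exceeds limit %d", count, maxEntries)
	}
	if c2, err := r.Uint32(); err != nil {
		return 0, err
	} else if c2 != count {
		return 0, fmt.Errorf("repeated count %d disagrees with %d", c2, count)
	}
	for i := uint32(0); i < count; i++ {
		if err := elem(r); err != nil {
			return 0, fmt.Errorf("entry %d: %w", i, err)
		}
	}
	if c3, err := r.Uint32(); err != nil {
		return 0, err
	} else if c3 != count {
		return 0, fmt.Errorf("trailing count %d disagrees with %d", c3, count)
	}
	return count, nil
}

// ParseUint32Container parses a container whose sub-structures are single
// 4-byte words (a constructed element type) and returns them in order.
func ParseUint32Container(stream []byte) ([]uint32, error) {
	entries := []uint32{}
	_, err := ParseContainer(&Reader{buf: stream}, 1024, func(r *Reader) error {
		v, err := r.Uint32()
		entries = append(entries, v)
		return err
	})
	if err != nil {
		return nil, err
	}
	return entries, nil
}

func main() {
	// Constructed stream: two entries, buffer pointer 0x00000002 (the value
	// the document reports as sufficient), count repeated before and after.
	sample := []byte{2, 0, 0, 0, 2, 0, 0, 0, 2, 0, 0, 0,
		0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22, 2, 0, 0, 0}
	entries, err := ParseUint32Container(sample)
	fmt.Printf("entries=%#x err=%v\n", entries, err)
}
```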
- sizeof VOID* is 32 bits.

- sizeof char is 8 bits.

- UTIME is 32 bits, indicating time in seconds since 01jan1970. Documented
  in cifs6.txt (section 3.5, page 30).

- NTTIME is 64 bits. Documented in cifs6.txt (section 3.5, page 30).

- DOM_SID (domain SID structure) :

  UINT32              num of sub-authorities in domain SID
  UINT8               SID revision number
  UINT8               num of sub-authorities in domain SID
  UINT8[6]            6 bytes for domain SID - Identifier Authority.
  UINT16[n_subauths]  domain SID sub-authorities

  Note: the domain SID is documented elsewhere.

  char[]              null-terminated string of ascii characters.

- UNIHDR (unicode string header) :

  UINT16    length of unicode string
  UINT16    max length of unicode string
  UINT32    4 - undocumented.

- UNIHDR2 (unicode string header plus buffer pointer) :

  UNIHDR    unicode string header
  VOID*     undocumented buffer pointer

- UNISTR (unicode string) :

  UINT16[]  null-terminated string of unicode characters.

- NAME (length-indicated unicode string) :

  UINT32    length of unicode string
  UINT16[]  null-terminated string of unicode characters.

- UNISTR2 (aligned unicode string) :

  UINT8[]   padding to get unicode string 4-byte aligned
            with the start of the SMB header.
  UINT32    max length of unicode string
  UINT32    0 - undocumented
  UINT32    length of unicode string
  UINT16[]  string of unicode characters.

- POL_HND (LSA policy handle) :

  char[20]  policy handle

- DOM_SID2 (domain SID structure, SIDS stored in unicode) :

  UINT32    0 - undocumented
  UNIHDR2   domain SID unicode string header
  UNISTR    domain SID unicode string

  Note: there is a conflict between the unicode string header and the
        unicode string itself as to which to use to indicate string
        length. This will need to be resolved.

  Note: the SID type indicates, for example, an alias; a well-known group etc.
        This is documented somewhere.
- DOM_RID (domain RID structure) :

  UINT32    5 - well-known SID. 1 - user SID (see ShowACLs)
  UINT32    5 - undocumented
  UINT32    0 - domain index out of above reference domains

- LOG_INFO (server, account, client structure) :

  Note: logon server name starts with two '\' characters and is upper case.

  Note: account name is the logon client name from the LSA Request Challenge,
        with a $ on the end of it, in upper case.

  VOID*     undocumented buffer pointer
  UNISTR2   logon server unicode string
  UNISTR2   account name unicode string
  UINT16    sec_chan - security channel type
  UNISTR2   logon client machine unicode string

- CLNT_SRV (server, client names structure) :

  Note: logon server name starts with two '\' characters and is upper case.

  VOID*     undocumented buffer pointer
  UNISTR2   logon server unicode string
  VOID*     undocumented buffer pointer
  UNISTR2   logon client machine unicode string

- CREDS (credentials + time stamp)

- CLNT_INFO2 (server, client structure, client credentials) :

  Note: whenever this structure appears in a request, you must take a copy
        of the client-calculated credentials received, because they will be
        used in subsequent credential checks. The presumed intention is to
        maintain an authenticated request/response trail.

  CLNT_SRV  client and server names
  UINT8[]   ???? padding, for 4-byte alignment with SMB header.
  VOID*     pointer to client credentials.
  CREDS     client-calculated credentials + client time

- CLNT_INFO (server, account, client structure, client credentials) :

  Note: whenever this structure appears in a request, you must take a copy
        of the client-calculated credentials received, because they will be
        used in subsequent credential checks. The presumed intention is to
        maintain an authenticated request/response trail.

  LOG_INFO  logon account info
  CREDS     client-calculated credentials + client time

- ID_INFO_1 (id info structure, auth level 1) :

  UNIHDR    domain name unicode header
  UNIHDR    user name unicode header
  UNIHDR    workgroup name unicode header
  char[16]  rc4 LM OWF Password
  char[16]  rc4 NT OWF Password
  UNISTR2   domain name unicode string
  UNISTR2   user name unicode string
  UNISTR2   workgroup name unicode string

- SAM_INFO (sam logon/logoff id info structure) :

  CLNT_INFO2  client identification/authentication info
  VOID*       pointer to return credentials.
  CRED        return credentials - ignored.

  switch (switch_value)

- GID (group id info) :

  UINT32    user attributes (only used by NT 3.1 and 3.51)

- DOM_REF (domain reference info) :

  VOID*     undocumented buffer pointer.
  UINT32    num referenced domains?
  VOID*     undocumented domain name buffer pointer.
  UINT32    32 - max number of entries
  UINT32    4 - num referenced domains?

  UNIHDR2   domain name unicode string header
  UNIHDR2[num_ref_doms-1]  referenced domain unicode string headers

  UNISTR    domain name unicode string
  DOM_SID[num_ref_doms]    referenced domain SIDs

- DOM_INFO (domain info, levels 3 and 5 are the same) :

  UINT8[]   ??? padding to get 4-byte alignment with start of SMB header
  UINT16    domain name string length * 2
  UINT16    domain name string length * 2
  VOID*     undocumented domain name string buffer pointer
  VOID*     undocumented domain SID string buffer pointer
  UNISTR2   domain name (unicode string)

- USER_INFO (user logon info) :

  NTTIME    password last set time
  NTTIME    password can change time
  NTTIME    password must change time

  UNIHDR    username unicode string header
  UNIHDR    user's full name unicode string header
  UNIHDR    logon script unicode string header
  UNIHDR    profile path unicode string header
  UNIHDR    home directory unicode string header
  UNIHDR    home directory drive unicode string header

  UINT16    bad password count

  VOID*     undocumented buffer pointer to groups.

  char[16]  unused user session key

  UNIHDR    logon server unicode string header
  UNIHDR    logon domain unicode string header
  VOID*     undocumented logon domain id pointer
  char[40]  40 undocumented padding bytes. future expansion?

  UINT32    0 - num_other_sids?
  VOID*     NULL - undocumented pointer to other domain SIDs.

  UNISTR2   username unicode string
  UNISTR2   user's full name unicode string
  UNISTR2   logon script unicode string
  UNISTR2   profile path unicode string
  UNISTR2   home directory unicode string
  UNISTR2   home directory drive unicode string

  GID[num_groups]    group info

  UNISTR2   logon server unicode string
  UNISTR2   logon domain unicode string

  DOM_SID[num_sids]  other domain SIDs?
- SH_INFO_1_PTR (pointers to level 1 share info strings):

  Note: see cifsrap2.txt section 5, page 10.

  0 for shi1_type indicates a Disk.
  1 for shi1_type indicates a Print Queue.
  2 for shi1_type indicates a Device.
  3 for shi1_type indicates an IPC pipe.
  0x8000 0000 (top bit set in shi1_type) indicates a hidden share.

  VOID*     shi1_netname - pointer to net name
  UINT32    shi1_type - type of share. 0 - undocumented.
  VOID*     shi1_remark - pointer to comment.

- SH_INFO_1_STR (level 1 share info strings) :

  UNISTR2   shi1_netname - unicode string of net name
  UNISTR2   shi1_remark - unicode string of comment.

  share container with 0 entries:

  UINT32    0 - EntriesRead

  share container with > 0 entries:

  UINT32    non-zero - Buffer

  SH_INFO_1_PTR[EntriesRead]  share entry pointers
  SH_INFO_1_STR[EntriesRead]  share entry strings

  UINT8[]   padding to get unicode string 4-byte
            aligned with start of the SMB header.

  Note: see cifs6.txt section 6.4 - the fields described therein will be
        of assistance here. For example, the type listed below is the
        same as fServerType, which is described in 6.4.1.

  SV_TYPE_WORKSTATION        0x00000001  All workstations
  SV_TYPE_SERVER             0x00000002  All servers
  SV_TYPE_SQLSERVER          0x00000004  Any server running with SQL
  SV_TYPE_DOMAIN_CTRL        0x00000008  Primary domain controller
  SV_TYPE_DOMAIN_BAKCTRL     0x00000010  Backup domain controller
  SV_TYPE_TIME_SOURCE        0x00000020  Server running the timesource
  SV_TYPE_AFP                0x00000040  Apple File Protocol servers
  SV_TYPE_NOVELL             0x00000080  Novell servers
  SV_TYPE_DOMAIN_MEMBER      0x00000100  Domain Member
  SV_TYPE_PRINTQ_SERVER      0x00000200  Server sharing print queue
  SV_TYPE_DIALIN_SERVER      0x00000400  Server running dialin service.
  SV_TYPE_XENIX_SERVER       0x00000800  Xenix server
  SV_TYPE_NT                 0x00001000  NT server
  SV_TYPE_WFW                0x00002000  Server running Windows for
  SV_TYPE_SERVER_NT          0x00008000  Windows NT non DC server
  SV_TYPE_POTENTIAL_BROWSER  0x00010000  Server that can run the browser
  SV_TYPE_BACKUP_BROWSER     0x00020000  Backup browser server
  SV_TYPE_MASTER_BROWSER     0x00040000  Master browser server
  SV_TYPE_DOMAIN_MASTER      0x00080000  Domain Master Browser server
  SV_TYPE_LOCAL_LIST_ONLY    0x40000000  Enumerate only entries marked
  SV_TYPE_DOMAIN_ENUM        0x80000000  Enumerate Domains. The pszServer
                                         and pszDomain parameters must be

  UINT32    500 - platform_id
  VOID*     pointer to name
  UINT32    5 - major version
  UINT32    4 - minor version
  UINT32    type (SV_TYPE_... bit field)
  VOID*     pointer to comment

  UNISTR2   sv101_name - unicode string of server name
  UNISTR2   sv_101_comment - unicode string of server comment.

  UINT8[]   padding to get unicode string 4-byte
            aligned with start of the SMB header.
3) Transact Named Pipe Header/Tail
----------------------------------

Interesting note: if you set packed data representation to 0x0100 0000 then
all 4-byte and 2-byte word ordering is turned around.

The start of each of the NTLSA and NETLOGON named pipes begins with:

  00  UINT8   5 - RPC major version
  01  UINT8   0 - RPC minor version
  02  UINT8   2 - RPC response packet
  03  UINT8   3 - first frag + last frag
  04  UINT32  0x1000 0000 - packed data representation
  08  UINT16  fragment length - data size (bytes) inc header and tail.
  0A  UINT16  0 - authentication length
  0C  UINT32  call identifier. matches 12th UINT32 of incoming RPC data.
  10  UINT32  allocation hint - data size (bytes) minus header and tail.
  14  UINT16  0 - presentation context identifier
  16  UINT8   0 - cancel count
  17  UINT8   0 - reserved
  18  ......  start of data (goes on for allocation_hint bytes)

The end of each of the NTLSA and NETLOGON named pipes ends with:
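An added Go example (not part of the document, and not Samba's code) that encodes and decodes the 24-byte header above, choosing the integer byte order from the data representation byte as the note at the top of this section describes, and checking the fragment length and allocation hint against the bytes actually received before either is used to size a buffer. The tail is not given on this page, so the sample header assumes none.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// RPCHeader is the 24-byte header that starts each NTLSA and NETLOGON
// named-pipe message, in the field order listed above.
type RPCHeader struct {
	MajorVersion, MinorVersion uint8   // 5, 0
	PacketType, Flags          uint8   // 2 = response; 3 = first + last frag
	DataRep                    [4]byte // packed data representation
	FragLength                 uint16  // bytes in the fragment incl. header and tail
	AuthLength                 uint16
	CallID                     uint32 // matches the request's call identifier
	AllocHint                  uint32 // data bytes, excluding header and tail
	ContextID                  uint16
	CancelCount, Reserved      uint8
}

const RPCHeaderLen = 24

// byteOrder follows the data representation byte: 0x10 is the usual Intel
// (little-endian) order, while the 0x01 0x00 0x00 0x00 case noted above
// turns every 2- and 4-byte word around.
func (h *RPCHeader) byteOrder() binary.ByteOrder {
	if h.DataRep[0]&0xF0 == 0x10 {
		return binary.LittleEndian
	}
	return binary.BigEndian
}

// ParseRPCHeader decodes a header and checks the length fields against the
// bytes actually received before a caller sizes any buffer from them.
func ParseRPCHeader(b []byte) (*RPCHeader, error) {
	if len(b) < RPCHeaderLen {
		return nil, fmt.Errorf("need %d header bytes, got %d", RPCHeaderLen, len(b))
	}
	h := &RPCHeader{MajorVersion: b[0], MinorVersion: b[1], PacketType: b[2], Flags: b[3]}
	copy(h.DataRep[:], b[4:8])
	if h.MajorVersion != 5 || h.MinorVersion != 0 {
		return nil, fmt.Errorf("unsupported RPC version %d.%d", h.MajorVersion, h.MinorVersion)
	}
	bo := h.byteOrder()
	h.FragLength = bo.Uint16(b[8:10])
	h.AuthLength = bo.Uint16(b[10:12])
	h.CallID = bo.Uint32(b[12:16])
	h.AllocHint = bo.Uint32(b[16:20])
	h.ContextID = bo.Uint16(b[20:22])
	h.CancelCount, h.Reserved = b[22], b[23]
	switch {
	case int(h.FragLength) < RPCHeaderLen:
		return nil, fmt.Errorf("fragment length %d shorter than the header", h.FragLength)
	case int(h.FragLength) > len(b):
		return nil, fmt.Errorf("fragment length %d exceeds %d bytes received", h.FragLength, len(b))
	case h.AllocHint > uint32(h.FragLength)-RPCHeaderLen:
		return nil, fmt.Errorf("allocation hint %d exceeds the fragment payload", h.AllocHint)
	}
	return h, nil
}

// Marshal encodes the header in the byte order its DataRep announces.
func (h *RPCHeader) Marshal() []byte {
	b := make([]byte, RPCHeaderLen)
	b[0], b[1], b[2], b[3] = h.MajorVersion, h.MinorVersion, h.PacketType, h.Flags
	copy(b[4:8], h.DataRep[:])
	bo := h.byteOrder()
	bo.PutUint16(b[8:10], h.FragLength)
	bo.PutUint16(b[10:12], h.AuthLength)
	bo.PutUint32(b[12:16], h.CallID)
	bo.PutUint32(b[16:20], h.AllocHint)
	bo.PutUint16(b[20:22], h.ContextID)
	b[22], b[23] = h.CancelCount, h.Reserved
	return b
}

func main() {
	// Constructed response header: version 5.0, type 2, first + last frag,
	// Intel order, call id 7, 20 payload bytes; no tail assumed (not given here).
	h := &RPCHeader{MajorVersion: 5, PacketType: 2, Flags: 3, DataRep: [4]byte{0x10},
		FragLength: RPCHeaderLen + 20, CallID: 7, AllocHint: 20}
	parsed, err := ParseRPCHeader(append(h.Marshal(), make([]byte, 20)...))
	fmt.Printf("%+v err=%v\n", parsed, err)
}
```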
4) NTLSA Transact Named Pipe
----------------------------

Defines for this pipe, identifying the query are:

- LSA Open Policy:               0x2c
- LSA Query Info Policy:         0x07
- LSA Enumerate Trusted Domains: 0x0d
- LSA Open Secret:               0xff
- LSA Lookup SIDs:               0xfe
- LSA Lookup Names:              0xfd

Note: The policy handle can be anything you like.

  POL_HND   LSA policy handle

  return 0 - indicates success

4.2) LSA Query Info Policy
--------------------------

Note: The info class in response must be the same as that in the request.

  POL_HND   LSA policy handle
  UINT16    info class (also a policy handle?)

  VOID*     undocumented buffer pointer
  UINT16    info class (same as info class in request).

  DOM_INFO  domain info, levels 3 and 5 (are the same).

  return 0 - indicates success

4.3) LSA Enumerate Trusted Domains
----------------------------------

  UINT32    0 - enumeration context
  UINT32    0 - entries read
  UINT32    0 - trust information

  return 0x8000 001a - "no trusted domains" success code

  UINT32    0 - undocumented
  UINT32    0 - undocumented
  UINT32    0 - undocumented
  UINT32    0 - undocumented
  UINT32    0 - undocumented

  return 0x0C00 0034 - "no such secret" success code

  UINT32    0 - undocumented
  UINT32    0 - undocumented
  UINT32    0 - undocumented
  UINT32    0 - undocumented
  UINT32    0 - undocumented

  return 0 - indicates success

Note: num_entries in response must be same as num_entries in request.

  POL_HND   LSA policy handle

  VOID*     undocumented domain SID buffer pointer
  VOID*     undocumented domain name buffer pointer
  VOID*[num_entries]    undocumented domain SID pointers to be looked up.
  DOM_SID[num_entries]  domain SIDs to be looked up.
  char[16]  completely undocumented 16 bytes.

  DOM_REF   domain reference response

  UINT32    num_entries (listed above)
  VOID*     undocumented buffer pointer

  UINT32    num_entries (listed above)
  DOM_SID2[num_entries] domain SIDs (from Request, listed above).

  UINT32    num_entries (listed above)

  return 0 - indicates success

4.7) LSA Lookup Names
---------------------

Note: num_entries in response must be same as num_entries in request.

  POL_HND   LSA policy handle

  VOID*     undocumented domain SID buffer pointer
  VOID*     undocumented domain name buffer pointer
  NAME[num_entries]  names to be looked up.
  char[]    undocumented bytes - falsely translated SID structure?

  DOM_REF   domain reference response

  UINT32    num_entries (listed above)
  VOID*     undocumented buffer pointer

  UINT32    num_entries (listed above)
  DOM_RID[num_entries]  domain SIDs (from Request, listed above).

  UINT32    num_entries (listed above)

  return 0 - indicates success
5) NETLOGON rpc Transact Named Pipe
-----------------------------------

Defines for this pipe, identifying the query are:

- LSA Request Challenge:   0x04
- LSA Server Password Set: 0x06
- LSA SAM Logon:           0x02
- LSA SAM Logoff:          0xfc
- LSA Logon Control:       0x0e

5.1) LSA Request Challenge
--------------------------

Note: logon server name starts with two '\' characters and is upper case.

Note: logon client is the machine, not the user.

Note: the initial LanManager password hash, against which the challenge
      is issued, is the machine name itself (lower case). There will be
      calls issued (LSA Server Password Set) which will change this, later.
      Refusing these calls allows you to always deal with the same password
      (i.e. the LM# of the machine name in lower case).

  VOID*     undocumented buffer pointer
  UNISTR2   logon server unicode string
  UNISTR2   logon client unicode string
  char[8]   client challenge

  char[8]   server challenge

  return 0 - indicates success

5.2) LSA Authenticate 2
-----------------------

Note: in between request and response, calculate the client credentials,
      and check them against the client-calculated credentials (this
      process uses the previously received client credentials).

Note: neg_flags in the response is the same as that in the request.

Note: you must take a copy of the client-calculated credentials received
      here, because they will be used in subsequent authentication packets.

  LOG_INFO  client identification info

  char[8]   client-calculated credentials
  UINT8[]   padding to 4-byte align with start of SMB header.
  UINT32    neg_flags - negotiated flags (usual value is 0x0000 01ff)

  char[8]   server credentials.
  UINT32    neg_flags - same as neg_flags in request.

  return 0 - indicates success. failure value unknown.

5.3) LSA Server Password Set
----------------------------

Note: the new password is suspected to be a DES encryption using the old
      password to generate the key.

Note: in between request and response, calculate the client credentials,
      and check them against the client-calculated credentials (this
      process uses the previously received client credentials).

Note: the server credentials are constructed from the client-calculated
      credentials and the client time + 1 second.

Note: you must take a copy of the client-calculated credentials received
      here, because they will be used in subsequent authentication packets.

  CLNT_INFO client identification/authentication info
  char[]    new password - undocumented.

  CREDS     server credentials. server time stamp appears to be ignored.

  return 0 - indicates success; 0xC000 006a indicates failure

Note: valid_user is True iff the username and password hash are valid for
      the requested domain.

  SAM_INFO  sam_id structure

  VOID*     undocumented buffer pointer
  CREDS     server credentials. server time stamp appears to be ignored.

  UINT16    3 - switch value indicating USER_INFO structure.
  VOID*     non-zero - pointer to USER_INFO structure
  USER_INFO user logon information

  UINT32    1 - Authoritative response; 0 - Non-Auth?

  return 0 - indicates success

  UINT16    0 - switch value. value to indicate no user presumed.
  VOID*     0x0000 0000 - indicates no USER_INFO structure.

  UINT32    1 - Authoritative response; 0 - Non-Auth?

  return 0xC000 0064 - NT_STATUS_NO_SUCH_USER.

Note: presumably, the SAM_INFO structure is validated, and a (currently
      undocumented) error code returned if the Logoff is invalid.

  SAM_INFO  sam_id structure

  VOID*     undocumented buffer pointer
  CREDS     server credentials. server time stamp appears to be ignored.

  return 0 - indicates success. undocumented failure indication.
6) \\MAILSLOT\NET\NTLOGON
-------------------------

Note: mailslots will contain a response mailslot, to which the response
      should be sent. The target NetBIOS name is REQUEST_NAME<20>, where
      REQUEST_NAME is the name of the machine that sent the request.

Note: NTversion, LMNTtoken, LM20token in response are the same as those
      given in the request.

  UINT16    0x0007 - Query for PDC

  STR       response mailslot
  UINT8[]   padding to 2-byte align with start of mailslot.

  UINT16    0x000A - Response to Query for PDC
  STR       machine name (in uppercase)
  UINT8[]   padding to 2-byte align with start of mailslot.

  UINT32    NTversion (same as received in request)
  UINT16    LMNTtoken (same as received in request)
  UINT16    LM20token (same as received in request)

Note: machine name in response is preceded by two '\' characters.

Note: NTversion, LMNTtoken, LM20token in response are the same as those
      given in the request.

Note: user name in the response is presumably the same as that in the request.

  UINT16    0x0012 - SAM Logon

  STR       response mailslot
  UINT32    allowable account
  UINT32    domain SID size
  char[sid_size]  domain SID, of sid_size bytes.
  UINT8[]   ???? padding to 4? 2? -byte align with start of mailslot.

  UINT16    0x0013 - Response to SAM Logon

  UNISTR    user name - workstation trust account
7) SRVSVC Transact Named Pipe
-----------------------------

Defines for this pipe, identifying the query are:

- Net Share Enum      : 0x0f
- Net Server Get Info : 0x15

Note: share level and switch value in the response are presumably the
      same as those in the request.

Note: cifsrap2.txt (section 5) may be of limited assistance here.

  VOID*     pointer (to server name?)

  UINT8[]   padding to get unicode string 4-byte aligned
            with the start of the SMB header.

  VOID*     pointer to SHARE_INFO_1_CTR
  SHARE_INFO_1_CTR  share info with 0 entries

  UINT32    preferred maximum length (0xffff ffff)

  VOID*     pointer to SHARE_INFO_1_CTR
  SHARE_INFO_1_CTR  share info (only added if share info ptr is non-zero)

  return 0 - indicates success

7.2) Net Server Get Info
------------------------

Note: level is the same value as in the request.

  VOID*     pointer to SERVER_INFO_101

  SERVER_INFO_101  server info (only added if server info ptr is non-zero)

  return 0 - indicates success
A1) Cryptographic side of NT Domain Authentication
--------------------------------------------------

Add(A1,A2):     Intel byte ordered addition of corresponding 4 byte
                words in arrays A1 and A2

E(K,D):         DES ECB encryption of 8 byte data D using 7 byte key K

lmowf():        Lan man hash

PW:             md4(machine_password) == md4(lsadump $machine.acc)
                == pwdump(machine$)
                (initially) == md4(lmowf(unicode(machine)))

RC4(K,Lk,D,Ld): RC4 encryption of data D of length Ld with key K

v[m..n(,l)]:    subset of v from bytes m to n, optionally padded
                with zeroes to length l

Cred(K,D):      E(K[7..7,7],E(K[0..6],D)) computes a credential

Time():         4 byte current time

Cc,Cs:          8 byte client and server challenges
Rc,Rs:          8 byte client and server credentials
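The primitives Subset, Add, E and Cred defined above, as an added Go example (not the document's or Samba's code) built on the standard-library DES. The 7-byte to 8-byte DES key expansion is not given on this page; the block assumes the LanManager layout used by Samba's str_to_key. The protocol steps that combine these primitives into a credential exchange are not on this page and are not shown.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// Subset implements v[m..n(,l)]: bytes m to n of v inclusive, zero-padded
// to length l.
func Subset(v []byte, m, n, l int) []byte {
	out := make([]byte, l)
	copy(out, v[m:n+1])
	return out
}

// Add implements Add(A1,A2): each corresponding 4-byte word is read in
// Intel (little-endian) order, added modulo 2^32 and written back.
// Both arrays are expected to have the same length (8 bytes for credentials).
func Add(a1, a2 []byte) []byte {
	out := make([]byte, len(a1))
	for i := 0; i+4 <= len(a1); i += 4 {
		sum := binary.LittleEndian.Uint32(a1[i:]) + binary.LittleEndian.Uint32(a2[i:])
		binary.LittleEndian.PutUint32(out[i:], sum)
	}
	return out
}

// ExpandKey spreads a 7-byte key over the 8 bytes crypto/des expects.
// Assumption: the LanManager layout used by Samba's str_to_key, with the
// 56 key bits in the high 7 bits of each byte; DES ignores the low bit.
func ExpandKey(k7 []byte) []byte {
	k := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// E implements E(K,D): DES ECB encryption of the 8-byte block D under the
// 7-byte key K (a single block, so ECB is one cipher call).
func E(k7, d []byte) []byte {
	c, err := des.NewCipher(ExpandKey(k7))
	if err != nil {
		panic(err) // only reachable if ExpandKey returned a non-8-byte key
	}
	out := make([]byte, 8)
	c.Encrypt(out, d)
	return out
}

// Cred implements Cred(K,D) = E(K[7..7,7], E(K[0..6], D)) for an 8-byte
// session key K: the inner DES uses the first 7 key bytes, the outer one
// uses byte 7 padded with zeroes to 7 bytes.
func Cred(k, d []byte) []byte {
	return E(Subset(k, 7, 7, 7), E(Subset(k, 0, 6, 7), d))
}

func main() {
	// Constructed sample values; not a session key or challenge from a real exchange.
	k := []byte{0, 1, 2, 3, 4, 5, 6, 7}
	cc := []byte("clientCh")
	fmt.Printf("Cred(K,Cc) = %x\n", Cred(k, cc))
	fmt.Printf("Add(Cc,1)  = %x\n", Add(cc, []byte{1, 0, 0, 0, 0, 0, 0, 0}))
}
```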