~zulcss/samba/server-dailies-3.4

services, without the need for an NT server. It is the sgml version of <ulink url="http://mailhost.cb1.com/~lkcl/cifsntdomain.txt">http://mailhost.cb1.com/~lkcl/cifsntdomain.txt</ulink>, controlled by Luke.

</para>

<para>

It should be possible to select a domain instead of a workgroup (in the NT

workstation's TCP/IP settings) and after the obligatory reboot, type in a

username, password, select a domain and successfully log in. I would

appreciate any feedback on your experiences with this process, and any

comments, corrections and additions to this document.

</para>

<para>

The packets described here can be easily derived from (and are probably

better understood using) Netmon.exe. You will need to use the version

of Netmon that matches your system, in order to correctly decode the

NETLOGON, lsarpc and srvsvc Transact pipes. This document is derived from

NT Service Pack 1 and its corresponding version of Netmon. It is intended

that an annotated packet trace be produced, which will likely be more

instructive than this document.

</para>

<para>

Also needed, to fully implement NT Domain Login Services, is the

document describing the cryptographic part of the NT authentication.

This document is available from comp.protocols.smb; from the ntsecurity.net

digest and from the samba digest, amongst other sources.

</para>

<para>

A copy is available from:

</para>

<para><ulink url="http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708;L=ntbugtraq;O=A;P=2935">http://ntbugtraq.rc.on.ca/SCRIPTS/WA.EXE?A2=ind9708;L=ntbugtraq;O=A;P=2935</ulink></para>

<para><ulink url="http://mailhost.cb1.com/~lkcl/crypt.html">http://mailhost.cb1.com/~lkcl/crypt.html</ulink></para>

<para>

A c-code implementation, provided by <ulink url="mailto:linus@incolumitas.se">Linus Nordberg</ulink>

of this protocol is available from:

</para>

<para><ulink url="http://samba.org/cgi-bin/mfs/01/digest/1997/97aug/0391.html">http://samba.org/cgi-bin/mfs/01/digest/1997/97aug/0391.html</ulink></para>

<para><ulink url="http://mailhost.cb1.com/~lkcl/crypt.txt">http://mailhost.cb1.com/~lkcl/crypt.txt</ulink></para>

<para>

Also used to provide debugging information is the Check Build version of

NT workstation, and enabling full debugging in NETLOGON. This is

achieved by setting the following REG_SZ registry key to 0x1ffffff:

</para>

<para><filename>HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters</filename></para>

<para><emphasis>Incorrect direct editing of the registry can cause your

machine to fail. Then again, so can incorrect implementation of this

protocol. See "Liability:" above.</emphasis></para>

<para>

Bear in mind that each packet over-the-wire will have its origin in an

API call. Therefore, there are likely to be structures, enumerations

and defines that are usefully documented elsewhere.

</para>

<para>

This document is by no means complete or authoritative. Missing sections

include, but are not limited to:

</para>

<listitem><para>Mappings of RIDs to usernames (and vice-versa).</para></listitem>

100

101

<listitem><para>What a User ID is and what a Group ID is.</para></listitem>

102

103

<listitem><para>The exact meaning/definition of various magic constants or enumerations.</para></listitem>

104

105

<listitem><para>The reply error code and use of that error code when a

106

workstation becomes a member of a domain (to be described later).

107

Failure to return this error code will make the workstation report

108

that it is already a member of the domain.</para></listitem>

109

110

<listitem><para>the cryptographic side of the NetrServerPasswordSet command,

111

which would allow the workstation to change its password. This password is

112

used to generate the long-term session key. [It is possible to reject this

113

command, and keep the default workstation password].</para></listitem>

114

115

</orderedlist>

116

117

<sect2>

118

<title>Sources</title>

119

120

121

<member>cket Traces from Netmonitor (Service Pack 1 and above)</member>

122

<member>ul Ashton and Luke Leighton's other "NT Domain" doc.</member>

123

<member>FS documentation - cifs6.txt</member>

124

<member>FS documentation - cifsrap2.txt</member>

125

</simplelist>

126

127

</sect2>

128

129

<sect2>

130

<title>Credits</title>

131

132

133

<member>Paul Ashton: loads of work with Net Monitor; understanding the NT authentication system; reference implementation of the NT domain support on which this document is originally based.</member>

134

<member>Duncan Stansfield: low-level analysis of MSRPC Pipes.</member>

135

<member>Linus Nordberg: producing c-code from Paul's crypto spec.</member>

136

<member>Windows Sourcer development team</member>

137

</simplelist>

138

139

</sect2>

140

141

</sect1>

142

143

<sect1>

144

<title>Notes and Structures</title>

145

146

<sect2>

147

<title>Notes</title>

148

149

150

151

In the SMB Transact pipes, some "Structures", described here, appear to be

152

4-byte aligned with the SMB header, at their start. Exactly which

153

"Structures" need aligning is not precisely known or documented.

154

</para></listitem>

155

156

157

In the UDP NTLOGON Mailslots, some "Structures", described here, appear to be

158

2-byte aligned with the start of the mailslot, at their start.

159

</para></listitem>

160

161

162

Domain SID is of the format S-revision-version-auth1-auth2...authN.

163

e.g S-1-5-123-456-789-123-456. the 5 could be a sub-revision.

164

</para></listitem>

165

166

167

any undocumented buffer pointers must be non-zero if the string buffer it

168

refers to contains characters. exactly what value they should be is unknown.

169

0x0000 0002 seems to do the trick to indicate that the buffer exists. a

170

NULL buffer pointer indicates that the string buffer is of zero length.

171

If the buffer pointer is NULL, then it is suspected that the structure it

172

refers to is NOT put into (or taken out of) the SMB data stream. This is

173

empirically derived from, for example, the LSA SAM Logon response packet,

174

where if the buffer pointer is NULL, the user information is not inserted

175

into the data stream. Exactly what happens with an array of buffer pointers

176

is not known, although an educated guess can be made.

177

</para></listitem>

178

179

180

an array of structures (a container) appears to have a count and a pointer.

181

if the count is zero, the pointer is also zero. no further data is put

182

into or taken out of the SMB data stream. if the count is non-zero, then

183

the pointer is also non-zero. immediately following the pointer is the

184

count again, followed by an array of container sub-structures. the count

185

appears a third time after the last sub-structure.

186

</para></listitem>

187

</orderedlist>

188

189

</sect2>

190

191

<sect2>

192

<title>Enumerations</title>

193

194

<sect3>

195

<title>MSRPC Header type</title>

196

<para>command number in the msrpc packet header</para>

197

198

199

200

<term>MSRPC_Request:</term>

201

202

</varlistentry>

203

204

<term>MSRPC_Response:</term>

205

206

</varlistentry>

207

208

<term>MSRPC_Bind:</term>

209

210

</varlistentry>

211

212

<term>MSRPC_BindAck:</term>

213

214

</varlistentry>

215

</variablelist>

216

</sect3>

217

218

<sect3>

219

<title>MSRPC Packet info</title>

220

221

<para>The meaning of these flags is undocumented</para>

222

223

224

225

<term>FirstFrag:</term>

226

227

</varlistentry>

228

229

<term>LastFrag:</term>

230

231

</varlistentry>

232

233

<term>NotaFrag:</term>

234

235

</varlistentry>

236

237

<term>RecRespond:</term>

238

239

</varlistentry>

240

241

<term>NoMultiplex:</term>

242

243

</varlistentry>

244

245

<term>NotForIdemp:</term>

246

247

</varlistentry>

248

249

<term>NotforBcast:</term>

250

251

</varlistentry>

252

253

<term>NoUuid:</term>

254

255

</varlistentry>

256

</variablelist>

257

258

</sect3>

259

260

</sect2>

261

262

<sect2>

263

<title>Structures</title>

264

265

266

<para>sizeof VOID* is 32 bits.</para>

267

</sect3>

268

269

270

<para>sizeof char is 8 bits.</para>

271

</sect3>

272

273

<sect3><title>UTIME</title>

274

<para>UTIME is 32 bits, indicating time in seconds since 01jan1970. documented in cifs6.txt (section 3.5 page, page 30).</para>

275

</sect3>

276

277

<sect3><title>NTTIME</title>

278

<para>NTTIME is 64 bits. documented in cifs6.txt (section 3.5 page, page 30).</para>

279

</sect3>

280

281

<sect3>

282

<title>DOM_SID (domain SID structure)</title>

283

284

285

286

287

288

<listitem><para>num of sub-authorities in domain SID</para></listitem>

289

</varlistentry>

290

291

292

293

<listitem><para>SID revision number</para></listitem>

294

</varlistentry>

295

296

297

<listitem><para>num of sub-authorities in domain SID</para></listitem>

298

</varlistentry>

299

300

301

<listitem><para>6 bytes for domain SID - Identifier Authority.</para></listitem>

302

</varlistentry>

303

304

305

<term>UINT16[n_subauths]</term>

306

<listitem><para>domain SID sub-authorities</para></listitem>

307

</varlistentry>

308

309

</variablelist>

310

311

<para><emphasis>Note: the domain SID is documented elsewhere.</emphasis>

312

</para>

313

314

</sect3>

315

316

<sect3>

317

<title>STR (string)</title>

318

319

<para>STR (string) is a char[] : a null-terminated string of ascii characters.</para>

320

321

</sect3>

322

323

<sect3>

324

<title>UNIHDR (unicode string header) </title>

325

326

327

328

329

330

<listitem><para>length of unicode string</para></listitem>

331

</varlistentry>

332

333

334

335

<listitem><para>max length of unicode string</para></listitem>

336

</varlistentry>

337

338

339

340

<listitem><para>4 - undocumented.</para></listitem>

341

</varlistentry>

342

343

</variablelist>

344

345

</sect3>

346

347

<sect3>

348

<title>UNIHDR2 (unicode string header plus buffer pointer)</title>

349

350

351

352

353

<term>UNIHDR</term>

354

<listitem><para>unicode string header</para></listitem>

355

</varlistentry>

356

357

358

359

360

<listitem><para>undocumented buffer pointer</para></listitem>

361

</varlistentry>

362

363

</variablelist>

364

365

</sect3>

366

367

<sect3>

368

<title>UNISTR (unicode string)</title>

369

370

371

372

373

374

<listitem><para>null-terminated string of unicode characters.</para></listitem>

375

</varlistentry>

376

377

</variablelist>

378

379

</sect3>

380

381

<sect3>

382

<title>NAME (length-indicated unicode string)</title>

383

384

385

386

387

388

<listitem><para>length of unicode string</para></listitem>

389

</varlistentry>

390

391

392

<listitem><para>null-terminated string of unicode characters.</para></listitem>

393

</varlistentry>

394

395

</variablelist>

396

397

</sect3>

398

399

<sect3>

400

<title>UNISTR2 (aligned unicode string)</title>

401

402

403

404

405

<listitem><para>padding to get unicode string 4-byte aligned with the start of the SMB header.</para></listitem>

406

</varlistentry>

407

408

409

<listitem><para>max length of unicode string</para></listitem>

410

</varlistentry>

411

412

413

<listitem><para>0 - undocumented</para></listitem>

414

</varlistentry>

415

416

417

<listitem><para>length of unicode string</para></listitem>

418

</varlistentry>

419

420

421

<listitem><para>string of uncode characters</para></listitem>

422

</varlistentry>

423

424

</variablelist>

425

426

</sect3>

427

428

<sect3>

429

<title>OBJ_ATTR (object attributes)</title>

430

431

432

433

434

<listitem><para>0x18 - length (in bytes) including the length field.</para></listitem></varlistentry>

435

436

437

<listitem><para>0 - root directory (pointer)</para></listitem></varlistentry>

438

439

440

<listitem><para>0 - object name (pointer)</para></listitem></varlistentry>

441

442

443

<listitem><para>0 - attributes (undocumented)</para></listitem></varlistentry>

444

445

446

<listitem><para>0 - security descriptior (pointer)</para></listitem></varlistentry>

447

448

449

<listitem><para>0 - security quality of service</para></listitem>

450

</varlistentry>

451

452

</variablelist>

453

454

</sect3>

455

456

<sect3>

457

<title>POL_HND (LSA policy handle)</title>

458

459

460

461

462

<listitem><para>policy handle</para></listitem>

463

</varlistentry>

464

</variablelist>

465

466

</sect3>

467

468

<sect3>

469

<title>DOM_SID2 (domain SID structure, SIDS stored in unicode)</title>

470

471

472

473

474

475

</varlistentry>

476

477

478

<listitem><para>0 - undocumented</para></listitem>

479

</varlistentry>

480

481

<term>UNIHDR2</term>

482

<listitem><para>domain SID unicode string header</para></listitem>

483

</varlistentry>

484

485

<term>UNISTR</term>

486

<listitem><para>domain SID unicode string</para></listitem>

487

</varlistentry>

488

</variablelist>

489

490

<para><emphasis>Note: there is a conflict between the unicode string header and the unicode string itself as to which to use to indicate string length. this will need to be resolved.</emphasis></para>

491

492

<para><emphasis>Note: the SID type indicates, for example, an alias; a well-known group etc. this is documented somewhere.</emphasis></para>

493

494

</sect3>

495

496

<sect3>

497

<title>DOM_RID (domain RID structure)</title>

498

499

500

501

502

<listitem><para>5 - well-known SID. 1 - user SID (see ShowACLs)</para></listitem></varlistentry>

503

504

505

<listitem><para>5 - undocumented</para></listitem>

506

</varlistentry>

507

508

509

<listitem><para>domain RID </para></listitem>

510

</varlistentry>

511

512

513

<listitem><para>0 - domain index out of above reference domains</para></listitem>

514

</varlistentry>

515

</variablelist>

516

517

</sect3>

518

519

<sect3>

520

<title>LOG_INFO (server, account, client structure)</title>

521

522

<para><emphasis>Note: logon server name starts with two '\' characters and is upper case.</emphasis></para>

523

524

<para><emphasis>Note: account name is the logon client name from the LSA Request Challenge, with a $ on the end of it, in upper case.</emphasis></para>

525

526

527

528

529

<listitem><para>undocumented buffer pointer</para></listitem>

530

</varlistentry>

531

532

<term>UNISTR2</term>

533

<listitem><para>logon server unicode string</para></listitem>

534

</varlistentry>

535

536

<term>UNISTR2</term>

537

<listitem><para>account name unicode string</para></listitem>

538

</varlistentry>

539

540

541

<listitem><para>sec_chan - security channel type</para></listitem>

542

</varlistentry>

543

544

<term>UNISTR2</term>

545

<listitem><para>logon client machine unicode string</para></listitem>

546

</varlistentry>

547

</variablelist>

548

549

</sect3>

550

551

<sect3>

552

<title>CLNT_SRV (server, client names structure)</title>

553

554

<para><emphasis>Note: logon server name starts with two '\' characters and is upper case.</emphasis></para>

555

556

557

558

559

<listitem><para>undocumented buffer pointer</para></listitem>

560

</varlistentry>

561

562

<term>UNISTR2</term>

563

<listitem><para>logon server unicode string</para></listitem>

564

</varlistentry>

565

566

567

<listitem><para>undocumented buffer pointer</para></listitem>

568

</varlistentry>

569

570

<term>UNISTR2</term>

571

<listitem><para>logon client machine unicode string</para></listitem>

572

</varlistentry>

573

</variablelist>

574

575

</sect3>

576

577

<sect3>

578

<title>CREDS (credentials + time stamp)</title>

579

580

581

582

583

<listitem><para>credentials</para></listitem>

584

</varlistentry>

585

586

<term>UTIME</term>

587

<listitem><para>time stamp</para></listitem>

588

</varlistentry>

589

</variablelist>

590

591

</sect3>

592

593

<sect3>

594

<title>CLNT_INFO2 (server, client structure, client credentials)</title>

595

596

<para><emphasis>Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will beused in subsequent credential checks. the presumed intention is to

597

maintain an authenticated request/response trail.</emphasis></para>

598

599

600

601

602

<listitem><para>client and server names</para></listitem>

603

</varlistentry>

604

605

606

<listitem><para>???? padding, for 4-byte alignment with SMB header.</para></listitem>

607

</varlistentry>

608

609

610

<listitem><para>pointer to client credentials.</para></listitem>

611

</varlistentry>

612

613

<term>CREDS</term>

614

<listitem><para>client-calculated credentials + client time</para></listitem>

615

</varlistentry>

616

</variablelist>

617

618

</sect3>

619

620

<sect3>

621

<title>CLNT_INFO (server, account, client structure, client credentials)</title>

622

<para><emphasis>Note: whenever this structure appears in a request, you must take a copy of the client-calculated credentials received, because they will be used in subsequent credential checks. the presumed intention is to maintain an authenticated request/response trail.</emphasis></para>

623

624

625

626

627

<listitem><para>logon account info</para></listitem>

628

</varlistentry>

629

630

<term>CREDS</term>

631

<listitem><para>client-calculated credentials + client time</para></listitem>

632

</varlistentry>

633

</variablelist>

634

635

</sect3>

636

637

<sect3>

638

<title>ID_INFO_1 (id info structure, auth level 1)</title>

639

640

641

642

643

644

</varlistentry>

645

646

<term>UNIHDR</term>

647

<listitem><para>domain name unicode header</para></listitem>

648

</varlistentry>

649

650

651

<listitem><para>param control</para></listitem>

652

</varlistentry>

653

654

655

<listitem><para>logon ID</para></listitem>

656

</varlistentry>

657

658

<term>UNIHDR</term>

659

<listitem><para>user name unicode header</para></listitem>

660

</varlistentry>

661

662

<term>UNIHDR</term>

663

<listitem><para>workgroup name unicode header</para></listitem>

664

</varlistentry>

665

666

667

<listitem><para>arc4 LM OWF Password</para></listitem>

668

</varlistentry>

669

670

671

<listitem><para>arc4 NT OWF Password</para></listitem>

672

</varlistentry>

673

674

<term>UNISTR2</term>

675

<listitem><para>domain name unicode string</para></listitem>

676

</varlistentry>

677

678

<term>UNISTR2</term>

679

<listitem><para>user name unicode string</para></listitem>

680

</varlistentry>

681

682

<term>UNISTR2</term>

683

<listitem><para>workstation name unicode string</para></listitem>

684

</varlistentry>

685

</variablelist>

686

687

</sect3>

688

689

<sect3>

690

<title>SAM_INFO (sam logon/logoff id info structure)</title>

691

692

<para><emphasis>Note: presumably, the return credentials is supposedly for the server to verify that the credential chain hasn't been compromised.</emphasis></para>

693

694

695

696

697

<listitem><para>client identification/authentication info</para></listitem>

698

</varlistentry>

699

700

701

<listitem><para>pointer to return credentials.</para></listitem>

702

</varlistentry>

703

704

705

<listitem><para>return credentials - ignored.</para></listitem>

706

</varlistentry>

707

708

709

<listitem><para>logon level</para></listitem>

710

</varlistentry>

711

712

713

<listitem><para>switch value</para></listitem>

714

</varlistentry>

715

716

</variablelist>

717

718

719

switch (switch_value)

720

case 1:

721

{

722

ID_INFO_1 id_info_1;

723

}

724

</programlisting></para>

725

726

</sect3>

727

728

<sect3>

729

<title>GID (group id info)</title>

730

731

732

733

734

<listitem><para>group id</para></listitem></varlistentry>

735

736

737

<listitem><para>user attributes (only used by NT 3.1 and 3.51)</para></listitem></varlistentry>

738

</variablelist>

739

740

</sect3>

741

742

<sect3>

743

<title>DOM_REF (domain reference info)</title>

744

745

746

747

748

<listitem><para>undocumented buffer pointer.</para></listitem>

749

</varlistentry>

750

751

752

<listitem><para>num referenced domains?</para></listitem>

753

</varlistentry>

754

755

756

<listitem><para>undocumented domain name buffer pointer.</para></listitem>

757

</varlistentry>

758

759

760

<listitem><para>32 - max number of entries</para></listitem>

761

</varlistentry>

762

763

764

<listitem><para>4 - num referenced domains?</para></listitem>

765

</varlistentry>

766

767

<term>UNIHDR2</term>

768

<listitem><para>domain name unicode string header</para></listitem>

769

</varlistentry>

770

771

<term>UNIHDR2[num_ref_doms-1]</term>

772

<listitem><para>referenced domain unicode string headers</para></listitem>

773

</varlistentry>

774

775

<term>UNISTR</term>

776

<listitem><para>domain name unicode string</para></listitem>

777

</varlistentry>

778

779

780

<listitem><para>referenced domain SIDs</para></listitem>

781

</varlistentry>

782

</variablelist>

783

784

</sect3>

785

786

<sect3>

787

<title>DOM_INFO (domain info, levels 3 and 5 are the same))</title>

788

789

790

791

792

<listitem><para>??? padding to get 4-byte alignment with start of SMB header</para></listitem>

793

</varlistentry>

794

795

796

<listitem><para>domain name string length * 2</para></listitem>

797

</varlistentry>

798

799

800

<listitem><para>domain name string length * 2</para></listitem>

801

</varlistentry>

802

803

804

<listitem><para>undocumented domain name string buffer pointer</para></listitem>

805

</varlistentry>

806

807

808

<listitem><para>undocumented domain SID string buffer pointer</para></listitem></varlistentry>

809

810

<term>UNISTR2</term>

811

<listitem><para>domain name (unicode string)</para></listitem></varlistentry>

812

813

814

<listitem><para>domain SID</para></listitem>

815

</varlistentry>

816

</variablelist>

817

818

</sect3>

819

820

<sect3>

821

<title>USER_INFO (user logon info)</title>

822

823

<para><emphasis>Note: it would be nice to know what the 16 byte user session key is for.</emphasis></para>

824

825

826

827

<term>NTTIME</term>

828

<listitem><para>logon time</para></listitem>

829

</varlistentry>

830

831

<term>NTTIME</term>

832

<listitem><para>logoff time</para></listitem>

833

</varlistentry>

834

835

<term>NTTIME</term>

836

<listitem><para>kickoff time</para></listitem>

837

</varlistentry>

838

839

<term>NTTIME</term>

840

<listitem><para>password last set time</para></listitem>

841

</varlistentry>

842

843

<term>NTTIME</term>

844

<listitem><para>password can change time</para></listitem>

845

</varlistentry>

846

847

<term>NTTIME</term>

848

<listitem><para>password must change time</para></listitem>

849

</varlistentry>

850

851

<term>UNIHDR</term>

852

<listitem><para>username unicode string header</para></listitem>

853

</varlistentry>

854

855

<term>UNIHDR</term>

856

<listitem><para>user's full name unicode string header</para></listitem>

857

</varlistentry>

858

859

<term>UNIHDR</term>

860

<listitem><para>logon script unicode string header</para></listitem>

861

</varlistentry>

862

863

<term>UNIHDR</term>

864

<listitem><para>profile path unicode string header</para></listitem>

865

</varlistentry>

866

867

<term>UNIHDR</term>

868

<listitem><para>home directory unicode string header</para></listitem>

869

</varlistentry>

870

871

<term>UNIHDR</term>

872

<listitem><para>home directory drive unicode string header</para></listitem>

873

</varlistentry>

874

875

876

<listitem><para>logon count</para></listitem>

877

</varlistentry>

878

879

880

<listitem><para>bad password count</para></listitem>

881

</varlistentry>

882

883

884

885

</varlistentry>

886

887

888

<listitem><para>Group ID</para></listitem>

889

</varlistentry>

890

891

892

<listitem><para>num groups</para></listitem>

893

</varlistentry>

894

895

896

<listitem><para>undocumented buffer pointer to groups.</para></listitem>

897

</varlistentry>

898

899

900

<listitem><para>user flags</para></listitem>

901

</varlistentry>

902

903

904

<listitem><para>user session key</para></listitem>

905

</varlistentry>

906

907

<term>UNIHDR</term>

908

<listitem><para>logon server unicode string header</para></listitem>

909

</varlistentry>

910

911

<term>UNIHDR</term>

912

<listitem><para>logon domain unicode string header</para></listitem>

913

</varlistentry>

914

915

916

<listitem><para>undocumented logon domain id pointer</para></listitem>

917

</varlistentry>

918

919

920

<listitem><para>40 undocumented padding bytes. future expansion?</para></listitem>

921

</varlistentry>

922

923

924

<listitem><para>0 - num_other_sids?</para></listitem>

925

</varlistentry>

926

927

928

<listitem><para>NULL - undocumented pointer to other domain SIDs.</para></listitem>

929

</varlistentry>

930

931

<term>UNISTR2</term>

932

<listitem><para>username unicode string</para></listitem>

933

</varlistentry>

934

935

<term>UNISTR2</term>

936

<listitem><para>user's full name unicode string</para></listitem>

937

</varlistentry>

938

939

<term>UNISTR2</term>

940

<listitem><para>logon script unicode string</para></listitem>

941

</varlistentry>

942

943

<term>UNISTR2</term>

944

<listitem><para>profile path unicode string</para></listitem>

945

</varlistentry>

946

947

<term>UNISTR2</term>

948

<listitem><para>home directory unicode string</para></listitem>

949

</varlistentry>

950

951

<term>UNISTR2</term>

952

<listitem><para>home directory drive unicode string</para></listitem>

953

</varlistentry>

954

955

956

<listitem><para>num groups</para></listitem>

957

</varlistentry>

958

959

<term>GID[num_groups]</term>

960

<listitem><para>group info</para></listitem>

961

</varlistentry>

962

963

<term>UNISTR2</term>

964

<listitem><para>logon server unicode string</para></listitem>

965

</varlistentry>

966

967

<term>UNISTR2</term>

968

<listitem><para>logon domain unicode string</para></listitem>

969

</varlistentry>

970

971

972

<listitem><para>domain SID</para></listitem>

973

</varlistentry>

974

975

976

<listitem><para>other domain SIDs?</para></listitem>

977

</varlistentry>

978

</variablelist>

979

980

</sect3>

981

982

<sect3>

983

<title>SH_INFO_1_PTR (pointers to level 1 share info strings)</title>

984

985

<para><emphasis>Note: see cifsrap2.txt section5, page 10.</emphasis></para>

986

987

988

<member>0 for shi1_type indicates a Disk.</member>

989

<member>1 for shi1_type indicates a Print Queue.</member>

990

<member>2 for shi1_type indicates a Device.</member>

991

<member>3 for shi1_type indicates an IPC pipe.</member>

992

<member>0x8000 0000 (top bit set in shi1_type) indicates a hidden share.</member>

993

</simplelist>

994

995

996

997

998

999

<listitem><para>shi1_netname - pointer to net name</para></listitem>

1000

</varlistentry>

1001

1002

1003

<listitem><para>shi1_type - type of share. 0 - undocumented.</para></listitem>

1004

</varlistentry>

1005

1006

1007

<listitem><para>shi1_remark - pointer to comment.</para></listitem>

1008

</varlistentry>

1009

1010

</variablelist>

1011

1012

</sect3>

1013

1014

<sect3>

1015

<title>SH_INFO_1_STR (level 1 share info strings)</title>

1016

1017

1018

1019

<term>UNISTR2</term>

1020

<listitem><para>shi1_netname - unicode string of net name</para></listitem>

1021

</varlistentry>

1022

1023

<term>UNISTR2</term>

1024

<listitem><para>shi1_remark - unicode string of comment.</para></listitem>

1025

</varlistentry>

1026

</variablelist>

1027

1028

</sect3>

1029

1030

<sect3>

1031

<title>SHARE_INFO_1_CTR</title>

1032

1033

<para>share container with 0 entries:</para>

1034

1035

1036

1037

1038

<listitem><para>0 - EntriesRead</para></listitem>

1039

</varlistentry>

1040

1041

1042

<listitem><para>0 - Buffer</para></listitem>

1043

</varlistentry>

1044

</variablelist>

1045

1046

<para>share container with > 0 entries:</para>

1047

1048

1049

1050

1051

<listitem><para>EntriesRead</para></listitem>

1052

</varlistentry>

1053

1054

1055

<listitem><para>non-zero - Buffer</para></listitem>

1056

</varlistentry>

1057

1058

1059

<listitem><para>EntriesRead</para></listitem>

1060

</varlistentry>

1061

1062

<term>SH_INFO_1_PTR[EntriesRead]</term>

1063

<listitem><para>share entry pointers</para></listitem>

1064

</varlistentry>

1065

1066

<term>SH_INFO_1_STR[EntriesRead]</term>

1067

<listitem><para>share entry strings</para></listitem>

1068

</varlistentry>

1069

1070

1071

<listitem><para>padding to get unicode string 4-byte aligned with start of the SMB header.</para></listitem>

1072

</varlistentry>

1073

1074

1075

<listitem><para>EntriesRead</para></listitem>

1076

</varlistentry>

1077

1078

1079

<listitem><para>0 - padding</para></listitem>

1080

</varlistentry>

1081

1082

</variablelist>

1083

1084

</sect3>

1085

1086

<sect3>

1087

<title>SERVER_INFO_101</title>

1088

1089

<para><emphasis>Note: see cifs6.txt section 6.4 - the fields described therein will be of assistance here. for example, the type listed below is the same as fServerType, which is described in 6.4.1. </emphasis></para>

1090

1091

1092

1093

<term>SV_TYPE_WORKSTATION</term>

1094

<listitem><para>0x00000001 All workstations</para></listitem>

1095

</varlistentry>

1096

1097

<term>SV_TYPE_SERVER</term>

1098

<listitem><para>0x00000002 All servers</para></listitem>

1099

</varlistentry>

1100

1101

<term>SV_TYPE_SQLSERVER</term>

1102

<listitem><para>0x00000004 Any server running with SQL server</para></listitem>

1103

</varlistentry>

1104

1105

<term>SV_TYPE_DOMAIN_CTRL</term>

1106

<listitem><para>0x00000008 Primary domain controller</para></listitem>

1107

</varlistentry>

1108

1109

<term>SV_TYPE_DOMAIN_BAKCTRL</term>

1110

<listitem><para>0x00000010 Backup domain controller</para></listitem>

1111

</varlistentry>

1112

1113

<term>SV_TYPE_TIME_SOURCE</term>

1114

<listitem><para>0x00000020 Server running the timesource service</para></listitem>

1115

</varlistentry>

1116

1117

1118

<listitem><para>0x00000040 Apple File Protocol servers</para></listitem>

1119

</varlistentry>

1120

1121

<term>SV_TYPE_NOVELL</term>

1122

<listitem><para>0x00000080 Novell servers</para></listitem>

1123

</varlistentry>

1124

1125

<term>SV_TYPE_DOMAIN_MEMBER</term>

1126

<listitem><para>0x00000100 Domain Member</para></listitem>

1127

</varlistentry>

1128

1129

<term>SV_TYPE_PRINTQ_SERVER</term>

1130

<listitem><para>0x00000200 Server sharing print queue</para></listitem>

1131

</varlistentry>

1132

1133

<term>SV_TYPE_DIALIN_SERVER</term>

1134

<listitem><para>0x00000400 Server running dialin service.</para></listitem>

1135

</varlistentry>

1136

1137

<term>SV_TYPE_XENIX_SERVER</term>

1138

<listitem><para>0x00000800 Xenix server</para></listitem>

1139

</varlistentry>

1140

1141

1142

<listitem><para>0x00001000 NT server</para></listitem>

1143

</varlistentry>

1144

1145

1146

<listitem><para>0x00002000 Server running Windows for </para></listitem>

1147

</varlistentry>

1148

1149

<term>SV_TYPE_SERVER_NT</term>

1150

<listitem><para>0x00008000 Windows NT non DC server</para></listitem>

1151

</varlistentry>

1152

1153

<term>SV_TYPE_POTENTIAL_BROWSER</term>

1154

<listitem><para>0x00010000 Server that can run the browser service</para></listitem>

1155

</varlistentry>

1156

1157

<term>SV_TYPE_BACKUP_BROWSER</term>

1158

<listitem><para>0x00020000 Backup browser server</para></listitem>

1159

</varlistentry>

1160

1161

<term>SV_TYPE_MASTER_BROWSER</term>

1162

<listitem><para>0x00040000 Master browser server</para></listitem>

1163

</varlistentry>

1164

1165

<term>SV_TYPE_DOMAIN_MASTER</term>

1166

<listitem><para>0x00080000 Domain Master Browser server</para></listitem>

1167

</varlistentry>

1168

1169

<term>SV_TYPE_LOCAL_LIST_ONLY</term>

1170

<listitem><para>0x40000000 Enumerate only entries marked "local"</para></listitem>

1171

</varlistentry>

1172

1173

<term>SV_TYPE_DOMAIN_ENUM</term>

1174

<listitem><para>0x80000000 Enumerate Domains. The pszServer and pszDomain parameters must be NULL.</para></listitem>

1175

</varlistentry>

1176

1177

</variablelist>

1178

1179

1180

1181

1182

<listitem><para>500 - platform_id</para></listitem>

1183

</varlistentry>

1184

1185

1186

<listitem><para>pointer to name</para></listitem>

1187

</varlistentry>

1188

1189

1190

<listitem><para>5 - major version</para></listitem>

1191

</varlistentry>

1192

1193

1194

<listitem><para>4 - minor version</para></listitem></varlistentry>

1195

1196

1197

<listitem><para>type (SV_TYPE_... bit field)</para></listitem></varlistentry>

1198

1199

1200

<listitem><para>pointer to comment</para></listitem>

1201

</varlistentry>

1202

1203

<term>UNISTR2</term>

1204

<listitem><para>sv101_name - unicode string of server name</para></listitem>

1205

</varlistentry>

1206

1207

<term>UNISTR2</term>

1208

<listitem><para>sv_101_comment - unicode string of server comment.</para></listitem>

1209

</varlistentry>

1210

1211

1212

<listitem><para>padding to get unicode string 4-byte aligned with start of the SMB header.</para></listitem>

1213

</varlistentry>

1214

</variablelist>

1215

1216

</sect3>

1217

</sect2>

1218

</sect1>

1219

1220

<sect1>

1221

<title>MSRPC over Transact Named Pipe</title>

1222

1223

<para>For details on the SMB Transact Named Pipe, see cifs6.txt</para>

1224

1225

<sect2>

1226

<title>MSRPC Pipes</title>

1227

1228

<para>

1229

The MSRPC is conducted over an SMB Transact Pipe with a name of

1230

<filename>\PIPE\</filename>. You must first obtain a 16 bit file handle, by

1231

sending a SMBopenX with the pipe name <filename>\PIPE\srvsvc</filename> for

1232

example. You can then perform an SMB Trans,

1233

and must carry out an SMBclose on the file handle once you are finished.

1234

</para>

1235

1236

<para>

1237

Trans Requests must be sent with two setup UINT16s, no UINT16 params (none

1238

known about), and UINT8 data parameters sufficient to contain the MSRPC

1239

header, and MSRPC data. The first UINT16 setup parameter must be either

1240

0x0026 to indicate an RPC, or 0x0001 to indicate Set Named Pipe Handle

1241

state. The second UINT16 parameter must be the file handle for the pipe,

1242

obtained above.

1243

</para>

1244

1245

<para>

1246

The Data section for an API Command of 0x0026 (RPC pipe) in the Trans

1247

Request is the RPC Header, followed by the RPC Data. The Data section for

1248

an API Command of 0x0001 (Set Named Pipe Handle state) is two bytes. The

1249

only value seen for these two bytes is 0x00 0x43.

1250

</para>

1251

1252

<para>

1253

MSRPC Responses are sent as response data inside standard SMB Trans

1254

responses, with the MSRPC Header, MSRPC Data and MSRPC tail.

1255

</para>

1256

1257

<para>

1258

It is suspected that the Trans Requests will need to be at least 2-byte

1259

aligned (probably 4-byte). This is standard practice for SMBs. It is also

1260

independent of the observed 4-byte alignments with the start of the MSRPC

1261

header, including the 4-byte alignment between the MSRPC header and the

1262

MSRPC data.

1263

</para>

1264

1265

<para>

1266

First, an SMBtconX connection is made to the IPC$ share. The connection

1267

must be made using encrypted passwords, not clear-text. Then, an SMBopenX

1268

is made on the pipe. Then, a Set Named Pipe Handle State must be sent,

1269

after which the pipe is ready to accept API commands. Lastly, and SMBclose

1270

is sent.

1271

</para>

1272

1273

<para>

1274

To be resolved:

1275

</para>

1276

1277

<para>

1278

lkcl/01nov97 there appear to be two additional bytes after the null-terminated \PIPE\ name for the RPC pipe. Values seen so far are

1279

listed below:</para>

1280

1281

1282

initial SMBopenX request: RPC API command 0x26 params:

1283

"\\PIPE\\lsarpc" 0x65 0x63; 0x72 0x70; 0x44 0x65;

1284

"\\PIPE\\srvsvc" 0x73 0x76; 0x4E 0x00; 0x5C 0x43;

1285

</programlisting></para>

1286

1287

</sect2>

1288

1289

<sect2>

1290

<title>Header</title>

1291

1292

<para>[section to be rewritten, following receipt of work by Duncan Stansfield]</para>

1293

1294

<para>Interesting note: if you set packed data representation to 0x0100 0000

1295

then all 4-byte and 2-byte word ordering is turned around!</para>

1296

1297

<para>The start of each of the NTLSA and NETLOGON named pipes begins with:</para>

1298

1299

1300

<segtitle>offset</segtitle><segtitle>Variable type</segtitle><segtitle>Variable data</segtitle>

1301

<seglistitem><seg>00</seg><seg>UINT8</seg><seg>5 - RPC major version</seg></seglistitem>

1302

<seglistitem><seg>01</seg><seg>UINT8</seg><seg>0 - RPC minor version</seg></seglistitem>

1303

<seglistitem><seg>02</seg><seg>UINT8</seg><seg>2 - RPC response packet</seg></seglistitem>

1304

<seglistitem><seg>03</seg><seg>UINT8</seg><seg>3 - (FirstFrag bit-wise or with LastFrag)</seg></seglistitem>

1305

<seglistitem><seg>04</seg><seg>UINT32</seg><seg>0x1000 0000 - packed data representation</seg></seglistitem>

1306

<seglistitem><seg>08</seg><seg>UINT16</seg><seg>fragment length - data size (bytes) inc header and tail.</seg></seglistitem>

1307

<seglistitem><seg>0A</seg><seg>UINT16</seg><seg>0 - authentication length </seg></seglistitem>

1308

<seglistitem><seg>0C</seg><seg>UINT32</seg><seg>call identifier. matches 12th UINT32 of incoming RPC data.</seg></seglistitem>

1309

<seglistitem><seg>10</seg><seg>UINT32</seg><seg>allocation hint - data size (bytes) minus header and tail.</seg></seglistitem>

1310

<seglistitem><seg>14</seg><seg>UINT16</seg><seg>0 - presentation context identifier</seg></seglistitem>

1311

<seglistitem><seg>16</seg><seg>UINT8</seg><seg>0 - cancel count</seg></seglistitem>

1312

<seglistitem><seg>17</seg><seg>UINT8</seg><seg>in replies: 0 - reserved; in requests: opnum - see #defines.</seg></seglistitem>

1313

<seglistitem><seg>18</seg><seg>......</seg><seg>start of data (goes on for allocation_hint bytes)</seg></seglistitem>

1314

</segmentedlist>

1315

1316

<sect3>

1317

<title>RPC_Packet for request, response, bind and bind acknowledgement</title>

1318

1319

1320

1321

<term>UINT8 versionmaj</term>

1322

<listitem><para>reply same as request (0x05)</para></listitem></varlistentry>

1323

1324

<term>UINT8 versionmin</term>

1325

<listitem><para>reply same as request (0x00)</para></listitem></varlistentry>

1326

1327

1328

<listitem><para>one of the MSRPC_Type enums</para></listitem></varlistentry>

1329

1330

<term>UINT8 flags</term>

1331

<listitem><para>reply same as request (0x00 for Bind, 0x03 for Request)</para></listitem></varlistentry>

1332

1333

<term>UINT32 representation</term>

1334

<listitem><para>reply same as request (0x00000010)</para></listitem></varlistentry>

1335

1336

<term>UINT16 fraglength</term>

1337

<listitem><para>the length of the data section of the SMB trans packet</para></listitem></varlistentry>

1338

1339

<term>UINT16 authlength</term>

1340

1341

</varlistentry>

1342

1343

<term>UINT32 callid</term>

1344

<listitem><para>call identifier. (e.g. 0x00149594)</para></listitem></varlistentry>

1345

1346

<term>* stub USE TvPacket</term>

1347

<listitem><para>the remainder of the packet depending on the "type"</para></listitem></varlistentry>

1348

</variablelist>

1349

1350

</sect3>

1351

1352

<sect3>

1353

<title>Interface identification</title>

1354

1355

<para>the interfaces are numbered. as yet I haven't seen more than one interface used on the same pipe name srvsvc</para>

1356

1357

1358

abstract (0x4B324FC8, 0x01D31670, 0x475A7812, 0x88E16EBF, 0x00000003)

1359

transfer (0x8A885D04, 0x11C91CEB, 0x0008E89F, 0x6048102B, 0x00000002)

1360

</programlisting></para>

1361

1362

</sect3>

1363

1364

<sect3>

1365

<title>RPC_Iface RW</title>

1366

1367

1368

1369

1370

<listitem><para>16 bytes of number</para></listitem></varlistentry>

1371

1372

<term>UINT32 version</term>

1373

<listitem><para>the interface number</para></listitem></varlistentry>

1374

</variablelist>

1375

1376

1377

</sect3>

1378

1379

<sect3>

1380

<title>RPC_ReqBind RW</title>

1381

1382

<para>the remainder of the packet after the header if "type" was Bind in the response header, "type" should be BindAck</para>

1383

1384

1385

1386

<term>UINT16 maxtsize</term>

1387

<listitem><para>maximum transmission fragment size (0x1630)</para></listitem></varlistentry>

1388

1389

<term>UINT16 maxrsize</term>

1390

<listitem><para>max receive fragment size (0x1630)</para></listitem></varlistentry>

1391

1392

<term>UINT32 assocgid</term>

1393

<listitem><para>associated group id (0x0)</para></listitem></varlistentry>

1394

1395

<term>UINT32 numelements</term>

1396

<listitem><para>the number of elements (0x1)</para></listitem></varlistentry>

1397

1398

<term>UINT16 contextid</term>

1399

<listitem><para>presentation context identifier (0x0)</para></listitem></varlistentry>

1400

1401

<term>UINT8 numsyntaxes</term>

1402

<listitem><para>the number of syntaxes (has always been 1?)(0x1)</para></listitem></varlistentry>

1403

1404

1405

<listitem><para>4-byte alignment padding, against SMB header</para></listitem></varlistentry>

1406

1407

<term>* abstractint USE RPC_Iface</term>

1408

<listitem><para>num and vers. of interface client is using</para></listitem></varlistentry>

1409

1410

<term>* transferint USE RPC_Iface</term>

1411

<listitem><para>num and vers. of interface to use for replies</para></listitem>

1412

</varlistentry>

1413

</variablelist>

1414

1415

</sect3>

1416

1417

<sect3>

1418

<title>RPC_Address RW</title>

1419

1420

1421

1422

<term>UINT16 length</term>

1423

<listitem><para>length of the string including null terminator</para></listitem></varlistentry>

1424

1425

<term>* port USE string</term>

1426

<listitem><para>the string above in single byte, null terminated form</para></listitem></varlistentry>

1427

</variablelist>

1428

1429

</sect3>

1430

1431

<sect3>

1432

<title>RPC_ResBind RW</title>

1433

1434

<para>the response to place after the header in the reply packet</para>

1435

1436

1437

1438

<term>UINT16 maxtsize</term>

1439

<listitem><para>same as request</para></listitem></varlistentry>

1440

1441

<term>UINT16 maxrsize</term>

1442

<listitem><para>same as request</para></listitem></varlistentry>

1443

1444

<term>UINT32 assocgid</term>

1445

1446

1447

<term>* secondaddr USE RPC_Address</term>

1448

<listitem><para>the address string, as described earlier</para></listitem></varlistentry>

1449

1450

1451

<listitem><para>4-byte alignment padding, against SMB header</para></listitem></varlistentry>

1452

1453

<term>UINT8 numresults</term>

1454

<listitem><para>the number of results (0x01)</para></listitem></varlistentry>

1455

1456

1457

<listitem><para>4-byte alignment padding, against SMB header</para></listitem></varlistentry>

1458

1459

<term>UINT16 result</term>

1460

<listitem><para>result (0x00 = accept)</para></listitem></varlistentry>

1461

1462

<term>UINT16 reason</term>

1463

<listitem><para>reason (0x00 = no reason specified)</para></listitem></varlistentry>

1464

1465

<term>* transfersyntax USE RPC_Iface</term>

1466

<listitem><para>the transfer syntax from the request</para></listitem></varlistentry>

1467

</variablelist>

1468

1469

</sect3>

1470

1471

<sect3>

1472

<title>RPC_ReqNorm RW</title>

1473

1474

<para>the remainder of the packet after the header for every other other request</para>

1475

1476

1477

1478

<term>UINT32 allochint</term>

1479

<listitem><para>the size of the stub data in bytes</para></listitem></varlistentry>

1480

1481

<term>UINT16 prescontext</term>

1482

<listitem><para>presentation context identifier (0x0)</para></listitem></varlistentry>

1483

1484

<term>UINT16 opnum</term>

1485

<listitem><para>operation number (0x15)</para></listitem></varlistentry>

1486

1487

<term>* stub USE TvPacket</term>

1488

<listitem><para>a packet dependent on the pipe name (probably the interface) and the op number)</para></listitem></varlistentry>

1489

</variablelist>

1490

1491

</sect3>

1492

1493

<sect3>

1494

<title>RPC_ResNorm RW</title>

1495

1496

1497

1498

<term>UINT32 allochint</term>

1499

<listitem><para># size of the stub data in bytes</para></listitem></varlistentry>

1500

1501

<term>UINT16 prescontext</term>

1502

<listitem><para># presentation context identifier (same as request)</para></listitem></varlistentry>

1503

1504

<term>UINT8 cancelcount</term>

1505

<listitem><para># cancel count? (0x0)</para></listitem></varlistentry>

1506

1507

<term>UINT8 reserved</term>

1508

<listitem><para># 0 - one byte padding</para></listitem></varlistentry>

1509

1510

<term>* stub USE TvPacket</term>

1511

<listitem><para># the remainder of the reply</para></listitem></varlistentry>

1512

</variablelist>

1513

</sect3>

1514

1515

</sect2>

1516

1517

<sect2>

1518

1519

1520

<para>The end of each of the NTLSA and NETLOGON named pipes ends with:</para>

1521

1522

1523

1524

1525

1526

</varlistentry>

1527

1528

1529

<listitem><para>return code</para></listitem>

1530

</varlistentry>

1531

</variablelist>

1532

1533

</sect2>

1534

1535

<sect2>

1536

1537

1538

<para>

1539

RPC Binds are the process of associating an RPC pipe (e.g \PIPE\lsarpc)

1540

with a "transfer syntax" (see RPC_Iface structure). The purpose for doing

1541

this is unknown.

1542

</para>

1543

1544

<para><emphasis>Note: The RPC_ResBind SMB Transact request is sent with two uint16 setup parameters. The first is 0x0026; the second is the file handle

1545

returned by the SMBopenX Transact response.</emphasis></para>

1546

1547

<para><emphasis>Note: The RPC_ResBind members maxtsize, maxrsize and assocgid are the same in the response as the same members in the RPC_ReqBind. The

1548

RPC_ResBind member transfersyntax is the same in the response as

1549

the</emphasis></para>

1550

1551

<para><emphasis>Note: The RPC_ResBind response member secondaddr contains the name of what is presumed to be the service behind the RPC pipe. The

1552

mapping identified so far is:</emphasis></para>

1553

1554

1555

1556

1557

<term>initial SMBopenX request:</term>

1558

<listitem><para>RPC_ResBind response:</para></listitem>

1559

</varlistentry>

1560

1561

1562

<term>"\\PIPE\\srvsvc"</term>

1563

<listitem><para>"\\PIPE\\ntsvcs"</para></listitem>

1564

</varlistentry>

1565

1566

1567

<listitem><para>"\\PIPE\\lsass"</para></listitem>

1568

</varlistentry>

1569

1570

<term>"\\PIPE\\lsarpc"</term>

1571

<listitem><para>"\\PIPE\\lsass"</para></listitem>

1572

</varlistentry>

1573

1574

<term>"\\PIPE\\wkssvc"</term>

1575

<listitem><para>"\\PIPE\\wksvcs"</para></listitem>

1576

</varlistentry>

1577

1578

<term>"\\PIPE\\NETLOGON"</term>

1579

<listitem><para>"\\PIPE\\NETLOGON"</para></listitem>

1580

</varlistentry>

1581

</variablelist>

1582

1583

<para><emphasis>Note: The RPC_Packet fraglength member in both the Bind Request and Bind Acknowledgment must contain the length of the entire RPC data, including the RPC_Packet header.</emphasis></para>

1584

1585

<para>Request:</para>

1586

1587

1588

<member>RPC_Packet</member>

1589

<member>RPC_ReqBind</member>

1590

</simplelist>

1591

1592

<para>Response:</para>

1593

1594

<member>RPC_Packet</member>

1595

<member>RPC_ResBind</member>

1596

</simplelist>

1597

1598

</sect2>

1599

1600

<sect2>

1601

<title>NTLSA Transact Named Pipe</title>

1602

1603

<para>The sequence of actions taken on this pipe are:</para>

1604

1605

1606

<member>Establish a connection to the IPC$ share (SMBtconX). use encrypted passwords.</member>

1607

<member>Open an RPC Pipe with the name "\\PIPE\\lsarpc". Store the file handle.</member>

1608

<member>Using the file handle, send a Set Named Pipe Handle state to 0x4300.</member>

1609

<member>Send an LSA Open Policy request. Store the Policy Handle.</member>

1610

<member>Using the Policy Handle, send LSA Query Info Policy requests, etc.</member>

1611

<member>Using the Policy Handle, send an LSA Close.</member>

1612

<member>Close the IPC$ share.</member>

1613

</simplelist>

1614

1615

<para>Defines for this pipe, identifying the query are:</para>

1616

1617

1618

<term>LSA Open Policy:</term>

1619

1620

</varlistentry>

1621

1622

<term>LSA Query Info Policy:</term>

1623

1624

</varlistentry>

1625

1626

<term>LSA Enumerate Trusted Domains:</term>

1627

1628

</varlistentry>

1629

1630

<term>LSA Open Secret:</term>

1631

1632

</varlistentry>

1633

1634

<term>LSA Lookup SIDs:</term>

1635

1636

</varlistentry>

1637

1638

<term>LSA Lookup Names:</term>

1639

1640

</varlistentry>

1641

1642

<term>LSA Close:</term>

1643

1644

</varlistentry>

1645

</variablelist>

1646

1647

</sect2>

1648

1649

<sect2>

1650

<title>LSA Open Policy</title>

1651

1652

<para><emphasis>Note: The policy handle can be anything you like.</emphasis></para>

1653

1654

<sect3>

1655

<title>Request</title>

1656

1657

1658

1659

1660

<listitem><para>buffer pointer</para></listitem>

1661

</varlistentry>

1662

1663

<term>UNISTR2</term>

1664

<listitem><para>server name - unicode string starting with two '\'s</para></listitem>

1665

</varlistentry>

1666

1667

1668

<listitem><para>object attributes</para></listitem>

1669

</varlistentry>

1670

1671

1672

<listitem><para>1 - desired access</para></listitem>

1673

</varlistentry>

1674

</variablelist>

1675

1676

</sect3>

1677

1678

<sect3>

1679

<title>Response</title>

1680

1681

1682

1683

1684

1685

<listitem><para>LSA policy handle</para></listitem>

1686

</varlistentry>

1687

1688

1689

<term>return</term>

1690

<listitem><para>0 - indicates success</para></listitem>

1691

</varlistentry>

1692

1693

</variablelist>

1694

1695

</sect3>

1696

1697

</sect2>

1698

1699

<sect2>

1700

<title>LSA Query Info Policy</title>

1701

1702

<para><emphasis>Note: The info class in response must be the same as that in the request.</emphasis></para>

1703

1704

<sect3>

1705

<title>Request</title>

1706

1707

1708

1709

1710

<listitem><para>LSA policy handle</para></listitem></varlistentry>

1711

1712

1713

<listitem><para>info class (also a policy handle?)</para></listitem></varlistentry>

1714

</variablelist>

1715

1716

</sect3>

1717

1718

<sect3>

1719

<title>Response</title>

1720

1721

1722

1723

1724

<listitem><para>undocumented buffer pointer</para></listitem>

1725

</varlistentry>

1726

1727

1728

<listitem><para>info class (same as info class in request).</para></listitem>

1729

</varlistentry>

1730

1731

</variablelist>

1732

1733

1734

switch (info class)

1735

case 3:

1736

case 5:

1737

{

1738

DOM_INFO domain info, levels 3 and 5 (are the same).

1739

}

1740

1741

return 0 - indicates success

1742

</programlisting></para>

1743

1744

</sect3>

1745

1746

</sect2>

1747

1748

<sect2>

1749

<title>LSA Enumerate Trusted Domains</title>

1750

1751

<sect3>

1752

<title>Request</title>

1753

1754

<para>no extra data</para>

1755

1756

</sect3>

1757

1758

<sect3>

1759

<title>Response</title>

1760

1761

1762

1763

1764

<listitem><para>0 - enumeration context</para></listitem>

1765

</varlistentry>

1766

1767

1768

<listitem><para>0 - entries read</para></listitem>

1769

</varlistentry>

1770

1771

1772

<listitem><para>0 - trust information</para></listitem>

1773

</varlistentry>

1774

1775

<term>return</term>

1776

<listitem><para>0x8000 001a - "no trusted domains" success code</para></listitem>

1777

</varlistentry>

1778

</variablelist>

1779

1780

</sect3>

1781

</sect2>

1782

1783

<sect2>

1784

<title>LSA Open Secret</title>

1785

1786

<sect3>

1787

<title>Request</title>

1788

1789

<para>no extra data</para>

1790

1791

</sect3>

1792

1793

<sect3>

1794

<title>Response</title>

1795

1796

1797

1798

1799

<listitem><para>0 - undocumented</para></listitem>

1800

</varlistentry>

1801

1802

1803

<listitem><para>0 - undocumented</para></listitem>

1804

</varlistentry>

1805

1806

1807

<listitem><para>0 - undocumented</para></listitem>

1808

</varlistentry>

1809

1810

1811

<listitem><para>0 - undocumented</para></listitem>

1812

</varlistentry>

1813

1814

1815

<listitem><para>0 - undocumented</para></listitem>

1816

</varlistentry>

1817

</variablelist>

1818

1819

<para>return 0x0C00 0034 - "no such secret" success code</para>

1820

1821

</sect3>

1822

1823

</sect2>

1824

1825

<sect2>

1826

<title>LSA Close</title>

1827

1828

<sect3>

1829

<title>Request</title>

1830

1831

1832

1833

1834

<listitem><para>policy handle to be closed</para></listitem>

1835

</varlistentry>

1836

</variablelist>

1837

1838

</sect3>

1839

1840

<sect3>

1841

<title>Response</title>

1842

1843

1844

1845

1846

<listitem><para>0s - closed policy handle (all zeros)</para></listitem></varlistentry>

1847

</variablelist>

1848

1849

<para>return 0 - indicates success</para>

1850

1851

</sect3>

1852

</sect2>

1853

1854

<sect2>

1855

<title>LSA Lookup SIDS</title>

1856

1857

<para><emphasis>Note: num_entries in response must be same as num_entries in request.</emphasis></para>

1858

1859

<sect3>

1860

<title>Request</title>

1861

1862

1863

1864

1865

<listitem><para>LSA policy handle</para></listitem>

1866

</varlistentry>

1867

1868

1869

<listitem><para>num_entries</para></listitem>

1870

</varlistentry>

1871

1872

1873

<listitem><para>undocumented domain SID buffer pointer</para></listitem>

1874

</varlistentry>

1875

1876

1877

<listitem><para>undocumented domain name buffer pointer</para></listitem>

1878

</varlistentry>

1879

1880

<term>VOID*[num_entries] undocumented domain SID pointers to be looked up.

1881

</term>

1882

<listitem><para>DOM_SID[num_entries] domain SIDs to be looked up.</para></listitem></varlistentry>

1883

1884

1885

<listitem><para>completely undocumented 16 bytes.</para></listitem>

1886

</varlistentry>

1887

</variablelist>

1888

1889

</sect3>

1890

1891

<sect3>

1892

<title>Response</title>

1893

1894

1895

1896

1897

<listitem><para>domain reference response</para></listitem></varlistentry>

1898

1899

1900

<listitem><para>num_entries (listed above)</para></listitem></varlistentry>

1901

1902

1903

<listitem><para>undocumented buffer pointer</para></listitem></varlistentry>

1904

1905

1906

<listitem><para>num_entries (listed above)</para></listitem></varlistentry>

1907

1908

<term>DOM_SID2[num_entries]</term>

1909

<listitem><para>domain SIDs (from Request, listed above).</para></listitem></varlistentry>

1910

1911

1912

<listitem><para>num_entries (listed above)</para></listitem></varlistentry>

1913

</variablelist>

1914

1915

<para>return 0 - indicates success</para>

1916

1917

</sect3>

1918

1919

</sect2>

1920

1921

<sect2>

1922

<title>LSA Lookup Names</title>

1923

1924

<para><emphasis>Note: num_entries in response must be same as num_entries in request.</emphasis></para>

1925

1926

<sect3>

1927

<title>Request</title>

1928

1929

1930

1931

1932

<listitem><para>LSA policy handle</para></listitem>

1933

</varlistentry>

1934

1935

1936

<listitem><para>num_entries</para></listitem>

1937

</varlistentry>

1938

1939

1940

<listitem><para>num_entries</para></listitem>

1941

</varlistentry>

1942

1943

1944

<listitem><para>undocumented domain SID buffer pointer</para></listitem>

1945

</varlistentry>

1946

1947

1948

<listitem><para>undocumented domain name buffer pointer</para></listitem>

1949

</varlistentry>

1950

1951

<term>NAME[num_entries]</term>

1952

<listitem><para>names to be looked up.</para></listitem>

1953

</varlistentry>

1954

1955

1956

<listitem><para>undocumented bytes - falsely translated SID structure?</para></listitem>

1957

</varlistentry>

1958

</variablelist>

1959

1960

</sect3>

1961

1962

<sect3>

1963

<title>Response</title>

1964

1965

1966

1967

1968

<listitem><para>domain reference response</para></listitem></varlistentry>

1969

1970

1971

<listitem><para>num_entries (listed above)</para></listitem></varlistentry>

1972

1973

1974

<listitem><para>undocumented buffer pointer</para></listitem></varlistentry>

1975

1976

1977

<listitem><para>num_entries (listed above)</para></listitem></varlistentry>

1978

1979

<term>DOM_RID[num_entries]</term>

1980

<listitem><para>domain SIDs (from Request, listed above).</para></listitem></varlistentry>

1981

1982

1983

<listitem><para>num_entries (listed above)</para></listitem></varlistentry>

1984

</variablelist>

1985

1986

<para>return 0 - indicates success</para>

1987

1988

</sect3>

1989

</sect2>

1990

</sect1>

1991

1992

<sect1>

1993

<title>NETLOGON rpc Transact Named Pipe</title>

1994

1995

<para>The sequence of actions taken on this pipe are:</para>

1996

1997

1998

<member>tablish a connection to the IPC$ share (SMBtconX). use encrypted passwords.</member>

1999

<member>en an RPC Pipe with the name "\\PIPE\\NETLOGON". Store the file handle.</member>

2000

<member>ing the file handle, send a Set Named Pipe Handle state to 0x4300.</member>

2001

<member>eate Client Challenge. Send LSA Request Challenge. Store Server Challenge.</member>

2002

<member>lculate Session Key. Send an LSA Auth 2 Challenge. Store Auth2 Challenge.</member>

2003

<member>lc/Verify Client Creds. Send LSA Srv PW Set. Calc/Verify Server Creds.</member>

2004

<member>lc/Verify Client Creds. Send LSA SAM Logon . Calc/Verify Server Creds.</member>

2005

<member>lc/Verify Client Creds. Send LSA SAM Logoff. Calc/Verify Server Creds.</member>

2006

<member>ose the IPC$ share.</member>

2007

</simplelist>

2008

2009

<para>Defines for this pipe, identifying the query are</para>

2010

2011

2012

2013

<term>LSA Request Challenge:</term>

2014

2015

</varlistentry>

2016

2017

<term>LSA Server Password Set:</term>

2018

2019

</varlistentry>

2020

2021

<term>LSA SAM Logon:</term>

2022

2023

</varlistentry>

2024

2025

<term>LSA SAM Logoff:</term>

2026

2027

</varlistentry>

2028

2029

2030

2031

</varlistentry>

2032

2033

<term>LSA Logon Control:</term>

2034

2035

</varlistentry>

2036

</variablelist>

2037

2038

<sect2>

2039

<title>LSA Request Challenge</title>

2040

2041

<para><emphasis>Note: logon server name starts with two '\' characters and is upper case.</emphasis></para>

2042

2043

<para><emphasis>Note: logon client is the machine, not the user.</emphasis></para>

2044

2045

<para><emphasis>Note: the initial LanManager password hash, against which the challenge is issued, is the machine name itself (lower case). there will becalls issued (LSA Server Password Set) which will change this, later. refusing these calls allows you to always deal with the same password (i.e the LM# of the machine name in lower case).</emphasis></para>

2046

2047

<sect3>

2048

<title>Request</title>

2049

2050

2051

2052

2053

<listitem><para>undocumented buffer pointer</para></listitem>

2054

</varlistentry>

2055

2056

<term>UNISTR2</term>

2057

<listitem><para>logon server unicode string</para></listitem>

2058

</varlistentry>

2059

2060

<term>UNISTR2</term>

2061

<listitem><para>logon client unicode string</para></listitem>

2062

</varlistentry>

2063

2064

2065

<listitem><para>client challenge</para></listitem>

2066

</varlistentry>

2067

</variablelist>

2068

2069

</sect3>

2070

2071

<sect3>

2072

<title>Response</title>

2073

2074

2075

2076

2077

<listitem><para>server challenge</para></listitem>

2078

</varlistentry>

2079

</variablelist>

2080

2081

<para>return 0 - indicates success</para>

2082

2083

</sect3>

2084

2085

</sect2>

2086

2087

<sect2>

2088

<title>LSA Authenticate 2</title>

2089

2090

<para><emphasis>Note: in between request and response, calculate the client credentials, and check them against the client-calculated credentials (this process uses the previously received client credentials).</emphasis></para>

2091

2092

<para><emphasis>Note: neg_flags in the response is the same as that in the request.</emphasis></para>

2093

2094

<para><emphasis>Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets.</emphasis></para>

2095

2096

<sect3>

2097

<title>Request</title>

2098

2099

2100

2101

2102

<listitem><para>client identification info</para></listitem>

2103

</varlistentry>

2104

2105

2106

<listitem><para>client-calculated credentials</para></listitem>

2107

</varlistentry>

2108

2109

2110

<listitem><para>padding to 4-byte align with start of SMB header.</para></listitem></varlistentry>

2111

2112

2113

<listitem><para>neg_flags - negotiated flags (usual value is 0x0000 01ff)</para></listitem></varlistentry>

2114

</variablelist>

2115

2116

</sect3>

2117

2118

<sect3>

2119

<title>Response</title>

2120

2121

2122

2123

2124

<listitem><para>server credentials.</para></listitem>

2125

</varlistentry>

2126

2127

2128

<listitem><para>neg_flags - same as neg_flags in request.</para></listitem>

2129

</varlistentry>

2130

</variablelist>

2131

2132

<para>return 0 - indicates success. failure value unknown.</para>

2133

2134

</sect3>

2135

2136

</sect2>

2137

2138

<sect2>

2139

<title>LSA Server Password Set</title>

2140

2141

<para><emphasis>Note: the new password is suspected to be a DES encryption using the old password to generate the key.</emphasis></para>

2142

2143

2144

2145

<para><emphasis>Note: the server credentials are constructed from the client-calculated credentials and the client time + 1 second.</emphasis></para>

2146

2147

<para><emphasis>Note: you must take a copy of the client-calculated credentials received here, because they will be used in subsequent authentication packets.</emphasis></para>

2148

2149

<sect3>

2150

<title>Request</title>

2151

2152

2153

2154

2155

<listitem><para>client identification/authentication info</para></listitem>

2156

</varlistentry>

2157

2158

2159

<listitem><para>new password - undocumented.</para></listitem>

2160

</varlistentry>

2161

</variablelist>

2162

2163

</sect3>

2164

2165

<sect3>

2166

<title>Response</title>

2167

2168

2169

2170

<term>CREDS</term>

2171

<listitem><para>server credentials. server time stamp appears to be ignored.</para></listitem>

2172

</varlistentry>

2173

</variablelist>

2174

2175

<para>return 0 - indicates success; 0xC000 006a indicates failure</para>

2176

2177

</sect3>

2178

</sect2>

2179

2180

<sect2>

2181

<title>LSA SAM Logon</title>

2182

2183

2184

Note: valid_user is True iff the username and password hash are valid for

2185

the requested domain.

2186

</emphasis></para>

2187

2188

<sect3>

2189

<title>Request</title>

2190

2191

2192

2193

<listitem><para>sam_id structure</para></listitem>

2194

</varlistentry>

2195

</variablelist>

2196

2197

</sect3>

2198

2199

<sect3>

2200

<title>Response</title>

2201

2202

2203

2204

2205

<listitem><para>undocumented buffer pointer</para></listitem>

2206

</varlistentry>

2207

2208

<term>CREDS</term>

2209

<listitem><para>server credentials. server time stamp appears to be ignored.</para></listitem>

2210

</varlistentry>

2211

</variablelist>

2212

2213

2214

if (valid_user)

2215

{

2216

UINT16 3 - switch value indicating USER_INFO structure.

2217

VOID* non-zero - pointer to USER_INFO structure

2218

USER_INFO user logon information

2219

2220

UINT32 1 - Authoritative response; 0 - Non-Auth?

2221

2222

return 0 - indicates success

2223

}

2224

else

2225

{

2226

UINT16 0 - switch value. value to indicate no user presumed.

2227

VOID* 0x0000 0000 - indicates no USER_INFO structure.

2228

2229

UINT32 1 - Authoritative response; 0 - Non-Auth?

2230

2231

return 0xC000 0064 - NT_STATUS_NO_SUCH_USER.

2232

}

2233

</programlisting></para>

2234

2235

</sect3>

2236

2237

</sect2>

2238

2239

<sect2>

2240

<title>LSA SAM Logoff</title>

2241

2242

2243

Note: presumably, the SAM_INFO structure is validated, and a (currently

2244

undocumented) error code returned if the Logoff is invalid.

2245

</emphasis></para>

2246

2247

<sect3>

2248

<title>Request</title>

2249

2250

2251

2252

2253

<listitem><para>sam_id structure</para></listitem>

2254

</varlistentry>

2255

</variablelist>

2256

2257

</sect3>

2258

2259

<sect3>

2260

<title>Response</title>

2261

2262

2263

2264

2265

<listitem><para>undocumented buffer pointer</para></listitem>

2266

</varlistentry>

2267

2268

<term>CREDS</term>

2269

<listitem><para>server credentials. server time stamp appears to be ignored.</para></listitem>

2270

</varlistentry>

2271

</variablelist>

2272

2273

<para>return 0 - indicates success. undocumented failure indication.</para>

2274

2275

</sect3>

2276

</sect2>

2277

</sect1>

2278

2279

<sect1>

2280

<title>\\MAILSLOT\NET\NTLOGON</title>

2281

2282

2283

Note: mailslots will contain a response mailslot, to which the response

2284

should be sent. the target NetBIOS name is REQUEST_NAME<20>, where

2285

REQUEST_NAME is the name of the machine that sent the request.

2286

</emphasis></para>

2287

2288

<sect2>

2289

<title>Query for PDC</title>

2290

2291

<para><emphasis>Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request.</emphasis></para>

2292

2293

<sect3>

2294

<title>Request</title>

2295

2296

2297

2298

2299

<listitem><para>0x0007 - Query for PDC</para></listitem>

2300

</varlistentry>

2301

2302

2303

<listitem><para>machine name</para></listitem>

2304

</varlistentry>

2305

2306

2307

<listitem><para>response mailslot</para></listitem>

2308

</varlistentry>

2309

2310

2311

<listitem><para>padding to 2-byte align with start of mailslot.</para></listitem>

2312

</varlistentry>

2313

2314

<term>UNISTR</term>

2315

<listitem><para>machine name</para></listitem>

2316

</varlistentry>

2317

2318

2319

<listitem><para>NTversion</para></listitem>

2320

</varlistentry>

2321

2322

2323

<listitem><para>LMNTtoken</para></listitem>

2324

</varlistentry>

2325

2326

2327

<listitem><para>LM20token</para></listitem>

2328

</varlistentry>

2329

</variablelist>

2330

2331

</sect3>

2332

2333

<sect3>

2334

<title>Response</title>

2335

2336

2337

2338

2339

<listitem><para>0x000A - Respose to Query for PDC</para></listitem></varlistentry>

2340

2341

2342

<listitem><para>machine name (in uppercase)</para></listitem></varlistentry>

2343

2344

2345

<listitem><para>padding to 2-byte align with start of mailslot.</para></listitem>

2346

</varlistentry>

2347

2348

<term>UNISTR</term>

2349

<listitem><para>machine name</para></listitem>

2350

</varlistentry>

2351

2352

<term>UNISTR</term>

2353

<listitem><para>domain name</para></listitem></varlistentry>

2354

2355

2356

<listitem><para>NTversion (same as received in request)</para></listitem></varlistentry>

2357

2358

2359

<listitem><para>LMNTtoken (same as received in request)</para></listitem></varlistentry>

2360

2361

2362

<listitem><para>LM20token (same as received in request)</para></listitem></varlistentry>

2363

</variablelist>

2364

2365

</sect3>

2366

</sect2>

2367

2368

<sect2>

2369

<title>SAM Logon</title>

2370

2371

<para><emphasis>Note: machine name in response is preceded by two '\' characters.</emphasis></para>

2372

2373

<para><emphasis>Note: NTversion, LMNTtoken, LM20token in response are the same as those given in the request.</emphasis></para>

2374

2375

<para><emphasis>Note: user name in the response is presumably the same as that in the request.</emphasis></para>

2376

2377

<sect3>

2378

<title>Request</title>

2379

2380

2381

2382

2383

<listitem><para>0x0012 - SAM Logon</para></listitem>

2384

</varlistentry>

2385

2386

2387

<listitem><para>request count</para></listitem>

2388

</varlistentry>

2389

2390

<term>UNISTR</term>

2391

<listitem><para>machine name</para></listitem>

2392

</varlistentry>

2393

2394

<term>UNISTR</term>

2395

2396

</varlistentry>

2397

2398

2399

<listitem><para>response mailslot</para></listitem>

2400

</varlistentry>

2401

2402

2403

<listitem><para>alloweable account</para></listitem>

2404

</varlistentry>

2405

2406

2407

<listitem><para>domain SID size</para></listitem>

2408

</varlistentry>

2409

2410

2411

<listitem><para>domain SID, of sid_size bytes.</para></listitem>

2412

</varlistentry>

2413

2414

2415

<listitem><para>???? padding to 4? 2? -byte align with start of mailslot.</para></listitem>

2416

</varlistentry>

2417

2418

2419

<listitem><para>NTversion</para></listitem>

2420

</varlistentry>

2421

2422

2423

<listitem><para>LMNTtoken</para></listitem>

2424

</varlistentry>

2425

2426

2427

<listitem><para>LM20token</para></listitem>

2428

</varlistentry>

2429

</variablelist>

2430

2431

</sect3>

2432

2433

<sect3>

2434

<title>Response</title>

2435

2436

2437

2438

2439

<listitem><para>0x0013 - Response to SAM Logon</para></listitem>

2440

</varlistentry>

2441

2442

<term>UNISTR</term>

2443

<listitem><para>machine name</para></listitem>

2444

</varlistentry>

2445

2446

<term>UNISTR</term>

2447

<listitem><para>user name - workstation trust account</para></listitem>

2448

</varlistentry>

2449

2450

<term>UNISTR</term>

2451

<listitem><para>domain name </para></listitem>

2452

</varlistentry>

2453

2454

2455

<listitem><para>NTversion</para></listitem>

2456

</varlistentry>

2457

2458

2459

<listitem><para>LMNTtoken</para></listitem>

2460

</varlistentry>

2461

2462

2463

<listitem><para>LM20token</para></listitem>

2464

</varlistentry>

2465

</variablelist>

2466

2467

</sect3>

2468

</sect2>

2469

</sect1>

2470

2471

<sect1>

2472

<title>SRVSVC Transact Named Pipe</title>

2473

2474

<para>Defines for this pipe, identifying the query are:</para>

2475

2476

2477

2478

<term>Net Share Enum</term>

2479

2480

</varlistentry>

2481

2482

<term>Net Server Get Info</term>

2483

2484

</varlistentry>

2485

2486

</variablelist>

2487

2488

<sect2>

2489

<title>Net Share Enum</title>

2490

2491

<para><emphasis>Note: share level and switch value in the response are presumably the same as those in the request.</emphasis></para>

2492

2493

<para><emphasis>Note: cifsrap2.txt (section 5) may be of limited assistance here.</emphasis></para>

2494

2495

<sect3>

2496

<title>Request</title>

2497

2498

2499

2500

2501

<listitem><para>pointer (to server name?)</para></listitem></varlistentry>

2502

2503

<term>UNISTR2</term>

2504

<listitem><para>server name</para></listitem>

2505

</varlistentry>

2506

2507

2508

<listitem><para>padding to get unicode string 4-byte aligned with the start of the SMB header.</para></listitem>

2509

</varlistentry>

2510

2511

2512

<listitem><para>share level</para></listitem>

2513

</varlistentry>

2514

2515

2516

<listitem><para>switch value</para></listitem>

2517

</varlistentry>

2518

2519

2520

<listitem><para>pointer to SHARE_INFO_1_CTR</para></listitem>

2521

</varlistentry>

2522

2523

<term>SHARE_INFO_1_CTR</term>

2524

<listitem><para>share info with 0 entries</para></listitem>

2525

</varlistentry>

2526

2527

2528

<listitem><para>preferred maximum length (0xffff ffff)</para></listitem></varlistentry>

2529

</variablelist>

2530

</sect3>

2531

2532

<sect3>

2533

<title>Response</title>

2534

2535

2536

2537

2538

<listitem><para>share level</para></listitem>

2539

</varlistentry>

2540

2541

2542

<listitem><para>switch value</para></listitem>

2543

</varlistentry>

2544

2545

2546

<listitem><para>pointer to SHARE_INFO_1_CTR</para></listitem></varlistentry>

2547

2548

<term>SHARE_INFO_1_CTR</term>

2549

<listitem><para>share info (only added if share info ptr is non-zero)</para></listitem></varlistentry>

2550

</variablelist>

2551

2552

<para>return 0 - indicates success</para>

2553

2554

</sect3>

2555

</sect2>

2556

2557

<sect2>

2558

<title>Net Server Get Info</title>

2559

2560

<para><emphasis>Note: level is the same value as in the request.</emphasis></para>

2561

2562

<sect3>

2563

<title>Request</title>

2564

2565

2566

2567

<term>UNISTR2</term>

2568

<listitem><para>server name</para></listitem>

2569

</varlistentry>

2570

2571

2572

<listitem><para>switch level</para></listitem>

2573

</varlistentry>

2574

</variablelist>

2575

2576

</sect3>

2577

2578

<sect3>

2579

<title>Response</title>

2580

2581

2582

2583

2584

<listitem><para>switch level</para></listitem>

2585

</varlistentry>

2586

2587

2588

<listitem><para>pointer to SERVER_INFO_101</para></listitem>

2589

</varlistentry>

2590

2591

<term>SERVER_INFO_101</term>

2592

<listitem><para>server info (only added if server info ptr is non-zero)</para></listitem></varlistentry>

2593

</variablelist>

2594

2595

<para>return 0 - indicates success</para>

2596

2597

</sect3>

2598

</sect2>

2599

</sect1>

2600

2601

<sect1>

2602

<title>Cryptographic side of NT Domain Authentication</title>

2603

2604

<sect2>

2605

<title>Definitions</title>

2606

2607

2608

2609

2610

<listitem><para>Intel byte ordered addition of corresponding 4 byte words in arrays A1 and A2</para></listitem>

2611

</varlistentry>

2612

2613

2614

2615

<listitem><para>DES ECB encryption of 8 byte data D using 7 byte key K</para></listitem>

2616

</varlistentry>

2617

2618

2619

<term>lmowf()</term>

2620

2621

</varlistentry>

2622

2623

2624

<term>ntowf()</term>

2625

2626

</varlistentry>

2627

2628

2629

2630

<listitem><para>md4(machine_password) == md4(lsadump $machine.acc) ==

2631

pwdump(machine$) (initially) == md4(lmowf(unicode(machine)))

2632

</para></listitem>

2633

</varlistentry>

2634

2635

2636

2637

<listitem><para>ARC4 encryption of data D of length Ld with key K of length Lk</para></listitem>

2638

</varlistentry>

2639

2640

2641

2642

<listitem><para>subset of v from bytes m to n, optionally padded with zeroes to length l</para></listitem>

2643

</varlistentry>

2644

2645

2646

2647

<listitem><para>E(K[7..7,7],E(K[0..6],D)) computes a credential</para></listitem>

2648

</varlistentry>

2649

2650

2651

2652

<listitem><para>4 byte current time</para></listitem>

2653

</varlistentry>

2654

2655

2656

2657

<listitem><para>8 byte client and server challenges Rc,Rs: 8 byte client and server credentials</para></listitem>

2658

</varlistentry>

2659

2660

</variablelist>

2661

2662

</sect2>

2663

2664

<sect2>

2665

<title>Protocol</title>

2666

2667

2668

C->S ReqChal,Cc

2669

S->C Cs

2670

</programlisting>

2671

2672

2673

C & S compute session key Ks = E(PW[9..15],E(PW[0..6],Add(Cc,Cs)))

2674

</programlisting>

2675

2676

2677

C: Rc = Cred(Ks,Cc)

2678

C->S Authenticate,Rc

2679

S: Rs = Cred(Ks,Cs), assert(Rc == Cred(Ks,Cc))

2680

S->C Rs

2681

C: assert(Rs == Cred(Ks,Cs))

2682

</programlisting>

2683

2684

<para>

2685

On joining the domain the client will optionally attempt to change its

2686

password and the domain controller may refuse to update it depending

2687

on registry settings. This will also occur weekly afterwards.

2688

</para>

2689

2690

2691

C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc)

2692

C->S ServerPasswordSet,Rc',Tc,arc4(Ks[0..7,16],lmowf(randompassword())

2693

C: Rc = Cred(Ks,Rc+Tc+1)

2694

S: assert(Rc' == Cred(Ks,Rc+Tc)), Ts = Time()

2695

S: Rs' = Cred(Ks,Rs+Tc+1)

2696

S->C Rs',Ts

2697

C: assert(Rs' == Cred(Ks,Rs+Tc+1))

2698

S: Rs = Rs'

2699

</programlisting>

2700

2701

<para>

2702

User: U with password P wishes to login to the domain (incidental data

2703

such as workstation and domain omitted)

2704

</para>

2705

2706

2707

C: Tc = Time(), Rc' = Cred(Ks,Rc+Tc)

2708

C->S NetLogonSamLogon,Rc',Tc,U,arc4(Ks[0..7,16],16,ntowf(P),16), arc4(Ks[0..7,16],16,lmowf(P),16)

2709

S: assert(Rc' == Cred(Ks,Rc+Tc)) assert(passwords match those in SAM)

2710

S: Ts = Time()

2711

</programlisting>

2712

2713

2714

S->C Cred(Ks,Cred(Ks,Rc+Tc+1)),userinfo(logon script,UID,SIDs,etc)

2715

C: assert(Rs == Cred(Ks,Cred(Rc+Tc+1))

2716

C: Rc = Cred(Ks,Rc+Tc+1)

2717

</programlisting>

2718

2719

</sect2>

2720

2721

<sect2>

2722

<title>Comments</title>

2723

2724

<para>

2725

On first joining the domain the session key could be computed by

2726

anyone listening in on the network as the machine password has a well

2727

known value. Until the machine is rebooted it will use this session

2728

key to encrypt NT and LM one way functions of passwords which are

2729

password equivalents. Any user who logs in before the machine has been

2730

rebooted a second time will have their password equivalent exposed. Of

2731

course the new machine password is exposed at this time anyway.

2732

</para>

2733

2734

<para>

2735

None of the returned user info such as logon script, profile path and

2736

SIDs *appear* to be protected by anything other than the TCP checksum.

2737

</para>

2738

2739

<para>

2740

The server time stamps appear to be ignored.

2741

</para>

2742

2743

<para>

2744

The client sends a ReturnAuthenticator in the SamLogon request which I

2745

can't find a use for. However its time is used as the timestamp

2746

returned by the server.

2747

</para>

2748

2749

<para>

2750

The password OWFs should NOT be sent over the network reversibly

2751

encrypted. They should be sent using ARC4(Ks,md4(owf)) with the server

2752

computing the same function using the owf values in the SAM.

2753

</para>

2754

2755

</sect2>

2756

</sect1>

2757

2758

<sect1>

2759

2760

2761

<para>

2762

SIDs and RIDs are well documented elsewhere.

2763

</para>

2764

2765

<para>

2766

A SID is an NT Security ID (see DOM_SID structure). They are of the form:

2767

</para>

2768

2769

2770

<member>revision-NN-SubAuth1-SubAuth2-SubAuth3... </member>

2771

<member>revision-0xNNNNNNNNNNNN-SubAuth1-SubAuth2-SubAuth3...</member>

2772

</simplelist>

2773

2774

<para>

2775

currently, the SID revision is 1.

2776

The Sub-Authorities are known as Relative IDs (RIDs).

2777

</para>

2778

2779

<sect2>

2780

<title>Well-known SIDs</title>

2781

2782

<sect3>

2783

<title>Universal well-known SIDs</title>

2784

2785

2786

2787

2788

2789

</varlistentry>

2790

2791

<term>World</term>

2792

2793

</varlistentry>

2794

2795

<term>Local</term>

2796

2797

</varlistentry>

2798

2799

<term>Creator Owner ID</term>

2800

2801

</varlistentry>

2802

2803

<term>Creator Group ID</term>

2804

2805

</varlistentry>

2806

2807

<term>Creator Owner Server ID</term>

2808

2809

</varlistentry>

2810

2811

<term>Creator Group Server ID</term>

2812

2813

</varlistentry>

2814

2815

<term>(Non-unique IDs)</term>

2816

2817

</varlistentry>

2818

</variablelist>

2819

2820

</sect3>

2821

2822

<sect3>

2823

<title>NT well-known SIDs</title>

2824

2825

2826

2827

<term>NT Authority</term>

2828

2829

</varlistentry>

2830

2831

<term>Dialup</term>

2832

2833

</varlistentry>

2834

2835

<term>Network</term>

2836

2837

</varlistentry>

2838

2839

<term>Batch</term>

2840

2841

</varlistentry>

2842

2843

<term>Interactive</term>

2844

2845

</varlistentry>

2846

2847

<term>Service</term>

2848

2849

2850

<term>AnonymousLogon(aka null logon session)</term>

2851

2852

</varlistentry>

2853

2854

<term>Proxy</term>

2855

2856

2857

<term>ServerLogon(aka domain controller account)</term>

2858

2859

</varlistentry>

2860

2861

<term>(Logon IDs)</term>

2862

2863

</varlistentry>

2864

2865

<term>(NT non-unique IDs)</term>

2866

2867

</varlistentry>

2868

2869

<term>(Built-in domain)</term>

2870

2871

</varlistentry>

2872

</variablelist>

2873

2874

</sect3>

2875

</sect2>

2876

2877

<sect2>

2878

<title>Well-known RIDS</title>

2879

2880

<para>

2881

A RID is a sub-authority value, as part of either a SID, or in the case

2882

of Group RIDs, part of the DOM_GID structure, in the USER_INFO_1

2883

structure, in the LSA SAM Logon response.

2884

</para>

2885

2886

<sect3>

2887

<title>Well-known RID users</title>

2888

2889

2890

<segtitle>Groupname</segtitle>

2891

2892

2893

<seglistitem><seg>DOMAIN_USER_RID_ADMIN</seg><seg>0x0000</seg><seg>01F4</seg></seglistitem>

2894

<seglistitem><seg>DOMAIN_USER_RID_GUEST</seg><seg>0x0000</seg><seg>01F5</seg></seglistitem>

2895

</segmentedlist>

2896

2897

</sect3>

2898

2899

<sect3>

2900

<title>Well-known RID groups</title>

2901

2902

2903

<segtitle>Groupname</segtitle>

2904

2905

2906

<seglistitem><seg> DOMAIN_GROUP_RID_ADMINS</seg><seg>0x0000</seg><seg>0200</seg></seglistitem>

2907

<seglistitem><seg> DOMAIN_GROUP_RID_USERS</seg><seg>0x0000</seg><seg>0201</seg></seglistitem>

2908

<seglistitem><seg> DOMAIN_GROUP_RID_GUESTS</seg><seg>0x0000</seg><seg>0202</seg></seglistitem>

2909

</segmentedlist>

2910

2911

</sect3>

2912

2913

<sect3>

2914

<title>Well-known RID aliases</title>

2915

2916

2917

<segtitle>Groupname</segtitle>

2918

2919

2920

<seglistitem><seg> DOMAIN_ALIAS_RID_ADMINS</seg><seg>0x0000</seg><seg>0220</seg></seglistitem>

2921

<seglistitem><seg> DOMAIN_ALIAS_RID_USERS</seg><seg>0x0000</seg><seg>0221</seg></seglistitem>

2922

<seglistitem><seg> DOMAIN_ALIAS_RID_GUESTS</seg><seg>0x0000</seg><seg>0222</seg></seglistitem>

2923

<seglistitem><seg> DOMAIN_ALIAS_RID_POWER_USERS</seg><seg>0x0000</seg><seg>0223</seg></seglistitem>

2924

<seglistitem><seg> DOMAIN_ALIAS_RID_ACCOUNT_OPS</seg><seg>0x0000</seg><seg>0224</seg></seglistitem>

2925

<seglistitem><seg> DOMAIN_ALIAS_RID_SYSTEM_OPS</seg><seg>0x0000</seg><seg>0225</seg></seglistitem>

2926

<seglistitem><seg> DOMAIN_ALIAS_RID_PRINT_OPS</seg><seg>0x0000</seg><seg>0226</seg></seglistitem>

2927

<seglistitem><seg> DOMAIN_ALIAS_RID_BACKUP_OPS</seg><seg>0x0000</seg><seg>0227</seg></seglistitem>

2928

<seglistitem><seg> DOMAIN_ALIAS_RID_REPLICATOR</seg><seg>0x0000</seg><seg>0228</seg></seglistitem>

2929

</segmentedlist>

2930

2931

</sect3>

2932

</sect2>

2933

</sect1>

2934

</chapter>