NT Domain Authentication Protocol - draft
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Wed Oct 1 12:29:18 GMT 1997
attached is a draft protocol, derived from packet traces using NetMon.exe
from Service Pack 1, and from the authentication spec published a few
weeks ago by Paul Ashton (paul at argo.demon.co.uk) and myself.
it contains the SMB NETLOGON and ntlsa transact named pipes necessary to
provide Domain Logon services to NT workstation. the next version will
contain the UDP \\MAILSLOT\NET\NTLOGON services which are also needed,
and are also deriveable purely from packet traces using NetMon.exe.
the main issue to resolve with this spec is 4-byte SMB-header alignments
at the start of the various "structures".
Luke Kenneth Casson Leighton (lkcl at switchboard.net)
Web site under construction (http://mailhost.cb1.com/~lkcl)
"Confront difficulties while they are still easy"
NT Domain Authentication
------------------------
1) Structures and notes
-----------------------
- Domain SID is of the format S-revision-version-auth1-auth2...authN.
e.g S-1-5-123-456-789-123-456. the 5 could be a sub-revision.
- sizeof VOID* is 32 bits.
- UTIME is 32 bits, indicating time in seconds since 01jan1970. documented
in cifs6.txt.
- NTTIME is 64 bits, and is probably documented in cifs6.txt
- any undocumented buffer pointers must be non-zero if the string buffer it
refers to contains characters. exactly what value they should be is unknown.
0x0000 0002 seems to do the trick to indicate that the buffer exists. a
NULL buffer pointer indicates that the string buffer is of zero length.
- DOM_SID (domain SID structure) is:
UINT32 num of sub-authorities in domain SID
UINT8 SID revision number
UINT8 num of sub-authorities in domain SID
UINT8[6] 6 bytes for domain SID
UINT16[n_subauths] domain SID sub-authorities
- UNIHDR (unicode string header) is:
UINT16 max length of unicode string
UINT16 length of unicode string
UINT32 4 - undocumented.
- UNIHDR2 (unicode string header plus buffer pointer) is:
UNIHDR unicode string header
VOID* undocumented buffer pointer
- UNISTR (unicode string) is:
UINT16[] null-terminated string of unicode characters.
- UNISTR2 (aligned unicode string) is:
UINT8[] padding to get unicode string 4-byte aligned
with the start of the SMB header.
UINT32 max length of unicode string
UINT32 0 - undocumented
UINT32 length of unicode string
UINT16[] string of uncode characters.
- DOM_SID2 (domain SID structure, SIDS stored in unicode) is:
UINT32 5 - SID name use?
UINT32 0 - undocumented
UNIHDR2 domain SID unicode string header
UNISTR domain SID unicode string
- DOM_RID (domain RID structure) is:
UINT32 5 - well-known SID. 1 - user SID (see ShowACLs)
UINT32 5 - undocumented
UINT32 domain RID
UINT32 0 - domain index out of above reference domains
- LOG_INFO (server, account, client structure) is:
Note: logon server name starts with two '\' characters and is upper case.
Note: account name is the logon client name from the LSA Request Challenge,
with a $ on the end of it, in upper case.
VOID* undocumented buffer pointer
UNISTR2 logon server unicode string
UNISTR2 account name unicode string
UINT16 sec_chan - security channel type
UNISTR2 logon client machine unicode string
- CREDS (credentials + time stamp)
char[8] credentials
UTIME time stamp
- CLNT_INFO (server, account, client structure, client credentials) is:
Note: whenever this structure appears in a request, you must take a copy
of the client-calculated credentials received, because they will be
used in subsequent credential checks. the presumed intention is to
maintain an authenticated request/response trail.
LOG_INFO logon account info
CREDS client-calculated credentials + client time
- SAM_INFO (sam logon/logoff id info structure) is:
CLNT_INFO client identification/authentication info
CRED return credentials - ignored.
UINT16 logon level
UINT32 undocumented - auth_level?
switch (auth_level)
case 1:
{
UINT8[] ???? padding, for 4-byte alignment with SMB header?
UNIHDR domain name unicode header
UINT32 param control
UINT64 logon ID
UNIHDR user name unicode header
UNIHDR workgroup name unicode header
char[16] rc4 LM OWF Password
char[16] rc4 NT OWF Password
UNISTR2 domain name unicode string
UNISTR2 user name unicode string
UNISTR2 workgroup name unicode string
}
- GID (group id info) is:
UINT32 group id
UINT32 user attributes (only used by NT 3.1 and 3.51)
2) Transact Named Pipe Header/Tail
----------------------------------
2.1 Header
----------
The start of each of the NTLSA and NETLOGON named pipes begins with:
00 UINT8 5 - RPC major version
01 UINT8 0 - RPC minor version
02 UINT8 2 - RPC response packet
03 UINT8 3 - first frag + last frag
04 UINT32 0x0000 0010 - packed data representation
08 UINT16 fragment length - data size (bytes) inc header and tail.
0A UINT16 0 - authentication length
0C UINT32 call identifier. matches 12th UINT32 of incoming RPC data.
10 UINT32 allocation hint - data size (bytes) minus header and tail.
14 UINT16 0 - presentation context identifier
16 UINT8 0 - cancel count
17 UINT8 0 - reserved
18 ...... start of data (goes on for allocation_hint bytes)
2.2 Tail
--------
The end of each of the NTLSA and NETLOGON named pipes ends with:
...... end of data
UINT32 return code
3) NTLSA Transact Named Pipe
----------------------------
2.1) LSA Open Policy
--------------------
Note: The policy handle can be anything you like.
Request:
no extra data.
Response:
char[20] policy handle
return 0 - indicates success
2.2) LSA Query Info Policy
--------------------------
Note: The info class in response must be the same as that in the request.
Request:
starting from offset 44:
UINT16 info class (also a policy handle?)
Response:
VOID* undocumented buffer pointer
UINT16 info class (same as info class in request).
switch (info class)
case 3:
case 5:
{
UINT8[] ??? padding to get 4-byte alignment with start of SMB header
UINT16 domain name string length * 2
UINT16 domain name string length * 2
VOID* undocumented domain name string buffer pointer
VOID* undocumented domain SID string buffer pointer
UNISTR domain name (unicode string)
DOM_SID domain SID
}
return 0 - indicates success
2.3) LSA Enumerate Trusted Domains
----------------------------------
Request:
no extra data
Response:
UINT32 0 - enumeration context
UINT32 0 - entries read
UINT32 0 - trust information
return 0x8000 001a - "no trusted domains" success code
2.4) LSA Open Secret
--------------------
Request:
no extra data
Response:
UINT32 0 - undocumented
UINT32 0 - undocumented
UINT32 0 - undocumented
UINT32 0 - undocumented
UINT32 0 - undocumented
return 0x0C00 0034 - "no such secret" success code
2.5) LSA Close
--------------
Request:
no extra data
Response:
UINT32 0 - undocumented
UINT32 0 - undocumented
UINT32 0 - undocumented
UINT32 0 - undocumented
UINT32 0 - undocumented
return 0 - indicates success
2.6) LSA Lookup SIDS
--------------------
Note: num_entries in response must be same as num_entries in request.
Request:
char[20] policy handle
UINT32 num_entries
VOID* undocumented domain SID buffer pointer
VOID* undocumented domain name buffer pointer
VOID*[num_entries] undocumented domain SID pointers to be looked up.
DOM_SID[num_entries] domain SIDs to be looked up.
char[16] completely undocumented 16 bytes.
Response:
VOID* undocumented buffer pointer.
UINT32 num referenced domains?
VOID* undocumented domain name buffer pointer.
UINT32 32 - max number of entries
UINT32 4 - num referenced domains?
UNIHDR2 domain name unicode string header
UNIHDR2[num_ref_doms] referenced domain unicode string headers
UNISTR domain name unicode string
DOM_SID domain SID
DOM_SID[num_ref_doms] referenced domain SIDs
UINT32 num_entries (listed above)
VOID* undocumented buffer pointer
UINT32 num_entries (listed above)
DOM_SID2[num_entries] domain SIDs (from Request, listed above).
UINT32 num_entries (listed above)
return 0 - indicates success
2.7) LSA Lookup Names
---------------------
Note: num_entries in response must be same as num_entries in request.
Request:
char[20] policy handle
UINT32 num_entries
UINT32 num_entries
VOID* undocumented domain SID buffer pointer
VOID* undocumented domain name buffer pointer
NAME[num_entries] names to be looked up.
char[] undocumented bytes - falsely translated SID structure?
Response:
VOID* undocumented buffer pointer.
UINT32 num referenced domains?
VOID* undocumented domain name buffer pointer.
UINT32 32 - max number of entries
UINT32 4 - num referenced domains?
UNIHDR2 domain name unicode string header
UNIHDR2[num_ref_doms] referenced domain unicode string headers
UNISTR domain name unicode string
DOM_SID domain SID
DOM_SID[num_ref_doms] referenced domain SIDs
UINT32 num_entries (listed above)
VOID* undocumented buffer pointer
UINT32 num_entries (listed above)
DOM_RID[num_entries] domain SIDs (from Request, listed above).
UINT32 num_entries (listed above)
return 0 - indicates success
3) NETLOGON rpc Transact Named Pipe
-----------------------------------
3.1) LSA Request Challenge
--------------------------
Note: logon server name starts with two '\' characters and is upper case.
Note: logon client is the machine, not the user.
Note: the initial LanManager password hash, against which the challenge
is issued, is the machine name itself (lower case). there will be
calls issued (LSA Server Password Set) which will change this, later.
refusing these calls allows you to always deal with the same password
(i.e the LM# of the machine name in lower case).
Request:
VOID* undocumented buffer pointer
UNISTR2 logon server unicode string
UNISTR2 logon client unicode string
char[8] client challenge
Response:
char[8] server challenge
return 0 - indicates success
3.2) LSA Authenticate 2
--------------------
Note: in between request and response, calculate the client credentials,
and check them against the client-calculated credentials (this
process uses the previously received client credentials).
Note: neg_flags in the response is the same as that in the request.
Note: you must take a copy of the client-calculated credentials received
here, because they will be used in subsequent authentication packets.
Request:
LOG_INFO client identification info
char[8] client-calculated credentials
UINT8[] padding to 4-byte align with start of SMB header.
UINT32 neg_flags - negotiated flags (usual value is 0x0000 01ff)
Response:
char[8] server credentials.
UINT32 neg_flags - same as neg_flags in request.
return 0 - indicates success. failure value unknown.
3.3) LSA Server Password Set
----------------------------
Note: the new password is suspected to be a DES encryption using the old
password to generate the key.
Note: in between request and response, calculate the client credentials,
and check them against the client-calculated credentials (this
process uses the previously received client credentials).
Note: the server credentials are constructed from the client-calculated
credentials and the client time + 1 second.
Note: you must take a copy of the client-calculated credentials received
here, because they will be used in subsequent authentication packets.
Request:
CLNT_INFO client identification/authentication info
char[] new password - undocumented.
Response:
CREDS server credentials. server time stamp appears to be ignored.
return 0 - indicates success; 0xC000 006a indicates failure
3.4) LSA SAM Logon
--------------------
Note: valid_user is True iff the username and password hash are valid for
the requested domain.
Request:
SAM_INFO sam_id structure
Response:
VOID* undocumented buffer pointer
CREDS server credentials. server time stamp appears to be ignored.
if (valid_user)
{
VOID* non-zero - undocumented buffer pointer.
NTTIME logon time
NTTIME logoff time
NTTIME kickoff time
NTTIME password last set time
NTTIME password can change time
NTTIME password must change time
UNIHDR username unicode string header
UNIHDR user's full name unicode string header
UNIHDR logon script unicode string header
UNIHDR profile path unicode string header
UNIHDR home directory unicode string header
UNIHDR home directory drive unicode string header
UINT16 logon count
UINT16 bad password count
UINT32 User ID
UINT32 Group ID
UINT32 num groups
VOID* undocumented buffer pointer to groups.
UINT32 user flags
char[16] unused user session key
UNIHDR logon server unicode string header
UNIHDR logon domain unicode string header
VOID* undocumented logon domain id pointer
char[40] unused padding bytes.
UINT32 0 - num_sids
VOID* NULL - undocumented pointer to SIDs.
UNISTR2 username unicode string
UNISTR2 user's full name unicode string
UNISTR2 logon script unicode string
UNISTR2 profile path unicode string
UNISTR2 home directory unicode string
UNISTR2 home directory drive unicode string
UINT32 num groups
GID[num_groups] group info
UNISTR2 logon server unicode string
UNISTR2 logon domain unicode string
DOM_SID[2?] undocumented - domain SIDs
DOM_SID domain SID
UINT32 1 - Authoritative response; 0 - Non-Auth?
return 0 - indicates success
}
else
{
VOID* 0x0000 0000 - undocumented buffer pointer
UINT32 1 - Authoritative response; 0 - Non-Auth?
return 0xC000 0064 - indicates failure
}
3.5) LSA SAM Logoff
--------------------
Note: presumably, the SAM_INFO structure is validated, and a (currently
undocumented) error code returned if the Logoff is invalid.
Request:
SAM_INFO sam_id structure
Response:
VOID* undocumented buffer pointer
CREDS server credentials. server time stamp appears to be ignored.
More information about the samba
mailing list