questions about cifsntdomain.txt

Phil Cox pcc at
Mon Aug 31 02:57:16 GMT 1998

In the cifsntdomain.txt portion of the samba docs, there is a description
of the SAM logon information. I have a couple of questions.
Here is the first structure in question:

- ID_INFO_1 (id info structure, auth level 1) :

    VOID*         ptr_id_info_1
    UNIHDR        domain name unicode header
    UINT32        param control
    UINT64        logon ID
    UNIHDR        user name unicode header
    UNIHDR        workgroup name unicode header
    char[16]      arc4 LM OWF Password
    char[16]      arc4 NT OWF Password
    UNISTR2       domain name unicode string
    UNISTR2       user name unicode string
    UNISTR2       workstation name unicode string

Now the question:

1. Are the OWF only "encrypted" with arc4? Or is there actually a stronger
encryption before arc4'ing them?

What I am trying to find out is whether it is just as easy to capture and
crack the domain logon (dce/rpc) based packets, as it is the SMB/CIFS
challenge-response authentication packets?

The next structure is the

- CLNT_INFO2 (server, client structure, client credentials) :
    CLNT_SRV     client and server names
    UINT8[]      ???? padding, for 4-byte alignment with SMB header.
    VOID*        pointer to client credentials.
    CREDS        client-calculated credentials + client time

Where do I find out how the client calculated the credential?

Your input is much appreciated.

Phil Cox

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer Incident Advisory Capability (CIAC)    Philip C. Cox
(510)422-8193                                   (510)422-8564
ciac at                                   pcc at
PGP fingerprint =  1A97 AB44 406A 77B7  3EA8 3B5B E3B5 BE73
Notable Quote   = "Do today what you want to be tomorrow."
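As an added example (not part of Phil's post or of the Samba docs he quotes), here is a small Python parser for the ID_INFO_1 layout listed above, showing which bytes of the logon request carry the arc4-wrapped LM/NT OWF values. The byte encodings of UNIHDR and UNISTR2, little-endian integers and 4-byte NDR alignment after each string are assumptions following Samba's marshalling conventions; the sample buffer is constructed, with dummy bytes in the OWF fields.

```python
import struct

# Assumed encodings (Samba-style marshalling, not stated in the post):
#   VOID*   = UINT32 referent id      UNIHDR  = str_len:16, max_len:16, buffer:32
#   UNISTR2 = max_len:32, offset:32, str_len:32, then str_len UTF-16LE code units,
#             followed by padding to the next 4-byte boundary (NDR alignment).

def _unihdr(buf, off):
    str_len, max_len, ptr = struct.unpack_from("<HHI", buf, off)
    return {"str_len": str_len, "max_len": max_len, "ptr": ptr}, off + 8

def _unistr2(buf, off):
    max_len, offset, str_len = struct.unpack_from("<III", buf, off)
    off += 12
    raw = buf[off:off + 2 * str_len]
    off += 2 * str_len
    off += (-off) % 4                     # align next field to 4 bytes
    return raw.decode("utf-16-le"), off

def parse_id_info_1(buf):
    """Return (fields, bytes consumed) for one ID_INFO_1 structure."""
    info, off = {}, 0
    info["ptr_id_info_1"] = struct.unpack_from("<I", buf, off)[0]; off += 4
    _, off = _unihdr(buf, off)            # domain name unicode header
    info["param_control"], info["logon_id"] = struct.unpack_from("<IQ", buf, off)
    off += 12
    _, off = _unihdr(buf, off)            # user name unicode header
    _, off = _unihdr(buf, off)            # workstation name unicode header
    info["lm_owf_arc4"] = buf[off:off + 16]; off += 16   # arc4-wrapped LM OWF
    info["nt_owf_arc4"] = buf[off:off + 16]; off += 16   # arc4-wrapped NT OWF
    info["domain"], off = _unistr2(buf, off)
    info["user"], off = _unistr2(buf, off)
    info["workstation"], off = _unistr2(buf, off)
    return info, off

# Builders for a constructed sample buffer (hash fields are dummy bytes).
def _hdr(s):
    n = 2 * len(s)
    return struct.pack("<HHI", n, n, 0x20000)

def _str2(s):
    body = struct.pack("<III", len(s), 0, len(s)) + s.encode("utf-16-le")
    return body + b"\x00" * ((-len(body)) % 4)

def build_sample():
    return (struct.pack("<I", 0x20004) + _hdr("CORP") + struct.pack("<IQ", 2, 0x1234)
            + _hdr("alice") + _hdr("WS01") + bytes(range(16)) + bytes(range(16, 32))
            + _str2("CORP") + _str2("alice") + _str2("WS01"))
```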
